diff --git a/.env b/.env
new file mode 100644
index 0000000..b7715f2
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+PERPLEXITY_API_KEY=dummy
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..60bd23e
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,12 @@
+# API Keys (Required to enable respective provider)
+ANTHROPIC_API_KEY="your_anthropic_api_key_here"       # Required: Format: sk-ant-api03-...
+PERPLEXITY_API_KEY="your_perplexity_api_key_here"     # Optional: Format: pplx-...
+OPENAI_API_KEY="your_openai_api_key_here"             # Optional, for OpenAI models. Format: sk-proj-...
+GOOGLE_API_KEY="your_google_api_key_here"             # Optional, for Google Gemini models.
+MISTRAL_API_KEY="your_mistral_key_here"               # Optional, for Mistral AI models.
+XAI_API_KEY="YOUR_XAI_KEY_HERE"                       # Optional, for xAI AI models.
+GROQ_API_KEY="YOUR_GROQ_KEY_HERE"                     # Optional, for Groq models.
+OPENROUTER_API_KEY="YOUR_OPENROUTER_KEY_HERE"         # Optional, for OpenRouter models.
+AZURE_OPENAI_API_KEY="your_azure_key_here"            # Optional, for Azure OpenAI models (requires endpoint in .taskmaster/config.json).
+OLLAMA_API_KEY="your_ollama_api_key_here"             # Optional: For remote Ollama servers that require authentication.
+GITHUB_API_KEY="your_github_api_key_here"             # Optional: For GitHub import/export features. Format: ghp_... or github_pat_...
\ No newline at end of file
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..7474bff
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,263 @@
+name: CI/CD
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  GITEA_REGISTRY: 10.0.0.194:3012
+  GITEA_PUBLIC_URL: https://mysources.co.uk
+  GITEA_OWNER: michal
+
+# ============================================================
+# Required Gitea secrets:
+#   PACKAGES_TOKEN     -- Gitea API token (packages + registry)
+# ============================================================
+
+jobs:
+  # -- CI checks (run in parallel on every push/PR) ----------
+
+  lint:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: bastion
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Lint
+        run: pnpm lint || echo "::warning::Lint has errors -- not blocking CI yet"
+
+  typecheck:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: bastion
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+  test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: bastion
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Build (needed by completions check)
+        run: pnpm build
+
+      - name: Run tests
+        run: pnpm test:run
+
+  # -- Build & package (both architectures) -------------------
+
+  build:
+    runs-on: ubuntu-latest
+    needs: [lint, typecheck, test]
+    defaults:
+      run:
+        working-directory: bastion
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build all packages
+        run: pnpm build
+
+      - name: Generate shell completions
+        run: pnpm completions:generate
+
+      - uses: oven-sh/setup-bun@v2
+
+      - name: Install nfpm
+        run: |
+          curl -sL -o /tmp/nfpm.tar.gz "https://github.com/goreleaser/nfpm/releases/download/v2.45.0/nfpm_2.45.0_Linux_x86_64.tar.gz"
+          tar xzf /tmp/nfpm.tar.gz -C /usr/local/bin nfpm
+
+      - name: Bundle x86_64 binary
+        run: |
+          mkdir -p dist
+          bun build src/cli/src/index.ts --compile --target=bun-linux-x64 --outfile dist/lab-x86_64
+
+      - name: Bundle arm64 binary
+        run: |
+          bun build src/cli/src/index.ts --compile --target=bun-linux-arm64 --outfile dist/lab-arm64
+
+      - name: Package x86_64 RPM + DEB
+        run: |
+          sed -e 's|^arch:.*|arch: amd64|' -e 's|src: ./dist/lab$|src: ./dist/lab-x86_64|' nfpm.yaml > /tmp/nfpm-x86_64.yaml
+          nfpm pkg --config /tmp/nfpm-x86_64.yaml --packager rpm --target dist/
+          nfpm pkg --config /tmp/nfpm-x86_64.yaml --packager deb --target dist/
+
+      - name: Package arm64 RPM + DEB
+        run: |
+          sed -e 's|^arch:.*|arch: arm64|' -e 's|src: ./dist/lab$|src: ./dist/lab-arm64|' nfpm.yaml > /tmp/nfpm-arm64.yaml
+          nfpm pkg --config /tmp/nfpm-arm64.yaml --packager rpm --target dist/
+          nfpm pkg --config /tmp/nfpm-arm64.yaml --packager deb --target dist/
+
+      - name: Upload RPM artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: rpm-packages
+          path: bastion/dist/lab-*.rpm
+          retention-days: 7
+
+      - name: Upload DEB artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: deb-packages
+          path: bastion/dist/lab*.deb
+          retention-days: 7
+
+  # -- Release pipeline (main branch push only) --------------
+
+  publish-rpm:
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    defaults:
+      run:
+        working-directory: bastion
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download RPM artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: rpm-packages
+          path: bastion/dist/
+
+      - name: Install rpm tools
+        run: sudo apt-get update && sudo apt-get install -y rpm
+
+      - name: Publish RPMs to Gitea
+        env:
+          GITEA_TOKEN: ${{ secrets.PACKAGES_TOKEN }}
+          GITEA_URL: http://${{ env.GITEA_REGISTRY }}
+          GITEA_OWNER: ${{ env.GITEA_OWNER }}
+          GITEA_REPO: lab
+        run: |
+          for RPM_FILE in dist/lab-*.rpm; do
+            [ -f "$RPM_FILE" ] || continue
+            RPM_VERSION=$(rpm -qp --queryformat '%{VERSION}-%{RELEASE}' "$RPM_FILE")
+            RPM_ARCH=$(rpm -qp --queryformat '%{ARCH}' "$RPM_FILE")
+            echo "Publishing $RPM_FILE (version $RPM_VERSION, arch $RPM_ARCH)..."
+
+            # Delete existing version if present
+            HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              "${GITEA_URL}/api/v1/packages/${GITEA_OWNER}/rpm/lab/${RPM_VERSION}")
+
+            if [ "$HTTP_CODE" = "200" ]; then
+              echo "Version exists, replacing..."
+              curl -s -o /dev/null -X DELETE \
+                -H "Authorization: token ${GITEA_TOKEN}" \
+                "${GITEA_URL}/api/v1/packages/${GITEA_OWNER}/rpm/lab/${RPM_VERSION}"
+            fi
+
+            # Upload
+            curl --fail -X PUT \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              --upload-file "$RPM_FILE" \
+              "${GITEA_URL}/api/packages/${GITEA_OWNER}/rpm/upload"
+
+            echo "Published $RPM_FILE successfully!"
+          done
+
+          # Link package to repo
+          source scripts/link-package.sh
+          link_package "rpm" "lab"
+
+  publish-deb:
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    defaults:
+      run:
+        working-directory: bastion
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download DEB artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: deb-packages
+          path: bastion/dist/
+
+      - name: Publish DEBs to Gitea
+        env:
+          GITEA_TOKEN: ${{ secrets.PACKAGES_TOKEN }}
+          GITEA_URL: http://${{ env.GITEA_REGISTRY }}
+          GITEA_OWNER: ${{ env.GITEA_OWNER }}
+          GITEA_REPO: lab
+        run: |
+          # Publish to each supported distribution
+          DISTRIBUTIONS="trixie forky noble plucky"
+
+          for DEB_FILE in dist/lab*.deb; do
+            [ -f "$DEB_FILE" ] || continue
+            DEB_VERSION=$(dpkg-deb --field "$DEB_FILE" Version)
+            DEB_ARCH=$(dpkg-deb --field "$DEB_FILE" Architecture)
+            echo "Publishing $DEB_FILE (version $DEB_VERSION, arch $DEB_ARCH)..."
+
+            for DIST in $DISTRIBUTIONS; do
+              echo "  -> $DIST..."
+              HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                -X PUT \
+                -H "Authorization: token ${GITEA_TOKEN}" \
+                --upload-file "$DEB_FILE" \
+                "${GITEA_URL}/api/packages/${GITEA_OWNER}/debian/pool/${DIST}/main/upload")
+
+              if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "200" ]; then
+                echo "     Published to $DIST"
+              elif [ "$HTTP_CODE" = "409" ]; then
+                echo "     Already exists in $DIST (skipping)"
+              else
+                echo "     WARNING: Upload to $DIST returned HTTP $HTTP_CODE"
+              fi
+            done
+          done
+
+          echo "Published successfully!"
+
+          # Link package to repo
+          source scripts/link-package.sh
+          link_package "debian" "lab"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f270674
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,25 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+dev-debug.log
+
+# Dependency directories
+node_modules/
+
+# Environment variables
+.env
+
+# Editor directories and files
+.idea
+.vscode
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?
+
+# OS specific
+.DS_Store
diff --git a/.mcp.json b/.mcp.json
new file mode 100644
index 0000000..f505dc7
--- /dev/null
+++ b/.mcp.json
@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "labctl": {
+      "command": "mcpctl",
+      "args": [
+        "mcp",
+        "-p",
+        "labctl"
+      ]
+    }
+  }
+}
diff --git a/.taskmaster/.env b/.taskmaster/.env
new file mode 100644
index 0000000..b7715f2
--- /dev/null
+++ b/.taskmaster/.env
@@ -0,0 +1 @@
+PERPLEXITY_API_KEY=dummy
diff --git a/.taskmaster/config.json b/.taskmaster/config.json
new file mode 100644
index 0000000..f026c1d
--- /dev/null
+++ b/.taskmaster/config.json
@@ -0,0 +1,44 @@
+{
+  "models": {
+    "main": {
+      "provider": "claude-code",
+      "modelId": "opus",
+      "maxTokens": 32000,
+      "temperature": 0.2
+    },
+    "research": {
+      "provider": "claude-code",
+      "modelId": "opus",
+      "maxTokens": 32000,
+      "temperature": 0.2
+    },
+    "fallback": {
+      "provider": "claude-code",
+      "modelId": "sonnet",
+      "maxTokens": 64000,
+      "temperature": 0.2
+    }
+  },
+  "global": {
+    "logLevel": "info",
+    "debug": false,
+    "defaultNumTasks": 10,
+    "defaultSubtasks": 5,
+    "defaultPriority": "medium",
+    "projectName": "Task Master",
+    "ollamaBaseURL": "http://localhost:11434/api",
+    "bedrockBaseURL": "https://bedrock.us-east-1.amazonaws.com",
+    "responseLanguage": "English",
+    "enableCodebaseAnalysis": true,
+    "enableProxy": false,
+    "anonymousTelemetry": true,
+    "userId": "1234567890"
+  },
+  "claudeCode": {},
+  "codexCli": {},
+  "grokCli": {
+    "timeout": 120000,
+    "workingDirectory": null,
+    "defaultModel": "grok-4-latest"
+  }
+}
\ No newline at end of file
diff --git a/.taskmaster/docs/prd.md b/.taskmaster/docs/prd.md
new file mode 100644
index 0000000..0110694
--- /dev/null
+++ b/.taskmaster/docs/prd.md
@@ -0,0 +1,452 @@
+# labctl — Infrastructure Management Platform
+
+## Product Requirements Document
+
+## 1. Overview
+
+labctl is a unified infrastructure management platform for bare-metal servers, Kubernetes clusters, and cloud resources. It replaces Puppet with a modern, TypeScript-native system using Pulumi for infrastructure as code.
+
+### 1.1 Core Principles
+- **Single CLI** (`labctl`) for all infrastructure operations
+- **mTLS everywhere** — built-in Certificate Authority, no SSH key management
+- **RBAC from day one** — deny by default, audit everything
+- **Multi-cloud** — bare metal now, AWS later, extensible to any cloud
+- **Test infrastructure like code** — ephemeral environments, smoke tests, security tests
+- **Pulumi over Helm** — TypeScript charts, typed, testable, no YAML templating
+
+### 1.2 Current State (completed)
+- PXE bastion for bare-metal provisioning (discover, install, reprovision)
+- CLI with subcommands: `labctl init bastion`, `labctl provision`
+- LVM partitioning with reprovision data preservation (/home, /srv, /var/lib/longhorn, /var/lib/rancher)
+- Worker role (k3s agent + Longhorn) and infra role (k3s server + etcd)
+- 32 unit tests, VM smoke tests verified on real hardware
+- Multi-arch builds (x86_64 + arm64), RPM/DEB packaging, Gitea CI/CD
+- labd scaffold with CockroachDB Prisma schema (Server, Agent, User, Role, Permission, AuditLog, JoinToken, Cluster, PulumiRun)
+
+### 1.3 Hardware
+- labmaster (puppet.ad.itaz.eu / 78:55:36:08:35:14): MinisForum SER9, AMD Ryzen 7 255, 16 cores, 27GB RAM, 1TB NVMe, infra role
+- Future: additional bare-metal worker nodes, AWS EC2 instances
+
+## 2. Architecture
+
+### 2.1 Components
+
+```
+labctl CLI → labd (master) → lab-agent (on every server)
+                ↓
+          CockroachDB
+```
+
+**labctl** — CLI binary installed on developer workstations. Compiled with bun to standalone binary. Distributed as RPM/DEB/binary.
+
+**labd** — Master daemon running as k8s Deployment on labmaster's k3s cluster. Stateless (all state in CockroachDB). Multiple instances behind k8s Service for HA. Manages: CA, RBAC, agent registry, Pulumi executor, kubectl proxy, app deployments, log relay.
+
+**lab-agent** — Lightweight daemon on every managed machine. Connects to labd via mTLS WebSocket. Handles: heartbeat, command execution, log streaming, module application. Compiled to standalone binary with bun. Installed via systemd service.
+
+**CockroachDB** — Distributed SQL database. PostgreSQL wire-compatible (Prisma works unchanged). Single node to start, multi-node for HA. Stores: server state, RBAC, audit logs, certificates, kubeconfigs (encrypted), Pulumi state.
+
+**Bastion** — PXE provisioning server. Runs as k8s pod with hostNetwork (needs DHCP/TFTP). Managed by labd as an "app". Multiple bastions for multiple sites.
+
+### 2.2 Network Architecture
+
+**Cilium** as k8s CNI (replacing default flannel):
+- eBPF-based pod networking
+- Built-in WireGuard encryption between nodes
+- Network policies (ties into RBAC)
+- Hubble for observability
+- Future: Cluster Mesh for multi-site transparent networking
+
+No Tailscale dependency — Cilium handles node-to-node encryption. Agents connect to labd over standard TCP/TLS.
+
+### 2.3 Authentication
+
+**mTLS with built-in Certificate Authority:**
+1. labd generates root CA on first start (stored encrypted in CockroachDB)
+2. Agents enroll with join token → receive signed certificate
+3. CLI users authenticate with client certificates (or SSH key-based initial auth)
+4. All communication authenticated via mutual TLS
+5. Certificate rotation and revocation supported
+
+**Join tokens:**
+- One-time tokens: for individual bare-metal servers (generated during PXE provision, embedded in kickstart)
+- Reusable tokens: for autoscaling groups (AWS ASG instances share a token)
+- Tokens can be revoked, have optional expiry
+
+### 2.4 RBAC Model
+
+Inspired by mcpctl's RBAC (src/mcpd/src/services/, middleware/auth). Hierarchical permissions:
+
+```
+action:cloud:environment:server
+
+Examples:
+  read:*:*:*                    — read everything
+  exec:baremetal:lab:*          — exec on any lab bare-metal server
+  kubectl:*:*:*                 — kubectl proxy on any cluster
+  *:baremetal:lab:puppet        — full access to puppet server only
+  manage:*:*:*                  — manage apps, clusters, tokens
+  admin:*:*:*                   — full admin (create users, roles)
+```
+
+**Resources:** servers, environments, clouds, modules, roles, users, clusters, apps, pulumi-stacks
+**Actions:** read, exec, apply, destroy, manage, admin, kubectl
+**Deny rules:** explicit deny overrides any allow (like AWS IAM)
+
+Prisma models: Role, Permission (allow/deny), UserRole binding.
+
+### 2.5 Database
+
+**CockroachDB** chosen over PostgreSQL and Cassandra:
+- PostgreSQL wire-compatible — Prisma works, mcpctl patterns reusable
+- Multi-master replication — any node accepts reads AND writes
+- Strong consistency (not eventual like Cassandra)
+- Survives node failures (3 nodes = 1 failure, 5 nodes = 2)
+- Auto-rebalancing when adding nodes
+- Start single-node, scale to multi-node with zero code changes (just add nodes)
+
+**Schema (already scaffolded in Prisma):**
+- Server — managed machines (hostname, mac, cloud, env, role, labels, status)
+- Agent — connected agents (cert, enrollment, last seen)
+- User — platform users (username, cert fingerprint)
+- Role — RBAC roles with permissions
+- Permission — allow/deny rules (action:cloud:env:server)
+- UserRole — user-to-role bindings
+- JoinToken — enrollment tokens (one-time, reusable, revocable)
+- AuditLog — every action logged (user, session, action, resource, result, duration)
+- PulumiRun — infrastructure-as-code execution records
+- Cluster — managed k8s clusters (kubeconfig encrypted)
+
+## 3. CLI Command Reference
+
+### 3.1 Bastion (PXE Provisioning) — IMPLEMENTED
+```bash
+sudo labctl init bastion standalone start [--foreground] [--port 8080]
+sudo labctl init bastion standalone stop
+labctl init bastion standalone status
+```
+
+### 3.2 Provisioning — IMPLEMENTED
+```bash
+labctl provision list
+labctl provision install <mac> <hostname> --role worker|infra
+labctl provision reprovision <mac> <hostname> --role worker|infra
+labctl provision forget <mac>
+```
+
+### 3.3 Server Management — TO BUILD
+```bash
+labctl get servers [--env NAME] [--cloud NAME] [--label KEY=VALUE]
+labctl describe server/<name>
+```
+
+### 3.4 Remote Execution — TO BUILD
+```bash
+labctl exec server/<name> -- <command>
+labctl exec server/<name> -it -- bash          # interactive TTY
+labctl exec server/<name> --timeout 30s -- cmd
+```
+
+### 3.5 Kubernetes Proxy — TO BUILD
+```bash
+labctl kubectl --cluster <name> <kubectl-args>
+labctl clusters add <name> --kubeconfig <path>
+labctl clusters list
+labctl clusters remove <name>
+```
+
+### 3.6 Logs — TO BUILD
+```bash
+# Server logs (journalctl passthrough, no DB in hot path)
+labctl logs server/<name>                     # all journal
+labctl logs server/<name> -f                  # follow (live WebSocket relay)
+labctl logs server/<name> -n 100              # last 100 lines
+labctl logs server/<name> -u k3s              # specific unit
+labctl logs server/<name> -u sshd --since "1h ago"
+labctl logs server/<name> -k                  # kernel
+labctl logs server/<name> -p err              # errors only
+labctl logs server/<name> --file /var/log/nginx/error.log
+
+# App logs (k8s pod logs)
+labctl logs app/<name> [-f] [--container NAME]
+
+# Pulumi execution logs
+labctl logs pulumi/<run-id> [-f]
+
+# Bastion logs
+labctl logs bastion/<env> [--mac MAC]
+
+# Agent daemon logs
+labctl logs agent/<server>
+
+# Audit logs (from CockroachDB)
+labctl logs audit [--user NAME] [--action ACTION] [--since TIME]
+labctl logs audit/<user-date-sessionid>       # specific session
+```
+
+Log architecture: agent runs journalctl/tail with user-provided flags, streams stdout over WebSocket to labd, labd relays to CLI. No database in the hot path. Future: Grafana Loki integration for cold storage.
+
+### 3.7 Apps (Pulumi Charts, replacing Helm) — TO BUILD
+```bash
+labctl apps list
+labctl apps install <name> [--set key=value] [-f values.yaml]
+labctl apps status <name>
+labctl apps upgrade <name>
+labctl apps history <name>
+labctl apps rollback <name> <version>
+labctl apps uninstall <name>
+```
+
+### 3.8 Infrastructure as Code — TO BUILD
+```bash
+labctl apply -f <file.ts> --env <env>
+labctl plan -f <file.ts> --env <env>
+labctl destroy -f <file.ts> --env <env>
+```
+
+### 3.9 RBAC — TO BUILD
+```bash
+labctl get roles
+labctl get users
+labctl create role <name> --allow "action:cloud:env:server"
+labctl create role <name> --deny "destroy:*:*:*"
+labctl bind role <role> --user <user>
+labctl unbind role <role> --user <user>
+labctl get permissions
+```
+
+### 3.10 Environments and Clouds — TO BUILD
+```bash
+labctl get environments
+labctl get clouds
+labctl create environment <name> --cloud <cloud>
+```
+
+## 4. Partition Layout
+
+### Worker Role
+```
+/boot/efi       600MB  EFI
+/boot           3GB    ext4
+── LVM VG: labvg ──
+  swap          27GB
+  /             33GB   xfs
+  /var          100GB  xfs
+  /var/log      10GB   xfs
+  /home         10GB   xfs         ← preserved on reprovision
+  /srv          20GB   xfs         ← preserved on reprovision
+  /var/lib/longhorn  rest  xfs     ← preserved (Longhorn PVC storage)
+  /tmp          tmpfs 4GB
+```
+
+### Infra Role
+```
+/boot/efi       600MB  EFI
+/boot           3GB    ext4
+── LVM VG: labvg ──
+  swap          27GB
+  /             33GB   xfs
+  /var          100GB  xfs
+  /var/log      10GB   xfs
+  /home         10GB   xfs         ← preserved on reprovision
+  /srv          20GB   xfs         ← preserved on reprovision
+  /var/lib/rancher  20GB  xfs      ← preserved (k3s etcd data)
+  /tmp          tmpfs 4GB
+```
+
+## 5. Module System
+
+Configuration modules define desired state. Three tiers:
+1. **Core modules** (this repo, `modules/`): k3s-server, k3s-agent, labd, lab-agent, bastion
+2. **Official modules** (separate repos): monitoring, cilium, DNS
+3. **Custom modules** (user repos): pulled by git URL
+
+Module structure:
+```
+module.yaml          # name, version, targets (roles/labels), deps
+src/index.ts         # entry point
+src/install.ts       # installation logic
+src/configure.ts     # configuration logic
+src/health.ts        # health check
+tests/               # vitest tests (mandatory)
+```
+
+## 6. Testing Strategy
+
+### 6.1 Testing Pyramid
+```
+Unit Tests        → pure logic, milliseconds, every commit
+Smoke Tests       → containers (podman-compose), minutes, every commit
+Integration Tests → VMs (libvirt), 10-15 min, PRs
+E2E Tests         → real hardware/cloud, 20-30 min, pre-release
+```
+
+### 6.2 Smoke Test Stack (podman-compose)
+```yaml
+services:
+  cockroachdb:
+    image: cockroachdb/cockroach:latest-v24.3
+  labd:
+    build: .
+    depends_on: [cockroachdb]
+  agent-1:
+    build: ./agent
+    depends_on: [labd]
+  agent-2:
+    build: ./agent
+    depends_on: [labd]
+```
+Tests: agent enrollment, certificate issuance, heartbeat, exec, logs, RBAC deny/allow.
+
+### 6.3 Security Tests (RBAC)
+- Deny exec without permission
+- Deny cross-environment access
+- Deny rules override allow rules
+- Cannot escalate own permissions
+- Audit logs all denied attempts
+- Certificate-based auth cannot be spoofed
+- Join tokens cannot be reused (one-time)
+- Expired tokens rejected
+
+### 6.4 Ephemeral Test Environments
+```bash
+labctl test smoke                                    # podman-compose
+labctl test integration                              # libvirt VMs
+labctl env create pr-123 --cloud containers          # CI ephemeral
+labctl env create pr-123 --cloud aws                 # cloud ephemeral (future)
+```
+
+### 6.5 Health Gates for Deployment
+Before promoting to production, ALL must pass:
+- labd API responds
+- Expected number of agents connected
+- k3s nodes Ready
+- Certificates valid (>30 days)
+- RBAC smoke test passes
+- No error logs in last 5 minutes
+
+## 7. Cloud/Environment Model
+
+```
+Cloud: baremetal
+  └── Environment: lab
+       ├── Server: labmaster.ad.itaz.eu (infra, labels={k3s=server})
+       └── Server: ser9.ad.itaz.eu (worker, labels={k3s=agent})
+
+Cloud: aws (future)
+  └── Environment: production
+       ├── Server: i-abc123 (from ASG web-servers)
+       └── Server: i-def456 (from ASG web-servers)
+```
+
+Each bastion creates an environment under baremetal cloud. AWS autoscaling groups create environments under aws cloud.
+
+## 8. App Model (Pulumi Charts)
+
+Each app is a Pulumi TypeScript program:
+```
+app.yaml             # name, version, inputs schema, required permissions
+src/index.ts         # Pulumi program
+values.yaml          # defaults
+tests/               # vitest tests
+```
+
+First apps to build:
+- bastion — PXE provisioning (wrap existing code)
+- labd — master daemon (self-deployment)
+- cockroachdb — database
+- cilium — CNI
+
+## 9. Implementation Phases
+
+### Phase 1: Foundation (PARTIALLY DONE)
+- [x] PXE bastion (discover, install, reprovision)
+- [x] CLI structure (labctl init/provision)
+- [x] labd scaffold (Fastify + CockroachDB/Prisma schema)
+- [x] Multi-arch builds, packaging, CI/CD
+- [ ] Certificate Authority in labd
+- [ ] lab-agent skeleton (connect, heartbeat, enrollment)
+- [ ] Agent enrollment via join tokens
+- [ ] RBAC engine
+- [ ] labctl exec (remote execution)
+- [ ] labctl logs (resource-scoped streaming)
+- [ ] labctl get servers (with filters)
+- [ ] Smoke test stack (podman-compose)
+
+### Phase 2: Deployment
+- [ ] Reprovision labmaster as labmaster.ad.itaz.eu
+- [ ] Deploy k3s with Cilium CNI
+- [ ] Deploy CockroachDB on k3s
+- [ ] Deploy labd on k3s
+- [ ] Deploy bastion as managed app
+- [ ] Auto-enroll agents during PXE provision
+
+### Phase 3: Infrastructure as Code
+- [ ] Module system
+- [ ] Pulumi charts (replacing Helm)
+- [ ] labctl apps install/upgrade/rollback
+- [ ] labctl apply -f (Pulumi execution)
+- [ ] kubectl proxy (audited)
+- [ ] Kubeconfig store (encrypted)
+
+### Phase 4: Multi-Cloud
+- [ ] AWS provider (Pulumi)
+- [ ] Reusable join tokens for ASGs
+- [ ] Cilium Cluster Mesh
+- [ ] Ephemeral test environments
+- [ ] Grafana Loki for cold logs
+
+## 10. Technology Stack
+
+| Component | Technology | Notes |
+|-----------|-----------|-------|
+| Language | TypeScript (ESM) | Same for CLI, daemon, agents, IaC |
+| CLI | Commander.js | Matches mcpctl patterns |
+| HTTP Server | Fastify + WebSocket | labd and bastion |
+| Database | CockroachDB | PostgreSQL compatible, Prisma ORM |
+| ORM | Prisma | Reuse mcpctl patterns |
+| IaC | Pulumi (TypeScript) | Replaces Helm and Puppet |
+| k8s CNI | Cilium | eBPF, WireGuard, network policies |
+| Auth | mTLS (built-in CA) | Certificate-based, no SSH keys |
+| Packaging | nfpm (RPM/DEB) | bun compile for standalone binary |
+| Containers | Podman + podman-compose | No Docker dependency |
+| CI/CD | Gitea Actions | Self-hosted on mysources.co.uk |
+| Testing | Vitest | Unit + smoke + integration |
+| Registry | Gitea packages | RPM, DEB, container images |
+
+## 11. Lessons from mcpctl
+
+The mcpctl project (../mcpctl/) established patterns reused here:
+
+**Project structure:** pnpm monorepo with workspace packages (shared, cli, daemon). Each package has own package.json, tsconfig.json, vitest.config.ts.
+
+**CLI patterns:** Commander.js with factory functions (createXxxCommand). Global options (--project → --env/--cloud). Resource CRUD (get, describe, delete, create, apply).
+
+**Server patterns:** Fastify with route registration functions. Services layer with repository pattern. Middleware for auth. Health endpoints.
+
+**Database:** Prisma ORM with PostgreSQL (now CockroachDB, wire-compatible). Migration-first schema. Seed data for initial setup.
+
+**RBAC:** Role-based with permission strings. Middleware checks on every request. Audit logging in middleware.
+
+**Testing:** Vitest with separate configs for unit vs smoke. Smoke tests with real database and services. Security tests for RBAC.
+
+**CI/CD:** Gitea Actions with lint→typecheck→test→build→publish pipeline. nfpm for RPM/DEB. Bun compile for standalone binaries. Podman for container images.
+
+**Deployment:** Docker/Podman compose for dev stack. Portainer API for production deploy (we'll use k3s instead). systemd for local daemons.
+
+**Completions:** Generated from Commander tree. Bash + Fish. --write and --check modes. Included in packages.
+
+**Key learnings applied:**
+- Start with proper monorepo structure (not flat scripts)
+- Type safety across packages via workspace references
+- Test-driven (unit tests before features)
+- CI from the start (not retrofitted)
+- RBAC and audit from the start (not bolted on)
+- Database-first design (schema defines the domain)
+
+## 12. Gitea Registry
+
+**Registry:** mysources.co.uk (self-hosted Gitea at 10.0.0.194)
+**Token:** stored at ~/.gitea-token, env var PACKAGES_TOKEN
+**Packages:** RPM and DEB published to Gitea packages API
+**Container images:** pushed to Gitea container registry
+**API pattern:** Same as mcpctl publish scripts (check existing, delete, re-upload, link to repo)
diff --git a/.taskmaster/state.json b/.taskmaster/state.json
new file mode 100644
index 0000000..e0fdc3a
--- /dev/null
+++ b/.taskmaster/state.json
@@ -0,0 +1,6 @@
+{
+  "currentTag": "master",
+  "lastSwitched": "2026-03-18T00:17:54.213Z",
+  "branchTagMapping": {},
+  "migrationNoticeShown": true
+}
\ No newline at end of file
diff --git a/.taskmaster/tasks/tasks.json b/.taskmaster/tasks/tasks.json
new file mode 100644
index 0000000..57fc906
--- /dev/null
+++ b/.taskmaster/tasks/tasks.json
@@ -0,0 +1,180 @@
+{
+  "master": {
+    "tasks": [
+      {
+        "id": 72,
+        "title": "Expand Prisma Schema with Resource Relationships",
+        "description": "Add Network, ServerNic, ServerDisk, and ClusterMember models to the Prisma schema. Add bastionId foreign key to Server model to track which bastion owns each server.",
+        "details": "Edit `bastion/src/labd/prisma/schema.prisma` to add:\n\n1. **Server model changes**:\n   - Add `bastionId String?` with relation to Bastion\n   - Add `hardwareInfo Json?` for storing raw HardwareInfo\n   - Add `os String?` for installed OS\n\n2. **Network model**:\n```prisma\nmodel Network {\n  id          String   @id @default(uuid())\n  name        String   @unique\n  cidr        String\n  vlan        Int?\n  gateway     String?\n  domain      String?\n  dhcpEnabled Boolean  @default(false)\n  createdAt   DateTime @default(now())\n  updatedAt   DateTime @updatedAt\n  \n  nics ServerNic[]\n}\n```\n\n3. **ServerNic model**:\n```prisma\nmodel ServerNic {\n  id        String  @id @default(uuid())\n  serverId  String\n  server    Server  @relation(fields: [serverId], references: [id], onDelete: Cascade)\n  networkId String?\n  network   Network? @relation(fields: [networkId], references: [id])\n  mac       String\n  ip        String?\n  name      String\n  state     String  @default(\"DOWN\")\n  \n  @@unique([serverId, mac])\n  @@index([networkId])\n}\n```\n\n4. **ServerDisk model**:\n```prisma\nmodel ServerDisk {\n  id       String @id @default(uuid())\n  serverId String\n  server   Server @relation(fields: [serverId], references: [id], onDelete: Cascade)\n  name     String\n  sizeGb   Float\n  model    String?\n  \n  @@unique([serverId, name])\n}\n```\n\n5. **ClusterMember model**:\n```prisma\nmodel ClusterMember {\n  id        String @id @default(uuid())\n  clusterId String\n  cluster   Cluster @relation(fields: [clusterId], references: [id], onDelete: Cascade)\n  serverId  String\n  server    Server  @relation(fields: [serverId], references: [id], onDelete: Cascade)\n  role      String  @default(\"worker\") // control-plane, worker\n  joinedAt  DateTime @default(now())\n  \n  @@unique([clusterId, serverId])\n  @@index([clusterId])\n  @@index([serverId])\n}\n```\n\n6. Update Server model with relations to nics, disks, clusterMemberships, and bastion.\n\nRun `pnpm prisma generate` and `pnpm prisma migrate dev --name add-resource-models`.",
+        "testStrategy": "1. Run `pnpm prisma validate` to verify schema syntax\n2. Run `pnpm prisma generate` to confirm client generation\n3. Create migration and verify it applies cleanly to local CockroachDB\n4. Write unit tests that create/read/delete each new model\n5. Verify cascade deletes work (deleting Server removes its NICs and Disks)",
+        "priority": "high",
+        "dependencies": [],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 73,
+        "title": "Implement State Persistence Service in labd",
+        "description": "Create a new service in labd that persists bastion state syncs to the Server table in CockroachDB. When bastion-state-sync messages arrive, upsert machines into Server with their hardware info, status, and ownership.",
+        "details": "Create `bastion/src/labd/src/services/state-persistence.ts`:\n\n```typescript\nimport type { PrismaClient } from \"@prisma/client\";\nimport type { BastionState, HardwareInfo, InstallConfig, InstalledInfo } from \"@lab/shared\";\nimport { logger } from \"./logger.js\";\n\nexport class StatePersistence {\n  constructor(private readonly db: PrismaClient) {}\n\n  async syncBastionState(bastionId: string, state: BastionState): Promise<void> {\n    // Process discovered machines\n    for (const [mac, hw] of Object.entries(state.discovered)) {\n      await this.upsertDiscoveredServer(bastionId, mac, hw);\n    }\n    \n    // Process queued machines (update status to provisioning)\n    for (const [mac, cfg] of Object.entries(state.install_queue)) {\n      await this.upsertQueuedServer(bastionId, mac, cfg);\n    }\n    \n    // Process installed machines\n    for (const [mac, info] of Object.entries(state.installed)) {\n      await this.upsertInstalledServer(bastionId, mac, info);\n    }\n  }\n\n  private async upsertDiscoveredServer(bastionId: string, mac: string, hw: HardwareInfo): Promise<void> {\n    const normalized = mac.toLowerCase();\n    \n    await this.db.server.upsert({\n      where: { mac: normalized },\n      create: {\n        hostname: `unknown-${normalized.replace(/:/g, \"\").slice(-6)}`,\n        mac: normalized,\n        bastionId,\n        status: \"discovered\",\n        hardwareInfo: hw as any,\n        labels: {\n          arch: hw.arch,\n          cpu_model: hw.cpu_model,\n          cpu_cores: hw.cpu_cores,\n          memory_gb: hw.memory_gb,\n        },\n      },\n      update: {\n        bastionId,\n        status: \"discovered\", // only if not already provisioning/installed\n        hardwareInfo: hw as any,\n      },\n    });\n    \n    // Sync NICs and Disks\n    await this.syncServerHardware(normalized, hw);\n  }\n  \n  private async syncServerHardware(mac: string, hw: HardwareInfo): Promise<void> {\n    const server = await this.db.server.findUnique({ where: { mac } });\n    if (!server) return;\n    \n    // Upsert NICs\n    for (const nic of hw.nics) {\n      await this.db.serverNic.upsert({\n        where: { serverId_mac: { serverId: server.id, mac: nic.mac.toLowerCase() } },\n        create: { serverId: server.id, mac: nic.mac.toLowerCase(), name: nic.name, state: nic.state },\n        update: { name: nic.name, state: nic.state },\n      });\n    }\n    \n    // Upsert Disks\n    for (const disk of hw.disks) {\n      await this.db.serverDisk.upsert({\n        where: { serverId_name: { serverId: server.id, name: disk.name } },\n        create: { serverId: server.id, name: disk.name, sizeGb: disk.size_gb, model: disk.model },\n        update: { sizeGb: disk.size_gb, model: disk.model },\n      });\n    }\n  }\n  \n  // Similar methods for upsertQueuedServer and upsertInstalledServer...\n}\n```\n\nIntegrate into `server.ts` WebSocket handler by calling `statePersistence.syncBastionState()` when `bastion-state-sync` messages arrive.",
+        "testStrategy": "1. Unit test StatePersistence with mocked PrismaClient\n2. Integration test: simulate bastion-state-sync message, verify Server rows created\n3. Test idempotency: send same state twice, verify no duplicates\n4. Test status transitions: discovered -> provisioning -> installed\n5. Verify hardware info (NICs, Disks) is correctly persisted",
+        "priority": "high",
+        "dependencies": [
+          72
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 74,
+        "title": "Add State Loading from labd on Bastion Startup",
+        "description": "Modify bastion startup to request its persisted state from labd before using the local JSON cache. This ensures bastions restore their state after pod restarts.",
+        "details": "1. Add new labd API endpoint `GET /api/bastions/:id/state` that returns the aggregated state for a specific bastion from the Server table:\n\n```typescript\n// bastion/src/labd/src/routes/bastions.ts\napp.get<{ Params: { id: string } }>(\"/api/bastions/:id/state\", async (request, reply) => {\n  const { id } = request.params;\n  \n  const servers = await db.server.findMany({\n    where: { bastionId: id },\n    include: { nics: true, disks: true },\n  });\n  \n  // Transform back to BastionState format\n  const state: BastionState = { discovered: {}, install_queue: {}, installed: {} };\n  for (const server of servers) {\n    const mac = server.mac;\n    if (!mac) continue;\n    \n    switch (server.status) {\n      case \"discovered\":\n        state.discovered[mac] = transformToHardwareInfo(server);\n        break;\n      case \"provisioning\":\n        state.install_queue[mac] = transformToInstallConfig(server);\n        break;\n      case \"installed\":\n        state.installed[mac] = transformToInstalledInfo(server);\n        break;\n    }\n  }\n  \n  return reply.send(state);\n});\n```\n\n2. Modify `BastionConnection.connect()` in `labd-connection.ts` to fetch state after enrollment:\n\n```typescript\nprivate async loadRemoteState(): Promise<BastionState | null> {\n  if (!this.bastionId || !this.config.labdUrl) return null;\n  try {\n    const resp = await fetch(`${this.config.labdUrl}/api/bastions/${this.bastionId}/state`);\n    if (resp.ok) return await resp.json();\n  } catch { /* fall back to local */ }\n  return null;\n}\n```\n\n3. In bastion `main.ts`, after establishing labd connection, merge remote state with local state (remote takes precedence for installed machines, local wins for in-progress installs).",
+        "testStrategy": "1. Integration test: start bastion, let it persist state, restart bastion, verify state restored\n2. Test merge logic: local has in-progress install, remote has discovered - verify install preserved\n3. Test offline mode: labd unavailable, bastion falls back to local JSON\n4. Test fresh start: no local state, no remote state - bastion starts with empty state",
+        "priority": "high",
+        "dependencies": [
+          73
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 75,
+        "title": "Fix Bastion --dir Environment Variable Default",
+        "description": "Fix the bug where CLI's --dir default overrides the BASTION_DIR environment variable. The CLI option should use the env var as its default.",
+        "details": "Edit `bastion/src/cli/src/commands/serve.ts`:\n\n```typescript\n// Before (line 14):\n.option(\"--dir <dir>\", \"Bastion data directory\", \"/tmp/lab-bastion\")\n\n// After:\n.option(\n  \"--dir <dir>\",\n  \"Bastion data directory\",\n  process.env[\"BASTION_DIR\"] ?? \"/tmp/lab-bastion\"\n)\n```\n\nThis ensures:\n1. If `BASTION_DIR` env var is set (e.g., in k8s deployment), it's used as default\n2. Explicit `--dir` flag still overrides both\n3. Falls back to `/tmp/lab-bastion` if neither is set\n\nAlso update the k8s deployment manifest `bastion/deploy/k3s/deployment.yaml` to ensure `BASTION_DIR=/data` is properly set.",
+        "testStrategy": "1. Unit test: verify option default reads from process.env\n2. Integration test: set BASTION_DIR, run labctl without --dir, verify correct dir used\n3. Integration test: set BASTION_DIR, run labctl with --dir /custom, verify /custom used\n4. Test no env var: verify default /tmp/lab-bastion used",
+        "priority": "high",
+        "dependencies": [],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 76,
+        "title": "Create Resource Type Registry with Aliases",
+        "description": "Create a centralized resource type registry that maps resource names, plurals, and short aliases to canonical types. This enables kubectl-style resource resolution.",
+        "details": "Create `bastion/src/cli/src/utils/resources.ts`:\n\n```typescript\nexport interface ResourceDefinition {\n  kind: string;           // Canonical type: \"Server\", \"Cluster\", etc.\n  singular: string;       // \"server\"\n  plural: string;         // \"servers\"\n  aliases: string[];      // [\"srv\"]\n  apiPath: string;        // \"/api/servers\"\n  columns: TableColumn[]; // Default columns for 'get' output\n  wideColumns?: TableColumn[]; // Extra columns for -o wide\n}\n\nconst RESOURCE_DEFINITIONS: ResourceDefinition[] = [\n  {\n    kind: \"Server\",\n    singular: \"server\",\n    plural: \"servers\",\n    aliases: [\"srv\"],\n    apiPath: \"/api/servers\",\n    columns: serverColumns,\n    wideColumns: serverWideColumns,\n  },\n  {\n    kind: \"Cluster\",\n    singular: \"cluster\",\n    plural: \"clusters\",\n    aliases: [],\n    apiPath: \"/api/clusters\",\n    columns: clusterColumns,\n  },\n  {\n    kind: \"Network\",\n    singular: \"network\",\n    plural: \"networks\",\n    aliases: [\"net\"],\n    apiPath: \"/api/networks\",\n    columns: networkColumns,\n  },\n  // ... bastion, role, user, token, audit\n];\n\nconst aliasMap = new Map<string, ResourceDefinition>();\nfor (const def of RESOURCE_DEFINITIONS) {\n  aliasMap.set(def.singular, def);\n  aliasMap.set(def.plural, def);\n  for (const alias of def.aliases) {\n    aliasMap.set(alias, def);\n  }\n}\n\nexport function resolveResourceType(input: string): ResourceDefinition {\n  const normalized = input.toLowerCase();\n  const def = aliasMap.get(normalized);\n  if (!def) {\n    const valid = RESOURCE_DEFINITIONS.map(d => d.plural).join(\", \");\n    throw new Error(`Unknown resource type \"${input}\". Valid types: ${valid}`);\n  }\n  return def;\n}\n\nexport function resolveResourceIdentifier(input: string): {\n  type: ResourceDefinition;\n  name?: string;\n} {\n  // Handle \"server/labmaster\" or just \"servers\"\n  const parts = input.split(\"/\");\n  const type = resolveResourceType(parts[0]);\n  const name = parts.length > 1 ? parts.slice(1).join(\"/\") : undefined;\n  return { type, name };\n}\n```\n\nUpdate `bastion/src/cli/src/utils/resource.ts` to use the new registry.",
+        "testStrategy": "1. Unit test resolveResourceType with all aliases: server, servers, srv -> Server\n2. Test unknown resource type throws descriptive error\n3. Test case insensitivity: SERVER, Server, server all resolve correctly\n4. Test resolveResourceIdentifier parses \"server/labmaster\" correctly",
+        "priority": "high",
+        "dependencies": [],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 77,
+        "title": "Implement 'labctl get' Command",
+        "description": "Create the core 'labctl get <resource> [name]' command that lists resources with filtering and output format support. This is the foundation of the kubectl-style CLI.",
+        "details": "Create `bastion/src/cli/src/commands/get.ts`:\n\n```typescript\nimport { Command } from \"commander\";\nimport { resolveResourceType, type ResourceDefinition } from \"../utils/resources.js\";\nimport { getLabdClient } from \"../api/config.js\";\nimport { formatOutput, type TableColumn } from \"../utils/table.js\";\n\nexport function registerGetCommand(program: Command): void {\n  program\n    .command(\"get <resource> [name]\")\n    .description(\"List resources or get a specific resource by name\")\n    .option(\"--status <status>\", \"Filter by status\")\n    .option(\"--role <role>\", \"Filter by role (servers only)\")\n    .option(\"--cloud <cloud>\", \"Filter by cloud\")\n    .option(\"--env <environment>\", \"Filter by environment\")\n    .option(\"-l, --label <label>\", \"Filter by label (key=value)\")\n    .option(\"-A, --all-namespaces\", \"List across all clouds/environments\")\n    .action(async (resource: string, name: string | undefined, opts) => {\n      const config = program.opts()[\"_config\"];\n      const resourceDef = resolveResourceType(resource);\n      const client = getLabdClient();\n      \n      try {\n        let data: unknown[];\n        \n        if (name) {\n          // Get specific resource - could be name, ID, or MAC\n          const item = await client.getResource(resourceDef, name);\n          data = item ? [item] : [];\n        } else {\n          // List with filters\n          data = await client.listResources(resourceDef, {\n            status: opts.status,\n            role: opts.role,\n            cloud: opts.allNamespaces ? undefined : (opts.cloud ?? config.defaultCloud),\n            environment: opts.allNamespaces ? undefined : (opts.env ?? config.defaultEnvironment),\n            label: opts.label,\n          });\n        }\n        \n        if (data.length === 0) {\n          console.log(`No ${resourceDef.plural} found.`);\n          return;\n        }\n        \n        const columns = config.outputFormat === \"wide\" && resourceDef.wideColumns\n          ? [...resourceDef.columns, ...resourceDef.wideColumns]\n          : resourceDef.columns;\n        \n        formatOutput(data, config.outputFormat, columns);\n      } catch (err) {\n        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);\n        process.exit(1);\n      }\n    });\n}\n```\n\nAdd to `index.ts`: `registerGetCommand(program);`\n\nExtend LabdClient with generic resource methods.",
+        "testStrategy": "1. Integration test: `labctl get servers` returns list from labd\n2. Test filtering: `labctl get servers --status discovered` only shows discovered\n3. Test name lookup: `labctl get server labmaster` returns single server\n4. Test MAC lookup: `labctl get server 38:05:25:33:e2:e4` resolves by MAC\n5. Test output formats: -o json, -o yaml, -o wide produce correct output\n6. Test unknown resource: `labctl get foo` shows helpful error",
+        "priority": "high",
+        "dependencies": [
+          76
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 78,
+        "title": "Implement 'labctl describe' Command",
+        "description": "Create the 'labctl describe <resource> <name>' command that shows detailed information about a resource including relationships, hardware info, and history.",
+        "details": "Create `bastion/src/cli/src/commands/describe.ts`:\n\n```typescript\nimport { Command } from \"commander\";\nimport { resolveResourceType } from \"../utils/resources.js\";\nimport { getLabdClient } from \"../api/config.js\";\n\nconst BOLD = \"\\x1b[1m\";\nconst DIM = \"\\x1b[2m\";\nconst RESET = \"\\x1b[0m\";\n\ninterface DescribeSection {\n  title: string;\n  fields: Array<[string, string | undefined]>;\n}\n\nfunction printDescribe(name: string, sections: DescribeSection[]): void {\n  console.log(`${BOLD}Name:${RESET} ${name}`);\n  for (const section of sections) {\n    console.log(`\\n${BOLD}${section.title}:${RESET}`);\n    for (const [key, value] of section.fields) {\n      if (value !== undefined) {\n        console.log(`  ${DIM}${key}:${RESET} ${value}`);\n      }\n    }\n  }\n}\n\nexport function registerDescribeCommand(program: Command): void {\n  program\n    .command(\"describe <resource> <name>\")\n    .description(\"Show detailed information about a resource\")\n    .action(async (resource: string, name: string) => {\n      const resourceDef = resolveResourceType(resource);\n      const client = getLabdClient();\n      \n      try {\n        const item = await client.describeResource(resourceDef, name);\n        if (!item) {\n          console.error(`${resourceDef.singular} \"${name}\" not found.`);\n          process.exit(1);\n        }\n        \n        // Resource-specific formatting\n        switch (resourceDef.kind) {\n          case \"Server\":\n            printServerDescription(item);\n            break;\n          case \"Cluster\":\n            printClusterDescription(item);\n            break;\n          default:\n            console.log(JSON.stringify(item, null, 2));\n        }\n      } catch (err) {\n        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);\n        process.exit(1);\n      }\n    });\n}\n\nfunction printServerDescription(server: any): void {\n  const sections: DescribeSection[] = [\n    {\n      title: \"Metadata\",\n      fields: [\n        [\"ID\", server.id],\n        [\"Cloud\", server.cloud],\n        [\"Environment\", server.environment],\n        [\"Role\", server.role],\n        [\"Status\", server.status],\n        [\"Created\", server.createdAt],\n        [\"Last Seen\", server.lastHeartbeat],\n      ],\n    },\n    {\n      title: \"Hardware\",\n      fields: [\n        [\"MAC\", server.mac],\n        [\"IP\", server.ip],\n        [\"Architecture\", server.hardwareInfo?.arch],\n        [\"CPU\", server.hardwareInfo?.cpu_model],\n        [\"Cores\", String(server.hardwareInfo?.cpu_cores)],\n        [\"Memory\", `${server.hardwareInfo?.memory_gb}GB`],\n        [\"Product\", server.hardwareInfo?.product],\n      ],\n    },\n  ];\n  \n  if (server.nics?.length > 0) {\n    sections.push({\n      title: \"Network Interfaces\",\n      fields: server.nics.map((n: any) => [n.name, `${n.mac} ${n.ip ?? \"\"} (${n.state})`]),\n    });\n  }\n  \n  if (server.disks?.length > 0) {\n    sections.push({\n      title: \"Disks\",\n      fields: server.disks.map((d: any) => [d.name, `${d.sizeGb}GB ${d.model ?? \"\"}`]),\n    });\n  }\n  \n  if (server.clusterMemberships?.length > 0) {\n    sections.push({\n      title: \"Cluster Membership\",\n      fields: server.clusterMemberships.map((m: any) => [m.cluster.name, m.role]),\n    });\n  }\n  \n  printDescribe(server.hostname, sections);\n}\n```",
+        "testStrategy": "1. Integration test: `labctl describe server labmaster` shows full details\n2. Test hardware info display: CPU, memory, disks, NICs all shown\n3. Test cluster membership: server in cluster shows membership section\n4. Test not found: `labctl describe server nonexistent` shows helpful error\n5. Test different resource types: describe cluster, network, bastion",
+        "priority": "medium",
+        "dependencies": [
+          77
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 79,
+        "title": "Implement 'labctl create/delete' Commands",
+        "description": "Create the 'labctl create <resource>' and 'labctl delete <resource> <name>' commands for creating and removing resources like networks, clusters, and tokens.",
+        "details": "Create `bastion/src/cli/src/commands/create.ts`:\n\n```typescript\nimport { Command } from \"commander\";\nimport { resolveResourceType } from \"../utils/resources.js\";\nimport { getLabdClient } from \"../api/config.js\";\n\nexport function registerCreateCommand(program: Command): void {\n  const create = program\n    .command(\"create <resource>\")\n    .description(\"Create a resource\");\n  \n  // labctl create network --name lab --cidr 192.168.8.0/24\n  create\n    .command(\"network\")\n    .description(\"Create a network\")\n    .requiredOption(\"--name <name>\", \"Network name\")\n    .requiredOption(\"--cidr <cidr>\", \"Network CIDR (e.g., 192.168.8.0/24)\")\n    .option(\"--gateway <gateway>\", \"Gateway IP\")\n    .option(\"--vlan <vlan>\", \"VLAN ID\", parseInt)\n    .option(\"--domain <domain>\", \"DNS domain\")\n    .option(\"--dhcp\", \"Enable DHCP\")\n    .action(async (opts) => {\n      const client = getLabdClient();\n      try {\n        const network = await client.createNetwork({\n          name: opts.name,\n          cidr: opts.cidr,\n          gateway: opts.gateway,\n          vlan: opts.vlan,\n          domain: opts.domain,\n          dhcpEnabled: opts.dhcp ?? false,\n        });\n        console.log(`network/${network.name} created`);\n      } catch (err) {\n        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);\n        process.exit(1);\n      }\n    });\n  \n  // labctl create token --label \"worker enrollment\" --type reusable\n  create\n    .command(\"token\")\n    .description(\"Create a join token\")\n    .option(\"--label <label>\", \"Token label/description\")\n    .option(\"--type <type>\", \"Token type: one-time or reusable\", \"one-time\")\n    .option(\"--expires <duration>\", \"Expiration (e.g., 24h, 7d)\")\n    .action(async (opts) => {\n      const client = getLabdClient();\n      try {\n        const token = await client.createToken(opts);\n        console.log(`Token created: ${token.token}`);\n        if (opts.label) console.log(`Label: ${opts.label}`);\n        if (token.expiresAt) console.log(`Expires: ${token.expiresAt}`);\n      } catch (err) {\n        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);\n        process.exit(1);\n      }\n    });\n}\n```\n\nCreate `bastion/src/cli/src/commands/delete.ts`:\n\n```typescript\nexport function registerDeleteCommand(program: Command): void {\n  program\n    .command(\"delete <resource> <name>\")\n    .description(\"Delete a resource\")\n    .option(\"--force\", \"Skip confirmation\")\n    .action(async (resource: string, name: string, opts) => {\n      const resourceDef = resolveResourceType(resource);\n      const client = getLabdClient();\n      \n      if (!opts.force) {\n        const { confirm } = await import(\"../utils/prompts.js\");\n        const yes = await confirm(`Delete ${resourceDef.singular} \"${name}\"?`);\n        if (!yes) {\n          console.log(\"Cancelled.\");\n          return;\n        }\n      }\n      \n      try {\n        await client.deleteResource(resourceDef, name);\n        console.log(`${resourceDef.singular}/${name} deleted`);\n      } catch (err) {\n        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);\n        process.exit(1);\n      }\n    });\n}\n```",
+        "testStrategy": "1. Integration test: `labctl create network` creates network in DB\n2. Test validation: missing required flags shows helpful error\n3. Test token creation: token returned is valid UUID, stored in DB\n4. Test delete with confirmation: prompts user, respects --force\n5. Test delete cascade: deleting server removes NICs, disks\n6. Test delete protection: cannot delete bastion with connected servers",
+        "priority": "medium",
+        "dependencies": [
+          77
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 80,
+        "title": "Refactor Provision Commands to kubectl-style",
+        "description": "Refactor existing provision commands to use kubectl-style syntax: 'labctl provision <server>' instead of 'labctl provision install <mac>'.",
+        "details": "The new command structure should be:\n- `labctl provision <server> --os fedora-43 --role worker` (queue install)\n- `labctl reprovision <server>` (reinstall)\n- `labctl forget <server>` (remove from tracking)\n\nModify `bastion/src/cli/src/commands/install.ts` → rename to `provision.ts`:\n\n```typescript\nexport function registerProvisionCommand(program: Command): void {\n  program\n    .command(\"provision <server>\")\n    .description(\"Queue a server for OS installation\")\n    .requiredOption(\"--os <os>\", \"Operating system\", \"fedora-43\")\n    .requiredOption(\"--role <role>\", \"Server role\", \"worker\")\n    .option(\"--disk <disk>\", \"Target disk (auto-detected if not specified)\")\n    .option(\"--hostname <hostname>\", \"Override hostname\")\n    .action(async (server: string, opts) => {\n      const client = getLabdClient();\n      \n      // Resolve server: could be hostname, MAC, or ID\n      const resolved = await client.resolveServer(server);\n      if (!resolved) {\n        console.error(`Server \"${server}\" not found.`);\n        console.error(\"Tip: Use 'labctl get servers' to see available servers.\");\n        process.exit(1);\n      }\n      \n      if (resolved.status === \"installed\") {\n        console.error(`Server \"${resolved.hostname}\" is already installed.`);\n        console.error(\"Tip: Use 'labctl reprovision' to reinstall.\");\n        process.exit(1);\n      }\n      \n      try {\n        await client.provisionServer(resolved.mac, {\n          hostname: opts.hostname ?? resolved.hostname,\n          os: opts.os,\n          role: opts.role,\n          disk: opts.disk,\n        });\n        console.log(`Server ${resolved.hostname} queued for ${opts.os} installation as ${opts.role}.`);\n      } catch (err) {\n        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);\n        process.exit(1);\n      }\n    });\n}\n```\n\nSimilarly update reprovision.ts and forget.ts to accept server name/MAC/ID.\n\nUpdate index.ts to register commands at top level instead of under 'provision' subcommand.",
+        "testStrategy": "1. Test server resolution: provision by hostname, MAC, or UUID all work\n2. Test already installed: provisioning installed server shows reprovision hint\n3. Test unknown server: helpful error message with tip\n4. Test reprovision: reinstalls installed server\n5. Test forget: removes server from all state categories\n6. Backward compat: verify 'labctl provision list' still works (deprecation warning)",
+        "priority": "medium",
+        "dependencies": [
+          77
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 81,
+        "title": "Implement Server and Resource API Endpoints in labd",
+        "description": "Add REST API endpoints in labd for full resource CRUD operations: networks, clusters, tokens. Extend servers endpoint with filters and relationship includes.",
+        "details": "Create/extend labd route files:\n\n1. **Extend servers.ts**:\n```typescript\n// GET /api/servers - with extended filters and includes\napp.get(\"/api/servers\", async (request, reply) => {\n  const { status, role, cloud, environment, label, include } = request.query;\n  \n  const where = {};\n  if (status) where.status = status;\n  if (role) where.role = role;\n  if (cloud) where.cloud = cloud;\n  if (environment) where.environment = environment;\n  if (label) where.labels = { path: [labelKey], equals: labelValue };\n  \n  const servers = await db.server.findMany({\n    where,\n    include: {\n      nics: include?.includes(\"nics\"),\n      disks: include?.includes(\"disks\"),\n      clusterMemberships: include?.includes(\"clusters\") ? { include: { cluster: true } } : false,\n      bastion: include?.includes(\"bastion\"),\n    },\n  });\n  return servers;\n});\n\n// GET /api/servers/:id - by ID, hostname, or MAC\napp.get(\"/api/servers/:identifier\", async (request, reply) => {\n  const { identifier } = request.params;\n  \n  // Try UUID first\n  let server = await db.server.findUnique({ where: { id: identifier }, include: fullInclude });\n  // Try hostname\n  if (!server) server = await db.server.findUnique({ where: { hostname: identifier }, include: fullInclude });\n  // Try MAC\n  if (!server) server = await db.server.findUnique({ where: { mac: identifier.toLowerCase() }, include: fullInclude });\n  \n  if (!server) return reply.code(404).send({ error: \"Server not found\" });\n  return server;\n});\n```\n\n2. **Create networks.ts**:\n```typescript\n// GET /api/networks, POST /api/networks, DELETE /api/networks/:id\nexport function registerNetworkRoutes(app: FastifyInstance, db: DbClient): void {\n  app.get(\"/api/networks\", async () => db.network.findMany());\n  \n  app.post(\"/api/networks\", async (request, reply) => {\n    const { name, cidr, gateway, vlan, domain, dhcpEnabled } = request.body;\n    // Validate CIDR format\n    const network = await db.network.create({ data: { name, cidr, gateway, vlan, domain, dhcpEnabled } });\n    return reply.code(201).send(network);\n  });\n  \n  app.delete(\"/api/networks/:id\", async (request, reply) => {\n    await db.network.delete({ where: { id: request.params.id } });\n    return reply.code(204).send();\n  });\n}\n```\n\n3. **Create clusters.ts**:\n```typescript\n// Similar CRUD for clusters with member management\napp.get(\"/api/clusters/:id/members\", ...);\napp.post(\"/api/clusters/:id/members\", ...);\napp.delete(\"/api/clusters/:id/members/:serverId\", ...);\n```",
+        "testStrategy": "1. Integration test all CRUD endpoints with HTTP client\n2. Test server resolution: by id, hostname, and MAC all return same server\n3. Test include parameter: nics, disks, clusters included when requested\n4. Test validation: invalid CIDR rejected, duplicate names rejected\n5. Test cascade: delete network with NICs fails or cascades appropriately",
+        "priority": "medium",
+        "dependencies": [
+          72,
+          73
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 82,
+        "title": "Implement RBAC Permission Checks in CLI",
+        "description": "Wire RBAC permission checks into CLI commands. Check user permissions before executing operations using the existing Permission model.",
+        "details": "1. Create `bastion/src/cli/src/middleware/rbac.ts`:\n\n```typescript\nimport { getLabdClient } from \"../api/config.js\";\n\nexport interface PermissionContext {\n  action: string;      // read, exec, apply, destroy, manage, admin\n  cloud?: string;\n  environment?: string;\n  server?: string;\n}\n\nexport async function checkPermission(ctx: PermissionContext): Promise<boolean> {\n  const client = getLabdClient();\n  try {\n    const result = await client.checkPermission(ctx);\n    return result.allowed;\n  } catch {\n    // If can't reach labd, fail open for local operations\n    return true;\n  }\n}\n\nexport async function requirePermission(ctx: PermissionContext): Promise<void> {\n  const allowed = await checkPermission(ctx);\n  if (!allowed) {\n    throw new Error(\n      `Permission denied: ${ctx.action} on ${ctx.server ?? \"*\"}@${ctx.cloud ?? \"*\"}/${ctx.environment ?? \"*\"}`\n    );\n  }\n}\n```\n\n2. Add labd endpoint `POST /api/auth/check-permission`:\n```typescript\napp.post(\"/api/auth/check-permission\", async (request, reply) => {\n  const user = await authenticateRequest(request); // from cert or token\n  const { action, cloud, environment, server } = request.body;\n  \n  const permissions = await db.permission.findMany({\n    where: {\n      role: { userBindings: { some: { userId: user.id } } },\n    },\n  });\n  \n  const allowed = permissions.some(p => \n    matchesPattern(p.action, action) &&\n    matchesPattern(p.cloud, cloud ?? \"*\") &&\n    matchesPattern(p.environment, environment ?? \"*\") &&\n    matchesPattern(p.server, server ?? \"*\")\n  );\n  \n  return { allowed };\n});\n```\n\n3. Integrate into commands:\n```typescript\n// In provision command\nawait requirePermission({ action: \"apply\", cloud, environment, server: resolved.hostname });\n\n// In delete command\nawait requirePermission({ action: \"destroy\", cloud, environment, server: name });\n\n// In get command (filter results)\nconst servers = await client.listServers(filters);\nconst visible = await filterByPermission(servers, \"read\");\n```",
+        "testStrategy": "1. Unit test permission matching logic with wildcards\n2. Test admin role: has access to all resources\n3. Test operator role: can read/exec but not destroy\n4. Test viewer role: can only read, provision denied\n5. Test scope matching: permission for cloud=aws doesn't grant access to cloud=baremetal\n6. Test denied action is audit-logged",
+        "priority": "medium",
+        "dependencies": [
+          77,
+          81
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 83,
+        "title": "Implement Audit Logging for Resource Operations",
+        "description": "Log all resource mutations to the AuditLog table. Include user, action, resource type/name, result, and source IP.",
+        "details": "1. Create `bastion/src/labd/src/services/audit.ts`:\n\n```typescript\nimport type { PrismaClient } from \"@prisma/client\";\n\nexport interface AuditEntry {\n  userId?: string;\n  serverId?: string;\n  sessionId?: string;\n  action: string;         // create, update, delete, provision, exec, rbac-denied\n  resourceType: string;   // server, cluster, network, token, etc.\n  resourceName: string;\n  args?: string;          // sanitized args (no secrets)\n  result: \"success\" | \"denied\" | \"error\";\n  durationMs?: number;\n  sourceIp?: string;\n}\n\nexport class AuditService {\n  constructor(private readonly db: PrismaClient) {}\n  \n  async log(entry: AuditEntry): Promise<void> {\n    await this.db.auditLog.create({\n      data: {\n        userId: entry.userId,\n        serverId: entry.serverId,\n        sessionId: entry.sessionId,\n        action: entry.action,\n        resourceType: entry.resourceType,\n        resourceName: entry.resourceName,\n        args: entry.args,\n        result: entry.result,\n        durationMs: entry.durationMs,\n        sourceIp: entry.sourceIp,\n      },\n    });\n  }\n  \n  async query(filters: {\n    userId?: string;\n    action?: string;\n    resourceType?: string;\n    since?: Date;\n    limit?: number;\n  }): Promise<AuditEntry[]> {\n    return this.db.auditLog.findMany({\n      where: {\n        userId: filters.userId,\n        action: filters.action,\n        resourceType: filters.resourceType,\n        timestamp: filters.since ? { gte: filters.since } : undefined,\n      },\n      orderBy: { timestamp: \"desc\" },\n      take: filters.limit ?? 100,\n    });\n  }\n}\n```\n\n2. Add Fastify hook to wrap route handlers:\n```typescript\napp.addHook(\"onResponse\", async (request, reply) => {\n  // Log mutations (POST, PUT, DELETE)\n  if ([\"POST\", \"PUT\", \"DELETE\"].includes(request.method)) {\n    const path = request.url;\n    const resourceMatch = path.match(/\\/api\\/(\\w+)(?:\\/([^/]+))?/);\n    if (resourceMatch) {\n      await auditService.log({\n        action: methodToAction(request.method),\n        resourceType: resourceMatch[1],\n        resourceName: resourceMatch[2] ?? \"\",\n        result: reply.statusCode < 400 ? \"success\" : \"error\",\n        sourceIp: request.ip,\n      });\n    }\n  }\n});\n```\n\n3. Add `labctl get audit` command to view audit logs.",
+        "testStrategy": "1. Integration test: create network, verify audit log entry created\n2. Test RBAC denial is logged with result=denied\n3. Test sensitive data sanitization: tokens/passwords not in args\n4. Test query filters: by user, action, resourceType, time range\n5. Test `labctl get audit` displays recent entries correctly",
+        "priority": "medium",
+        "dependencies": [
+          81,
+          82
+        ],
+        "status": "pending",
+        "subtasks": []
+      },
+      {
+        "id": 84,
+        "title": "Update CLI Entry Point and Help Text",
+        "description": "Update the CLI entry point to register all new commands and update help text to reflect the kubectl-style interface. Add deprecation warnings for old command structure.",
+        "details": "Update `bastion/src/cli/src/index.ts`:\n\n```typescript\nimport { Command } from \"commander\";\nimport { APP_VERSION } from \"@lab/shared\";\nimport { loadConfig } from \"./config/index.js\";\n\n// New kubectl-style commands\nimport { registerGetCommand } from \"./commands/get.js\";\nimport { registerDescribeCommand } from \"./commands/describe.js\";\nimport { registerCreateCommand } from \"./commands/create.js\";\nimport { registerDeleteCommand } from \"./commands/delete.js\";\nimport { registerApplyCommand } from \"./commands/apply.js\";\nimport { registerEditCommand } from \"./commands/edit.js\";\n\n// Action commands\nimport { registerProvisionCommand } from \"./commands/provision.js\";\nimport { registerReprovisionCommand } from \"./commands/reprovision.js\";\nimport { registerForgetCommand } from \"./commands/forget.js\";\n\n// Bastion management\nimport { registerBastionCommand } from \"./commands/bastion.js\"; // start/stop/status\n\n// App management (unchanged)\nimport { registerAppCommand } from \"./commands/app.js\";\n\n// Utility\nimport { registerConfigCommand } from \"./commands/config.js\";\nimport { registerLoginCommand } from \"./commands/login.js\";\nimport { registerDoctorCommand } from \"./commands/doctor.js\";\n\nexport function createProgram(): Command {\n  const program = new Command();\n  \n  program\n    .name(\"labctl\")\n    .description(\"Lab infrastructure management CLI\")\n    .version(APP_VERSION);\n  \n  // Global options\n  program\n    .option(\"-o, --output <format>\", \"output format (table, json, yaml, wide)\", \"table\")\n    .option(\"--server <url>\", \"override labd server URL\")\n    .option(\"--env <name>\", \"override default environment\")\n    .option(\"--cloud <name>\", \"override default cloud\")\n    .option(\"--debug\", \"enable debug output\")\n    .option(\"--no-color\", \"disable colored output\");\n  \n  // Core CRUD commands\n  registerGetCommand(program);        // labctl get <resource> [name]\n  registerDescribeCommand(program);   // labctl describe <resource> <name>\n  registerCreateCommand(program);     // labctl create <resource>\n  registerDeleteCommand(program);     // labctl delete <resource> <name>\n  registerApplyCommand(program);      // labctl apply -f <file>\n  registerEditCommand(program);       // labctl edit <resource> <name>\n  \n  // Provisioning actions\n  registerProvisionCommand(program);  // labctl provision <server>\n  registerReprovisionCommand(program);// labctl reprovision <server>\n  registerForgetCommand(program);     // labctl forget <server>\n  \n  // Bastion management\n  registerBastionCommand(program);    // labctl bastion start|stop|status\n  \n  // App management\n  registerAppCommand(program);        // labctl app install|health k3s\n  \n  // Utility\n  registerConfigCommand(program);\n  registerLoginCommand(program);\n  registerDoctorCommand(program);\n  \n  // Legacy compatibility with deprecation warnings\n  registerLegacyCommands(program);\n  \n  return program;\n}\n\nfunction registerLegacyCommands(program: Command): void {\n  // labctl provision list -> labctl get servers (with warning)\n  program\n    .command(\"provision\")\n    .command(\"list\")\n    .action(() => {\n      console.warn(\"DEPRECATED: Use 'labctl get servers' instead.\");\n      // Delegate to get servers\n    });\n}\n```\n\nUpdate shell completions in `scripts/generate-completions.ts` for new command structure.",
+        "testStrategy": "1. Test --help shows all new commands with descriptions\n2. Test resource type help: `labctl get --help` lists valid resources\n3. Test deprecated commands show warning but still work\n4. Test shell completions generated for new commands\n5. Test global options: -o, --server, --env, --cloud all work",
+        "priority": "low",
+        "dependencies": [
+          77,
+          78,
+          79,
+          80
+        ],
+        "status": "pending",
+        "subtasks": []
+      }
+    ],
+    "metadata": {
+      "created": "2026-03-26T04:26:49.813Z",
+      "updated": "2026-03-26T04:26:49.813Z",
+      "description": "Tasks for master context"
+    }
+  }
+}
\ No newline at end of file
diff --git a/.taskmaster/templates/example_prd.txt b/.taskmaster/templates/example_prd.txt
new file mode 100644
index 0000000..194114d
--- /dev/null
+++ b/.taskmaster/templates/example_prd.txt
@@ -0,0 +1,47 @@
+<context>
+# Overview  
+[Provide a high-level overview of your product here. Explain what problem it solves, who it's for, and why it's valuable.]
+
+# Core Features  
+[List and describe the main features of your product. For each feature, include:
+- What it does
+- Why it's important
+- How it works at a high level]
+
+# User Experience  
+[Describe the user journey and experience. Include:
+- User personas
+- Key user flows
+- UI/UX considerations]
+</context>
+<PRD>
+# Technical Architecture  
+[Outline the technical implementation details:
+- System components
+- Data models
+- APIs and integrations
+- Infrastructure requirements]
+
+# Development Roadmap  
+[Break down the development process into phases:
+- MVP requirements
+- Future enhancements
+- Do not think about timelines whatsoever -- all that matters is scope and detailing exactly what needs to be build in each phase so it can later be cut up into tasks]
+
+# Logical Dependency Chain
+[Define the logical order of development:
+- Which features need to be built first (foundation)
+- Getting as quickly as possible to something usable/visible front end that works
+- Properly pacing and scoping each feature so it is atomic but can also be built upon and improved as development approaches]
+
+# Risks and Mitigations  
+[Identify potential risks and how they'll be addressed:
+- Technical challenges
+- Figuring out the MVP that we can build upon
+- Resource constraints]
+
+# Appendix  
+[Include any additional information:
+- Research findings
+- Technical specifications]
+</PRD>
\ No newline at end of file
diff --git a/.taskmaster/templates/example_prd_rpg.txt b/.taskmaster/templates/example_prd_rpg.txt
new file mode 100644
index 0000000..5ad908f
--- /dev/null
+++ b/.taskmaster/templates/example_prd_rpg.txt
@@ -0,0 +1,511 @@
+<rpg-method>
+# Repository Planning Graph (RPG) Method - PRD Template
+
+This template teaches you (AI or human) how to create structured, dependency-aware PRDs using the RPG methodology from Microsoft Research. The key insight: separate WHAT (functional) from HOW (structural), then connect them with explicit dependencies.
+
+## Core Principles
+
+1. **Dual-Semantics**: Think functional (capabilities) AND structural (code organization) separately, then map them
+2. **Explicit Dependencies**: Never assume - always state what depends on what
+3. **Topological Order**: Build foundation first, then layers on top
+4. **Progressive Refinement**: Start broad, refine iteratively
+
+## How to Use This Template
+
+- Follow the instructions in each `<instruction>` block
+- Look at `<example>` blocks to see good vs bad patterns
+- Fill in the content sections with your project details
+- The AI reading this will learn the RPG method by following along
+- Task Master will parse the resulting PRD into dependency-aware tasks
+
+## Recommended Tools for Creating PRDs
+
+When using this template to **create** a PRD (not parse it), use **code-context-aware AI assistants** for best results:
+
+**Why?** The AI needs to understand your existing codebase to make good architectural decisions about modules, dependencies, and integration points.
+
+**Recommended tools:**
+- **Claude Code** (claude-code CLI) - Best for structured reasoning and large contexts
+- **Cursor/Windsurf** - IDE integration with full codebase context
+- **Gemini CLI** (gemini-cli) - Massive context window for large codebases
+- **Codex/Grok CLI** - Strong code generation with context awareness
+
+**Note:** Once your PRD is created, `task-master parse-prd` works with any configured AI model - it just needs to read the PRD text itself, not your codebase.
+</rpg-method>
+
+---
+
+<overview>
+<instruction>
+Start with the problem, not the solution. Be specific about:
+- What pain point exists?
+- Who experiences it?
+- Why existing solutions don't work?
+- What success looks like (measurable outcomes)?
+
+Keep this section focused - don't jump into implementation details yet.
+</instruction>
+
+## Problem Statement
+[Describe the core problem. Be concrete about user pain points.]
+
+## Target Users
+[Define personas, their workflows, and what they're trying to achieve.]
+
+## Success Metrics
+[Quantifiable outcomes. Examples: "80% task completion via autopilot", "< 5% manual intervention rate"]
+
+</overview>
+
+---
+
+<functional-decomposition>
+<instruction>
+Now think about CAPABILITIES (what the system DOES), not code structure yet.
+
+Step 1: Identify high-level capability domains
+- Think: "What major things does this system do?"
+- Examples: Data Management, Core Processing, Presentation Layer
+
+Step 2: For each capability, enumerate specific features
+- Use explore-exploit strategy:
+  * Exploit: What features are REQUIRED for core value?
+  * Explore: What features make this domain COMPLETE?
+
+Step 3: For each feature, define:
+- Description: What it does in one sentence
+- Inputs: What data/context it needs
+- Outputs: What it produces/returns
+- Behavior: Key logic or transformations
+
+<example type="good">
+Capability: Data Validation
+  Feature: Schema validation
+    - Description: Validate JSON payloads against defined schemas
+    - Inputs: JSON object, schema definition
+    - Outputs: Validation result (pass/fail) + error details
+    - Behavior: Iterate fields, check types, enforce constraints
+
+  Feature: Business rule validation
+    - Description: Apply domain-specific validation rules
+    - Inputs: Validated data object, rule set
+    - Outputs: Boolean + list of violated rules
+    - Behavior: Execute rules sequentially, short-circuit on failure
+</example>
+
+<example type="bad">
+Capability: validation.js
+  (Problem: This is a FILE, not a CAPABILITY. Mixing structure into functional thinking.)
+
+Capability: Validation
+  Feature: Make sure data is good
+  (Problem: Too vague. No inputs/outputs. Not actionable.)
+</example>
+</instruction>
+
+## Capability Tree
+
+### Capability: [Name]
+[Brief description of what this capability domain covers]
+
+#### Feature: [Name]
+- **Description**: [One sentence]
+- **Inputs**: [What it needs]
+- **Outputs**: [What it produces]
+- **Behavior**: [Key logic]
+
+#### Feature: [Name]
+- **Description**:
+- **Inputs**:
+- **Outputs**:
+- **Behavior**:
+
+### Capability: [Name]
+...
+
+</functional-decomposition>
+
+---
+
+<structural-decomposition>
+<instruction>
+NOW think about code organization. Map capabilities to actual file/folder structure.
+
+Rules:
+1. Each capability maps to a module (folder or file)
+2. Features within a capability map to functions/classes
+3. Use clear module boundaries - each module has ONE responsibility
+4. Define what each module exports (public interface)
+
+The goal: Create a clear mapping between "what it does" (functional) and "where it lives" (structural).
+
+<example type="good">
+Capability: Data Validation
+  → Maps to: src/validation/
+    ├── schema-validator.js      (Schema validation feature)
+    ├── rule-validator.js         (Business rule validation feature)
+    └── index.js                  (Public exports)
+
+Exports:
+  - validateSchema(data, schema)
+  - validateRules(data, rules)
+</example>
+
+<example type="bad">
+Capability: Data Validation
+  → Maps to: src/utils.js
+  (Problem: "utils" is not a clear module boundary. Where do I find validation logic?)
+
+Capability: Data Validation
+  → Maps to: src/validation/everything.js
+  (Problem: One giant file. Features should map to separate files for maintainability.)
+</example>
+</instruction>
+
+## Repository Structure
+
+```
+project-root/
+├── src/
+│   ├── [module-name]/       # Maps to: [Capability Name]
+│   │   ├── [file].js        # Maps to: [Feature Name]
+│   │   └── index.js         # Public exports
+│   └── [module-name]/
+├── tests/
+└── docs/
+```
+
+## Module Definitions
+
+### Module: [Name]
+- **Maps to capability**: [Capability from functional decomposition]
+- **Responsibility**: [Single clear purpose]
+- **File structure**:
+  ```
+  module-name/
+  ├── feature1.js
+  ├── feature2.js
+  └── index.js
+  ```
+- **Exports**:
+  - `functionName()` - [what it does]
+  - `ClassName` - [what it does]
+
+</structural-decomposition>
+
+---
+
+<dependency-graph>
+<instruction>
+This is THE CRITICAL SECTION for Task Master parsing.
+
+Define explicit dependencies between modules. This creates the topological order for task execution.
+
+Rules:
+1. List modules in dependency order (foundation first)
+2. For each module, state what it depends on
+3. Foundation modules should have NO dependencies
+4. Every non-foundation module should depend on at least one other module
+5. Think: "What must EXIST before I can build this module?"
+
+<example type="good">
+Foundation Layer (no dependencies):
+  - error-handling: No dependencies
+  - config-manager: No dependencies
+  - base-types: No dependencies
+
+Data Layer:
+  - schema-validator: Depends on [base-types, error-handling]
+  - data-ingestion: Depends on [schema-validator, config-manager]
+
+Core Layer:
+  - algorithm-engine: Depends on [base-types, error-handling]
+  - pipeline-orchestrator: Depends on [algorithm-engine, data-ingestion]
+</example>
+
+<example type="bad">
+- validation: Depends on API
+- API: Depends on validation
+(Problem: Circular dependency. This will cause build/runtime issues.)
+
+- user-auth: Depends on everything
+(Problem: Too many dependencies. Should be more focused.)
+</example>
+</instruction>
+
+## Dependency Chain
+
+### Foundation Layer (Phase 0)
+No dependencies - these are built first.
+
+- **[Module Name]**: [What it provides]
+- **[Module Name]**: [What it provides]
+
+### [Layer Name] (Phase 1)
+- **[Module Name]**: Depends on [[module-from-phase-0], [module-from-phase-0]]
+- **[Module Name]**: Depends on [[module-from-phase-0]]
+
+### [Layer Name] (Phase 2)
+- **[Module Name]**: Depends on [[module-from-phase-1], [module-from-foundation]]
+
+[Continue building up layers...]
+
+</dependency-graph>
+
+---
+
+<implementation-roadmap>
+<instruction>
+Turn the dependency graph into concrete development phases.
+
+Each phase should:
+1. Have clear entry criteria (what must exist before starting)
+2. Contain tasks that can be parallelized (no inter-dependencies within phase)
+3. Have clear exit criteria (how do we know phase is complete?)
+4. Build toward something USABLE (not just infrastructure)
+
+Phase ordering follows topological sort of dependency graph.
+
+<example type="good">
+Phase 0: Foundation
+  Entry: Clean repository
+  Tasks:
+    - Implement error handling utilities
+    - Create base type definitions
+    - Setup configuration system
+  Exit: Other modules can import foundation without errors
+
+Phase 1: Data Layer
+  Entry: Phase 0 complete
+  Tasks:
+    - Implement schema validator (uses: base types, error handling)
+    - Build data ingestion pipeline (uses: validator, config)
+  Exit: End-to-end data flow from input to validated output
+</example>
+
+<example type="bad">
+Phase 1: Build Everything
+  Tasks:
+    - API
+    - Database
+    - UI
+    - Tests
+  (Problem: No clear focus. Too broad. Dependencies not considered.)
+</example>
+</instruction>
+
+## Development Phases
+
+### Phase 0: [Foundation Name]
+**Goal**: [What foundational capability this establishes]
+
+**Entry Criteria**: [What must be true before starting]
+
+**Tasks**:
+- [ ] [Task name] (depends on: [none or list])
+  - Acceptance criteria: [How we know it's done]
+  - Test strategy: [What tests prove it works]
+
+- [ ] [Task name] (depends on: [none or list])
+
+**Exit Criteria**: [Observable outcome that proves phase complete]
+
+**Delivers**: [What can users/developers do after this phase?]
+
+---
+
+### Phase 1: [Layer Name]
+**Goal**:
+
+**Entry Criteria**: Phase 0 complete
+
+**Tasks**:
+- [ ] [Task name] (depends on: [[tasks-from-phase-0]])
+- [ ] [Task name] (depends on: [[tasks-from-phase-0]])
+
+**Exit Criteria**:
+
+**Delivers**:
+
+---
+
+[Continue with more phases...]
+
+</implementation-roadmap>
+
+---
+
+<test-strategy>
+<instruction>
+Define how testing will be integrated throughout development (TDD approach).
+
+Specify:
+1. Test pyramid ratios (unit vs integration vs e2e)
+2. Coverage requirements
+3. Critical test scenarios
+4. Test generation guidelines for Surgical Test Generator
+
+This section guides the AI when generating tests during the RED phase of TDD.
+
+<example type="good">
+Critical Test Scenarios for Data Validation module:
+  - Happy path: Valid data passes all checks
+  - Edge cases: Empty strings, null values, boundary numbers
+  - Error cases: Invalid types, missing required fields
+  - Integration: Validator works with ingestion pipeline
+</example>
+</instruction>
+
+## Test Pyramid
+
+```
+        /\
+       /E2E\       ← [X]% (End-to-end, slow, comprehensive)
+      /------\
+     /Integration\ ← [Y]% (Module interactions)
+    /------------\
+   /  Unit Tests  \ ← [Z]% (Fast, isolated, deterministic)
+  /----------------\
+```
+
+## Coverage Requirements
+- Line coverage: [X]% minimum
+- Branch coverage: [X]% minimum
+- Function coverage: [X]% minimum
+- Statement coverage: [X]% minimum
+
+## Critical Test Scenarios
+
+### [Module/Feature Name]
+**Happy path**:
+- [Scenario description]
+- Expected: [What should happen]
+
+**Edge cases**:
+- [Scenario description]
+- Expected: [What should happen]
+
+**Error cases**:
+- [Scenario description]
+- Expected: [How system handles failure]
+
+**Integration points**:
+- [What interactions to test]
+- Expected: [End-to-end behavior]
+
+## Test Generation Guidelines
+[Specific instructions for Surgical Test Generator about what to focus on, what patterns to follow, project-specific test conventions]
+
+</test-strategy>
+
+---
+
+<architecture>
+<instruction>
+Describe technical architecture, data models, and key design decisions.
+
+Keep this section AFTER functional/structural decomposition - implementation details come after understanding structure.
+</instruction>
+
+## System Components
+[Major architectural pieces and their responsibilities]
+
+## Data Models
+[Core data structures, schemas, database design]
+
+## Technology Stack
+[Languages, frameworks, key libraries]
+
+**Decision: [Technology/Pattern]**
+- **Rationale**: [Why chosen]
+- **Trade-offs**: [What we're giving up]
+- **Alternatives considered**: [What else we looked at]
+
+</architecture>
+
+---
+
+<risks>
+<instruction>
+Identify risks that could derail development and how to mitigate them.
+
+Categories:
+- Technical risks (complexity, unknowns)
+- Dependency risks (blocking issues)
+- Scope risks (creep, underestimation)
+</instruction>
+
+## Technical Risks
+**Risk**: [Description]
+- **Impact**: [High/Medium/Low - effect on project]
+- **Likelihood**: [High/Medium/Low]
+- **Mitigation**: [How to address]
+- **Fallback**: [Plan B if mitigation fails]
+
+## Dependency Risks
+[External dependencies, blocking issues]
+
+## Scope Risks
+[Scope creep, underestimation, unclear requirements]
+
+</risks>
+
+---
+
+<appendix>
+## References
+[Papers, documentation, similar systems]
+
+## Glossary
+[Domain-specific terms]
+
+## Open Questions
+[Things to resolve during development]
+</appendix>
+
+---
+
+<task-master-integration>
+# How Task Master Uses This PRD
+
+When you run `task-master parse-prd <file>.txt`, the parser:
+
+1. **Extracts capabilities** → Main tasks
+   - Each `### Capability:` becomes a top-level task
+
+2. **Extracts features** → Subtasks
+   - Each `#### Feature:` becomes a subtask under its capability
+
+3. **Parses dependencies** → Task dependencies
+   - `Depends on: [X, Y]` sets task.dependencies = ["X", "Y"]
+
+4. **Orders by phases** → Task priorities
+   - Phase 0 tasks = highest priority
+   - Phase N tasks = lower priority, properly sequenced
+
+5. **Uses test strategy** → Test generation context
+   - Feeds test scenarios to Surgical Test Generator during implementation
+
+**Result**: A dependency-aware task graph that can be executed in topological order.
+
+## Why RPG Structure Matters
+
+Traditional flat PRDs lead to:
+- ❌ Unclear task dependencies
+- ❌ Arbitrary task ordering
+- ❌ Circular dependencies discovered late
+- ❌ Poorly scoped tasks
+
+RPG-structured PRDs provide:
+- ✅ Explicit dependency chains
+- ✅ Topological execution order
+- ✅ Clear module boundaries
+- ✅ Validated task graph before implementation
+
+## Tips for Best Results
+
+1. **Spend time on dependency graph** - This is the most valuable section for Task Master
+2. **Keep features atomic** - Each feature should be independently testable
+3. **Progressive refinement** - Start broad, use `task-master expand` to break down complex tasks
+4. **Use research mode** - `task-master parse-prd --research` leverages AI for better task generation
+</task-master-integration>
diff --git a/STATUS.md b/STATUS.md
new file mode 100644
index 0000000..941461f
--- /dev/null
+++ b/STATUS.md
@@ -0,0 +1,244 @@
+# labctl Platform — Implementation Status
+
+## What This Document Is
+
+An honest assessment of what code exists, what works, what is stubbed, and what
+hasn't been started — measured against the PRD phases.
+
+---
+
+## Architecture Overview (as built)
+
+```
+labctl CLI ──HTTP──▶ bastion (PXE server)     ← WORKING
+labctl CLI ──HTTP──▶ labd (master daemon)     ← PARTIALLY WORKING
+                       │
+                       ├── CockroachDB/Prisma  ← SCHEMA DEFINED, NOT DEPLOYED
+                       ├── /ws/agent WebSocket  ← ACCEPTS CONNECTIONS, DOES NOT ROUTE
+                       └── mTLS CA              ← NOT IMPLEMENTED
+
+lab-agent ──WS──▶ labd                        ← LIBRARY CODE, NO DAEMON BINARY
+```
+
+---
+
+## Package Inventory
+
+| Package | Lines of Source | Tests | Status |
+|---------|---------------|-------|--------|
+| @lab/shared | ~200 | 0 | Complete — types, protocol, errors |
+| @lab/bastion | ~800 | 32 | **Production-ready** — PXE discovery, install, reprovision |
+| @lab/cli | ~600 | 0 (uses bastion tests) | Complete — all commands implemented |
+| @lab/labd | ~500 | 2 | Partial — routes exist, core features stubbed |
+| @lab/agent | ~300 | 0 | Library only — no daemon binary |
+
+All 5 packages compile. 32 tests pass.
+
+---
+
+## Phase 1: Foundation
+
+### DONE — Working in production
+
+| Feature | Code | How It Works |
+|---------|------|-------------|
+| PXE bastion server | `src/bastion/` | Fastify HTTP + dnsmasq DHCP/TFTP. Machines PXE boot, get iPXE script from `/dispatch?mac=XX`, chain to discovery or install kickstart. State persisted to JSON file. |
+| Machine discovery | `routes/dispatch.ts`, `templates/discover.ks.ts` | Unknown MACs get a mini-kickstart that boots a RAM-only Fedora, scrapes hardware via `/proc`, `/sys`, `dmidecode`, POSTs to `/api/discover`, then reboots. No disk touch. |
+| Machine installation | `routes/api.ts`, `templates/install.ks.ts` | Queue a MAC via `POST /api/install`. Next PXE boot gets a full Kickstart with LVM partitioning (worker: longhorn LV, infra: rancher LV), SSH keys, k3s kernel prereqs, progress callbacks. |
+| Reprovision with data preservation | `commands/reprovision.ts`, `install.ks.ts` | `%pre` script detects existing LVM. Reformats `/`, `/var`, `/boot` but preserves `/home`, `/srv`, `/var/lib/longhorn`, `/var/lib/rancher`. |
+| CLI: init/provision commands | `src/cli/src/commands/` | `labctl init bastion standalone start/stop/status`, `labctl provision list/install/reprovision/forget`. All talk to bastion HTTP API. |
+| CLI: config management | `config/index.ts`, `commands/config.ts` | `labctl config list/get/set/path`. YAML config at `~/.labctl/config.yaml` with env var overrides. |
+| labd scaffold | `src/labd/` | Fastify server with health, server listing, token management routes. Prisma schema for all models. Starts with or without database. |
+| Prisma schema | `prisma/schema.prisma` | 10 models: Server, Agent, User, Role, Permission, UserRole, JoinToken, AuditLog, PulumiRun, Cluster. CockroachDB provider. |
+| Database seeding | `prisma/seed.ts` | Creates admin/viewer/operator roles with proper allow/deny permissions. Idempotent via upsert. |
+| Multi-arch builds + packaging | `nfpm.yaml`, `scripts/` | nfpm config for RPM/DEB. Bun compile for standalone binary (102MB labctl in `dist/`). |
+| Gitea CI/CD | `.gitea/` (on remote) | Lint → typecheck → test → build → publish pipeline on mysources.co.uk. |
+
+### DONE — Code exists, not yet connected end-to-end
+
+| Feature | Code | What's Real | What's Missing |
+|---------|------|------------|----------------|
+| lab-agent connection library | `lab-agent/src/services/connection.ts` | `AgentConnection` class: WebSocket to labd, heartbeat (10s), exponential backoff reconnect (1-30s), state machine (disconnected/connecting/connected/reconnecting), handles server-shutdown messages. | **No daemon binary.** This is a library — nothing starts it. No systemd unit. No enrollment flow. |
+| lab-agent command executor | `lab-agent/src/services/executor.ts` | `CommandExecutor` class: `spawn()` with timeout handling (SIGTERM then SIGKILL after 5s), stdout/stderr streaming via EventEmitter, stdin writing, signal forwarding. | **Not wired to WebSocket.** The executor and connection don't talk to each other. No message dispatch. |
+| Agent registry (labd) | `labd/src/services/agent-registry.ts` | `AgentRegistry`: in-memory Map tracking by serverId and hostname, lifecycle events, heartbeat updates. Singleton exported. | **Not used by /ws/agent handler.** The WebSocket handler in `server.ts` just logs messages — it doesn't call `agentRegistry.register()`. |
+| Message router (labd) | `labd/src/services/message-router.ts` | `MessageRouter`: handler registration, pending request tracking with timeouts, streaming support, log subscription, agent cleanup on disconnect. | **Not used.** `server.ts` doesn't call `messageRouter.handleMessage()`. The router exists but is dead code. |
+| Token management | `labd/src/routes/auth.ts` | Create, list, revoke join tokens. Validates one-time vs reusable, expiry, revocation. Marks tokens as used. | Token validation works. **But enrollment returns `certificatePem: null`** — no actual certificate is issued. |
+| CLI API client | `cli/src/api/client.ts` | `LabdClient` with mTLS support, typed methods for servers/tokens/health/enrollment. | Works for REST endpoints. **No CLI commands use it yet** — existing commands still talk directly to bastion HTTP. |
+| CLI WebSocket streaming | `cli/src/api/websocket.ts` | `streamExec()` and `streamLogs()` functions. | **No `labctl exec` or `labctl logs` commands exist.** The streaming code has no consumer. |
+| Zod validation | `labd/src/validation/` | Schemas for createToken, enrollment, serverFilters, createRole, permission patterns. Middleware for body/query validation. | **Not applied to routes.** The schemas and middleware exist but no route uses `preHandler: [validateBody(schema)]`. |
+| Encryption service | `labd/src/services/encryption.ts` | AES-256-GCM with scrypt key derivation. Encrypt/decrypt roundtrip. Singleton from `CA_ENCRYPTION_KEY` env var. | **Not used anywhere.** No CA key is encrypted, no kubeconfig is stored. |
+| Graceful shutdown | `labd/src/services/shutdown.ts` | SIGTERM/SIGINT handlers, agent notification, message router cleanup, DB disconnect, force exit timer. | Works but agent notification is a no-op since no agents are registered (see above). |
+| Rate limiting | `labd/src/middleware/rate-limit.ts` | `@fastify/rate-limit`: 100/min global, 10/min for enrollment, 20/min for tokens. | **Wired up in `server.ts`.** This actually works. |
+| Health checks | `labd/src/routes/health.ts` | `/healthz`, `/health`, `/health/detailed`, `/health/live`, `/health/ready`. Checks DB latency and agent count. | Works. Returns `agents: { connected: 0 }` since no agents ever register. |
+| Error hierarchy | `shared/src/errors/` | `LabError`, `NotFoundError`, `PermissionDeniedError`, `ValidationError`, `AgentNotConnectedError`. | **Not used in routes.** Routes still use inline `reply.code(404).send({error: ...})`. |
+| Table formatting | `cli/src/utils/table.ts` | `printTable`, `formatStatus`, `formatRelativeTime`, predefined column sets. | **Not used by existing commands.** `provision list` has its own inline formatting. |
+| Resource parsing | `cli/src/utils/resource.ts` | Parse `server/labmaster`, `app/kube-system/nginx` format. | **Not used.** No commands accept `type/name` arguments yet. |
+| Doctor command | `cli/src/commands/doctor.ts` | Config, cert, connectivity diagnostics. | Works standalone. |
+| Login command | `cli/src/commands/login.ts` | Generates EC keypair, prompts for token, POSTs to `/api/auth/user-enroll`. | **labd has no `/api/auth/user-enroll` endpoint.** Only `/api/auth/enroll` exists (for agents). Login will 404. |
+
+### NOT DONE — Phase 1 items from PRD with no code
+
+| Feature | PRD Description | Status |
+|---------|----------------|--------|
+| Certificate Authority | Built-in CA in labd. Generate root CA, sign CSRs, revoke certs, rotate. | **Nothing.** No CA code. No X.509 operations. No `@peculiar/x509` dependency. `EncryptionService` exists but it's for data-at-rest, not PKI. |
+| RBAC engine | Middleware that checks permissions on every request. Deny overrides allow. | **Nothing.** `auth.ts` middleware is a placeholder. No route checks permissions. Anyone can call any endpoint. |
+| Audit logging | Log every action with user, session, action, resource, result, duration. | **Nothing.** `AuditLog` Prisma model exists but nothing writes to it. No audit middleware. |
+| `labctl exec` | Remote command execution via labd → agent WebSocket relay. | **Nothing.** No `exec` CLI command. The executor library exists in lab-agent but isn't connected. |
+| `labctl logs` | Resource-scoped log streaming (server, app, bastion, audit). | **Nothing.** No `logs` CLI command. |
+| `labctl get servers` | List servers from labd with filters. | **Nothing.** No `get` CLI command. The API client has `getServers()` but no command calls it. |
+| Smoke test stack | `podman-compose` with CockroachDB + labd + 2 agents, testing enrollment/heartbeat/exec/RBAC. | **Nothing.** `stack/docker-compose.yml` exists but only runs bastion + CockroachDB, not labd or agents. |
+| Agent enrollment during PXE | Embed join token in kickstart, agent auto-enrolls on first boot. | **Nothing.** Kickstart installs k3s prereqs but doesn't install or start lab-agent. |
+
+---
+
+## Phase 2: Deployment
+
+**Nothing from Phase 2 has been built.**
+
+| Feature | Status |
+|---------|--------|
+| Reprovision labmaster as labmaster.ad.itaz.eu | Not done — manual operation |
+| Deploy k3s with Cilium CNI | Not done — kickstart only sets up kernel prereqs, leaves a comment "run `curl -sfL https://get.k3s.io`" |
+| Deploy CockroachDB on k3s | Not done — `docker-compose.yml` runs it in-memory for dev, no k8s manifests for CRDB |
+| Deploy labd on k3s | **K8s manifests exist** (`deploy/k8s/labd/base/`) — Deployment, Service, ConfigMap, HPA, PDB. But no CockroachDB to connect to and no TLS configured. |
+| Deploy bastion as managed app | Not done — bastion runs standalone, no Pulumi chart |
+| Auto-enroll agents during PXE | Not done — no agent install in kickstart, no token embedding |
+
+---
+
+## Phase 3: Infrastructure as Code
+
+**Nothing from Phase 3 has been built.**
+
+| Feature | Status |
+|---------|--------|
+| Module system | Not done — no `module.yaml`, no module loader |
+| Pulumi charts | Not done — no Pulumi dependency, no chart structure |
+| `labctl apps install/upgrade/rollback` | Not done — no `apps` command |
+| `labctl apply -f` | Not done — no `apply` command |
+| `kubectl proxy` (audited) | Not done — no kubectl proxy |
+| Kubeconfig store (encrypted) | `EncryptionService` exists but nothing uses it. `Cluster.kubeconfigEnc` field exists in Prisma but nothing reads/writes it. |
+
+---
+
+## Phase 4: Multi-Cloud
+
+**Nothing from Phase 4 has been built.**
+
+| Feature | Status |
+|---------|--------|
+| AWS provider | Not done |
+| Reusable join tokens for ASGs | Token model supports `reusable` type, but no AWS integration |
+| Cilium Cluster Mesh | Not done |
+| Ephemeral test environments | Not done |
+| Grafana Loki | Not done |
+
+---
+
+## Infrastructure Files
+
+| File | Status |
+|------|--------|
+| `Dockerfile.labd` | Exists. Multi-stage Alpine build. Would work if you `docker build` it. |
+| `Dockerfile.bastion` | Exists. Multi-stage Fedora build. Would work. |
+| `.dockerignore` | Exists. |
+| `deploy/k8s/labd/base/` | Kustomize manifests for labd (Deployment, Service, ConfigMap, HPA, PDB). Points at a non-existent CockroachDB and has no TLS. |
+| `stack/docker-compose.yml` | Runs bastion + CockroachDB for local dev. Works. |
+| `nfpm.yaml` | RPM/DEB packaging config. Works with `nfpm pkg`. |
+
+---
+
+## The Disconnection Problem
+
+The core issue is that many services were built in isolation but never wired together:
+
+```
+┌─────────────────────────────────────────────────────────┐
+│  BUILT BUT NOT CONNECTED                                │
+│                                                         │
+│  AgentConnection ──✗──▶ /ws/agent handler               │
+│  CommandExecutor ──✗──▶ MessageRouter                   │
+│  MessageRouter   ──✗──▶ /ws/agent handler               │
+│  AgentRegistry   ──✗──▶ /ws/agent handler               │
+│  Zod schemas     ──✗──▶ Route preHandlers               │
+│  Error classes   ──✗──▶ Route error handling             │
+│  LabdClient      ──✗──▶ CLI commands (get/exec/logs)    │
+│  Table formatting──✗──▶ CLI commands                    │
+│  Resource parsing──✗──▶ CLI commands                    │
+│  EncryptionService──✗──▶ CA / kubeconfig storage        │
+│  Login command   ──✗──▶ /api/auth/user-enroll (missing) │
+│  Audit logging   ──✗──▶ Any middleware                  │
+│  RBAC engine     ──✗──▶ Any middleware                  │
+└─────────────────────────────────────────────────────────┘
+```
+
+---
+
+## What Actually Works End-to-End Today
+
+1. **PXE boot a bare-metal machine:**
+   ```
+   labctl init bastion standalone start
+   # Machine PXE boots → discovered automatically
+   labctl provision list
+   labctl provision install AA:BB:CC:DD:EE:FF worker-1 --role worker
+   # Machine reboots → installs Fedora → reports complete
+   ```
+
+2. **Manage bastion lifecycle:**
+   ```
+   labctl init bastion standalone status
+   labctl init bastion standalone stop
+   ```
+
+3. **Start labd (without database):**
+   ```
+   LABD_PORT=3100 tsx src/labd/src/main.ts
+   # Starts with stub DB, health endpoint works, token/server routes return errors
+   ```
+
+4. **Start labd (with CockroachDB):**
+   ```
+   docker-compose -f stack/docker-compose.yml up cockroachdb
+   DATABASE_URL=postgresql://root@localhost:26257/lab tsx src/labd/src/main.ts
+   # Token creation/listing/revocation works
+   # Server listing works (empty until agents register)
+   ```
+
+5. **CLI diagnostics:**
+   ```
+   labctl doctor
+   labctl config list
+   labctl version
+   ```
+
+That's it. No agent communication, no remote exec, no log streaming, no RBAC, no certificates.
+
+---
+
+## Recommended Next Steps (to make Phase 1 actually work)
+
+### Priority 1: Wire up the agent connection
+1. Update `/ws/agent` handler to use `agentRegistry.register()` and `messageRouter.handleMessage()`
+2. Create lab-agent daemon binary that uses `AgentConnection` + `CommandExecutor`
+3. Create systemd unit for lab-agent
+
+### Priority 2: Certificate Authority
+1. Add `@peculiar/x509` dependency
+2. Implement CA service: generate root CA, sign CSRs
+3. Wire enrollment route to actually sign and return certificates
+4. Store CA key encrypted using `EncryptionService`
+
+### Priority 3: RBAC + Audit
+1. Create RBAC middleware that checks `Permission` table
+2. Create audit middleware that writes to `AuditLog`
+3. Apply both to all routes
+
+### Priority 4: CLI commands for labd
+1. `labctl get servers` using `LabdClient.getServers()`
+2. `labctl exec server/<name>` using `streamExec()`
+3. `labctl logs server/<name>` using `streamLogs()`
+
+### Priority 5: Smoke test stack
+1. Update `docker-compose.yml` to include labd + 2 agents
+2. Write integration tests for enrollment → heartbeat → exec → logs
diff --git a/bastion.sh b/bastion.sh
index 2acdfe1..ef60609 100755
--- a/bastion.sh
+++ b/bastion.sh
@@ -27,6 +27,7 @@ HTTP_PORT="${HTTP_PORT:-8080}"
 TIMEZONE="${TIMEZONE:-Europe/London}"
 LOCALE="${LOCALE:-en_GB.UTF-8}"
 BASTION_DIR="${BASTION_DIR:-/tmp/lab-bastion}"
+DOMAIN="${DOMAIN:-ad.itaz.eu}"           # internal domain for hostnames
 DHCP_MODE="${DHCP_MODE:-proxy}"        # proxy (alongside existing DHCP) or full (bastion IS the DHCP server)
 DHCP_RANGE_START="${DHCP_RANGE_START:-}"  # only for full mode, auto-derived if empty
 DHCP_RANGE_END="${DHCP_RANGE_END:-}"
@@ -45,13 +46,19 @@ CMD="${1:-serve}"
 
 case "$CMD" in
     install)
-        [[ $# -ge 3 ]] || { echo "Usage: bastion.sh install <mac> <hostname> [--disk <dev>]"; exit 1; }
+        [[ $# -ge 3 ]] || { echo "Usage: bastion.sh install <mac> <hostname> [--role worker|infra] [--disk <dev>]"; exit 1; }
         MAC="$2"
         HOSTNAME="$3"
-        DISK="${5:-}"  # --disk <dev>
-        PAYLOAD="{\"mac\":\"$MAC\",\"hostname\":\"$HOSTNAME\""
-        [[ -n "$DISK" ]] && PAYLOAD="$PAYLOAD,\"disk\":\"$DISK\""
-        PAYLOAD="$PAYLOAD}"
+        shift 3
+        DISK="" ROLE="worker"
+        while [[ $# -gt 0 ]]; do
+            case "$1" in
+                --disk) DISK="$2"; shift 2 ;;
+                --role) ROLE="$2"; shift 2 ;;
+                *) echo "Unknown option: $1"; exit 1 ;;
+            esac
+        done
+        PAYLOAD=$(python3 -c "import json; print(json.dumps({k:v for k,v in {'mac':'$MAC','hostname':'$HOSTNAME','disk':'$DISK','role':'$ROLE'}.items() if v}))")
         RESULT=$(curl -sf -X POST "http://localhost:${HTTP_PORT}/api/install" \
             -H "Content-Type: application/json" \
             -d "$PAYLOAD" 2>&1) || die "Cannot reach bastion at localhost:${HTTP_PORT}. Is it running?"
@@ -93,16 +100,62 @@ print()
 print('\033[1mINSTALLED\033[0m')
 if installed:
     for mac, info in installed.items():
-        print(f'  {mac:<20} → {info.get(\"hostname\",\"?\")}  ({info.get(\"installed_at\",\"?\")})')
+        ip = info.get('ip', '')
+        ip_str = f'  ip={ip}' if ip else ''
+        print(f'  {mac:<20} → {info.get(\"hostname\",\"?\")}  role={info.get(\"role\",\"?\")}{ip_str}  ({info.get(\"installed_at\",\"?\")})')
 else:
     print('  (none)')
 print()
 " 2>/dev/null || echo "$RESULT"
         exit 0
         ;;
+    reprovision)
+        [[ $# -ge 3 ]] || { echo "Usage: bastion.sh reprovision <mac> <hostname> [--role worker|infra] [--disk <dev>]"; exit 1; }
+        MAC="$2"
+        HOSTNAME="$3"
+        shift 3
+        DISK="" ROLE="worker"
+        while [[ $# -gt 0 ]]; do
+            case "$1" in
+                --disk) DISK="$2"; shift 2 ;;
+                --role) ROLE="$2"; shift 2 ;;
+                *) echo "Unknown option: $1"; exit 1 ;;
+            esac
+        done
+
+        # Queue the install
+        PAYLOAD=$(python3 -c "import json; print(json.dumps({k:v for k,v in {'mac':'$MAC','hostname':'$HOSTNAME','disk':'$DISK','role':'$ROLE'}.items() if v}))")
+        RESULT=$(curl -sf -X POST "http://localhost:${HTTP_PORT}/api/install" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD" 2>&1) || die "Cannot reach bastion at localhost:${HTTP_PORT}. Is it running?"
+        echo "$RESULT" | python3 -m json.tool 2>/dev/null || echo "$RESULT"
+
+        # Try to find IP from installed state and SSH in to trigger PXE reboot
+        IP=$(curl -sf "http://localhost:${HTTP_PORT}/api/machines" 2>/dev/null | \
+            python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('installed',{}).get('${MAC}',{}).get('ip',''))" 2>/dev/null || echo "")
+        ADMIN_USER="${SUDO_USER:-$USER}"
+        [[ "$ADMIN_USER" == "root" ]] && ADMIN_USER=""
+
+        if [[ -n "$IP" && -n "$ADMIN_USER" ]]; then
+            echo ""
+            echo "Attempting SSH reboot into PXE ($ADMIN_USER@$IP)..."
+            ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 "$ADMIN_USER@$IP" \
+                'sudo efibootmgr 2>/dev/null; PXE_ENTRY=$(sudo efibootmgr | grep -iE "pxe|network|ipv4" | head -1 | grep -oP "Boot\K[0-9A-F]+"); if [ -n "$PXE_ENTRY" ]; then sudo efibootmgr --bootnext "$PXE_ENTRY" && echo "PXE set as next boot" && sudo reboot; else echo "No PXE boot entry found, rebooting anyway..." && sudo reboot; fi' 2>&1 && {
+                echo ""
+                echo "Machine is rebooting into PXE. Install will start automatically."
+            } || {
+                echo ""
+                echo "SSH failed. Reboot the machine manually into PXE (e.g. via IPMI/KVM)."
+            }
+        else
+            echo ""
+            echo "No IP known for this machine. Reboot it manually into PXE."
+        fi
+        exit 0
+        ;;
     serve) ;;  # continue below
     *)
-        echo "Usage: bastion.sh [serve|install <mac> <hostname>|list]"
+        echo "Usage: bastion.sh [serve|install|reprovision|list]"
         exit 1
         ;;
 esac
@@ -111,6 +164,17 @@ esac
 # SERVE MODE — start the bastion
 # ══════════════════════════════════════════════════════════════════
 
+# ──── Kill old instances ──────────────────────────────────────────
+# Find and kill any previous bastion dnsmasq and HTTP server
+OLD_DNSMASQ=$(pgrep -f 'dnsmasq --no-daemon --conf-file=/tmp/lab-bastion' 2>/dev/null || true)
+OLD_HTTP=$(pgrep -f 'python3 /tmp/lab-bastion/server.py' 2>/dev/null || true)
+if [[ -n "$OLD_DNSMASQ" || -n "$OLD_HTTP" ]]; then
+    warn "Killing old bastion processes..."
+    [[ -n "$OLD_DNSMASQ" ]] && kill $OLD_DNSMASQ 2>/dev/null && log "  Stopped old dnsmasq (PID $OLD_DNSMASQ)"
+    [[ -n "$OLD_HTTP" ]]    && kill $OLD_HTTP    2>/dev/null && log "  Stopped old HTTP server (PID $OLD_HTTP)"
+    sleep 1
+fi
+
 # ──── Preflight ───────────────────────────────────────────────────
 [[ $EUID -eq 0 ]] || die "Must run as root (need DHCP/TFTP ports). Use: sudo bash bastion.sh"
 
@@ -143,23 +207,59 @@ GATEWAY="$(ip route | awk '/default/ {print $3; exit}')"
 [[ -n "$SERVER_IP" ]] || die "Cannot detect IP on interface $IFACE"
 log "Interface: ${BOLD}$IFACE${NC}  IP: ${BOLD}$SERVER_IP${NC}  Network: ${BOLD}$NETWORK${NC}"
 
-# ──── Auto-detect SSH pubkey ──────────────────────────────────────
-SSH_PUBKEY="${SSH_PUBKEY:-}"
-if [[ -z "$SSH_PUBKEY" ]]; then
-    REAL_HOME="${HOME}"
-    [[ -n "${SUDO_USER:-}" ]] && REAL_HOME="$(getent passwd "$SUDO_USER" | cut -d: -f6)"
-    for keyfile in "$REAL_HOME/.ssh/id_ed25519.pub" "$REAL_HOME/.ssh/id_rsa.pub" "$REAL_HOME/.ssh/id_ecdsa.pub"; do
-        [[ -f "$keyfile" ]] && { SSH_PUBKEY="$keyfile"; break; }
-    done
+# ──── Auto-detect SSH keys ───────────────────────────────────────
+REAL_HOME="${HOME}"
+[[ -n "${SUDO_USER:-}" ]] && REAL_HOME="$(getent passwd "$SUDO_USER" | cut -d: -f6)"
+
+SSH_KEYS_CONTENT=""
+SSH_KEY_SOURCE=""
+
+# Collect SSH keys from authorized_keys + local pubkeys (deduplicated)
+SSH_KEY_SOURCE=""
+if [[ -f "$REAL_HOME/.ssh/authorized_keys" ]]; then
+    SSH_KEYS_CONTENT="$(grep -v '^#' "$REAL_HOME/.ssh/authorized_keys" | grep -v '^$')"
+    SSH_KEY_SOURCE="$REAL_HOME/.ssh/authorized_keys"
 fi
 
-SSH_KEY_CONTENT=""
-if [[ -n "$SSH_PUBKEY" && -f "$SSH_PUBKEY" ]]; then
-    SSH_KEY_CONTENT="$(cat "$SSH_PUBKEY")"
-    log "SSH key: ${BOLD}$SSH_PUBKEY${NC}"
-else
-    warn "No SSH public key found. Set SSH_PUBKEY=/path/to/key.pub"
-    warn "Install mode will use root password 'changeme' as fallback."
+# Also include local pubkey files (they may not be in authorized_keys)
+for keyfile in "$REAL_HOME/.ssh/id_ed25519.pub" "$REAL_HOME/.ssh/id_rsa.pub" "$REAL_HOME/.ssh/id_ecdsa.pub"; do
+    if [[ -f "$keyfile" ]]; then
+        KEY_DATA="$(cat "$keyfile")"
+        KEY_FP="$(awk '{print $2}' "$keyfile")"
+        if [[ -n "$SSH_KEYS_CONTENT" ]]; then
+            # Add only if not already present
+            if ! echo "$SSH_KEYS_CONTENT" | grep -qF "$KEY_FP"; then
+                SSH_KEYS_CONTENT="$SSH_KEYS_CONTENT"$'\n'"$KEY_DATA"
+                SSH_KEY_SOURCE="${SSH_KEY_SOURCE} + $keyfile"
+            fi
+        else
+            SSH_KEYS_CONTENT="$KEY_DATA"
+            SSH_KEY_SOURCE="$keyfile"
+        fi
+    fi
+done
+
+# Priority 3: generate a keypair
+if [[ -z "$SSH_KEYS_CONTENT" ]]; then
+    GENERATED_KEY="$BASTION_DIR/bastion_ed25519"
+    if [[ ! -f "$GENERATED_KEY" ]]; then
+        log "No SSH keys found — generating ed25519 keypair..."
+        ssh-keygen -t ed25519 -f "$GENERATED_KEY" -N "" -C "bastion-generated@$(hostname)" >/dev/null 2>&1
+    fi
+    SSH_KEYS_CONTENT="$(cat "${GENERATED_KEY}.pub")"
+    SSH_KEY_SOURCE="$GENERATED_KEY (generated)"
+    warn "Using generated keypair: ${BOLD}$GENERATED_KEY${NC}"
+    warn "Save this private key — it's the only way to access installed machines."
+fi
+
+SSH_KEY_COUNT="$(echo "$SSH_KEYS_CONTENT" | wc -l)"
+log "SSH keys: ${BOLD}${SSH_KEY_COUNT} key(s)${NC} from ${BOLD}${SSH_KEY_SOURCE}${NC}"
+
+# ──── Detect admin username ──────────────────────────────────────
+ADMIN_USER="${SUDO_USER:-$USER}"
+[[ "$ADMIN_USER" == "root" ]] && ADMIN_USER=""
+if [[ -n "$ADMIN_USER" ]]; then
+    log "Admin user: ${BOLD}${ADMIN_USER}${NC} (will be created on installed machines)"
 fi
 
 # ──── Prepare directories ────────────────────────────────────────
@@ -264,13 +364,8 @@ FEDORA_MIRROR="https://download.fedoraproject.org/pub/fedora/linux/releases/${FE
 log "Preparing boot artifacts (Fedora ${FEDORA_VERSION} ${ARCH})..."
 copy_if_missing "/usr/share/ipxe/undionly.kpxe"  "$TFTPDIR/undionly.kpxe"    "iPXE BIOS"
 
-# UEFI x86_64: two-stage PXE boot
-# Stage 1: tiny PXE loader stub (<20KB) fits in constrained TFTP buffers
-# Stage 2: full iPXE binary downloaded via UEFI PXE protocol (no size limit)
-PXELOADER_SRC="$(cd "$(dirname "$0")" && pwd)/pxeloader.c"
-[[ -f "$PXELOADER_SRC" ]] || PXELOADER_SRC="$(dirname "${BASH_SOURCE[0]}")/pxeloader.c"
-build_pxeloader "$PXELOADER_SRC" "$TFTPDIR/ipxe.efi" "PXE loader stub (stage 1)"
-copy_if_missing "/usr/share/ipxe/ipxe-snponly-x86_64.efi" "$TFTPDIR/ipxe-real.efi" "iPXE UEFI x86_64 (stage 2)"
+# UEFI x86_64: serve iPXE directly via TFTP (UEFI has no TFTP size limit)
+copy_if_missing "/usr/share/ipxe/ipxe-snponly-x86_64.efi" "$TFTPDIR/ipxe.efi"      "iPXE UEFI x86_64"
 
 copy_if_missing "/usr/share/ipxe/arm64-efi/snponly.efi"  "$TFTPDIR/ipxe-arm64.efi"  "iPXE UEFI arm64"
 download "${FEDORA_MIRROR}/images/pxeboot/vmlinuz"        "$HTTPDIR/vmlinuz"          "Fedora kernel"
@@ -375,25 +470,29 @@ except Exception as e:
 "
 fi
 
-# ── Power off — do NOT let Anaconda proceed ──
+# ── Reboot — do NOT let Anaconda proceed ──
 echo ""
-echo "=== Discovery complete, powering off ==="
+echo "=== Discovery complete, rebooting ==="
 echo ""
 sleep 3
 echo 1 > /proc/sys/kernel/sysrq
-echo o > /proc/sysrq-trigger
+echo b > /proc/sysrq-trigger
 sleep 5
-poweroff -f
+reboot -f
 
 %end
 
 # Anaconda should never get here, but just in case:
-poweroff
+reboot
 DISCOVER_KS
 
 # Patch in the bastion URL
 sed -i "s|__BASTION_URL__|http://${SERVER_IP}:${HTTP_PORT}|g" "$HTTPDIR/discover.ks"
 
+# Save SSH keys and admin user for the HTTP server to use
+echo "$SSH_KEYS_CONTENT" > "$BASTION_DIR/ssh_keys"
+echo "$ADMIN_USER" > "$BASTION_DIR/admin_user"
+
 # ──── Generate iPXE boot script ───────────────────────────────────
 # Initial iPXE script chains to /dispatch with the MAC, so the server
 # can route to discover or install mode per machine.
@@ -431,9 +530,17 @@ SERVER_IP   = sys.argv[3]
 HTTP_PORT   = int(sys.argv[4])
 FEDORA_VER  = sys.argv[5]
 FEDORA_MIRROR = sys.argv[6]
-SSH_KEY     = sys.argv[7] if len(sys.argv) > 7 else ""
+SSH_KEYS_FILE = sys.argv[7] if len(sys.argv) > 7 else ""
 TIMEZONE    = sys.argv[8] if len(sys.argv) > 8 else "Europe/London"
 LOCALE      = sys.argv[9] if len(sys.argv) > 9 else "en_GB.UTF-8"
+DOMAIN      = sys.argv[10] if len(sys.argv) > 10 else "ad.itaz.eu"
+ADMIN_USER  = sys.argv[11] if len(sys.argv) > 11 else ""
+
+# Load SSH keys from file
+SSH_KEYS = []
+if SSH_KEYS_FILE and os.path.isfile(SSH_KEYS_FILE):
+    with open(SSH_KEYS_FILE) as f:
+        SSH_KEYS = [l.strip() for l in f if l.strip() and not l.startswith('#')]
 
 # ── State management (file-backed, lock-protected) ───────────────
 
@@ -452,19 +559,66 @@ def save_state(state):
 
 # ── Kickstart generation ─────────────────────────────────────────
 
-def generate_kickstart(hostname, disk="", ssh_key=""):
-    disk_cmds = "clearpart --all --initlabel\nautopart --type=plain"
-    if disk:
-        disk_cmds = f"ignoredisk --only-use={disk}\nclearpart --all --initlabel --drives={disk}\nautopart --type=plain"
+def generate_kickstart(hostname, disk="", ssh_keys=None, domain="", role="worker", admin_user=""):
+    ssh_keys = ssh_keys or []
+    fqdn = f"{hostname}.{domain}" if domain else hostname
+    vg = "labvg"
 
-    if ssh_key:
-        auth = f'rootpw --lock\nsshkey --username=root "{ssh_key}"'
+    # ── Auth ──
+    if ssh_keys:
+        auth = f'rootpw --lock\nsshkey --username=root "{ssh_keys[0]}"'
     else:
         auth = 'rootpw --plaintext changeme'
 
-    return f"""# Lab Bastion — Fedora {FEDORA_VER} install
+    # ── Admin user (kickstart directive) ──
+    user_directive = ""
+    if admin_user:
+        user_directive = f'user --name={admin_user} --groups=wheel --lock'
+
+    # ── SSH keys for %post (root + admin user) ──
+    all_keys = "\n".join(ssh_keys)
+    ssh_post_block = ""
+    if ssh_keys:
+        ssh_post_block = f"""
+# Set up SSH keys for root
+mkdir -p /root/.ssh && chmod 700 /root/.ssh
+cat > /root/.ssh/authorized_keys << 'SSHKEYS'
+{all_keys}
+SSHKEYS
+chmod 600 /root/.ssh/authorized_keys"""
+
+    if admin_user and ssh_keys:
+        ssh_post_block += f"""
+
+# Set up SSH keys for {admin_user}
+ADMIN_HOME=$(getent passwd {admin_user} | cut -d: -f6)
+mkdir -p "$ADMIN_HOME/.ssh" && chmod 700 "$ADMIN_HOME/.ssh"
+cp /root/.ssh/authorized_keys "$ADMIN_HOME/.ssh/authorized_keys"
+chown -R {admin_user}:{admin_user} "$ADMIN_HOME/.ssh"
+chmod 600 "$ADMIN_HOME/.ssh/authorized_keys"
+
+# Fix SELinux contexts for SSH
+restorecon -R /root/.ssh "$ADMIN_HOME/.ssh" 2>/dev/null || true
+
+# Passwordless sudo for {admin_user}
+echo '{admin_user} ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/{admin_user}
+chmod 440 /etc/sudoers.d/{admin_user}"""
+
+    # ── Determine disk (auto-detect first NVMe/SDA if not specified) ──
+    disk_line = f'DISK="{disk}"' if disk else '''
+DISK=""
+for d in /dev/nvme0n1 /dev/sda /dev/vda; do
+    [ -b "$d" ] && { DISK="$(basename $d)"; break; }
+done
+[ -z "$DISK" ] && { echo "ERROR: no disk found"; exit 1; }
+'''
+
+    # ── LVM layout sizes (MB) ──
+    has_longhorn = (role == "worker")
+
+    return f"""# Lab Bastion -- Fedora {FEDORA_VER} server install
 # Generated: {datetime.now().isoformat()}
-# Target: {hostname}
+# Target: {fqdn} (role={role})
 
 text
 reboot
@@ -473,39 +627,266 @@ lang {LOCALE}
 keyboard uk
 timezone {TIMEZONE} --utc
 
-network --bootproto=dhcp --activate --hostname={hostname}
+network --bootproto=dhcp --activate --hostname={fqdn}
 
 {auth}
-
-{disk_cmds}
+{user_directive}
 
 bootloader --append="console=tty0 console=ttyS0,115200n8"
 
 url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
 
+# Partitioning is generated dynamically by %pre (supports longhorn preservation)
+%include /tmp/part.ks
+
+%pre --log=/tmp/pre-partition.log
+#!/bin/bash
+set -x
+
+# Progress callback helper
+bastion_progress() {{
+    local stage="$1" detail="${{2:-}}"
+    local mac=$(ip link show | awk '/ether/ && !/00:00:00:00/ {{print $2; exit}}')
+    curl -sf -X POST "http://{SERVER_IP}:{HTTP_PORT}/api/progress" \
+        -H "Content-Type: application/json" \
+        -d "{{\\"mac\\":\\"$mac\\",\\"stage\\":\\"$stage\\",\\"detail\\":\\"$detail\\"}}" 2>/dev/null || true
+}}
+
+bastion_progress "partitioning" "preparing disk layout"
+
+VG="{vg}"
+{disk_line}
+
+REPROVISION=no
+
+# Check if VG exists (reprovision scenario)
+if vgs $VG &>/dev/null; then
+    echo "=== Existing VG found - reprovision mode ==="
+    REPROVISION=yes
+
+    # Detect which data LVs to preserve
+    PRESERVE_LONGHORN=no; PRESERVE_SRV=no; PRESERVE_HOME=no
+    lvs $VG/longhorn &>/dev/null && PRESERVE_LONGHORN=yes
+    lvs $VG/srv      &>/dev/null && PRESERVE_SRV=yes
+    lvs $VG/home     &>/dev/null && PRESERVE_HOME=yes
+
+    echo "Preserving: longhorn=$PRESERVE_LONGHORN srv=$PRESERVE_SRV home=$PRESERVE_HOME"
+
+    # Remove only OS logical volumes (keep data LVs)
+    for lv in root var varlog swap; do
+        lvremove -f $VG/$lv 2>/dev/null || true
+    done
+fi
+
+if [ "$REPROVISION" = "yes" ]; then
+    # Find existing boot partitions by type
+    EFI_PART=$(blkid -t TYPE=vfat -o device /dev/${{DISK}}* 2>/dev/null | head -1)
+    BOOT_PART=$(blkid -t TYPE=ext4 -o device /dev/${{DISK}}* 2>/dev/null | head -1)
+    EFI_PART=${{EFI_PART:-/dev/${{DISK}}1}}
+    BOOT_PART=${{BOOT_PART:-/dev/${{DISK}}2}}
+    echo "Reusing EFI=$EFI_PART BOOT=$BOOT_PART"
+
+    # Build partition config reusing existing PV/VG
+    cat > /tmp/part.ks << PARTEOF
+ignoredisk --only-use=$DISK
+clearpart --none
+part /boot/efi --onpart=$EFI_PART --fstype=efi
+part /boot --onpart=$BOOT_PART --fstype=ext4
+volgroup {vg} --useexisting --noformat
+logvol swap --vgname={vg} --name=swap --fstype=swap --size=27648
+logvol / --vgname={vg} --name=root --fstype=xfs --size=33792
+logvol /var --vgname={vg} --name=var --fstype=xfs --size=102400
+logvol /var/log --vgname={vg} --name=varlog --fstype=xfs --size=10240
+PARTEOF
+
+    # Preserve or recreate data LVs
+    if [ "$PRESERVE_HOME" = "yes" ]; then
+        echo "logvol /home --vgname={vg} --name=home --useexisting --noformat" >> /tmp/part.ks
+    else
+        echo "logvol /home --vgname={vg} --name=home --fstype=xfs --size=10240" >> /tmp/part.ks
+    fi
+
+    if [ "$PRESERVE_SRV" = "yes" ]; then
+        echo "logvol /srv --vgname={vg} --name=srv --useexisting --noformat" >> /tmp/part.ks
+    else
+        echo "logvol /srv --vgname={vg} --name=srv --fstype=xfs --size=20480" >> /tmp/part.ks
+    fi
+
+    if [ "$PRESERVE_LONGHORN" = "yes" ]; then
+        echo "logvol /var/lib/longhorn --vgname={vg} --name=longhorn --useexisting --noformat" >> /tmp/part.ks
+    fi
+
+else
+    # Fresh install
+    cat > /tmp/part.ks << PARTEOF
+ignoredisk --only-use=$DISK
+clearpart --all --initlabel --drives=$DISK
+part /boot/efi --fstype=efi --size=600 --ondisk=$DISK
+part /boot --fstype=ext4 --size=3072 --ondisk=$DISK
+part pv.01 --size=1 --grow --ondisk=$DISK
+volgroup {vg} pv.01
+logvol swap --vgname={vg} --name=swap --fstype=swap --size=27648
+logvol / --vgname={vg} --name=root --fstype=xfs --size=33792
+logvol /var --vgname={vg} --name=var --fstype=xfs --size=102400
+logvol /var/log --vgname={vg} --name=varlog --fstype=xfs --size=10240
+logvol /home --vgname={vg} --name=home --fstype=xfs --size=10240
+logvol /srv --vgname={vg} --name=srv --fstype=xfs --size=20480
+{"logvol /var/lib/longhorn --vgname=" + vg + " --name=longhorn --fstype=xfs --grow --size=1" if has_longhorn else ""}
+PARTEOF
+fi
+
+echo "=== Generated partition config ==="
+cat /tmp/part.ks
+echo "==================================="
+
+bastion_progress "partitioning" "layout ready, starting install"
+
+%end
+
 %packages
 @core
-@server-product
 openssh-server
 vim-enhanced
 tmux
 git
 curl
+wget
 python3
 lshw
 dmidecode
 dnf-plugins-core
+
+# Networking and diagnostics
+NetworkManager
+bind-utils
+net-tools
+iproute
+iputils
+traceroute
+tcpdump
+htop
+iotop
+strace
+jq
+
+# k3s prerequisites
+container-selinux
+iptables-nft
+nftables
+policycoreutils-python-utils
+chrony
+tar
+socat
+conntrack-tools
+ethtool
+
+# Boot management
+efibootmgr
+
+# Puppet prerequisites
+ruby
+ruby-libs
+
+# Exclude desktop
+-@workstation-product
+-@gnome-desktop
+-gnome-shell
+-gdm
+-PackageKit
+-PackageKit-glib
 %end
 
 %post --log=/root/bastion-post-install.log
 #!/bin/bash
 set -x
+
+# Progress callback helper
+bastion_progress() {{
+    local stage="$1" detail="${{2:-}}"
+    local mac=$(ip link show | awk '/ether/ && !/00:00:00:00/ {{print $2; exit}}')
+    curl -sf -X POST "http://{SERVER_IP}:{HTTP_PORT}/api/progress" \
+        -H "Content-Type: application/json" \
+        -d "{{\\"mac\\":\\"$mac\\",\\"stage\\":\\"$stage\\",\\"detail\\":\\"$detail\\"}}" 2>/dev/null || true
+}}
+
+bastion_progress "post-install" "configuring system"
+
+# ── SSH ──
 systemctl enable --now sshd
 sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
 sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
-hostnamectl set-hostname {hostname}
-echo "Provisioned by lab-bastion on $(date -Iseconds)" > /etc/lab-provisioned
-echo "# Lab node — puppet enrollment pending" > /root/README
+{ssh_post_block}
+
+# ── Hostname and domain ──
+hostnamectl set-hostname {fqdn}
+
+# ── tmpfs for /tmp ──
+echo "tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,size=4G 0 0" >> /etc/fstab
+
+# ── Kernel modules for k3s ──
+cat > /etc/modules-load.d/k3s.conf << 'MODULES'
+br_netfilter
+overlay
+ip_conntrack
+MODULES
+modprobe br_netfilter || true
+modprobe overlay || true
+
+# ── Sysctl for k3s networking ──
+cat > /etc/sysctl.d/90-k3s.conf << 'SYSCTL'
+net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+net.ipv6.conf.all.forwarding        = 1
+fs.inotify.max_user_instances       = 524288
+fs.inotify.max_user_watches         = 1048576
+SYSCTL
+sysctl --system || true
+
+# ── Disable firewalld (k3s manages its own iptables rules) ──
+systemctl disable --now firewalld || true
+
+# ── Enable chronyd for time sync ──
+systemctl enable --now chronyd
+
+# ── Set boot order: local disk first, PXE after ──
+if command -v efibootmgr >/dev/null 2>&1; then
+    # Find the Fedora boot entry and move it first
+    FEDORA_ENTRY=$(efibootmgr | grep -i fedora | head -1 | grep -oP 'Boot\\K[0-9A-F]+')
+    if [ -n "$FEDORA_ENTRY" ]; then
+        CURRENT_ORDER=$(efibootmgr | grep BootOrder | cut -d: -f2 | tr -d ' ')
+        # Put Fedora first, keep rest
+        NEW_ORDER="$FEDORA_ENTRY,$(echo "$CURRENT_ORDER" | sed "s/$FEDORA_ENTRY,\\?//;s/,$//")"
+        efibootmgr -o "$NEW_ORDER" || true
+        echo "Boot order set: Fedora first ($NEW_ORDER)"
+    fi
+fi
+
+# ── Provisioning metadata ──
+cat > /etc/lab-provisioned << PROVEOF
+hostname: {fqdn}
+role: {role}
+provisioned: $(date -Iseconds)
+bastion: {SERVER_IP}
+PROVEOF
+
+cat > /root/README << 'README'
+# Lab Node -- {fqdn} (role: {role})
+#
+# Next steps:
+#   1. Install puppet agent:
+#      dnf install -y puppet-agent
+#
+#   2. Install k3s:
+#      curl -sfL https://get.k3s.io | sh -
+#
+#   3. Or join existing cluster:
+#      curl -sfL https://get.k3s.io | K3S_URL=https://<server>:6443 K3S_TOKEN=<token> sh -
+README
+
+IP_ADDR=$(ip -4 addr show | awk '/inet / && !/127.0.0/ {{split($2,a,"/"); print a[1]; exit}}')
+bastion_progress "complete" "ready at $IP_ADDR"
+
 %end
 """
 
@@ -562,6 +943,25 @@ def print_install_started(mac, hostname):
     print(f"  Serving Fedora {FEDORA_VER} installer + kickstart...")
     print(f"\n{'─' * 60}\n", flush=True)
 
+PROGRESS_ICONS = {
+    "partitioning": "◆",
+    "installing":   "◆◆",
+    "post-install": "◆◆◆",
+    "complete":     "✔",
+    "error":        "✘",
+}
+
+def print_progress(mac, stage, detail=""):
+    icon = PROGRESS_ICONS.get(stage, "·")
+    color = GREEN if stage == "complete" else (RED if stage == "error" else YELLOW)
+    detail_str = f" -- {detail}" if detail else ""
+    print(f"  {color}{icon}{RESET} {mac}  {BOLD}{stage}{RESET}{detail_str}", flush=True)
+    if stage == "complete" and detail:
+        ip = detail.replace("ready at ", "").strip()
+        if ip:
+            admin = ADMIN_USER or "root"
+            print(f"\n  {GREEN}{BOLD}  ssh {admin}@{ip}{RESET}\n", flush=True)
+
 # ── HTTP Handler ──────────────────────────────────────────────────
 
 class BastionHandler(SimpleHTTPRequestHandler):
@@ -603,7 +1003,7 @@ class BastionHandler(SimpleHTTPRequestHandler):
 
 echo
 echo =============================================
-echo   Lab PXE Bastion — INSTALLING Fedora {FEDORA_VER}
+echo   Lab PXE Bastion - INSTALLING Fedora {FEDORA_VER}
 echo   Target: {hostname}
 echo   MAC:    {mac}
 echo =============================================
@@ -614,13 +1014,31 @@ initrd http://{SERVER_IP}:{HTTP_PORT}/initrd.img
 boot
 """
                 self.send_text(200, script)
+
+            elif mac in state.get("installed", {}):
+                info = state["installed"][mac]
+                hostname = info.get("hostname", "?")
+                print(f"  {GREEN}PXE request from {mac} ({hostname}) - already installed, booting local disk{RESET}", flush=True)
+                script = f"""#!ipxe
+
+echo
+echo =============================================
+echo   Lab PXE Bastion - {hostname}
+echo   Already installed, booting from local disk
+echo =============================================
+echo
+sleep 3
+exit
+"""
+                self.send_text(200, script)
+
             else:
                 print(f"  {YELLOW}PXE request from {mac} → discovery mode{RESET}", flush=True)
                 script = f"""#!ipxe
 
 echo
 echo =============================================
-echo   Lab PXE Bastion — DISCOVERY MODE
+echo   Lab PXE Bastion - DISCOVERY MODE
 echo   MAC: {mac}
 echo   Collecting hardware info...
 echo =============================================
@@ -642,7 +1060,10 @@ boot
             ks = generate_kickstart(
                 hostname=cfg.get("hostname", "lab-node"),
                 disk=cfg.get("disk", ""),
-                ssh_key=SSH_KEY,
+                ssh_keys=SSH_KEYS,
+                domain=DOMAIN,
+                role=cfg.get("role", "worker"),
+                admin_user=ADMIN_USER,
             )
             self.send_text(200, ks)
             return
@@ -710,15 +1131,21 @@ boot
             mac = data.get("mac", "").lower().replace("-", ":")
             hostname = data.get("hostname", "lab-node")
             disk = data.get("disk", "")
+            role = data.get("role", "worker")
 
             if not mac:
                 self.send_json(400, {"error": "mac is required"})
                 return
 
+            if role not in ("worker", "infra"):
+                self.send_json(400, {"error": "role must be 'worker' or 'infra'"})
+                return
+
             state = load_state()
             state.setdefault("install_queue", {})[mac] = {
                 "hostname": hostname,
                 "disk": disk,
+                "role": role,
                 "queued_at": datetime.now().isoformat(),
             }
             save_state(state)
@@ -729,10 +1156,49 @@ boot
                 "status": "queued",
                 "mac": mac,
                 "hostname": hostname,
-                "message": "PXE boot the machine to start installation",
+                "role": role,
+                "message": f"PXE boot the machine to start installation (role={role})",
             })
             return
 
+        # ── Install progress callback from kickstart ──
+        if parsed.path == "/api/progress":
+            try:
+                data = json.loads(body)
+            except json.JSONDecodeError:
+                self.send_json(400, {"error": "invalid JSON"})
+                return
+
+            mac = data.get("mac", "unknown").lower()
+            stage = data.get("stage", "unknown")
+            detail = data.get("detail", "")
+
+            print_progress(mac, stage, detail)
+
+            # Update state with progress
+            state = load_state()
+            if mac in state.get("install_queue", {}):
+                state["install_queue"][mac]["progress"] = stage
+                state["install_queue"][mac]["progress_at"] = datetime.now().isoformat()
+                if detail:
+                    state["install_queue"][mac]["progress_detail"] = detail
+
+                # Move to installed on completion
+                if stage == "complete":
+                    cfg = state["install_queue"].pop(mac)
+                    ip = detail.replace("ready at ", "").strip() if detail else ""
+                    state.setdefault("installed", {})[mac] = {
+                        "hostname": cfg.get("hostname", "?"),
+                        "role": cfg.get("role", "?"),
+                        "ip": ip,
+                        "installed_at": datetime.now().isoformat(),
+                    }
+
+                save_state(state)
+
+            self.send_json(200, {"status": "ok"})
+            return
+
         self.send_json(404, {"error": "not found"})
 
 
@@ -850,9 +1316,11 @@ python3 "$BASTION_DIR/server.py" \
     "$HTTP_PORT" \
     "$FEDORA_VERSION" \
     "$FEDORA_MIRROR" \
-    "$SSH_KEY_CONTENT" \
+    "$BASTION_DIR/ssh_keys" \
     "$TIMEZONE" \
-    "$LOCALE" &
+    "$LOCALE" \
+    "$DOMAIN" \
+    "$ADMIN_USER" &
 HTTP_PID=$!
 sleep 1
 
@@ -871,6 +1339,7 @@ echo -e "  Network:   ${BOLD}${NETWORK}/24${NC} via ${BOLD}${IFACE}${NC}"
 echo -e "  DHCP:      ${BOLD}${DHCP_MODE}${NC}$(if [[ "$DHCP_MODE" == "full" ]]; then echo " (${DHCP_RANGE_START}–${DHCP_RANGE_END})"; else echo " (alongside existing DHCP)"; fi)"
 echo -e "  HTTP:      ${BOLD}http://${SERVER_IP}:${HTTP_PORT}/${NC}"
 echo -e "  OS:        ${BOLD}Fedora ${FEDORA_VERSION} (${ARCH})${NC}"
+echo -e "  Domain:    ${BOLD}${DOMAIN}${NC}"
 echo -e "  State:     ${BOLD}${STATEFILE}${NC}"
 echo ""
 echo -e "  ${YELLOW}PXE boot any machine on this network.${NC}"
diff --git a/bastion/.dockerignore b/bastion/.dockerignore
new file mode 100644
index 0000000..3a66991
--- /dev/null
+++ b/bastion/.dockerignore
@@ -0,0 +1,8 @@
+node_modules
+dist
+.git
+*.log
+.env
+.env.*
+*.tsbuildinfo
+.taskmaster
diff --git a/bastion/.gitignore b/bastion/.gitignore
new file mode 100644
index 0000000..f4e2c6d
--- /dev/null
+++ b/bastion/.gitignore
@@ -0,0 +1,3 @@
+node_modules/
+dist/
+*.tsbuildinfo
diff --git a/bastion/.taskmaster/docs/pulumi-k3s-refactor.md b/bastion/.taskmaster/docs/pulumi-k3s-refactor.md
new file mode 100644
index 0000000..e40a871
--- /dev/null
+++ b/bastion/.taskmaster/docs/pulumi-k3s-refactor.md
@@ -0,0 +1,132 @@
+# PRD: Refactor K3s Module from Bash Heredocs to Pulumi TypeScript
+
+## Problem
+
+The k3s install/configure/health module currently generates ~300 lines of bash heredoc strings embedded in TypeScript files (`install.ts`, `configure.ts`, `health.ts`). These are unmaintainable, untestable, and impossible to compose. This is the same bash-in-code problem that drove the bastion TypeScript rewrite.
+
+## Vision
+
+The lab platform uses Pulumi as its IaC engine:
+- **Central execution**: labd runs Pulumi programs in labcontroller k8s for cloud/remote resources with RBAC, global state, and audit trail (PulumiRun table already exists in CockroachDB)
+- **Local execution**: lab-agents run Pulumi programs directly on bare-metal nodes
+- **Multi-environment**: supports multiple datacenters, clouds (baremetal, AWS, GCP), production/dev/ephemeral environments
+
+## Current State
+
+### Files to replace
+- `src/modules/modules/k3s/src/install.ts` — 275 lines, generates bash for 10 install phases
+- `src/modules/modules/k3s/src/configure.ts` — 118 lines, generates bash for 5 configure phases
+- `src/modules/modules/k3s/src/health.ts` — 57 lines, generates bash for 6 health checks
+
+### Existing infrastructure
+- `sshExec(ip, user, command, opts)` and `sshExecStreaming()` — SSH execution primitives in `src/modules/src/ssh.ts`
+- Module system: `ModuleRunner`, `ModuleRegistry`, `Module` interface with install/configure/health phases
+- `@lab/shared` types: `BastionConfig`, `K3sInstallContext`, roles, OS types
+- PulumiRun model in Prisma schema (labd) — tracks Pulumi execution state
+- labcontroller module generates k8s manifests (cockroachdb.ts, labd.ts, bastion.ts) — these also need Pulumi migration eventually
+
+### 32 distinct operations currently in bash
+**Install phase (10 steps):**
+1. Load kernel modules (br_netfilter, overlay, ip_conntrack)
+2. Apply CIS sysctl hardening (9 params)
+3. Disable swap
+4. Disable firewall (firewalld/ufw — mask to survive reboot)
+5. Set SELinux permissive
+6. Write k3s server config (flannel=none, secrets-encryption, audit, CIS hardened)
+7. Write audit policy YAML
+8. Clean up stale CNI (flannel.1 vxlan, cilium interfaces, port 8472 conflicts)
+9. Install k3s binary (curl | sh)
+10. Install Cilium CNI (detect arch, detect interface, kubeProxyReplacement)
+
+**Configure phase (5 steps):**
+1. Fix CoreDNS upstream DNS (systemd-resolved 127.0.0.53 unreachable from pod netns)
+2. Configure log rotation
+3. Check certificate expiry
+4. Apply default network policies (deny-ingress, allow-dns-egress)
+5. Apply Pod Security Standards (restricted)
+
+**Health checks (6 checks):**
+1. k3s service active
+2. Node Ready condition
+3. API server /healthz
+4. Secrets encryption enabled
+5. Cilium status
+6. kube-system pod status
+
+## Requirements
+
+### Architecture decisions needed (discuss with user via task-master)
+1. **Pulumi structure**: micro-stacks vs monorepo-by-env vs component-library vs GitOps operator
+2. **Multi-cloud support**: how stacks are organized across baremetal/AWS/GCP
+3. **Environment model**: how prod/dev/ephemeral environments are represented
+4. **State backend**: Pulumi Cloud vs self-hosted (S3/CockroachDB)
+5. **Execution model**: who runs `pulumi up` — labd central, lab-agent local, or both?
+
+### Operation design
+- Each operation is a typed TypeScript async function using `sshExec()`
+- Standard interface: `OperationContext` in, `OperationResult` out
+- **Idempotent**: check before act, report `changed: boolean`
+- **Composable**: operations grouped into logical units (host-prep, networking, hardening)
+- **Testable**: mock sshExec for unit tests
+- **Future Pulumi-ready**: each function maps 1:1 to a `remote.Command` resource
+
+### Groups (logical composition)
+- `host-prep`: kernel-modules + sysctl + swap + firewall + selinux
+- `k3s-server`: k3s-config + audit-policy + cni-cleanup + k3s-install
+- `k3s-agent`: k3s-config (agent) + k3s-install (agent mode)
+- `networking`: cilium + dns-fix + network-policy
+- `hardening`: pod-security + cert-check + log-rotation
+
+### Pulumi integration (when added)
+- Add `@pulumi/pulumi` and `@pulumi/command` as dependencies
+- Each operation becomes a `command.remote.Command` resource
+- Groups become `pulumi.ComponentResource` classes
+- K3sCluster becomes a top-level ComponentResource that composes groups
+- Stacks per environment: `lab-baremetal`, `aws-prod`, `dev`, `ephemeral-pr-123`
+
+## File structure
+
+```
+src/modules/modules/k3s/src/
+├── types.ts              # K3sConfig, OperationContext, OperationResult
+├── utils.ts              # sshOpts(), runSequential(), file helpers
+├── operations/           # ~15 atomic operations
+│   ├── kernel-modules.ts
+│   ├── sysctl.ts
+│   ├── swap.ts
+│   ├── firewall.ts
+│   ├── selinux.ts
+│   ├── k3s-config.ts
+│   ├── audit-policy.ts
+│   ├── cni-cleanup.ts
+│   ├── k3s-install.ts
+│   ├── cilium.ts
+│   ├── dns-fix.ts
+│   ├── log-rotation.ts
+│   ├── network-policy.ts
+│   ├── pod-security.ts
+│   └── cert-check.ts
+├── groups/               # Logical groupings
+│   ├── host-prep.ts
+│   ├── k3s-server.ts
+│   ├── k3s-agent.ts
+│   ├── networking.ts
+│   └── hardening.ts
+├── health/               # Health checks
+│   ├── k3s-service.ts
+│   ├── node-ready.ts
+│   ├── api-health.ts
+│   ├── secrets-encryption.ts
+│   ├── cilium-status.ts
+│   └── pod-status.ts
+├── k3s-module.ts         # Module implementation
+└── index.ts              # Public exports
+```
+
+## Success criteria
+- Zero bash heredoc strings in the k3s module
+- Every operation independently testable with mocked sshExec
+- `labctl app k3s install <target>` works end-to-end
+- `labctl app k3s health` works end-to-end
+- Existing test suite passes (updated for new API)
+- Clear path to wrapping operations as Pulumi resources
diff --git a/bastion/.taskmaster/docs/resource-tracking.md b/bastion/.taskmaster/docs/resource-tracking.md
new file mode 100644
index 0000000..b5da88e
--- /dev/null
+++ b/bastion/.taskmaster/docs/resource-tracking.md
@@ -0,0 +1,172 @@
+# PRD: Resource Tracking & kubectl-style CLI
+
+## Problem
+
+The lab platform currently has fragmented state management:
+- Bastion keeps machine state in an ephemeral JSON file (`/tmp/lab-bastion/state.json`) that is lost on pod restart
+- labd receives state syncs from bastions but only stores them in memory — the `Server` table in CockroachDB is never written to
+- There is no system to track relationships between resources (servers belong to clusters, clusters run on servers, networks connect servers)
+- The CLI (`labctl`) uses an inconsistent verb-noun structure (`labctl provision list`, `labctl app k3s install`) instead of a uniform resource-oriented pattern
+- RBAC permissions reference resources (server, cloud, environment) but there is no resource registry to validate against
+
+## Vision
+
+A unified resource tracking system where all infrastructure objects (servers, clusters, networks, bastions, VMs) are persisted in CockroachDB via labd, with relationships between them, and managed through a kubectl-style CLI. This replaces the ephemeral JSON state and becomes the single source of truth for the platform.
+
+## Current State
+
+### Database (CockroachDB via Prisma)
+Existing models that are scaffolded but mostly unused:
+- `Server` — hostname, mac, cloud, environment, role, labels, ip, status (0 rows)
+- `Agent` — mTLS certificate enrollment per server (0 rows)
+- `Bastion` — PXE server registration (1 row, labmaster)
+- `Cluster` — k8s cluster metadata (0 rows)
+- `User`, `Role`, `Permission`, `UserRole` — RBAC framework (seeded with 3 roles, 6 permissions)
+- `JoinToken` — agent/bastion enrollment tokens
+- `AuditLog` — action audit trail
+
+### Bastion State (ephemeral JSON)
+Three categories tracked per-bastion:
+- `discovered` — machines found via PXE with hardware info (CPU, RAM, disks, NICs, arch)
+- `install_queue` — machines queued for OS install with progress tracking
+- `installed` — machines with OS installed (hostname, role, IP, OS)
+
+### CLI Structure (current)
+```
+labctl init bastion standalone [start|stop|status]
+labctl provision [list|install|reprovision|forget|logs]
+labctl app [k3s|labcontroller]
+labctl config [list|get|set]
+labctl roles
+labctl doctor
+labctl login
+labctl logs
+```
+
+## Requirements
+
+### 1. Persist Bastion State to Database
+
+When labd receives `bastion-state-sync` messages, it must upsert machines into the `Server` table:
+- Discovered machines → create/update Server with status "discovered", store HardwareInfo as JSON labels
+- Queued machines → update Server status to "provisioning"
+- Installed machines → update Server with hostname, IP, role, OS, status "installed"
+- Track which bastion owns which server (add `bastionId` to Server model)
+- Track hardware info: arch, cpu_model, cpu_cores, memory_gb, disks, nics
+
+The bastion's local JSON state becomes a cache; labd's database is the source of truth. On bastion startup, it should load its state from labd if available.
+
+### 2. Resource Model Expansion
+
+Add new models to the Prisma schema for tracking infrastructure:
+
+**Network** — L2/L3 network segments
+- name, cidr, vlan, gateway, domain, dhcpEnabled
+- Servers have NICs on networks
+
+**ServerNic** — NIC-to-network mapping
+- serverId, networkId, mac, ip, name, state (UP/DOWN)
+- Derived from HardwareInfo during discovery
+
+**ServerDisk** — Disk inventory per server
+- serverId, name, sizeGb, model
+- Derived from HardwareInfo during discovery
+
+**ClusterMember** — Server-to-cluster membership
+- clusterId, serverId, role (control-plane, worker)
+
+### 3. kubectl-style CLI Redesign
+
+Restructure labctl to follow the `mcpctl` / `kubectl` pattern:
+
+```
+# Core CRUD verbs that work on any resource
+labctl get <resource> [name]          # List or get specific resource
+labctl describe <resource> <name>     # Detailed view with relationships
+labctl create <resource> [flags]      # Create a resource
+labctl delete <resource> <name>       # Delete a resource
+labctl edit <resource> <name>         # Edit in $EDITOR
+labctl apply -f <file>                # Declarative apply from YAML
+
+# Resource types (with aliases)
+servers (server, srv)
+clusters (cluster)
+networks (network, net)
+bastions (bastion)
+roles (role)
+users (user)
+tokens (token)
+audit (audit)
+
+# Output formats
+-o table (default), -o json, -o yaml, -o wide
+
+# Examples
+labctl get servers                     # List all servers
+labctl get servers -o wide             # With extra columns (disks, NICs)
+labctl get server labmaster            # Get specific server
+labctl describe server labmaster       # Full details + relationships
+labctl get servers --role worker       # Filter by role
+labctl get servers --status discovered # Filter by status
+labctl get clusters                    # List clusters
+labctl describe cluster lab-k3s        # Cluster members, health
+labctl get networks                    # List networks
+labctl create network --name lab --cidr 192.168.8.0/24 --gateway 192.168.8.1
+
+# Provisioning becomes actions on server resources
+labctl provision <server> --os fedora-43 --role worker   # Queue install
+labctl reprovision <server>                              # Reinstall
+labctl forget <server>                                   # Remove from tracking
+
+# App management stays as-is but simplified
+labctl app install k3s <server>
+labctl app health k3s [server]
+
+# Admin
+labctl bastion start [--foreground]    # Start local bastion
+labctl bastion status                  # Bastion health
+labctl login                           # Auth
+labctl doctor                          # Diagnostics
+```
+
+### 4. Resource Aliases & Resolution
+
+Follow mcpctl's pattern from `shared.ts`:
+- Accept singular, plural, and short aliases: `server`, `servers`, `srv` all resolve to the same resource
+- Accept name or ID: `labctl get server labmaster` or `labctl get server <uuid>`
+- Accept MAC address for servers: `labctl get server 38:05:25:33:e2:e4`
+
+### 5. RBAC Integration
+
+The existing Permission model uses `action:cloud:environment:server` patterns. Wire this into the resource system:
+- CLI commands check permissions before executing
+- `labctl get` respects read permissions (only show resources the user can see)
+- `labctl provision` requires `apply` permission on the target server
+- `labctl delete` requires `destroy` permission
+- Audit all resource operations to the AuditLog table
+
+### 6. Bastion State Directory Fix
+
+Fix the bug where the CLI's `--dir` default (`/tmp/lab-bastion`) overrides the `BASTION_DIR=/data` environment variable. The CLI option should use the env var as its default:
+```typescript
+.option("--dir <dir>", "Bastion data directory", process.env["BASTION_DIR"] ?? "/tmp/lab-bastion")
+```
+
+## Technical Constraints
+
+- Database: CockroachDB with Prisma ORM (already deployed)
+- API: Fastify + WebSocket (labd)
+- CLI: Commander.js (labctl)
+- Auth: mTLS certificates (planned), join tokens (implemented)
+- Monorepo: pnpm workspace with @lab/shared, @lab/bastion, @lab/cli, @lab/labd
+- The bastion-to-labd WebSocket protocol is defined in @lab/shared/protocol
+
+## Success Criteria
+
+1. `labctl get servers` shows all machines (discovered, provisioning, installed) from the database
+2. Server state survives bastion and labd pod restarts
+3. `labctl describe server <name>` shows hardware info, network, cluster membership
+4. Resources have tracked relationships (server→cluster, server→network, bastion→server)
+5. RBAC permissions are enforced on CLI operations
+6. All resource mutations are audit-logged
+7. CLI follows consistent kubectl-style `verb resource [name] [flags]` pattern
diff --git a/bastion/DESIGN-LAB-PLATFORM.md b/bastion/DESIGN-LAB-PLATFORM.md
new file mode 100644
index 0000000..9cbe675
--- /dev/null
+++ b/bastion/DESIGN-LAB-PLATFORM.md
@@ -0,0 +1,355 @@
+# Lab Platform — Design Document
+
+## Vision
+
+A unified infrastructure management platform that replaces Puppet with a modern, Pulumi-based system. Manages bare-metal servers, cloud VMs, and k3s clusters through a single CLI and API.
+
+## Architecture Overview
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│  Developer Workstation (thebeast)                               │
+│                                                                 │
+│  lab CLI                                                        │
+│  ├── lab init bastion standalone start     (PXE provisioning)   │
+│  ├── lab provision install/reprovision     (bare-metal)         │
+│  ├── lab get servers --env production      (query)              │
+│  ├── lab exec <server> -- <command>        (remote execution)   │
+│  ├── lab logs <server>                     (log streaming)      │
+│  ├── lab apply -f infra.ts                 (pulumi via labd)    │
+│  └── lab get roles/users/permissions       (RBAC management)    │
+│                                                                 │
+│  Connects to: labd via mTLS                                    │
+└─────────────────────┬───────────────────────────────────────────┘
+                      │ mTLS (client cert)
+                      ▼
+┌─────────────────────────────────────────────────────────────────┐
+│  labmaster.ad.itaz.eu (infra node, k3s single-node)            │
+│                                                                 │
+│  ┌──────────────────────────────────────────────────────┐      │
+│  │  labd (master daemon)                                 │      │
+│  │  ├── Certificate Authority (issues agent certs)       │      │
+│  │  ├── RBAC Engine (roles, permissions, ACLs)           │      │
+│  │  ├── Agent Registry (connected agents, heartbeats)    │      │
+│  │  ├── Pulumi Executor (runs IaC on behalf of users)    │      │
+│  │  ├── Log Aggregator (receives agent logs)             │      │
+│  │  ├── Module Registry (configuration modules)          │      │
+│  │  └── REST API + WebSocket (agent connections)         │      │
+│  └──────────────────────────────────────────────────────┘      │
+│                                                                 │
+│  ┌──────────────────────────────────────────────────────┐      │
+│  │  bastion (PXE provisioning)                           │      │
+│  │  Running as k3s pod with hostNetwork                  │      │
+│  └──────────────────────────────────────────────────────┘      │
+└──────────┬──────────────────────────────────────────────────────┘
+           │ mTLS (agent certs)
+           ▼
+┌──────────────────────┐  ┌──────────────────────┐  ┌────────────┐
+│  ser9.ad.itaz.eu     │  │  worker-2.ad.itaz.eu │  │  AWS EC2   │
+│  (bare-metal worker) │  │  (bare-metal worker) │  │  instances │
+│                      │  │                      │  │            │
+│  lab-agent           │  │  lab-agent           │  │  lab-agent │
+│  ├── heartbeat       │  │  ├── heartbeat       │  │  ├── ...   │
+│  ├── log shipping    │  │  ├── log shipping    │  │  └── ...   │
+│  ├── exec handler    │  │  ├── exec handler    │  │            │
+│  └── module runner   │  │  └── module runner   │  │            │
+└──────────────────────┘  └──────────────────────┘  └────────────┘
+```
+
+## Components
+
+### 1. labd (Master Daemon)
+
+The central control plane. Runs on labmaster.ad.itaz.eu as a k3s pod.
+
+**Responsibilities:**
+- Certificate Authority — signs agent certificates, manages trust chain
+- Agent Registry — tracks connected agents, heartbeats, status
+- RBAC — roles, permissions, ACLs per user/group/environment/cloud
+- Pulumi Executor — runs Pulumi TypeScript code submitted by users
+- Log Aggregator — receives and stores logs from agents
+- Module Registry — stores and distributes configuration modules
+- REST API — for CLI and external integrations
+- WebSocket — persistent agent connections for real-time commands
+
+**Tech:** Fastify, PostgreSQL (via Prisma, reuse mcpctl patterns), WebSocket
+
+### 2. lab-agent
+
+Lightweight daemon running on every managed machine.
+
+**Responsibilities:**
+- Connect to labd via mTLS (agent certificate)
+- Send heartbeats (status, load, disk, memory)
+- Ship logs (journald → labd)
+- Execute commands on demand (like `kubectl exec`)
+- Run configuration modules (like `puppet agent -tv`)
+- Report module run results
+
+**Tech:** Standalone TypeScript binary (bun compiled), systemd service
+
+### 3. lab CLI (extended)
+
+Extends the existing `lab` CLI with platform management commands.
+
+**New commands:**
+```
+# Server management
+lab get servers                           # List all servers
+lab get servers --env production          # Filter by environment
+lab get servers --cloud baremetal         # Filter by cloud
+lab get servers --label role=k3s-worker   # Filter by label
+lab describe server <name>               # Detailed server info
+lab exec <server> -- <command>           # Remote command execution
+lab logs <server> [-f]                   # Stream server logs
+
+# Infrastructure as Code
+lab apply -f <file.ts>                   # Execute Pulumi code via labd
+lab plan -f <file.ts>                    # Dry-run Pulumi code
+lab destroy -f <file.ts>                 # Tear down resources
+
+# RBAC
+lab get roles                            # List roles
+lab get users                            # List users
+lab create role <name>                   # Create role
+lab bind role <role> --user <user>       # Bind role to user
+lab get permissions                      # List permissions
+
+# Environment/Cloud management
+lab get environments                     # List environments
+lab get clouds                           # List clouds
+lab create environment <name> --cloud <cloud>
+
+# Module management
+lab get modules                          # List available modules
+lab apply module <name> --target <server>  # Apply module to server
+```
+
+### 4. Certificate Authority
+
+Built into labd. Issues and manages certificates for agents and users.
+
+**Flow:**
+```
+1. Agent starts with a join token (one-time or reusable)
+2. Agent generates CSR, sends to labd with token
+3. labd validates token, signs certificate
+4. Agent receives signed cert + CA cert
+5. All future communication uses mTLS
+
+For CLI users:
+1. User runs `lab login` or `lab init`
+2. labd issues a client certificate (or uses existing SSH keys)
+3. CLI uses client cert for all API calls
+```
+
+**Token types:**
+- **One-time token** — for individual bare-metal servers (generated during PXE provision)
+- **Reusable token** — for autoscaling groups (AWS ASG instances use the same token)
+
+### 5. RBAC Model
+
+Reuse mcpctl's RBAC patterns. Hierarchical permissions:
+
+```
+Cloud → Environment → Server → Action
+
+Examples:
+- baremetal:lab:*:exec           — can exec on any lab server
+- baremetal:lab:puppet:*         — full access to puppet server
+- aws:production:*:read         — read-only on all AWS prod servers
+- *:*:*:*                       — superadmin
+```
+
+**Resources:**
+- servers, environments, clouds, modules, roles, users, pulumi-stacks
+
+**Actions:**
+- read, exec, apply, destroy, manage, admin
+
+**Whitelist/Blacklist:**
+- Roles can have `allow` and `deny` rules
+- Deny takes precedence (like AWS IAM)
+
+### 6. Module System
+
+Configuration modules define the desired state of a server.
+
+**Module structure:**
+```
+modules/
+  k3s-server/
+    module.yaml          # Metadata: name, version, targets, deps
+    src/
+      index.ts           # Module entry point
+      install.ts         # Installation logic
+      configure.ts       # Configuration logic
+      health.ts          # Health check
+    tests/
+      install.test.ts
+  k3s-agent/
+    module.yaml
+    src/
+      index.ts
+  labd/
+    module.yaml
+    src/
+      index.ts           # Deploy labd to k3s
+```
+
+**module.yaml:**
+```yaml
+name: k3s-server
+version: 0.1.0
+description: Install and configure k3s server
+targets:
+  roles: [infra]
+  labels:
+    k3s: server
+dependencies:
+  - base-server
+```
+
+**Module sources:**
+- Built-in modules (in this repo, e.g., k3s-server, labd)
+- External modules (separate git repos, pulled by URL)
+- Module registry (future — like Puppet Forge)
+
+### 7. Cloud/Environment Model
+
+```
+Cloud: baremetal
+  └── Environment: lab
+       ├── Server: puppet.ad.itaz.eu (role=infra, labels={k3s=server})
+       ├── Server: ser9.ad.itaz.eu (role=worker, labels={k3s=agent})
+       └── ...
+
+Cloud: aws
+  └── Environment: production
+       ├── Server: i-abc123 (from ASG web-servers)
+       ├── Server: i-def456 (from ASG web-servers)
+       └── ...
+  └── Environment: staging
+       └── ...
+```
+
+Each bastion creates an environment under the `baremetal` cloud. AWS autoscaling groups create environments under the `aws` cloud.
+
+### 8. Pulumi Integration
+
+Users submit Pulumi TypeScript code to labd for execution.
+
+```bash
+# Apply infrastructure code
+lab apply -f infra/k3s-cluster.ts --env lab
+
+# The file is sent to labd, which:
+# 1. Checks RBAC (does user have apply permission for this env?)
+# 2. Creates a Pulumi stack
+# 3. Executes `pulumi up` in a sandboxed environment
+# 4. Streams output back to CLI
+# 5. Stores state in Pulumi backend (local or S3)
+```
+
+**Future AWS extension:**
+```typescript
+// infra/aws-web-servers.ts
+import * as aws from "@pulumi/aws";
+
+const asg = new aws.autoscaling.Group("web-servers", {
+  maxSize: 10,
+  minSize: 2,
+  launchTemplate: { /* ... */ },
+  // User data installs lab-agent with reusable join token
+});
+```
+
+## Project Structure
+
+```
+lab/
+  bastion/                    # Existing — PXE provisioning
+
+  src/
+    shared/                   # @lab/shared — types, constants, RBAC
+    labd/                     # @lab/labd — master daemon
+      src/
+        main.ts
+        server.ts
+        ca/                   # Certificate Authority
+        rbac/                 # RBAC engine (reuse mcpctl patterns)
+        agents/               # Agent registry + WebSocket
+        pulumi/               # Pulumi executor
+        logs/                 # Log aggregation
+        modules/              # Module registry
+        routes/               # REST API
+    agent/                    # @lab/agent — agent daemon
+      src/
+        main.ts
+        connection.ts         # mTLS WebSocket to labd
+        heartbeat.ts
+        executor.ts           # Command execution
+        logs.ts               # Log shipping
+        modules.ts            # Module runner
+    cli/                      # @lab/cli — extends existing CLI
+      src/
+        commands/
+          init/bastion/       # Existing bastion commands
+          provision/          # Existing provision commands
+          get/                # New: get servers/roles/users/etc
+          exec/               # New: remote execution
+          logs/               # New: log streaming
+          apply/              # New: pulumi apply
+          rbac/               # New: role management
+
+  modules/                    # Built-in modules
+    k3s-server/               # Deploy k3s server
+    k3s-agent/                # Deploy k3s agent
+    labd/                     # Deploy labd to k3s
+    lab-agent/                # Deploy lab-agent to servers
+
+  deploy/
+    k3s/                      # Existing k3s manifests for bastion
+    labd/                     # k3s manifests for labd
+```
+
+## Implementation Phases
+
+### Phase 1: Foundation (current + next)
+- [x] Bastion (PXE provisioning) — DONE
+- [x] CLI structure (`lab init/provision`) — DONE
+- [ ] Rename puppet to labmaster, reprovision
+- [ ] Deploy k3s on labmaster
+- [ ] Build labd skeleton (Fastify + Prisma)
+- [ ] Certificate Authority (issue/sign certs)
+- [ ] Agent skeleton (connect, heartbeat)
+
+### Phase 2: Core Platform
+- [ ] RBAC engine (roles, permissions, ACLs)
+- [ ] `lab get servers` with environment/cloud/label filters
+- [ ] `lab exec` remote command execution
+- [ ] `lab logs` streaming
+- [ ] Agent auto-enrollment via PXE provision (join token in kickstart)
+
+### Phase 3: Infrastructure as Code
+- [ ] Module system (define, apply, health check)
+- [ ] k3s-server module (deploy k3s)
+- [ ] labd module (deploy labd to k3s)
+- [ ] Pulumi executor in labd
+- [ ] `lab apply -f` command
+
+### Phase 4: Multi-Cloud
+- [ ] AWS provider (Pulumi-based)
+- [ ] Reusable join tokens for autoscaling groups
+- [ ] Cloud/environment model
+- [ ] Auto-discovery of cloud instances
+
+## Key Design Decisions
+
+1. **Pulumi over Puppet** — TypeScript-native, same language for IaC and platform code
+2. **mTLS over SSH** — proper PKI, scalable, no key management per-server
+3. **Agents connect to master** (not master pushing to agents) — works through NATs, firewalls
+4. **RBAC from day one** — security-first, deny by default
+5. **Module system inspired by Puppet** — declarative, testable, versionable
+6. **Multi-cloud extensible** — cloud is just a label, provider is pluggable
+7. **Reuse mcpctl patterns** — Prisma DB, Fastify routes, CLI structure, RBAC model
diff --git a/bastion/Dockerfile.bastion b/bastion/Dockerfile.bastion
new file mode 100644
index 0000000..a84edf9
--- /dev/null
+++ b/bastion/Dockerfile.bastion
@@ -0,0 +1,93 @@
+# Dockerfile.bastion -- PXE boot server (dnsmasq DHCP/TFTP + HTTP)
+# Requires host networking and NET_ADMIN/NET_RAW capabilities.
+
+# ── Stage 1: Build ───────────────────────────────────────────────
+FROM node:22-alpine AS builder
+
+RUN corepack enable && corepack prepare pnpm@9.15.0 --activate
+
+WORKDIR /app
+
+# Copy workspace config and package manifests first (layer cache)
+COPY pnpm-workspace.yaml pnpm-lock.yaml package.json tsconfig.base.json tsconfig.json ./
+COPY src/shared/package.json   src/shared/tsconfig.json   src/shared/
+COPY src/bastion/package.json  src/bastion/tsconfig.json  src/bastion/
+COPY src/cli/package.json      src/cli/tsconfig.json      src/cli/
+COPY src/modules/package.json  src/modules/tsconfig.json  src/modules/
+
+# Install all dependencies (dev included -- needed for build)
+RUN pnpm install --frozen-lockfile
+
+# Copy source code
+COPY src/shared/src/  src/shared/src/
+COPY src/bastion/src/ src/bastion/src/
+COPY src/cli/src/     src/cli/src/
+COPY src/modules/src/ src/modules/src/
+COPY src/modules/modules/ src/modules/modules/
+
+# Build TypeScript
+RUN pnpm build
+
+# ── Stage 1b: Build iPXE snp.efi (uses UEFI SNP protocol for ISO boot) ──
+FROM fedora:43 AS ipxe-builder
+
+RUN dnf install -y git gcc make perl-interpreter xz-devel gcc-aarch64-linux-gnu && dnf clean all
+RUN git clone --depth=1 https://github.com/ipxe/ipxe.git /tmp/ipxe
+RUN cd /tmp/ipxe/src && make bin-x86_64-efi/snp.efi && \
+    make CROSS_COMPILE=aarch64-linux-gnu- bin-arm64-efi/snp.efi
+
+# ── Stage 2: Production runtime (Fedora -- needs dnsmasq) ───────
+FROM fedora:43
+
+RUN dnf install -y \
+    dnsmasq \
+    ipxe-bootimgs-x86 \
+    ipxe-bootimgs-aarch64 \
+    iproute \
+    curl \
+    openssh-clients \
+    nodejs \
+    npm \
+    xorriso \
+    mtools \
+    && dnf clean all
+
+# iPXE snp.efi built from source (Fedora only ships snponly, which can't
+# boot from CD-ROM/USB -- it requires PXE chainloading)
+COPY --from=ipxe-builder /tmp/ipxe/src/bin-x86_64-efi/snp.efi /usr/share/ipxe/ipxe-snp-x86_64.efi
+COPY --from=ipxe-builder /tmp/ipxe/src/bin-arm64-efi/snp.efi /usr/share/ipxe/arm64-efi/ipxe-snp.efi
+
+# Install pnpm
+RUN npm install -g pnpm@9
+
+WORKDIR /app
+
+# Copy workspace config and package manifests
+COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
+COPY src/shared/package.json  src/shared/
+COPY src/bastion/package.json src/bastion/
+COPY src/cli/package.json     src/cli/
+COPY src/modules/package.json src/modules/
+
+# Install production dependencies
+RUN pnpm install --frozen-lockfile --prod 2>/dev/null || pnpm install --prod
+
+# Copy built output from builder
+COPY --from=builder /app/src/shared/dist/  src/shared/dist/
+COPY --from=builder /app/src/bastion/dist/ src/bastion/dist/
+COPY --from=builder /app/src/cli/dist/     src/cli/dist/
+COPY --from=builder /app/src/modules/dist/ src/modules/dist/
+
+# Create data directories
+RUN mkdir -p /data/state /data/tftp /data/http
+
+ENV NODE_ENV=production
+ENV BASTION_DIR=/data
+ENV HTTP_PORT=8080
+
+EXPOSE 8080/tcp
+EXPOSE 67/udp
+EXPOSE 69/udp
+EXPOSE 4011/udp
+
+ENTRYPOINT ["node", "src/cli/dist/index.js", "init", "bastion", "standalone", "start", "--foreground"]
diff --git a/bastion/Dockerfile.labd b/bastion/Dockerfile.labd
new file mode 100644
index 0000000..50f7305
--- /dev/null
+++ b/bastion/Dockerfile.labd
@@ -0,0 +1,73 @@
+# Dockerfile.labd -- multi-stage build for the labd master daemon
+# Runs the Fastify API server with Prisma/CockroachDB backend.
+
+# ── Stage 1: Build ───────────────────────────────────────────────
+FROM node:22-alpine AS builder
+
+RUN corepack enable && corepack prepare pnpm@9.15.0 --activate
+
+WORKDIR /app
+
+# Copy workspace config and package manifests first (layer cache)
+COPY pnpm-workspace.yaml pnpm-lock.yaml package.json tsconfig.base.json tsconfig.json ./
+COPY src/shared/package.json src/shared/tsconfig.json src/shared/
+COPY src/labd/package.json   src/labd/tsconfig.json   src/labd/
+
+# Install all dependencies (dev included -- needed for build)
+RUN pnpm install --frozen-lockfile
+
+# Copy Prisma schema and generate client
+COPY src/labd/prisma/ src/labd/prisma/
+RUN pnpm --filter @lab/labd exec prisma generate
+
+# Copy source code
+COPY src/shared/src/ src/shared/src/
+COPY src/labd/src/   src/labd/src/
+
+# Build TypeScript (shared first via project references)
+RUN pnpm --filter @lab/shared build && pnpm --filter @lab/labd build
+
+# Hoist the generated Prisma client so stage 2 can COPY it from a stable path
+RUN mkdir -p /app/_prisma && \
+    cp -r $(find /app/node_modules/.pnpm -path '*/.prisma/client' -type d | head -1) /app/_prisma/client
+
+# ── Stage 2: Production runtime ─────────────────────────────────
+FROM node:22-alpine
+
+RUN corepack enable && corepack prepare pnpm@9.15.0 --activate
+
+WORKDIR /app
+
+# Copy workspace config and package manifests
+COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
+COPY src/shared/package.json src/shared/
+COPY src/labd/package.json   src/labd/
+
+# Install production dependencies only
+RUN pnpm install --frozen-lockfile --prod 2>/dev/null || pnpm install --prod
+
+# Copy built output from builder
+COPY --from=builder /app/src/shared/dist/ src/shared/dist/
+COPY --from=builder /app/src/labd/dist/   src/labd/dist/
+
+# Copy Prisma schema + generated client into pnpm store location
+# Prisma expects .prisma/client as a sibling of @prisma/ in the same node_modules
+COPY --from=builder /app/src/labd/prisma/ src/labd/prisma/
+COPY --from=builder /app/_prisma/client/ /tmp/_prisma_client/
+RUN PRISMA_CLIENT_DIR=$(find /app/node_modules/.pnpm -path '*/@prisma/client' -type d | head -1) && \
+    NM_DIR="$(dirname "$(dirname "$PRISMA_CLIENT_DIR")")" && \
+    mkdir -p "$NM_DIR/.prisma/client" && \
+    cp -r /tmp/_prisma_client/* "$NM_DIR/.prisma/client/" && \
+    echo "Installed Prisma generated client at: $NM_DIR/.prisma/client/" && \
+    rm -rf /tmp/_prisma_client
+
+ENV NODE_ENV=production
+ENV DATABASE_URL=postgresql://root@cockroachdb:26257/labctl?sslmode=disable
+ENV LABD_PORT=3100
+ENV LABD_HOST=0.0.0.0
+
+EXPOSE 3100
+
+USER node
+
+ENTRYPOINT ["node", "src/labd/dist/main.js"]
diff --git a/bastion/README.md b/bastion/README.md
new file mode 100644
index 0000000..b6e5eae
--- /dev/null
+++ b/bastion/README.md
@@ -0,0 +1,358 @@
+# labctl
+
+Infrastructure management platform for bare-metal servers, Kubernetes clusters, and cloud resources.
+
+## Install
+
+```bash
+# From Gitea packages (Fedora/RHEL)
+sudo dnf config-manager --add-repo https://mysources.co.uk/michal/-/packages/rpm/
+sudo dnf install labctl
+
+# From source
+cd bastion && pnpm install && pnpm build
+bun build src/cli/src/index.ts --compile --outfile dist/labctl
+sudo cp dist/labctl /usr/bin/labctl
+```
+
+## Quick Start
+
+```bash
+# Start the bastion (PXE provisioning server)
+sudo labctl init bastion standalone start
+
+# PXE boot a machine — it gets discovered automatically
+labctl provision list
+
+# Install Fedora on a discovered machine
+labctl provision install 78:55:36:08:35:14 labmaster --role infra
+
+# Reprovision (SSH reboot into PXE, preserves /home /srv /var/lib/rancher)
+labctl provision reprovision 78:55:36:08:35:14 labmaster --role infra
+```
+
+## Commands
+
+### Bastion (PXE Provisioning)
+
+```bash
+# Lifecycle
+sudo labctl init bastion standalone start              # Start bastion (daemonized)
+sudo labctl init bastion standalone start --foreground  # Start in foreground
+sudo labctl init bastion standalone stop                # Stop bastion
+labctl init bastion standalone status                   # Show status, PID, machine count
+
+# Options
+sudo labctl init bastion standalone start \
+  --port 8080 \
+  --dir /tmp/lab-bastion \
+  --domain ad.itaz.eu \
+  --dhcp-mode proxy \
+  --fedora 43 \
+  --timezone Europe/London
+```
+
+### Provisioning
+
+```bash
+# List all machines (discovered, queued, installing, installed)
+labctl provision list
+
+# Queue a machine for Fedora install
+labctl provision install <mac> <hostname> --role worker   # k3s worker (gets longhorn)
+labctl provision install <mac> <hostname> --role infra    # infra node (gets k3s server + /var/lib/rancher)
+
+# Reprovision — queues install, SSHes in, sets PXE boot, reboots
+labctl provision reprovision <mac> <hostname> --role infra
+
+# Remove a machine from state
+labctl provision forget <mac>
+
+# Options
+labctl provision install <mac> <hostname> \
+  --role worker \
+  --disk nvme0n1 \
+  --port 8080
+```
+
+### Server Management (planned)
+
+```bash
+# List servers with filters
+labctl get servers
+labctl get servers --env production
+labctl get servers --cloud baremetal
+labctl get servers --cloud aws
+labctl get servers --label role=k3s-worker
+labctl get servers --label asg=web-servers
+
+# Detailed server info
+labctl describe server/puppet
+labctl describe server/ser9
+```
+
+### Remote Execution (planned)
+
+```bash
+# Execute commands on servers (audited, RBAC-checked)
+labctl exec server/puppet -- whoami
+labctl exec server/puppet -- systemctl status k3s
+labctl exec server/puppet -it -- bash              # interactive TTY
+labctl exec server/puppet --timeout 30s -- long-running-task
+```
+
+### Kubernetes (planned)
+
+```bash
+# Proxied kubectl — audited, RBAC-checked, no kubeconfig needed
+labctl kubectl --cluster lab get pods
+labctl kubectl --cluster lab get nodes
+labctl kubectl --cluster lab logs pod/nginx -f
+labctl kubectl --cluster lab exec pod/nginx -- bash
+labctl kubectl --cluster lab apply -f deployment.yaml
+labctl kubectl --cluster aws-prod get pods --namespace app
+
+# Cluster management
+labctl clusters add lab --kubeconfig ~/.kube/config
+labctl clusters list
+labctl clusters remove staging
+```
+
+### Logs (planned)
+
+```bash
+# Server logs (journalctl passthrough via agent)
+labctl logs server/puppet                                    # all journal
+labctl logs server/puppet -f                                 # follow (live stream)
+labctl logs server/puppet -n 100                             # last 100 lines
+labctl logs server/puppet -u k3s                             # specific unit
+labctl logs server/puppet -u sshd --since "1h ago"           # time range
+labctl logs server/puppet --since "2026-03-17" --until "2026-03-18"
+labctl logs server/puppet -k                                 # kernel only
+labctl logs server/puppet -p err                             # errors only
+labctl logs server/puppet --file /var/log/nginx/error.log    # tail a file
+labctl logs server/puppet --file /var/log/nginx/error.log -n 50
+
+# App logs (k8s pod logs)
+labctl logs app/bastion
+labctl logs app/bastion -f
+labctl logs app/labd --container postgres
+
+# Pulumi execution logs
+labctl logs pulumi/run-abc123
+labctl logs pulumi/run-abc123 -f                             # follow active run
+
+# Bastion logs
+labctl logs bastion/lab
+labctl logs bastion/lab --mac 78:55:36:08:35:14              # specific machine's install
+
+# Agent daemon logs
+labctl logs agent/puppet
+
+# Audit logs
+labctl logs audit
+labctl logs audit --user michal
+labctl logs audit --user michal --since "1h ago"
+labctl logs audit/michal-20260317-abc123                     # specific session
+labctl logs audit --action kubectl --cluster lab
+labctl logs audit --action exec --server puppet
+```
+
+### Apps (planned, replaces Helm)
+
+```bash
+# Install Pulumi-based apps to Kubernetes
+labctl apps list                                  # available apps
+labctl apps install bastion                       # deploy bastion
+labctl apps install bastion --set port=8080       # with overrides
+labctl apps install bastion -f values.yaml        # from values file
+labctl apps install monitoring                    # Prometheus + Grafana
+
+# Manage deployed apps
+labctl apps status bastion                        # health, version, config
+labctl apps upgrade bastion                       # rolling upgrade
+labctl apps history bastion                       # version history
+labctl apps rollback bastion 2                    # rollback to version 2
+labctl apps uninstall bastion
+```
+
+### Infrastructure as Code (planned)
+
+```bash
+# Execute Pulumi programs via labd (RBAC-checked)
+labctl apply -f infra/k3s-cluster.ts --env lab
+labctl plan -f infra/k3s-cluster.ts --env lab     # dry run
+labctl destroy -f infra/k3s-cluster.ts --env lab
+```
+
+### RBAC (planned)
+
+```bash
+# Roles and permissions
+labctl get roles
+labctl get users
+labctl create role viewer --allow "read:*:*:*"
+labctl create role lab-admin --allow "*:baremetal:lab:*" --deny "destroy:*:*:*"
+labctl bind role lab-admin --user michal
+labctl unbind role lab-admin --user michal
+
+# Permission model: action:cloud:environment:server
+#   read:*:*:*                   — read everything
+#   exec:baremetal:lab:*         — exec on any lab server
+#   kubectl:*:*:*                — kubectl on any cluster
+#   *:baremetal:lab:puppet       — full access to puppet only
+#   manage:*:*:*                 — manage apps, clusters, tokens
+```
+
+### Environments and Clouds (planned)
+
+```bash
+labctl get environments
+labctl get clouds
+labctl create environment staging --cloud aws
+labctl create environment lab --cloud baremetal
+```
+
+## Partition Layout
+
+Machines installed by the bastion get this LVM layout:
+
+### Worker role (k3s worker with Longhorn)
+```
+/boot/efi       600MB     EFI
+/boot           3GB       ext4
+                ── LVM VG: labvg ──
+  swap          27GB      (matches RAM)
+  /             33GB      xfs
+  /var          100GB     xfs
+  /var/log      10GB      xfs
+  /home         10GB      xfs         ← preserved on reprovision
+  /srv          20GB      xfs         ← preserved on reprovision
+  /tmp          tmpfs 4GB
+  /var/lib/longhorn  rest  xfs        ← preserved on reprovision (Longhorn PVC storage)
+```
+
+### Infra role (k3s server, labmaster)
+```
+/boot/efi       600MB     EFI
+/boot           3GB       ext4
+                ── LVM VG: labvg ──
+  swap          27GB      (matches RAM)
+  /             33GB      xfs
+  /var          100GB     xfs
+  /var/log      10GB      xfs
+  /home         10GB      xfs         ← preserved on reprovision
+  /srv          20GB      xfs         ← preserved on reprovision
+  /var/lib/rancher  20GB  xfs         ← preserved on reprovision (k3s etcd data)
+  /tmp          tmpfs 4GB
+```
+
+On reprovision, OS partitions (`/`, `/var`, `/var/log`, `swap`) are wiped. Data partitions (`/home`, `/srv`, `/var/lib/longhorn`, `/var/lib/rancher`) are preserved.
+
+## Architecture
+
+```
+┌──────────────────────────────────────────────────────────────┐
+│  labctl CLI                                                   │
+│  init | provision | get | exec | logs | apply | apps | kubectl│
+└───────────────────────────┬──────────────────────────────────┘
+                            │ mTLS
+                            ▼
+┌──────────────────────────────────────────────────────────────┐
+│  labd (master daemon — stateless, on k3s)                    │
+│  ┌─────┐ ┌──────┐ ┌──────┐ ┌────────┐ ┌──────┐ ┌────────┐ │
+│  │ CA  │ │ RBAC │ │ Logs │ │ Pulumi │ │ Apps │ │kubectl │ │
+│  │     │ │      │ │relay │ │executor│ │      │ │ proxy  │ │
+│  └─────┘ └──────┘ └──────┘ └────────┘ └──────┘ └────────┘ │
+│                        CockroachDB                           │
+└──────────────┬─────────────────────────┬─────────────────────┘
+               │ mTLS                    │ mTLS
+    ┌──────────▼───────────┐  ┌──────────▼───────────┐
+    │  lab-agent            │  │  lab-agent            │
+    │  bare-metal server   │  │  AWS EC2 / cloud VM   │
+    │  ┌────────────────┐  │  │  ┌────────────────┐  │
+    │  │ heartbeat      │  │  │  │ heartbeat      │  │
+    │  │ exec handler   │  │  │  │ exec handler   │  │
+    │  │ log streamer   │  │  │  │ log streamer   │  │
+    │  │ module runner  │  │  │  │ module runner  │  │
+    │  └────────────────┘  │  │  └────────────────┘  │
+    └──────────────────────┘  └──────────────────────┘
+```
+
+## Technology Stack
+
+| Component | Technology |
+|-----------|-----------|
+| Language | TypeScript (ESM) |
+| CLI | Commander.js |
+| HTTP Server | Fastify + WebSocket |
+| Database | CockroachDB (PostgreSQL compatible) |
+| ORM | Prisma |
+| IaC | Pulumi (TypeScript) |
+| k8s CNI | Cilium |
+| Auth | mTLS (built-in CA) |
+| Packaging | nfpm (RPM/DEB), bun compile |
+| Containers | Podman + podman-compose |
+| CI/CD | Gitea Actions |
+| Testing | Vitest |
+
+## Development
+
+```bash
+cd bastion
+
+# Install dependencies
+pnpm install
+
+# Build all packages
+pnpm build
+
+# Run tests (30 tests)
+pnpm test:run
+
+# Type check
+pnpm typecheck
+
+# Lint
+pnpm lint
+
+# Generate shell completions
+pnpm completions:generate
+
+# Build standalone binary
+bun build src/cli/src/index.ts --compile --outfile dist/labctl
+
+# Build RPM/DEB packages (both architectures)
+bash scripts/build-rpm.sh --all
+
+# Build Docker image
+bash scripts/build-bastion.sh
+
+# Full release (build + publish + install)
+bash scripts/release.sh
+```
+
+## Project Structure
+
+```
+bastion/
+├── src/
+│   ├── shared/          # @lab/shared — types, constants
+│   ├── bastion/         # @lab/bastion — PXE provisioning server
+│   ├── cli/             # @lab/cli — CLI binary (labctl)
+│   ├── labd/            # @lab/labd — master daemon (planned)
+│   └── agent/           # @lab/agent — server agent (planned)
+├── modules/             # Built-in configuration modules (planned)
+├── deploy/
+│   └── k3s/             # Kubernetes manifests
+├── stack/
+│   ├── Dockerfile
+│   └── docker-compose.yml
+├── scripts/             # Build, publish, release scripts
+├── completions/         # Generated shell completions
+└── ARCHITECTURE.md
+```
+
+## License
+
+MIT
diff --git a/bastion/completions/labctl.bash b/bastion/completions/labctl.bash
new file mode 100644
index 0000000..f7d4743
--- /dev/null
+++ b/bastion/completions/labctl.bash
@@ -0,0 +1,121 @@
+# labctl bash completions -- auto-generated by scripts/generate-completions.ts
+# DO NOT EDIT MANUALLY -- run: pnpm completions:generate
+
+_labctl() {
+  local cur prev words cword
+  _init_completion || return
+
+  local top_commands="version init provision config login doctor app roles"
+
+  # Extract the subcommand chain (skip options and their values)
+  local -a subcmd_chain=()
+  local i skip_next=false
+  for ((i=1; i < cword; i++)); do
+    if $skip_next; then skip_next=false; continue; fi
+    case "${words[i]}" in
+      -*) ;;  # skip options
+      *) subcmd_chain+=("${words[i]}") ;;
+    esac
+  done
+
+  local chain_len=${#subcmd_chain[@]}
+  local chain_str="${subcmd_chain[*]}"
+
+  case "$chain_str" in
+    "init bastion standalone start")
+      COMPREPLY=($(compgen -W "--port --dir --domain --dhcp-mode --fedora --arch --timezone --locale --skip-dnsmasq --skip-artifacts --foreground -h --help" -- "$cur"))
+      return ;;
+    "init bastion standalone stop")
+      COMPREPLY=($(compgen -W "--dir -h --help" -- "$cur"))
+      return ;;
+    "init bastion standalone status")
+      COMPREPLY=($(compgen -W "--dir --port -h --help" -- "$cur"))
+      return ;;
+    "init bastion standalone")
+      COMPREPLY=($(compgen -W "start stop status -h --help" -- "$cur"))
+      return ;;
+    "app labcontroller deploy")
+      COMPREPLY=($(compgen -W "--user --port --crdb-replicas -h --help" -- "$cur"))
+      return ;;
+    "app labcontroller status")
+      COMPREPLY=($(compgen -W "--user --port -h --help" -- "$cur"))
+      return ;;
+    "app k3s install")
+      COMPREPLY=($(compgen -W "--role --user --port --k3s-server --k3s-token -h --help" -- "$cur"))
+      return ;;
+    "app k3s health")
+      COMPREPLY=($(compgen -W "--user --port -h --help" -- "$cur"))
+      return ;;
+    "app k3s list")
+      COMPREPLY=($(compgen -W "--user --port -h --help" -- "$cur"))
+      return ;;
+    "init bastion")
+      COMPREPLY=($(compgen -W "standalone -h --help" -- "$cur"))
+      return ;;
+    "provision list")
+      COMPREPLY=($(compgen -W "--port -h --help" -- "$cur"))
+      return ;;
+    "provision install")
+      COMPREPLY=($(compgen -W "--role --os --disk --port -h --help" -- "$cur"))
+      return ;;
+    "provision reprovision")
+      COMPREPLY=($(compgen -W "--role --os --disk --port -h --help" -- "$cur"))
+      return ;;
+    "provision forget")
+      COMPREPLY=($(compgen -W "--port -h --help" -- "$cur"))
+      return ;;
+    "provision logs")
+      COMPREPLY=($(compgen -W "-f --follow --port -h --help" -- "$cur"))
+      return ;;
+    "config list")
+      COMPREPLY=($(compgen -W "-h --help" -- "$cur"))
+      return ;;
+    "config get")
+      COMPREPLY=($(compgen -W "-h --help" -- "$cur"))
+      return ;;
+    "config set")
+      COMPREPLY=($(compgen -W "-h --help" -- "$cur"))
+      return ;;
+    "config path")
+      COMPREPLY=($(compgen -W "-h --help" -- "$cur"))
+      return ;;
+    "app labcontroller")
+      COMPREPLY=($(compgen -W "deploy status -h --help" -- "$cur"))
+      return ;;
+    "app k3s")
+      COMPREPLY=($(compgen -W "install health list -h --help" -- "$cur"))
+      return ;;
+    "version")
+      COMPREPLY=($(compgen -W "-h --help" -- "$cur"))
+      return ;;
+    "init")
+      COMPREPLY=($(compgen -W "bastion -h --help" -- "$cur"))
+      return ;;
+    "provision")
+      COMPREPLY=($(compgen -W "list install reprovision forget logs -h --help" -- "$cur"))
+      return ;;
+    "config")
+      COMPREPLY=($(compgen -W "list get set path -h --help" -- "$cur"))
+      return ;;
+    "login")
+      COMPREPLY=($(compgen -W "--server -h --help" -- "$cur"))
+      return ;;
+    "doctor")
+      COMPREPLY=($(compgen -W "--json -h --help" -- "$cur"))
+      return ;;
+    "app")
+      COMPREPLY=($(compgen -W "labcontroller k3s -h --help" -- "$cur"))
+      return ;;
+    "roles")
+      COMPREPLY=($(compgen -W "-h --help" -- "$cur"))
+      return ;;
+    "")
+      COMPREPLY=($(compgen -W "$top_commands -h --help -v --version" -- "$cur"))
+      return ;;
+    *)
+      COMPREPLY=($(compgen -W "-h --help" -- "$cur"))
+      return ;;
+  esac
+}
+
+complete -F _labctl labctl
diff --git a/bastion/completions/labctl.fish b/bastion/completions/labctl.fish
new file mode 100644
index 0000000..832ad8e
--- /dev/null
+++ b/bastion/completions/labctl.fish
@@ -0,0 +1,202 @@
+# labctl fish completions -- auto-generated by scripts/generate-completions.ts
+# DO NOT EDIT MANUALLY -- run: pnpm completions:generate
+
+complete -c labctl -e
+complete -c labctl -f
+
+# Global options
+complete -c labctl -s v -l version -d 'Show version'
+complete -c labctl -s h -l help -d 'Show help'
+
+# Helper: test if exactly a subcommand chain is active (no extra positional args)
+function __labctl_using_cmd
+    set -l tokens (commandline -opc)
+    set -l expected $argv
+    set -l depth (count $expected)
+    set -l found 0
+    set -l i 1
+    for tok in $tokens[2..]
+        if string match -q -- "-*" $tok
+            continue
+        end
+        set i (math $i + 1)
+        set -l idx (math $i - 1)
+        if test $idx -le $depth
+            if test "$tok" != "$expected[$idx]"
+                return 1
+            end
+            set found (math $found + 1)
+        else
+            return 1
+        end
+    end
+    test $found -eq $depth
+end
+
+# Helper: test if command starts with a subcommand chain (options still apply after args)
+function __labctl_in_cmd
+    set -l tokens (commandline -opc)
+    set -l expected $argv
+    set -l depth (count $expected)
+    set -l found 0
+    for tok in $tokens[2..]
+        if string match -q -- "-*" $tok
+            continue
+        end
+        set found (math $found + 1)
+        if test $found -le $depth
+            if test "$tok" != "$expected[$found]"
+                return 1
+            end
+        end
+    end
+    test $found -ge $depth
+end
+
+# Dynamic: fetch machine hostnames from bastion (installed + queued)
+function __labctl_installed_hosts
+    curl -s http://localhost:8080/api/machines 2>/dev/null | 
+        python3 -c 'import sys,json; d=json.load(sys.stdin); hosts=[v.get("hostname","") for v in {**d.get("install_queue",{}), **d.get("installed",{})}.values() if v.get("hostname")]; [print(h) for h in set(hosts)]' 2>/dev/null
+end
+
+# Dynamic: fetch all known MAC addresses (discovered + queue + installed)
+function __labctl_known_macs
+    curl -s http://localhost:8080/api/machines 2>/dev/null | 
+        python3 -c 'import sys,json; d=json.load(sys.stdin); [print(k) for k in {**d.get("discovered",{}), **d.get("install_queue",{}), **d.get("installed",{})}]' 2>/dev/null
+end
+
+# Dynamic: fetch hostnames and MACs from all states
+function __labctl_hosts_and_macs
+    curl -s http://localhost:8080/api/machines 2>/dev/null | 
+        python3 -c 'import sys,json; d=json.load(sys.stdin); a={**d.get("discovered",{}), **d.get("install_queue",{}), **d.get("installed",{})}; macs=list(a.keys()); hosts=[v.get("hostname","") for v in {**d.get("install_queue",{}), **d.get("installed",{})}.values() if v.get("hostname")]; [print(x) for x in set(macs+hosts)]' 2>/dev/null
+end
+
+# Target argument completions
+complete -c labctl -n "__labctl_using_cmd app k3s install" -a "(__labctl_installed_hosts)" -d 'installed host'
+complete -c labctl -n "__labctl_using_cmd app k3s health" -a "(__labctl_installed_hosts)" -d 'installed host'
+complete -c labctl -n "__labctl_using_cmd app labcontroller deploy" -a "(__labctl_installed_hosts)" -d 'installed host'
+complete -c labctl -n "__labctl_using_cmd app labcontroller status" -a "(__labctl_installed_hosts)" -d 'installed host'
+complete -c labctl -n "__labctl_using_cmd provision install" -a "(__labctl_known_macs)" -d 'MAC address'
+complete -c labctl -n "__labctl_using_cmd provision reprovision" -a "(__labctl_hosts_and_macs)" -d 'host or MAC'
+complete -c labctl -n "__labctl_using_cmd provision forget" -a "(__labctl_hosts_and_macs)" -d 'host or MAC'
+complete -c labctl -n "__labctl_using_cmd provision logs" -a "(__labctl_hosts_and_macs)" -d 'host or MAC'
+
+# Top-level commands
+complete -c labctl -n "not __fish_seen_subcommand_from version init provision config login doctor app roles" -a version -d 'Show version information'
+complete -c labctl -n "not __fish_seen_subcommand_from version init provision config login doctor app roles" -a init -d 'Initialise infrastructure components'
+complete -c labctl -n "not __fish_seen_subcommand_from version init provision config login doctor app roles" -a provision -d 'Machine provisioning operations'
+complete -c labctl -n "not __fish_seen_subcommand_from version init provision config login doctor app roles" -a config -d 'View and modify CLI configuration'
+complete -c labctl -n "not __fish_seen_subcommand_from version init provision config login doctor app roles" -a login -d 'Authenticate with labd and obtain client certificate'
+complete -c labctl -n "not __fish_seen_subcommand_from version init provision config login doctor app roles" -a doctor -d 'Diagnose configuration and connectivity issues'
+complete -c labctl -n "not __fish_seen_subcommand_from version init provision config login doctor app roles" -a app -d 'Application management'
+complete -c labctl -n "not __fish_seen_subcommand_from version init provision config login doctor app roles" -a roles -d 'List available machine roles'
+
+# init subcommands
+complete -c labctl -n "__labctl_using_cmd init" -a bastion -d 'Bastion PXE server management'
+
+# init bastion subcommands
+complete -c labctl -n "__labctl_using_cmd init bastion" -a standalone -d 'Standalone bastion server lifecycle'
+
+# init bastion standalone subcommands
+complete -c labctl -n "__labctl_using_cmd init bastion standalone" -a start -d 'Start the bastion server (HTTP + dnsmasq PXE)'
+complete -c labctl -n "__labctl_using_cmd init bastion standalone" -a stop -d 'Stop a running bastion server'
+complete -c labctl -n "__labctl_using_cmd init bastion standalone" -a status -d 'Show bastion server status'
+
+# init bastion standalone start options
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l port -d 'HTTP port' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l dir -d 'Bastion data directory' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l domain -d 'Internal domain for hostnames' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l dhcp-mode -d 'DHCP mode: proxy or full' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l fedora -d 'Fedora version' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l arch -d 'Architecture' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l timezone -d 'Timezone' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l locale -d 'Locale' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l skip-dnsmasq -d 'Skip starting dnsmasq (for testing)'
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l skip-artifacts -d 'Skip downloading boot artifacts (for testing)'
+complete -c labctl -n "__labctl_in_cmd init bastion standalone start" -l foreground -d 'Run in foreground (default: daemonize)'
+
+# init bastion standalone stop options
+complete -c labctl -n "__labctl_in_cmd init bastion standalone stop" -l dir -d 'Bastion data directory' -x
+
+# init bastion standalone status options
+complete -c labctl -n "__labctl_in_cmd init bastion standalone status" -l dir -d 'Bastion data directory' -x
+complete -c labctl -n "__labctl_in_cmd init bastion standalone status" -l port -d 'Bastion HTTP port' -x
+
+# provision subcommands
+complete -c labctl -n "__labctl_using_cmd provision" -a list -d 'List all known machines'
+complete -c labctl -n "__labctl_using_cmd provision" -a install -d 'Queue a discovered machine for OS installation'
+complete -c labctl -n "__labctl_using_cmd provision" -a reprovision -d 'Queue install + SSH reboot into PXE (target: hostname, MAC, or IP)'
+complete -c labctl -n "__labctl_using_cmd provision" -a forget -d 'Remove a machine from bastion state'
+complete -c labctl -n "__labctl_using_cmd provision" -a logs -d 'Show provisioning logs for a machine (hostname, MAC, or IP)'
+
+# provision list options
+complete -c labctl -n "__labctl_in_cmd provision list" -l port -d 'Bastion HTTP port' -x
+
+# provision install options
+complete -c labctl -n "__labctl_in_cmd provision install" -l role -d 'Machine role (see below)' -xa 'vanilla worker infra labcontroller'
+complete -c labctl -n "__labctl_in_cmd provision install" -l os -d 'Operating system' -xa 'fedora-43 ubuntu-26.04'
+complete -c labctl -n "__labctl_in_cmd provision install" -l disk -d 'Target disk device (auto-detect if omitted)' -x
+complete -c labctl -n "__labctl_in_cmd provision install" -l port -d 'Bastion HTTP port' -x
+
+# provision reprovision options
+complete -c labctl -n "__labctl_in_cmd provision reprovision" -l role -d 'Machine role (see below)' -xa 'vanilla worker infra labcontroller'
+complete -c labctl -n "__labctl_in_cmd provision reprovision" -l os -d 'Operating system' -xa 'fedora-43 ubuntu-26.04'
+complete -c labctl -n "__labctl_in_cmd provision reprovision" -l disk -d 'Target disk device (auto-detect if omitted)' -x
+complete -c labctl -n "__labctl_in_cmd provision reprovision" -l port -d 'Bastion HTTP port' -x
+
+# provision forget options
+complete -c labctl -n "__labctl_in_cmd provision forget" -l port -d 'Bastion HTTP port' -x
+
+# provision logs options
+complete -c labctl -n "__labctl_in_cmd provision logs" -s f -l follow -d 'Follow logs in real-time (SSE stream)'
+complete -c labctl -n "__labctl_in_cmd provision logs" -l port -d 'Bastion HTTP port' -x
+
+# config subcommands
+complete -c labctl -n "__labctl_using_cmd config" -a list -d 'Show all configuration values'
+complete -c labctl -n "__labctl_using_cmd config" -a get -d 'Get a configuration value'
+complete -c labctl -n "__labctl_using_cmd config" -a set -d 'Set a configuration value'
+complete -c labctl -n "__labctl_using_cmd config" -a path -d 'Show configuration file path'
+
+# login options
+complete -c labctl -n "__labctl_in_cmd login" -l server -d 'labd server URL' -x
+
+# doctor options
+complete -c labctl -n "__labctl_in_cmd doctor" -l json -d 'Output results as JSON'
+
+# app subcommands
+complete -c labctl -n "__labctl_using_cmd app" -a labcontroller -d 'Labcontroller deployment (bastion + labd + CockroachDB)'
+complete -c labctl -n "__labctl_using_cmd app" -a k3s -d 'k3s cluster management'
+
+# app labcontroller subcommands
+complete -c labctl -n "__labctl_using_cmd app labcontroller" -a deploy -d 'Deploy labcontroller stack to a k3s node'
+complete -c labctl -n "__labctl_using_cmd app labcontroller" -a status -d 'Check labcontroller deployment status (all hosts if no target)'
+
+# app labcontroller deploy options
+complete -c labctl -n "__labctl_in_cmd app labcontroller deploy" -l user -d 'SSH user' -x
+complete -c labctl -n "__labctl_in_cmd app labcontroller deploy" -l port -d 'Bastion HTTP port' -x
+complete -c labctl -n "__labctl_in_cmd app labcontroller deploy" -l crdb-replicas -d 'CockroachDB replicas' -x
+
+# app labcontroller status options
+complete -c labctl -n "__labctl_in_cmd app labcontroller status" -l user -d 'SSH user' -x
+complete -c labctl -n "__labctl_in_cmd app labcontroller status" -l port -d 'Bastion HTTP port' -x
+
+# app k3s subcommands
+complete -c labctl -n "__labctl_using_cmd app k3s" -a install -d 'Install k3s on a target machine (hostname, IP, or MAC)'
+complete -c labctl -n "__labctl_using_cmd app k3s" -a health -d 'Check k3s health (all hosts if no target given)'
+complete -c labctl -n "__labctl_using_cmd app k3s" -a list -d 'List installed machines and their k3s status'
+
+# app k3s install options
+complete -c labctl -n "__labctl_in_cmd app k3s install" -l role -d 'k3s role: infra (server) or worker (agent)' -x
+complete -c labctl -n "__labctl_in_cmd app k3s install" -l user -d 'SSH user' -x
+complete -c labctl -n "__labctl_in_cmd app k3s install" -l port -d 'Bastion HTTP port (for resolving target)' -x
+complete -c labctl -n "__labctl_in_cmd app k3s install" -l k3s-server -d 'k3s server URL (required for worker role)' -x
+complete -c labctl -n "__labctl_in_cmd app k3s install" -l k3s-token -d 'k3s join token (required for worker role)' -x
+
+# app k3s health options
+complete -c labctl -n "__labctl_in_cmd app k3s health" -l user -d 'SSH user' -x
+complete -c labctl -n "__labctl_in_cmd app k3s health" -l port -d 'Bastion HTTP port' -x
+
+# app k3s list options
+complete -c labctl -n "__labctl_in_cmd app k3s list" -l user -d 'SSH user' -x
+complete -c labctl -n "__labctl_in_cmd app k3s list" -l port -d 'Bastion HTTP port' -x
+
diff --git a/bastion/deploy/k3s/configmap.yaml b/bastion/deploy/k3s/configmap.yaml
new file mode 100644
index 0000000..f000a81
--- /dev/null
+++ b/bastion/deploy/k3s/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bastion-config
+  namespace: lab-infra
+data:
+  HTTP_PORT: "8080"
+  DOMAIN: "ad.itaz.eu"
+  FEDORA_VERSION: "43"
+  DHCP_MODE: "proxy"
+  TIMEZONE: "Europe/London"
+  LOCALE: "en_GB.UTF-8"
+  LABD_URL: "http://labd.lab-system.svc.cluster.local:3100"
diff --git a/bastion/deploy/k3s/deployment.yaml b/bastion/deploy/k3s/deployment.yaml
new file mode 100644
index 0000000..ab3830c
--- /dev/null
+++ b/bastion/deploy/k3s/deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bastion
+  namespace: lab-infra
+  labels:
+    app: bastion
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: bastion
+  template:
+    metadata:
+      labels:
+        app: bastion
+    spec:
+      imagePullSecrets:
+        - name: gitea-registry
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+      containers:
+        - name: bastion
+          image: mysources.co.uk/michal/lab/bastion:latest
+          imagePullPolicy: Always
+          command:
+            - node
+            - src/cli/dist/index.js
+            - init
+            - bastion
+            - standalone
+            - start
+            - --foreground
+          envFrom:
+            - configMapRef:
+                name: bastion-config
+          env:
+            - name: BASTION_JOIN_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: bastion-join-token
+                  key: token
+          ports:
+            - containerPort: 8080
+              name: http
+          volumeMounts:
+            - name: state
+              mountPath: /data
+            - name: ssh-keys
+              mountPath: /root/.ssh
+              readOnly: true
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - NET_RAW
+          startupProbe:
+            httpGet:
+              path: /api/machines
+              port: 8080
+            failureThreshold: 60
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /api/machines
+              port: 8080
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /api/machines
+              port: 8080
+            periodSeconds: 10
+      volumes:
+        - name: state
+          persistentVolumeClaim:
+            claimName: bastion-state
+        - name: ssh-keys
+          hostPath:
+            path: /root/.ssh
+            type: Directory
diff --git a/bastion/deploy/k3s/kustomization.yaml b/bastion/deploy/k3s/kustomization.yaml
new file mode 100644
index 0000000..5e40278
--- /dev/null
+++ b/bastion/deploy/k3s/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - configmap.yaml
+  - pvc.yaml
+  - deployment.yaml
diff --git a/bastion/deploy/k3s/namespace.yaml b/bastion/deploy/k3s/namespace.yaml
new file mode 100644
index 0000000..9f71f98
--- /dev/null
+++ b/bastion/deploy/k3s/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: lab-infra
diff --git a/bastion/deploy/k3s/pvc.yaml b/bastion/deploy/k3s/pvc.yaml
new file mode 100644
index 0000000..cac9818
--- /dev/null
+++ b/bastion/deploy/k3s/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bastion-state
+  namespace: lab-infra
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 10Gi
diff --git a/bastion/deploy/k8s/labd/base/configmap.yaml b/bastion/deploy/k8s/labd/base/configmap.yaml
new file mode 100644
index 0000000..e2942e8
--- /dev/null
+++ b/bastion/deploy/k8s/labd/base/configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: labd-config
+data:
+  LABD_PORT: "3100"
+  LABD_HOST: "0.0.0.0"
+  LABD_LOG_LEVEL: "info"
diff --git a/bastion/deploy/k8s/labd/base/deployment.yaml b/bastion/deploy/k8s/labd/base/deployment.yaml
new file mode 100644
index 0000000..d2eccf0
--- /dev/null
+++ b/bastion/deploy/k8s/labd/base/deployment.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: labd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: labd
+  template:
+    metadata:
+      labels:
+        app: labd
+    spec:
+      containers:
+        - name: labd
+          image: mysources.co.uk/michal/lab/labd:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 3100
+          envFrom:
+            - configMapRef:
+                name: labd-config
+            - secretRef:
+                name: labd-secrets
+          livenessProbe:
+            httpGet:
+              path: /health/live
+              port: 3100
+            initialDelaySeconds: 10
+            periodSeconds: 15
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 3100
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
diff --git a/bastion/deploy/k8s/labd/base/hpa.yaml b/bastion/deploy/k8s/labd/base/hpa.yaml
new file mode 100644
index 0000000..67c2eea
--- /dev/null
+++ b/bastion/deploy/k8s/labd/base/hpa.yaml
@@ -0,0 +1,18 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: labd
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: labd
+  minReplicas: 2
+  maxReplicas: 10
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 70
diff --git a/bastion/deploy/k8s/labd/base/kustomization.yaml b/bastion/deploy/k8s/labd/base/kustomization.yaml
new file mode 100644
index 0000000..f2e8729
--- /dev/null
+++ b/bastion/deploy/k8s/labd/base/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: lab-infra
+
+commonLabels:
+  app: labd
+
+resources:
+  - deployment.yaml
+  - service.yaml
+  - configmap.yaml
+  - hpa.yaml
+  - pdb.yaml
diff --git a/bastion/deploy/k8s/labd/base/pdb.yaml b/bastion/deploy/k8s/labd/base/pdb.yaml
new file mode 100644
index 0000000..26ae4d8
--- /dev/null
+++ b/bastion/deploy/k8s/labd/base/pdb.yaml
@@ -0,0 +1,9 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: labd
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app: labd
diff --git a/bastion/deploy/k8s/labd/base/service.yaml b/bastion/deploy/k8s/labd/base/service.yaml
new file mode 100644
index 0000000..89a799b
--- /dev/null
+++ b/bastion/deploy/k8s/labd/base/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: labd
+spec:
+  type: ClusterIP
+  selector:
+    app: labd
+  ports:
+    - port: 3100
+      targetPort: 3100
+      protocol: TCP
diff --git a/bastion/eslint.config.js b/bastion/eslint.config.js
new file mode 100644
index 0000000..d57ac82
--- /dev/null
+++ b/bastion/eslint.config.js
@@ -0,0 +1,26 @@
+import tseslint from '@typescript-eslint/eslint-plugin';
+import tsparser from '@typescript-eslint/parser';
+
+export default [
+  {
+    files: ['src/*/src/**/*.ts'],
+    languageOptions: {
+      parser: tsparser,
+      parserOptions: {
+        project: ['./src/*/tsconfig.json'],
+        tsconfigRootDir: import.meta.dirname,
+      },
+    },
+    plugins: { '@typescript-eslint': tseslint },
+    rules: {
+      '@typescript-eslint/explicit-function-return-type': 'error',
+      '@typescript-eslint/no-explicit-any': 'error',
+      '@typescript-eslint/no-unused-vars': 'error',
+      '@typescript-eslint/strict-boolean-expressions': 'error',
+      'no-console': ['warn', { allow: ['warn', 'error'] }],
+    },
+  },
+  {
+    ignores: ['**/dist/**', '**/node_modules/**', '**/*.config.*'],
+  },
+];
diff --git a/bastion/nfpm.yaml b/bastion/nfpm.yaml
new file mode 100644
index 0000000..4c9dd03
--- /dev/null
+++ b/bastion/nfpm.yaml
@@ -0,0 +1,20 @@
+name: labctl
+arch: amd64
+version: 0.1.0
+release: "1"
+maintainer: michal
+description: Lab infrastructure CLI for bare-metal provisioning
+license: MIT
+contents:
+  - src: ./dist/labctl
+    dst: /usr/bin/labctl
+    file_info:
+      mode: 0755
+  - src: ./completions/labctl.bash
+    dst: /usr/share/bash-completion/completions/labctl
+    file_info:
+      mode: 0644
+  - src: ./completions/labctl.fish
+    dst: /usr/share/fish/vendor_completions.d/labctl.fish
+    file_info:
+      mode: 0644
diff --git a/bastion/package.json b/bastion/package.json
new file mode 100644
index 0000000..1e2a673
--- /dev/null
+++ b/bastion/package.json
@@ -0,0 +1,43 @@
+{
+  "name": "lab",
+  "version": "0.1.0",
+  "private": true,
+  "description": "PXE bastion server for discover-first bare-metal provisioning",
+  "type": "module",
+  "scripts": {
+    "build": "pnpm -r run build",
+    "test": "vitest",
+    "test:run": "vitest run",
+    "typecheck": "tsc --build",
+    "clean": "pnpm -r run clean && rimraf node_modules",
+    "lint": "eslint 'src/*/src/**/*.ts'",
+    "lint:fix": "eslint 'src/*/src/**/*.ts' --fix",
+    "completions:generate": "tsx scripts/generate-completions.ts --write",
+    "completions:check": "tsx scripts/generate-completions.ts --check",
+    "test:integration": "vitest run -c tests/integration/vitest.config.ts",
+    "test:integration:k3s": "vitest run -c tests/integration/vitest.config.ts -t k3s",
+    "test:integration:k3s:host": "sudo -E $(which npx) vitest run -c tests/integration/vitest.config.ts -t k3s",
+    "test:integration:pxe": "vitest run -c tests/integration/vitest.config.ts -t 'PXE boot'",
+    "test:integration:pxe:host": "sudo -E $(which npx) vitest run -c tests/integration/vitest.config.ts -t 'PXE boot'",
+    "test:integration:iso": "vitest run -c tests/integration/vitest.config.ts -t 'ISO boot'",
+    "test:integration:iso:host": "sudo -E $(which npx) vitest run -c tests/integration/vitest.config.ts -t 'ISO boot'",
+    "test:integration:arm-iso": "vitest run -c tests/integration/vitest.config.ts -t 'ARM ISO'",
+    "test:integration:arm-iso:host": "sudo -E $(which npx) vitest run -c tests/integration/vitest.config.ts -t 'ARM ISO'"
+  },
+  "engines": {
+    "node": ">=20.0.0",
+    "pnpm": ">=9.0.0"
+  },
+  "packageManager": "pnpm@9.15.0",
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "@typescript-eslint/eslint-plugin": "^8.57.1",
+    "@typescript-eslint/parser": "^8.57.1",
+    "eslint": "^10.0.3",
+    "eslint-config-prettier": "^10.1.8",
+    "rimraf": "^6.0.0",
+    "tsx": "^4.21.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  }
+}
diff --git a/bastion/pnpm-lock.yaml b/bastion/pnpm-lock.yaml
new file mode 100644
index 0000000..4d1cc45
--- /dev/null
+++ b/bastion/pnpm-lock.yaml
@@ -0,0 +1,3646 @@
+lockfileVersion: '9.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+importers:
+
+  .:
+    devDependencies:
+      '@types/node':
+        specifier: ^22.10.0
+        version: 22.19.15
+      '@typescript-eslint/eslint-plugin':
+        specifier: ^8.57.1
+        version: 8.57.1(@typescript-eslint/parser@8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3))(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)
+      '@typescript-eslint/parser':
+        specifier: ^8.57.1
+        version: 8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)
+      eslint:
+        specifier: ^10.0.3
+        version: 10.0.3(jiti@2.6.1)
+      eslint-config-prettier:
+        specifier: ^10.1.8
+        version: 10.1.8(eslint@10.0.3(jiti@2.6.1))
+      rimraf:
+        specifier: ^6.0.0
+        version: 6.1.3
+      tsx:
+        specifier: ^4.21.0
+        version: 4.21.0
+      typescript:
+        specifier: ^5.7.0
+        version: 5.9.3
+      vitest:
+        specifier: ^3.0.0
+        version: 3.2.4(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0)
+
+  src/bastion:
+    dependencies:
+      '@fastify/static':
+        specifier: ^8.0.0
+        version: 8.3.0
+      '@lab/modules':
+        specifier: workspace:*
+        version: link:../modules
+      '@lab/shared':
+        specifier: workspace:*
+        version: link:../shared
+      execa:
+        specifier: ^9.5.0
+        version: 9.6.1
+      fastify:
+        specifier: ^5.0.0
+        version: 5.8.2
+      winston:
+        specifier: ^3.17.0
+        version: 3.19.0
+      ws:
+        specifier: ^8.19.0
+        version: 8.19.0
+    devDependencies:
+      '@types/node':
+        specifier: ^22.10.0
+        version: 22.19.15
+      '@types/ws':
+        specifier: ^8.18.0
+        version: 8.18.1
+
+  src/cli:
+    dependencies:
+      '@lab/bastion':
+        specifier: workspace:*
+        version: link:../bastion
+      '@lab/modules':
+        specifier: workspace:*
+        version: link:../modules
+      '@lab/shared':
+        specifier: workspace:*
+        version: link:../shared
+      commander:
+        specifier: ^13.0.0
+        version: 13.1.0
+      ws:
+        specifier: ^8.19.0
+        version: 8.19.0
+    devDependencies:
+      '@types/node':
+        specifier: ^22.10.0
+        version: 22.19.15
+      '@types/ws':
+        specifier: ^8.18.1
+        version: 8.18.1
+
+  src/lab-agent:
+    dependencies:
+      '@lab/shared':
+        specifier: workspace:*
+        version: link:../shared
+      winston:
+        specifier: ^3.17.0
+        version: 3.19.0
+      winston-daily-rotate-file:
+        specifier: ^5.0.0
+        version: 5.0.0(winston@3.19.0)
+      ws:
+        specifier: ^8.19.0
+        version: 8.19.0
+    devDependencies:
+      '@types/node':
+        specifier: ^22.14.1
+        version: 22.19.15
+      '@types/ws':
+        specifier: ^8.18.1
+        version: 8.18.1
+      rimraf:
+        specifier: ^6.1.3
+        version: 6.1.3
+      typescript:
+        specifier: ^5.9.3
+        version: 5.9.3
+
+  src/labd:
+    dependencies:
+      '@fastify/rate-limit':
+        specifier: ^10.3.0
+        version: 10.3.0
+      '@fastify/websocket':
+        specifier: ^11.0.2
+        version: 11.2.0
+      '@lab/shared':
+        specifier: workspace:*
+        version: link:../shared
+      '@prisma/client':
+        specifier: ^6.9.0
+        version: 6.19.2(prisma@6.19.2(typescript@5.9.3))(typescript@5.9.3)
+      fastify:
+        specifier: ^5.3.3
+        version: 5.8.2
+      winston:
+        specifier: ^3.17.0
+        version: 3.19.0
+      ws:
+        specifier: ^8.19.0
+        version: 8.19.0
+      zod:
+        specifier: ^4.3.6
+        version: 4.3.6
+    devDependencies:
+      '@types/node':
+        specifier: ^22.14.1
+        version: 22.19.15
+      '@types/ws':
+        specifier: ^8.18.1
+        version: 8.18.1
+      prisma:
+        specifier: ^6.9.0
+        version: 6.19.2(typescript@5.9.3)
+      rimraf:
+        specifier: ^6.1.3
+        version: 6.1.3
+      tsx:
+        specifier: ^4.21.0
+        version: 4.21.0
+      typescript:
+        specifier: ^5.9.3
+        version: 5.9.3
+
+  src/modules:
+    dependencies:
+      '@kubernetes/client-node':
+        specifier: ^1.4.0
+        version: 1.4.0
+      '@lab/shared':
+        specifier: workspace:*
+        version: link:../shared
+    devDependencies:
+      '@types/node':
+        specifier: ^22.14.1
+        version: 22.19.15
+      rimraf:
+        specifier: ^6.1.3
+        version: 6.1.3
+      typescript:
+        specifier: ^5.9.3
+        version: 5.9.3
+
+  src/shared: {}
+
+packages:
+
+  '@colors/colors@1.6.0':
+    resolution: {integrity: sha512-Ir+AOibqzrIsL6ajt3Rz3LskB7OiMVHqltZmspbW/TJuTVuyOMirVqAkjfY6JISiLHgyNqicAC8AyHHGzNd/dA==}
+    engines: {node: '>=0.1.90'}
+
+  '@dabh/diagnostics@2.0.8':
+    resolution: {integrity: sha512-R4MSXTVnuMzGD7bzHdW2ZhhdPC/igELENcq5IjEverBvq5hn1SXCWcsi6eSsdWP0/Ur+SItRRjAktmdoX/8R/Q==}
+
+  '@esbuild/aix-ppc64@0.27.4':
+    resolution: {integrity: sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==}
+    engines: {node: '>=18'}
+    cpu: [ppc64]
+    os: [aix]
+
+  '@esbuild/android-arm64@0.27.4':
+    resolution: {integrity: sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [android]
+
+  '@esbuild/android-arm@0.27.4':
+    resolution: {integrity: sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==}
+    engines: {node: '>=18'}
+    cpu: [arm]
+    os: [android]
+
+  '@esbuild/android-x64@0.27.4':
+    resolution: {integrity: sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [android]
+
+  '@esbuild/darwin-arm64@0.27.4':
+    resolution: {integrity: sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@esbuild/darwin-x64@0.27.4':
+    resolution: {integrity: sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [darwin]
+
+  '@esbuild/freebsd-arm64@0.27.4':
+    resolution: {integrity: sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [freebsd]
+
+  '@esbuild/freebsd-x64@0.27.4':
+    resolution: {integrity: sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [freebsd]
+
+  '@esbuild/linux-arm64@0.27.4':
+    resolution: {integrity: sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [linux]
+
+  '@esbuild/linux-arm@0.27.4':
+    resolution: {integrity: sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==}
+    engines: {node: '>=18'}
+    cpu: [arm]
+    os: [linux]
+
+  '@esbuild/linux-ia32@0.27.4':
+    resolution: {integrity: sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==}
+    engines: {node: '>=18'}
+    cpu: [ia32]
+    os: [linux]
+
+  '@esbuild/linux-loong64@0.27.4':
+    resolution: {integrity: sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==}
+    engines: {node: '>=18'}
+    cpu: [loong64]
+    os: [linux]
+
+  '@esbuild/linux-mips64el@0.27.4':
+    resolution: {integrity: sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==}
+    engines: {node: '>=18'}
+    cpu: [mips64el]
+    os: [linux]
+
+  '@esbuild/linux-ppc64@0.27.4':
+    resolution: {integrity: sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==}
+    engines: {node: '>=18'}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@esbuild/linux-riscv64@0.27.4':
+    resolution: {integrity: sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==}
+    engines: {node: '>=18'}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@esbuild/linux-s390x@0.27.4':
+    resolution: {integrity: sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==}
+    engines: {node: '>=18'}
+    cpu: [s390x]
+    os: [linux]
+
+  '@esbuild/linux-x64@0.27.4':
+    resolution: {integrity: sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [linux]
+
+  '@esbuild/netbsd-arm64@0.27.4':
+    resolution: {integrity: sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [netbsd]
+
+  '@esbuild/netbsd-x64@0.27.4':
+    resolution: {integrity: sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [netbsd]
+
+  '@esbuild/openbsd-arm64@0.27.4':
+    resolution: {integrity: sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [openbsd]
+
+  '@esbuild/openbsd-x64@0.27.4':
+    resolution: {integrity: sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@esbuild/openharmony-arm64@0.27.4':
+    resolution: {integrity: sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [openharmony]
+
+  '@esbuild/sunos-x64@0.27.4':
+    resolution: {integrity: sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [sunos]
+
+  '@esbuild/win32-arm64@0.27.4':
+    resolution: {integrity: sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [win32]
+
+  '@esbuild/win32-ia32@0.27.4':
+    resolution: {integrity: sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==}
+    engines: {node: '>=18'}
+    cpu: [ia32]
+    os: [win32]
+
+  '@esbuild/win32-x64@0.27.4':
+    resolution: {integrity: sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [win32]
+
+  '@eslint-community/eslint-utils@4.9.1':
+    resolution: {integrity: sha512-phrYmNiYppR7znFEdqgfWHXR6NCkZEK7hwWDHZUjit/2/U0r6XvkDl0SYnoM51Hq7FhCGdLDT6zxCCOY1hexsQ==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+    peerDependencies:
+      eslint: ^6.0.0 || ^7.0.0 || >=8.0.0
+
+  '@eslint-community/regexpp@4.12.2':
+    resolution: {integrity: sha512-EriSTlt5OC9/7SXkRSCAhfSxxoSUgBm33OH+IkwbdpgoqsSsUg7y3uh+IICI/Qg4BBWr3U2i39RpmycbxMq4ew==}
+    engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0}
+
+  '@eslint/config-array@0.23.3':
+    resolution: {integrity: sha512-j+eEWmB6YYLwcNOdlwQ6L2OsptI/LO6lNBuLIqe5R7RetD658HLoF+Mn7LzYmAWWNNzdC6cqP+L6r8ujeYXWLw==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+
+  '@eslint/config-helpers@0.5.3':
+    resolution: {integrity: sha512-lzGN0onllOZCGroKJmRwY6QcEHxbjBw1gwB8SgRSqK8YbbtEXMvKynsXc3553ckIEBxsbMBU7oOZXKIPGZNeZw==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+
+  '@eslint/core@1.1.1':
+    resolution: {integrity: sha512-QUPblTtE51/7/Zhfv8BDwO0qkkzQL7P/aWWbqcf4xWLEYn1oKjdO0gglQBB4GAsu7u6wjijbCmzsUTy6mnk6oQ==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+
+  '@eslint/object-schema@3.0.3':
+    resolution: {integrity: sha512-iM869Pugn9Nsxbh/YHRqYiqd23AmIbxJOcpUMOuWCVNdoQJ5ZtwL6h3t0bcZzJUlC3Dq9jCFCESBZnX0GTv7iQ==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+
+  '@eslint/plugin-kit@0.6.1':
+    resolution: {integrity: sha512-iH1B076HoAshH1mLpHMgwdGeTs0CYwL0SPMkGuSebZrwBp16v415e9NZXg2jtrqPVQjf6IANe2Vtlr5KswtcZQ==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+
+  '@fastify/accept-negotiator@2.0.1':
+    resolution: {integrity: sha512-/c/TW2bO/v9JeEgoD/g1G5GxGeCF1Hafdf79WPmUlgYiBXummY0oX3VVq4yFkKKVBKDNlaDUYoab7g38RpPqCQ==}
+
+  '@fastify/ajv-compiler@4.0.5':
+    resolution: {integrity: sha512-KoWKW+MhvfTRWL4qrhUwAAZoaChluo0m0vbiJlGMt2GXvL4LVPQEjt8kSpHI3IBq5Rez8fg+XeH3cneztq+C7A==}
+
+  '@fastify/error@4.2.0':
+    resolution: {integrity: sha512-RSo3sVDXfHskiBZKBPRgnQTtIqpi/7zhJOEmAxCiBcM7d0uwdGdxLlsCaLzGs8v8NnxIRlfG0N51p5yFaOentQ==}
+
+  '@fastify/fast-json-stringify-compiler@5.0.3':
+    resolution: {integrity: sha512-uik7yYHkLr6fxd8hJSZ8c+xF4WafPK+XzneQDPU+D10r5X19GW8lJcom2YijX2+qtFF1ENJlHXKFM9ouXNJYgQ==}
+
+  '@fastify/forwarded@3.0.1':
+    resolution: {integrity: sha512-JqDochHFqXs3C3Ml3gOY58zM7OqO9ENqPo0UqAjAjH8L01fRZqwX9iLeX34//kiJubF7r2ZQHtBRU36vONbLlw==}
+
+  '@fastify/merge-json-schemas@0.2.1':
+    resolution: {integrity: sha512-OA3KGBCy6KtIvLf8DINC5880o5iBlDX4SxzLQS8HorJAbqluzLRn80UXU0bxZn7UOFhFgpRJDasfwn9nG4FG4A==}
+
+  '@fastify/proxy-addr@5.1.0':
+    resolution: {integrity: sha512-INS+6gh91cLUjB+PVHfu1UqcB76Sqtpyp7bnL+FYojhjygvOPA9ctiD/JDKsyD9Xgu4hUhCSJBPig/w7duNajw==}
+
+  '@fastify/rate-limit@10.3.0':
+    resolution: {integrity: sha512-eIGkG9XKQs0nyynatApA3EVrojHOuq4l6fhB4eeCk4PIOeadvOJz9/4w3vGI44Go17uaXOWEcPkaD8kuKm7g6Q==}
+
+  '@fastify/send@4.1.0':
+    resolution: {integrity: sha512-TMYeQLCBSy2TOFmV95hQWkiTYgC/SEx7vMdV+wnZVX4tt8VBLKzmH8vV9OzJehV0+XBfg+WxPMt5wp+JBUKsVw==}
+
+  '@fastify/static@8.3.0':
+    resolution: {integrity: sha512-yKxviR5PH1OKNnisIzZKmgZSus0r2OZb8qCSbqmw34aolT4g3UlzYfeBRym+HJ1J471CR8e2ldNub4PubD1coA==}
+
+  '@fastify/websocket@11.2.0':
+    resolution: {integrity: sha512-3HrDPbAG1CzUCqnslgJxppvzaAZffieOVbLp1DAy1huCSynUWPifSvfdEDUR8HlJLp3sp1A36uOM2tJogADS8w==}
+
+  '@humanfs/core@0.19.1':
+    resolution: {integrity: sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==}
+    engines: {node: '>=18.18.0'}
+
+  '@humanfs/node@0.16.7':
+    resolution: {integrity: sha512-/zUx+yOsIrG4Y43Eh2peDeKCxlRt/gET6aHfaKpuq267qXdYDFViVHfMaLyygZOnl0kGWxFIgsBy8QFuTLUXEQ==}
+    engines: {node: '>=18.18.0'}
+
+  '@humanwhocodes/module-importer@1.0.1':
+    resolution: {integrity: sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==}
+    engines: {node: '>=12.22'}
+
+  '@humanwhocodes/retry@0.4.3':
+    resolution: {integrity: sha512-bV0Tgo9K4hfPCek+aMAn81RppFKv2ySDQeMoSZuvTASywNTnVJCArCZE2FWqpvIatKu7VMRLWlR1EazvVhDyhQ==}
+    engines: {node: '>=18.18'}
+
+  '@isaacs/cliui@9.0.0':
+    resolution: {integrity: sha512-AokJm4tuBHillT+FpMtxQ60n8ObyXBatq7jD2/JA9dxbDDokKQm8KMht5ibGzLVU9IJDIKK4TPKgMHEYMn3lMg==}
+    engines: {node: '>=18'}
+
+  '@jridgewell/sourcemap-codec@1.5.5':
+    resolution: {integrity: sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==}
+
+  '@jsep-plugin/assignment@1.3.0':
+    resolution: {integrity: sha512-VVgV+CXrhbMI3aSusQyclHkenWSAm95WaiKrMxRFam3JSUiIaQjoMIw2sEs/OX4XifnqeQUN4DYbJjlA8EfktQ==}
+    engines: {node: '>= 10.16.0'}
+    peerDependencies:
+      jsep: ^0.4.0||^1.0.0
+
+  '@jsep-plugin/regex@1.0.4':
+    resolution: {integrity: sha512-q7qL4Mgjs1vByCaTnDFcBnV9HS7GVPJX5vyVoCgZHNSC9rjwIlmbXG5sUuorR5ndfHAIlJ8pVStxvjXHbNvtUg==}
+    engines: {node: '>= 10.16.0'}
+    peerDependencies:
+      jsep: ^0.4.0||^1.0.0
+
+  '@kubernetes/client-node@1.4.0':
+    resolution: {integrity: sha512-Zge3YvF7DJi264dU1b3wb/GmzR99JhUpqTvp+VGHfwZT+g7EOOYNScDJNZwXy9cszyIGPIs0VHr+kk8e95qqrA==}
+
+  '@lukeed/ms@2.0.2':
+    resolution: {integrity: sha512-9I2Zn6+NJLfaGoz9jN3lpwDgAYvfGeNYdbAIjJOqzs4Tpc+VU3Jqq4IofSUBKajiDS8k9fZIg18/z13mpk1bsA==}
+    engines: {node: '>=8'}
+
+  '@pinojs/redact@0.4.0':
+    resolution: {integrity: sha512-k2ENnmBugE/rzQfEcdWHcCY+/FM3VLzH9cYEsbdsoqrvzAKRhUZeRNhAZvB8OitQJ1TBed3yqWtdjzS6wJKBwg==}
+
+  '@prisma/client@6.19.2':
+    resolution: {integrity: sha512-gR2EMvfK/aTxsuooaDA32D8v+us/8AAet+C3J1cc04SW35FPdZYgLF+iN4NDLUgAaUGTKdAB0CYenu1TAgGdMg==}
+    engines: {node: '>=18.18'}
+    peerDependencies:
+      prisma: '*'
+      typescript: '>=5.1.0'
+    peerDependenciesMeta:
+      prisma:
+        optional: true
+      typescript:
+        optional: true
+
+  '@prisma/config@6.19.2':
+    resolution: {integrity: sha512-kadBGDl+aUswv/zZMk9Mx0C8UZs1kjao8H9/JpI4Wh4SHZaM7zkTwiKn/iFLfRg+XtOAo/Z/c6pAYhijKl0nzQ==}
+
+  '@prisma/debug@6.19.2':
+    resolution: {integrity: sha512-lFnEZsLdFLmEVCVNdskLDCL8Uup41GDfU0LUfquw+ercJC8ODTuL0WNKgOKmYxCJVvFwf0OuZBzW99DuWmoH2A==}
+
+  '@prisma/engines-version@7.1.1-3.c2990dca591cba766e3b7ef5d9e8a84796e47ab7':
+    resolution: {integrity: sha512-03bgb1VD5gvuumNf+7fVGBzfpJPjmqV423l/WxsWk2cNQ42JD0/SsFBPhN6z8iAvdHs07/7ei77SKu7aZfq8bA==}
+
+  '@prisma/engines@6.19.2':
+    resolution: {integrity: sha512-TTkJ8r+uk/uqczX40wb+ODG0E0icVsMgwCTyTHXehaEfb0uo80M9g1aW1tEJrxmFHeOZFXdI2sTA1j1AgcHi4A==}
+
+  '@prisma/fetch-engine@6.19.2':
+    resolution: {integrity: sha512-h4Ff4Pho+SR1S8XerMCC12X//oY2bG3Iug/fUnudfcXEUnIeRiBdXHFdGlGOgQ3HqKgosTEhkZMvGM9tWtYC+Q==}
+
+  '@prisma/get-platform@6.19.2':
+    resolution: {integrity: sha512-PGLr06JUSTqIvztJtAzIxOwtWKtJm5WwOG6xpsgD37Rc84FpfUBGLKz65YpJBGtkRQGXTYEFie7pYALocC3MtA==}
+
+  '@rollup/rollup-android-arm-eabi@4.59.0':
+    resolution: {integrity: sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==}
+    cpu: [arm]
+    os: [android]
+
+  '@rollup/rollup-android-arm64@4.59.0':
+    resolution: {integrity: sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==}
+    cpu: [arm64]
+    os: [android]
+
+  '@rollup/rollup-darwin-arm64@4.59.0':
+    resolution: {integrity: sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@rollup/rollup-darwin-x64@4.59.0':
+    resolution: {integrity: sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==}
+    cpu: [x64]
+    os: [darwin]
+
+  '@rollup/rollup-freebsd-arm64@4.59.0':
+    resolution: {integrity: sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==}
+    cpu: [arm64]
+    os: [freebsd]
+
+  '@rollup/rollup-freebsd-x64@4.59.0':
+    resolution: {integrity: sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==}
+    cpu: [x64]
+    os: [freebsd]
+
+  '@rollup/rollup-linux-arm-gnueabihf@4.59.0':
+    resolution: {integrity: sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==}
+    cpu: [arm]
+    os: [linux]
+
+  '@rollup/rollup-linux-arm-musleabihf@4.59.0':
+    resolution: {integrity: sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==}
+    cpu: [arm]
+    os: [linux]
+
+  '@rollup/rollup-linux-arm64-gnu@4.59.0':
+    resolution: {integrity: sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@rollup/rollup-linux-arm64-musl@4.59.0':
+    resolution: {integrity: sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@rollup/rollup-linux-loong64-gnu@4.59.0':
+    resolution: {integrity: sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==}
+    cpu: [loong64]
+    os: [linux]
+
+  '@rollup/rollup-linux-loong64-musl@4.59.0':
+    resolution: {integrity: sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==}
+    cpu: [loong64]
+    os: [linux]
+
+  '@rollup/rollup-linux-ppc64-gnu@4.59.0':
+    resolution: {integrity: sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@rollup/rollup-linux-ppc64-musl@4.59.0':
+    resolution: {integrity: sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@rollup/rollup-linux-riscv64-gnu@4.59.0':
+    resolution: {integrity: sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@rollup/rollup-linux-riscv64-musl@4.59.0':
+    resolution: {integrity: sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@rollup/rollup-linux-s390x-gnu@4.59.0':
+    resolution: {integrity: sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==}
+    cpu: [s390x]
+    os: [linux]
+
+  '@rollup/rollup-linux-x64-gnu@4.59.0':
+    resolution: {integrity: sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==}
+    cpu: [x64]
+    os: [linux]
+
+  '@rollup/rollup-linux-x64-musl@4.59.0':
+    resolution: {integrity: sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==}
+    cpu: [x64]
+    os: [linux]
+
+  '@rollup/rollup-openbsd-x64@4.59.0':
+    resolution: {integrity: sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@rollup/rollup-openharmony-arm64@4.59.0':
+    resolution: {integrity: sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==}
+    cpu: [arm64]
+    os: [openharmony]
+
+  '@rollup/rollup-win32-arm64-msvc@4.59.0':
+    resolution: {integrity: sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==}
+    cpu: [arm64]
+    os: [win32]
+
+  '@rollup/rollup-win32-ia32-msvc@4.59.0':
+    resolution: {integrity: sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==}
+    cpu: [ia32]
+    os: [win32]
+
+  '@rollup/rollup-win32-x64-gnu@4.59.0':
+    resolution: {integrity: sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==}
+    cpu: [x64]
+    os: [win32]
+
+  '@rollup/rollup-win32-x64-msvc@4.59.0':
+    resolution: {integrity: sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==}
+    cpu: [x64]
+    os: [win32]
+
+  '@sec-ant/readable-stream@0.4.1':
+    resolution: {integrity: sha512-831qok9r2t8AlxLko40y2ebgSDhenenCatLVeW/uBtnHPyhHOvG0C7TvfgecV+wHzIm5KUICgzmVpWS+IMEAeg==}
+
+  '@sindresorhus/merge-streams@4.0.0':
+    resolution: {integrity: sha512-tlqY9xq5ukxTUZBmoOp+m61cqwQD5pHJtFY3Mn8CA8ps6yghLH/Hw8UPdqg4OLmFW3IFlcXnQNmo/dh8HzXYIQ==}
+    engines: {node: '>=18'}
+
+  '@so-ric/colorspace@1.1.6':
+    resolution: {integrity: sha512-/KiKkpHNOBgkFJwu9sh48LkHSMYGyuTcSFK/qMBdnOAlrRJzRSXAOFB5qwzaVQuDl8wAvHVMkaASQDReTahxuw==}
+
+  '@standard-schema/spec@1.1.0':
+    resolution: {integrity: sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w==}
+
+  '@types/chai@5.2.3':
+    resolution: {integrity: sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==}
+
+  '@types/deep-eql@4.0.2':
+    resolution: {integrity: sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==}
+
+  '@types/esrecurse@4.3.1':
+    resolution: {integrity: sha512-xJBAbDifo5hpffDBuHl0Y8ywswbiAp/Wi7Y/GtAgSlZyIABppyurxVueOPE8LUQOxdlgi6Zqce7uoEpqNTeiUw==}
+
+  '@types/estree@1.0.8':
+    resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==}
+
+  '@types/js-yaml@4.0.9':
+    resolution: {integrity: sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==}
+
+  '@types/json-schema@7.0.15':
+    resolution: {integrity: sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==}
+
+  '@types/node-fetch@2.6.13':
+    resolution: {integrity: sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw==}
+
+  '@types/node@22.19.15':
+    resolution: {integrity: sha512-F0R/h2+dsy5wJAUe3tAU6oqa2qbWY5TpNfL/RGmo1y38hiyO1w3x2jPtt76wmuaJI4DQnOBu21cNXQ2STIUUWg==}
+
+  '@types/node@24.12.0':
+    resolution: {integrity: sha512-GYDxsZi3ChgmckRT9HPU0WEhKLP08ev/Yfcq2AstjrDASOYCSXeyjDsHg4v5t4jOj7cyDX3vmprafKlWIG9MXQ==}
+
+  '@types/stream-buffers@3.0.8':
+    resolution: {integrity: sha512-J+7VaHKNvlNPJPEJXX/fKa9DZtR/xPMwuIbe+yNOwp1YB+ApUOBv2aUpEoBJEi8nJgbgs1x8e73ttg0r1rSUdw==}
+
+  '@types/triple-beam@1.3.5':
+    resolution: {integrity: sha512-6WaYesThRMCl19iryMYP7/x2OVgCtbIVflDGFpWnb9irXI3UjYE4AzmYuiUKY1AJstGijoY+MgUszMgRxIYTYw==}
+
+  '@types/ws@8.18.1':
+    resolution: {integrity: sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg==}
+
+  '@typescript-eslint/eslint-plugin@8.57.1':
+    resolution: {integrity: sha512-Gn3aqnvNl4NGc6x3/Bqk1AOn0thyTU9bqDRhiRnUWezgvr2OnhYCWCgC8zXXRVqBsIL1pSDt7T9nJUe0oM0kDQ==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+    peerDependencies:
+      '@typescript-eslint/parser': ^8.57.1
+      eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
+      typescript: '>=4.8.4 <6.0.0'
+
+  '@typescript-eslint/parser@8.57.1':
+    resolution: {integrity: sha512-k4eNDan0EIMTT/dUKc/g+rsJ6wcHYhNPdY19VoX/EOtaAG8DLtKCykhrUnuHPYvinn5jhAPgD2Qw9hXBwrahsw==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+    peerDependencies:
+      eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
+      typescript: '>=4.8.4 <6.0.0'
+
+  '@typescript-eslint/project-service@8.57.1':
+    resolution: {integrity: sha512-vx1F37BRO1OftsYlmG9xay1TqnjNVlqALymwWVuYTdo18XuKxtBpCj1QlzNIEHlvlB27osvXFWptYiEWsVdYsg==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+    peerDependencies:
+      typescript: '>=4.8.4 <6.0.0'
+
+  '@typescript-eslint/scope-manager@8.57.1':
+    resolution: {integrity: sha512-hs/QcpCwlwT2L5S+3fT6gp0PabyGk4Q0Rv2doJXA0435/OpnSR3VRgvrp8Xdoc3UAYSg9cyUjTeFXZEPg/3OKg==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+
+  '@typescript-eslint/tsconfig-utils@8.57.1':
+    resolution: {integrity: sha512-0lgOZB8cl19fHO4eI46YUx2EceQqhgkPSuCGLlGi79L2jwYY1cxeYc1Nae8Aw1xjgW3PKVDLlr3YJ6Bxx8HkWg==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+    peerDependencies:
+      typescript: '>=4.8.4 <6.0.0'
+
+  '@typescript-eslint/type-utils@8.57.1':
+    resolution: {integrity: sha512-+Bwwm0ScukFdyoJsh2u6pp4S9ktegF98pYUU0hkphOOqdMB+1sNQhIz8y5E9+4pOioZijrkfNO/HUJVAFFfPKA==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+    peerDependencies:
+      eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
+      typescript: '>=4.8.4 <6.0.0'
+
+  '@typescript-eslint/types@8.57.1':
+    resolution: {integrity: sha512-S29BOBPJSFUiblEl6RzPPjJt6w25A6XsBqRVDt53tA/tlL8q7ceQNZHTjPeONt/3S7KRI4quk+yP9jK2WjBiPQ==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+
+  '@typescript-eslint/typescript-estree@8.57.1':
+    resolution: {integrity: sha512-ybe2hS9G6pXpqGtPli9Gx9quNV0TWLOmh58ADlmZe9DguLq0tiAKVjirSbtM1szG6+QH6rVXyU6GTLQbWnMY+g==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+    peerDependencies:
+      typescript: '>=4.8.4 <6.0.0'
+
+  '@typescript-eslint/utils@8.57.1':
+    resolution: {integrity: sha512-XUNSJ/lEVFttPMMoDVA2r2bwrl8/oPx8cURtczkSEswY5T3AeLmCy+EKWQNdL4u0MmAHOjcWrqJp2cdvgjn8dQ==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+    peerDependencies:
+      eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
+      typescript: '>=4.8.4 <6.0.0'
+
+  '@typescript-eslint/visitor-keys@8.57.1':
+    resolution: {integrity: sha512-YWnmJkXbofiz9KbnbbwuA2rpGkFPLbAIetcCNO6mJ8gdhdZ/v7WDXsoGFAJuM6ikUFKTlSQnjWnVO4ux+UzS6A==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+
+  '@vitest/expect@3.2.4':
+    resolution: {integrity: sha512-Io0yyORnB6sikFlt8QW5K7slY4OjqNX9jmJQ02QDda8lyM6B5oNgVWoSoKPac8/kgnCUzuHQKrSLtu/uOqqrig==}
+
+  '@vitest/mocker@3.2.4':
+    resolution: {integrity: sha512-46ryTE9RZO/rfDd7pEqFl7etuyzekzEhUbTW3BvmeO/BcCMEgq59BKhek3dXDWgAj4oMK6OZi+vRr1wPW6qjEQ==}
+    peerDependencies:
+      msw: ^2.4.9
+      vite: ^5.0.0 || ^6.0.0 || ^7.0.0-0
+    peerDependenciesMeta:
+      msw:
+        optional: true
+      vite:
+        optional: true
+
+  '@vitest/pretty-format@3.2.4':
+    resolution: {integrity: sha512-IVNZik8IVRJRTr9fxlitMKeJeXFFFN0JaB9PHPGQ8NKQbGpfjlTx9zO4RefN8gp7eqjNy8nyK3NZmBzOPeIxtA==}
+
+  '@vitest/runner@3.2.4':
+    resolution: {integrity: sha512-oukfKT9Mk41LreEW09vt45f8wx7DordoWUZMYdY/cyAk7w5TWkTRCNZYF7sX7n2wB7jyGAl74OxgwhPgKaqDMQ==}
+
+  '@vitest/snapshot@3.2.4':
+    resolution: {integrity: sha512-dEYtS7qQP2CjU27QBC5oUOxLE/v5eLkGqPE0ZKEIDGMs4vKWe7IjgLOeauHsR0D5YuuycGRO5oSRXnwnmA78fQ==}
+
+  '@vitest/spy@3.2.4':
+    resolution: {integrity: sha512-vAfasCOe6AIK70iP5UD11Ac4siNUNJ9i/9PZ3NKx07sG6sUxeag1LWdNrMWeKKYBLlzuK+Gn65Yd5nyL6ds+nw==}
+
+  '@vitest/utils@3.2.4':
+    resolution: {integrity: sha512-fB2V0JFrQSMsCo9HiSq3Ezpdv4iYaXRG1Sx8edX3MwxfyNn83mKiGzOcH+Fkxt4MHxr3y42fQi1oeAInqgX2QA==}
+
+  abstract-logging@2.0.1:
+    resolution: {integrity: sha512-2BjRTZxTPvheOvGbBslFSYOUkr+SjPtOnrLP33f+VIWLzezQpZcqVg7ja3L4dBXmzzgwT+a029jRx5PCi3JuiA==}
+
+  acorn-jsx@5.3.2:
+    resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
+    peerDependencies:
+      acorn: ^6.0.0 || ^7.0.0 || ^8.0.0
+
+  acorn@8.16.0:
+    resolution: {integrity: sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==}
+    engines: {node: '>=0.4.0'}
+    hasBin: true
+
+  agent-base@7.1.4:
+    resolution: {integrity: sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ==}
+    engines: {node: '>= 14'}
+
+  ajv-formats@3.0.1:
+    resolution: {integrity: sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==}
+    peerDependencies:
+      ajv: ^8.0.0
+    peerDependenciesMeta:
+      ajv:
+        optional: true
+
+  ajv@6.14.0:
+    resolution: {integrity: sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==}
+
+  ajv@8.18.0:
+    resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==}
+
+  argparse@2.0.1:
+    resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
+
+  assertion-error@2.0.1:
+    resolution: {integrity: sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==}
+    engines: {node: '>=12'}
+
+  async@3.2.6:
+    resolution: {integrity: sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA==}
+
+  asynckit@0.4.0:
+    resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
+
+  atomic-sleep@1.0.0:
+    resolution: {integrity: sha512-kNOjDqAh7px0XWNI+4QbzoiR/nTkHAWNud2uvnJquD1/x5a7EQZMJT0AczqK0Qn67oY/TTQ1LbUKajZpp3I9tQ==}
+    engines: {node: '>=8.0.0'}
+
+  avvio@9.2.0:
+    resolution: {integrity: sha512-2t/sy01ArdHHE0vRH5Hsay+RtCZt3dLPji7W7/MMOCEgze5b7SNDC4j5H6FnVgPkI1MTNFGzHdHrVXDDl7QSSQ==}
+
+  b4a@1.8.0:
+    resolution: {integrity: sha512-qRuSmNSkGQaHwNbM7J78Wwy+ghLEYF1zNrSeMxj4Kgw6y33O3mXcQ6Ie9fRvfU/YnxWkOchPXbaLb73TkIsfdg==}
+    peerDependencies:
+      react-native-b4a: '*'
+    peerDependenciesMeta:
+      react-native-b4a:
+        optional: true
+
+  balanced-match@4.0.4:
+    resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
+    engines: {node: 18 || 20 || >=22}
+
+  bare-events@2.8.2:
+    resolution: {integrity: sha512-riJjyv1/mHLIPX4RwiK+oW9/4c3TEUeORHKefKAKnZ5kyslbN+HXowtbaVEqt4IMUB7OXlfixcs6gsFeo/jhiQ==}
+    peerDependencies:
+      bare-abort-controller: '*'
+    peerDependenciesMeta:
+      bare-abort-controller:
+        optional: true
+
+  bare-fs@4.5.6:
+    resolution: {integrity: sha512-1QovqDrR80Pmt5HPAsMsXTCFcDYr+NSUKW6nd6WO5v0JBmnItc/irNRzm2KOQ5oZ69P37y+AMujNyNtG+1Rggw==}
+    engines: {bare: '>=1.16.0'}
+    peerDependencies:
+      bare-buffer: '*'
+    peerDependenciesMeta:
+      bare-buffer:
+        optional: true
+
+  bare-os@3.8.0:
+    resolution: {integrity: sha512-Dc9/SlwfxkXIGYhvMQNUtKaXCaGkZYGcd1vuNUUADVqzu4/vQfvnMkYYOUnt2VwQ2AqKr/8qAVFRtwETljgeFg==}
+    engines: {bare: '>=1.14.0'}
+
+  bare-path@3.0.0:
+    resolution: {integrity: sha512-tyfW2cQcB5NN8Saijrhqn0Zh7AnFNsnczRcuWODH0eYAXBsJ5gVxAUuNr7tsHSC6IZ77cA0SitzT+s47kot8Mw==}
+
+  bare-stream@2.10.0:
+    resolution: {integrity: sha512-DOPZF/DDcDruKDA43cOw6e9Quq5daua7ygcAwJE/pKJsRWhgSSemi7qVNGE5kyDIxIeN1533G/zfbvWX7Wcb9w==}
+    peerDependencies:
+      bare-buffer: '*'
+      bare-events: '*'
+    peerDependenciesMeta:
+      bare-buffer:
+        optional: true
+      bare-events:
+        optional: true
+
+  bare-url@2.4.0:
+    resolution: {integrity: sha512-NSTU5WN+fy/L0DDenfE8SXQna4voXuW0FHM7wH8i3/q9khUSchfPbPezO4zSFMnDGIf9YE+mt/RWhZgNRKRIXA==}
+
+  brace-expansion@5.0.4:
+    resolution: {integrity: sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==}
+    engines: {node: 18 || 20 || >=22}
+
+  c12@3.1.0:
+    resolution: {integrity: sha512-uWoS8OU1MEIsOv8p/5a82c3H31LsWVR5qiyXVfBNOzfffjUWtPnhAb4BYI2uG2HfGmZmFjCtui5XNWaps+iFuw==}
+    peerDependencies:
+      magicast: ^0.3.5
+    peerDependenciesMeta:
+      magicast:
+        optional: true
+
+  cac@6.7.14:
+    resolution: {integrity: sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ==}
+    engines: {node: '>=8'}
+
+  call-bind-apply-helpers@1.0.2:
+    resolution: {integrity: sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==}
+    engines: {node: '>= 0.4'}
+
+  chai@5.3.3:
+    resolution: {integrity: sha512-4zNhdJD/iOjSH0A05ea+Ke6MU5mmpQcbQsSOkgdaUMJ9zTlDTD/GYlwohmIE2u0gaxHYiVHEn1Fw9mZ/ktJWgw==}
+    engines: {node: '>=18'}
+
+  check-error@2.1.3:
+    resolution: {integrity: sha512-PAJdDJusoxnwm1VwW07VWwUN1sl7smmC3OKggvndJFadxxDRyFJBX/ggnu/KE4kQAB7a3Dp8f/YXC1FlUprWmA==}
+    engines: {node: '>= 16'}
+
+  chokidar@4.0.3:
+    resolution: {integrity: sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==}
+    engines: {node: '>= 14.16.0'}
+
+  citty@0.1.6:
+    resolution: {integrity: sha512-tskPPKEs8D2KPafUypv2gxwJP8h/OaJmC82QQGGDQcHvXX43xF2VDACcJVmZ0EuSxkpO9Kc4MlrA3q0+FG58AQ==}
+
+  citty@0.2.1:
+    resolution: {integrity: sha512-kEV95lFBhQgtogAPlQfJJ0WGVSokvLr/UEoFPiKKOXF7pl98HfUVUD0ejsuTCld/9xH9vogSywZ5KqHzXrZpqg==}
+
+  color-convert@3.1.3:
+    resolution: {integrity: sha512-fasDH2ont2GqF5HpyO4w0+BcewlhHEZOFn9c1ckZdHpJ56Qb7MHhH/IcJZbBGgvdtwdwNbLvxiBEdg336iA9Sg==}
+    engines: {node: '>=14.6'}
+
+  color-name@2.1.0:
+    resolution: {integrity: sha512-1bPaDNFm0axzE4MEAzKPuqKWeRaT43U/hyxKPBdqTfmPF+d6n7FSoTFxLVULUJOmiLp01KjhIPPH+HrXZJN4Rg==}
+    engines: {node: '>=12.20'}
+
+  color-string@2.1.4:
+    resolution: {integrity: sha512-Bb6Cq8oq0IjDOe8wJmi4JeNn763Xs9cfrBcaylK1tPypWzyoy2G3l90v9k64kjphl/ZJjPIShFztenRomi8WTg==}
+    engines: {node: '>=18'}
+
+  color@5.0.3:
+    resolution: {integrity: sha512-ezmVcLR3xAVp8kYOm4GS45ZLLgIE6SPAFoduLr6hTDajwb3KZ2F46gulK3XpcwRFb5KKGCSezCBAY4Dw4HsyXA==}
+    engines: {node: '>=18'}
+
+  combined-stream@1.0.8:
+    resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==}
+    engines: {node: '>= 0.8'}
+
+  commander@13.1.0:
+    resolution: {integrity: sha512-/rFeCpNJQbhSZjGVwO9RFV3xPqbnERS8MmIQzCtD/zl6gpJuV/bMLuN92oG3F7d8oDEHHRrujSXNUr8fpjntKw==}
+    engines: {node: '>=18'}
+
+  confbox@0.2.4:
+    resolution: {integrity: sha512-ysOGlgTFbN2/Y6Cg3Iye8YKulHw+R2fNXHrgSmXISQdMnomY6eNDprVdW9R5xBguEqI954+S6709UyiO7B+6OQ==}
+
+  consola@3.4.2:
+    resolution: {integrity: sha512-5IKcdX0nnYavi6G7TtOhwkYzyjfJlatbjMjuLSfE2kYT5pMDOilZ4OvMhi637CcDICTmz3wARPoyhqyX1Y+XvA==}
+    engines: {node: ^14.18.0 || >=16.10.0}
+
+  content-disposition@0.5.4:
+    resolution: {integrity: sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==}
+    engines: {node: '>= 0.6'}
+
+  cookie@1.1.1:
+    resolution: {integrity: sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==}
+    engines: {node: '>=18'}
+
+  cross-spawn@7.0.6:
+    resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
+    engines: {node: '>= 8'}
+
+  debug@4.4.3:
+    resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
+    engines: {node: '>=6.0'}
+    peerDependencies:
+      supports-color: '*'
+    peerDependenciesMeta:
+      supports-color:
+        optional: true
+
+  deep-eql@5.0.2:
+    resolution: {integrity: sha512-h5k/5U50IJJFpzfL6nO9jaaumfjO/f2NjK/oYB2Djzm4p9L+3T9qWpZqZ2hAbLPuuYq9wrU08WQyBTL5GbPk5Q==}
+    engines: {node: '>=6'}
+
+  deep-is@0.1.4:
+    resolution: {integrity: sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==}
+
+  deepmerge-ts@7.1.5:
+    resolution: {integrity: sha512-HOJkrhaYsweh+W+e74Yn7YStZOilkoPb6fycpwNLKzSPtruFs48nYis0zy5yJz1+ktUhHxoRDJ27RQAWLIJVJw==}
+    engines: {node: '>=16.0.0'}
+
+  defu@6.1.4:
+    resolution: {integrity: sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==}
+
+  delayed-stream@1.0.0:
+    resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==}
+    engines: {node: '>=0.4.0'}
+
+  depd@2.0.0:
+    resolution: {integrity: sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==}
+    engines: {node: '>= 0.8'}
+
+  dequal@2.0.3:
+    resolution: {integrity: sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==}
+    engines: {node: '>=6'}
+
+  destr@2.0.5:
+    resolution: {integrity: sha512-ugFTXCtDZunbzasqBxrK93Ik/DRYsO6S/fedkWEMKqt04xZ4csmnmwGDBAb07QWNaGMAmnTIemsYZCksjATwsA==}
+
+  dotenv@16.6.1:
+    resolution: {integrity: sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==}
+    engines: {node: '>=12'}
+
+  dunder-proto@1.0.1:
+    resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
+    engines: {node: '>= 0.4'}
+
+  duplexify@4.1.3:
+    resolution: {integrity: sha512-M3BmBhwJRZsSx38lZyhE53Csddgzl5R7xGJNk7CVddZD6CcmwMCH8J+7AprIrQKH7TonKxaCjcv27Qmf+sQ+oA==}
+
+  effect@3.18.4:
+    resolution: {integrity: sha512-b1LXQJLe9D11wfnOKAk3PKxuqYshQ0Heez+y5pnkd3jLj1yx9QhM72zZ9uUrOQyNvrs2GZZd/3maL0ZV18YuDA==}
+
+  empathic@2.0.0:
+    resolution: {integrity: sha512-i6UzDscO/XfAcNYD75CfICkmfLedpyPDdozrLMmQc5ORaQcdMoc21OnlEylMIqI7U8eniKrPMxxtj8k0vhmJhA==}
+    engines: {node: '>=14'}
+
+  enabled@2.0.0:
+    resolution: {integrity: sha512-AKrN98kuwOzMIdAizXGI86UFBoo26CL21UM763y1h/GMSJ4/OHU9k2YlsmBpyScFo/wbLzWQJBMCW4+IO3/+OQ==}
+
+  end-of-stream@1.4.5:
+    resolution: {integrity: sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==}
+
+  es-define-property@1.0.1:
+    resolution: {integrity: sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==}
+    engines: {node: '>= 0.4'}
+
+  es-errors@1.3.0:
+    resolution: {integrity: sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==}
+    engines: {node: '>= 0.4'}
+
+  es-module-lexer@1.7.0:
+    resolution: {integrity: sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==}
+
+  es-object-atoms@1.1.1:
+    resolution: {integrity: sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==}
+    engines: {node: '>= 0.4'}
+
+  es-set-tostringtag@2.1.0:
+    resolution: {integrity: sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==}
+    engines: {node: '>= 0.4'}
+
+  esbuild@0.27.4:
+    resolution: {integrity: sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==}
+    engines: {node: '>=18'}
+    hasBin: true
+
+  escape-html@1.0.3:
+    resolution: {integrity: sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==}
+
+  escape-string-regexp@4.0.0:
+    resolution: {integrity: sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==}
+    engines: {node: '>=10'}
+
+  eslint-config-prettier@10.1.8:
+    resolution: {integrity: sha512-82GZUjRS0p/jganf6q1rEO25VSoHH0hKPCTrgillPjdI/3bgBhAE1QzHrHTizjpRvy6pGAvKjDJtk2pF9NDq8w==}
+    hasBin: true
+    peerDependencies:
+      eslint: '>=7.0.0'
+
+  eslint-scope@9.1.2:
+    resolution: {integrity: sha512-xS90H51cKw0jltxmvmHy2Iai1LIqrfbw57b79w/J7MfvDfkIkFZ+kj6zC3BjtUwh150HsSSdxXZcsuv72miDFQ==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+
+  eslint-visitor-keys@3.4.3:
+    resolution: {integrity: sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  eslint-visitor-keys@5.0.1:
+    resolution: {integrity: sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+
+  eslint@10.0.3:
+    resolution: {integrity: sha512-COV33RzXZkqhG9P2rZCFl9ZmJ7WL+gQSCRzE7RhkbclbQPtLAWReL7ysA0Sh4c8Im2U9ynybdR56PV0XcKvqaQ==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+    hasBin: true
+    peerDependencies:
+      jiti: '*'
+    peerDependenciesMeta:
+      jiti:
+        optional: true
+
+  espree@11.2.0:
+    resolution: {integrity: sha512-7p3DrVEIopW1B1avAGLuCSh1jubc01H2JHc8B4qqGblmg5gI9yumBgACjWo4JlIc04ufug4xJ3SQI8HkS/Rgzw==}
+    engines: {node: ^20.19.0 || ^22.13.0 || >=24}
+
+  esquery@1.7.0:
+    resolution: {integrity: sha512-Ap6G0WQwcU/LHsvLwON1fAQX9Zp0A2Y6Y/cJBl9r/JbW90Zyg4/zbG6zzKa2OTALELarYHmKu0GhpM5EO+7T0g==}
+    engines: {node: '>=0.10'}
+
+  esrecurse@4.3.0:
+    resolution: {integrity: sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==}
+    engines: {node: '>=4.0'}
+
+  estraverse@5.3.0:
+    resolution: {integrity: sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==}
+    engines: {node: '>=4.0'}
+
+  estree-walker@3.0.3:
+    resolution: {integrity: sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==}
+
+  esutils@2.0.3:
+    resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==}
+    engines: {node: '>=0.10.0'}
+
+  events-universal@1.0.1:
+    resolution: {integrity: sha512-LUd5euvbMLpwOF8m6ivPCbhQeSiYVNb8Vs0fQ8QjXo0JTkEHpz8pxdQf0gStltaPpw0Cca8b39KxvK9cfKRiAw==}
+
+  execa@9.6.1:
+    resolution: {integrity: sha512-9Be3ZoN4LmYR90tUoVu2te2BsbzHfhJyfEiAVfz7N5/zv+jduIfLrV2xdQXOHbaD6KgpGdO9PRPM1Y4Q9QkPkA==}
+    engines: {node: ^18.19.0 || >=20.5.0}
+
+  expect-type@1.3.0:
+    resolution: {integrity: sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==}
+    engines: {node: '>=12.0.0'}
+
+  exsolve@1.0.8:
+    resolution: {integrity: sha512-LmDxfWXwcTArk8fUEnOfSZpHOJ6zOMUJKOtFLFqJLoKJetuQG874Uc7/Kki7zFLzYybmZhp1M7+98pfMqeX8yA==}
+
+  fast-check@3.23.2:
+    resolution: {integrity: sha512-h5+1OzzfCC3Ef7VbtKdcv7zsstUQwUDlYpUTvjeUsJAssPgLn7QzbboPtL5ro04Mq0rPOsMzl7q5hIbRs2wD1A==}
+    engines: {node: '>=8.0.0'}
+
+  fast-decode-uri-component@1.0.1:
+    resolution: {integrity: sha512-WKgKWg5eUxvRZGwW8FvfbaH7AXSh2cL+3j5fMGzUMCxWBJ3dV3a7Wz8y2f/uQ0e3B6WmodD3oS54jTQ9HVTIIg==}
+
+  fast-deep-equal@3.1.3:
+    resolution: {integrity: sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==}
+
+  fast-fifo@1.3.2:
+    resolution: {integrity: sha512-/d9sfos4yxzpwkDkuN7k2SqFKtYNmCTzgfEpz82x34IM9/zc8KGxQoXg1liNC/izpRM/MBdt44Nmx41ZWqk+FQ==}
+
+  fast-json-stable-stringify@2.1.0:
+    resolution: {integrity: sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==}
+
+  fast-json-stringify@6.3.0:
+    resolution: {integrity: sha512-oRCntNDY/329HJPlmdNLIdogNtt6Vyjb1WuT01Soss3slIdyUp8kAcDU3saQTOquEK8KFVfwIIF7FebxUAu+yA==}
+
+  fast-levenshtein@2.0.6:
+    resolution: {integrity: sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==}
+
+  fast-querystring@1.1.2:
+    resolution: {integrity: sha512-g6KuKWmFXc0fID8WWH0jit4g0AGBoJhCkJMb1RmbsSEUNvQ+ZC8D6CUZ+GtF8nMzSPXnhiePyyqqipzNNEnHjg==}
+
+  fast-uri@3.1.0:
+    resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==}
+
+  fastify-plugin@5.1.0:
+    resolution: {integrity: sha512-FAIDA8eovSt5qcDgcBvDuX/v0Cjz0ohGhENZ/wpc3y+oZCY2afZ9Baqql3g/lC+OHRnciQol4ww7tuthOb9idw==}
+
+  fastify@5.8.2:
+    resolution: {integrity: sha512-lZmt3navvZG915IE+f7/TIVamxIwmBd+OMB+O9WBzcpIwOo6F0LTh0sluoMFk5VkrKTvvrwIaoJPkir4Z+jtAg==}
+
+  fastq@1.20.1:
+    resolution: {integrity: sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==}
+
+  fdir@6.5.0:
+    resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
+    engines: {node: '>=12.0.0'}
+    peerDependencies:
+      picomatch: ^3 || ^4
+    peerDependenciesMeta:
+      picomatch:
+        optional: true
+
+  fecha@4.2.3:
+    resolution: {integrity: sha512-OP2IUU6HeYKJi3i0z4A19kHMQoLVs4Hc+DPqqxI2h/DPZHTm/vjsfC6P0b4jCMy14XizLBqvndQ+UilD7707Jw==}
+
+  figures@6.1.0:
+    resolution: {integrity: sha512-d+l3qxjSesT4V7v2fh+QnmFnUWv9lSpjarhShNTgBOfA0ttejbQUAlHLitbjkoRiDulW0OPoQPYIGhIC8ohejg==}
+    engines: {node: '>=18'}
+
+  file-entry-cache@8.0.0:
+    resolution: {integrity: sha512-XXTUwCvisa5oacNGRP9SfNtYBNAMi+RPwBFmblZEF7N7swHYQS6/Zfk7SRwx4D5j3CH211YNRco1DEMNVfZCnQ==}
+    engines: {node: '>=16.0.0'}
+
+  file-stream-rotator@0.6.1:
+    resolution: {integrity: sha512-u+dBid4PvZw17PmDeRcNOtCP9CCK/9lRN2w+r1xIS7yOL9JFrIBKTvrYsxT4P0pGtThYTn++QS5ChHaUov3+zQ==}
+
+  find-my-way@9.5.0:
+    resolution: {integrity: sha512-VW2RfnmscZO5KgBY5XVyKREMW5nMZcxDy+buTOsL+zIPnBlbKm+00sgzoQzq1EVh4aALZLfKdwv6atBGcjvjrQ==}
+    engines: {node: '>=20'}
+
+  find-up@5.0.0:
+    resolution: {integrity: sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==}
+    engines: {node: '>=10'}
+
+  flat-cache@4.0.1:
+    resolution: {integrity: sha512-f7ccFPK3SXFHpx15UIGyRJ/FJQctuKZ0zVuN3frBo4HnK3cay9VEW0R6yPYFHC0AgqhukPzKjq22t5DmAyqGyw==}
+    engines: {node: '>=16'}
+
+  flatted@3.4.2:
+    resolution: {integrity: sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==}
+
+  fn.name@1.1.0:
+    resolution: {integrity: sha512-GRnmB5gPyJpAhTQdSZTSp9uaPSvl09KoYcMQtsB9rQoOmzs9dH6ffeccH+Z+cv6P68Hu5bC6JjRh4Ah/mHSNRw==}
+
+  foreground-child@3.3.1:
+    resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==}
+    engines: {node: '>=14'}
+
+  form-data@4.0.5:
+    resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==}
+    engines: {node: '>= 6'}
+
+  fsevents@2.3.3:
+    resolution: {integrity: sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==}
+    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
+    os: [darwin]
+
+  function-bind@1.1.2:
+    resolution: {integrity: sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==}
+
+  get-intrinsic@1.3.0:
+    resolution: {integrity: sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==}
+    engines: {node: '>= 0.4'}
+
+  get-proto@1.0.1:
+    resolution: {integrity: sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==}
+    engines: {node: '>= 0.4'}
+
+  get-stream@9.0.1:
+    resolution: {integrity: sha512-kVCxPF3vQM/N0B1PmoqVUqgHP+EeVjmZSQn+1oCRPxd2P21P2F19lIgbR3HBosbB1PUhOAoctJnfEn2GbN2eZA==}
+    engines: {node: '>=18'}
+
+  get-tsconfig@4.13.6:
+    resolution: {integrity: sha512-shZT/QMiSHc/YBLxxOkMtgSid5HFoauqCE3/exfsEcwg1WkeqjG+V40yBbBrsD+jW2HDXcs28xOfcbm2jI8Ddw==}
+
+  giget@2.0.0:
+    resolution: {integrity: sha512-L5bGsVkxJbJgdnwyuheIunkGatUF/zssUoxxjACCseZYAVbaqdh9Tsmmlkl8vYan09H7sbvKt4pS8GqKLBrEzA==}
+    hasBin: true
+
+  glob-parent@6.0.2:
+    resolution: {integrity: sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==}
+    engines: {node: '>=10.13.0'}
+
+  glob@11.1.0:
+    resolution: {integrity: sha512-vuNwKSaKiqm7g0THUBu2x7ckSs3XJLXE+2ssL7/MfTGPLLcrJQ/4Uq1CjPTtO5cCIiRxqvN6Twy1qOwhL0Xjcw==}
+    engines: {node: 20 || >=22}
+    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
+    hasBin: true
+
+  glob@13.0.6:
+    resolution: {integrity: sha512-Wjlyrolmm8uDpm/ogGyXZXb1Z+Ca2B8NbJwqBVg0axK9GbBeoS7yGV6vjXnYdGm6X53iehEuxxbyiKp8QmN4Vw==}
+    engines: {node: 18 || 20 || >=22}
+
+  gopd@1.2.0:
+    resolution: {integrity: sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==}
+    engines: {node: '>= 0.4'}
+
+  has-symbols@1.1.0:
+    resolution: {integrity: sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==}
+    engines: {node: '>= 0.4'}
+
+  has-tostringtag@1.0.2:
+    resolution: {integrity: sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==}
+    engines: {node: '>= 0.4'}
+
+  hasown@2.0.2:
+    resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
+    engines: {node: '>= 0.4'}
+
+  hpagent@1.2.0:
+    resolution: {integrity: sha512-A91dYTeIB6NoXG+PxTQpCCDDnfHsW9kc06Lvpu1TEe9gnd6ZFeiBoRO9JvzEv6xK7EX97/dUE8g/vBMTqTS3CA==}
+    engines: {node: '>=14'}
+
+  http-errors@2.0.1:
+    resolution: {integrity: sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==}
+    engines: {node: '>= 0.8'}
+
+  human-signals@8.0.1:
+    resolution: {integrity: sha512-eKCa6bwnJhvxj14kZk5NCPc6Hb6BdsU9DZcOnmQKSnO1VKrfV0zCvtttPZUsBvjmNDn8rpcJfpwSYnHBjc95MQ==}
+    engines: {node: '>=18.18.0'}
+
+  ignore@5.3.2:
+    resolution: {integrity: sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==}
+    engines: {node: '>= 4'}
+
+  ignore@7.0.5:
+    resolution: {integrity: sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==}
+    engines: {node: '>= 4'}
+
+  imurmurhash@0.1.4:
+    resolution: {integrity: sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==}
+    engines: {node: '>=0.8.19'}
+
+  inherits@2.0.4:
+    resolution: {integrity: sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==}
+
+  ip-address@10.1.0:
+    resolution: {integrity: sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==}
+    engines: {node: '>= 12'}
+
+  ipaddr.js@2.3.0:
+    resolution: {integrity: sha512-Zv/pA+ciVFbCSBBjGfaKUya/CcGmUHzTydLMaTwrUUEM2DIEO3iZvueGxmacvmN50fGpGVKeTXpb2LcYQxeVdg==}
+    engines: {node: '>= 10'}
+
+  is-extglob@2.1.1:
+    resolution: {integrity: sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==}
+    engines: {node: '>=0.10.0'}
+
+  is-glob@4.0.3:
+    resolution: {integrity: sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==}
+    engines: {node: '>=0.10.0'}
+
+  is-plain-obj@4.1.0:
+    resolution: {integrity: sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==}
+    engines: {node: '>=12'}
+
+  is-stream@2.0.1:
+    resolution: {integrity: sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==}
+    engines: {node: '>=8'}
+
+  is-stream@4.0.1:
+    resolution: {integrity: sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==}
+    engines: {node: '>=18'}
+
+  is-unicode-supported@2.1.0:
+    resolution: {integrity: sha512-mE00Gnza5EEB3Ds0HfMyllZzbBrmLOX3vfWoj9A9PEnTfratQ/BcaJOuMhnkhjXvb2+FkY3VuHqtAGpTPmglFQ==}
+    engines: {node: '>=18'}
+
+  isexe@2.0.0:
+    resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==}
+
+  isomorphic-ws@5.0.0:
+    resolution: {integrity: sha512-muId7Zzn9ywDsyXgTIafTry2sV3nySZeUDe6YedVd1Hvuuep5AsIlqK+XefWpYTyJG5e503F2xIuT2lcU6rCSw==}
+    peerDependencies:
+      ws: '*'
+
+  jackspeak@4.2.3:
+    resolution: {integrity: sha512-ykkVRwrYvFm1nb2AJfKKYPr0emF6IiXDYUaFx4Zn9ZuIH7MrzEZ3sD5RlqGXNRpHtvUHJyOnCEFxOlNDtGo7wg==}
+    engines: {node: 20 || >=22}
+
+  jiti@2.6.1:
+    resolution: {integrity: sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ==}
+    hasBin: true
+
+  jose@6.2.2:
+    resolution: {integrity: sha512-d7kPDd34KO/YnzaDOlikGpOurfF0ByC2sEV4cANCtdqLlTfBlw2p14O/5d/zv40gJPbIQxfES3nSx1/oYNyuZQ==}
+
+  js-tokens@9.0.1:
+    resolution: {integrity: sha512-mxa9E9ITFOt0ban3j6L5MpjwegGz6lBQmM1IJkWeBZGcMxto50+eWdjC/52xDbS2vy0k7vIMK0Fe2wfL9OQSpQ==}
+
+  js-yaml@4.1.1:
+    resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==}
+    hasBin: true
+
+  jsep@1.4.0:
+    resolution: {integrity: sha512-B7qPcEVE3NVkmSJbaYxvv4cHkVW7DQsZz13pUMrfS8z8Q/BuShN+gcTXrUlPiGqM2/t/EEaI030bpxMqY8gMlw==}
+    engines: {node: '>= 10.16.0'}
+
+  json-buffer@3.0.1:
+    resolution: {integrity: sha512-4bV5BfR2mqfQTJm+V5tPPdf+ZpuhiIvTuAB5g8kcrXOZpTT/QwwVRWBywX1ozr6lEuPdbHxwaJlm9G6mI2sfSQ==}
+
+  json-schema-ref-resolver@3.0.0:
+    resolution: {integrity: sha512-hOrZIVL5jyYFjzk7+y7n5JDzGlU8rfWDuYyHwGa2WA8/pcmMHezp2xsVwxrebD/Q9t8Nc5DboieySDpCp4WG4A==}
+
+  json-schema-traverse@0.4.1:
+    resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==}
+
+  json-schema-traverse@1.0.0:
+    resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==}
+
+  json-stable-stringify-without-jsonify@1.0.1:
+    resolution: {integrity: sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==}
+
+  jsonpath-plus@10.4.0:
+    resolution: {integrity: sha512-T92WWatJXmhBbKsgH/0hl+jxjdXrifi5IKeMY02DWggRxX0UElcbVzPlmgLTbvsPeW1PasQ6xE2Q75stkhGbsA==}
+    engines: {node: '>=18.0.0'}
+    hasBin: true
+
+  keyv@4.5.4:
+    resolution: {integrity: sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==}
+
+  kuler@2.0.0:
+    resolution: {integrity: sha512-Xq9nH7KlWZmXAtodXDDRE7vs6DU1gTU8zYDHDiWLSip45Egwq3plLHzPn27NgvzL2r1LMPC1vdqh98sQxtqj4A==}
+
+  levn@0.4.1:
+    resolution: {integrity: sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==}
+    engines: {node: '>= 0.8.0'}
+
+  light-my-request@6.6.0:
+    resolution: {integrity: sha512-CHYbu8RtboSIoVsHZ6Ye4cj4Aw/yg2oAFimlF7mNvfDV192LR7nDiKtSIfCuLT7KokPSTn/9kfVLm5OGN0A28A==}
+
+  locate-path@6.0.0:
+    resolution: {integrity: sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==}
+    engines: {node: '>=10'}
+
+  logform@2.7.0:
+    resolution: {integrity: sha512-TFYA4jnP7PVbmlBIfhlSe+WKxs9dklXMTEGcBCIvLhE/Tn3H6Gk1norupVW7m5Cnd4bLcr08AytbyV/xj7f/kQ==}
+    engines: {node: '>= 12.0.0'}
+
+  loupe@3.2.1:
+    resolution: {integrity: sha512-CdzqowRJCeLU72bHvWqwRBBlLcMEtIvGrlvef74kMnV2AolS9Y8xUv1I0U/MNAWMhBlKIoyuEgoJ0t/bbwHbLQ==}
+
+  lru-cache@11.2.7:
+    resolution: {integrity: sha512-aY/R+aEsRelme17KGQa/1ZSIpLpNYYrhcrepKTZgE+W3WM16YMCaPwOHLHsmopZHELU0Ojin1lPVxKR0MihncA==}
+    engines: {node: 20 || >=22}
+
+  magic-string@0.30.21:
+    resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==}
+
+  math-intrinsics@1.1.0:
+    resolution: {integrity: sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==}
+    engines: {node: '>= 0.4'}
+
+  mime-db@1.52.0:
+    resolution: {integrity: sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==}
+    engines: {node: '>= 0.6'}
+
+  mime-types@2.1.35:
+    resolution: {integrity: sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==}
+    engines: {node: '>= 0.6'}
+
+  mime@3.0.0:
+    resolution: {integrity: sha512-jSCU7/VB1loIWBZe14aEYHU/+1UMEHoaO7qxCOVJOw9GgH72VAWppxNcjU+x9a2k3GSIBXNKxXQFqRvvZ7vr3A==}
+    engines: {node: '>=10.0.0'}
+    hasBin: true
+
+  minimatch@10.2.4:
+    resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==}
+    engines: {node: 18 || 20 || >=22}
+
+  minipass@7.1.3:
+    resolution: {integrity: sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==}
+    engines: {node: '>=16 || 14 >=14.17'}
+
+  moment@2.30.1:
+    resolution: {integrity: sha512-uEmtNhbDOrWPFS+hdjFCBfy9f2YoyzRpwcl+DqpC6taX21FzsTLQVbMV/W7PzNSX6x/bhC1zA3c2UQ5NzH6how==}
+
+  ms@2.1.3:
+    resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
+
+  nanoid@3.3.11:
+    resolution: {integrity: sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==}
+    engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1}
+    hasBin: true
+
+  natural-compare@1.4.0:
+    resolution: {integrity: sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==}
+
+  node-fetch-native@1.6.7:
+    resolution: {integrity: sha512-g9yhqoedzIUm0nTnTqAQvueMPVOuIY16bqgAJJC8XOOubYFNwz6IER9qs0Gq2Xd0+CecCKFjtdDTMA4u4xG06Q==}
+
+  node-fetch@2.7.0:
+    resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}
+    engines: {node: 4.x || >=6.0.0}
+    peerDependencies:
+      encoding: ^0.1.0
+    peerDependenciesMeta:
+      encoding:
+        optional: true
+
+  npm-run-path@6.0.0:
+    resolution: {integrity: sha512-9qny7Z9DsQU8Ou39ERsPU4OZQlSTP47ShQzuKZ6PRXpYLtIFgl/DEBYEXKlvcEa+9tHVcK8CF81Y2V72qaZhWA==}
+    engines: {node: '>=18'}
+
+  nypm@0.6.5:
+    resolution: {integrity: sha512-K6AJy1GMVyfyMXRVB88700BJqNUkByijGJM8kEHpLdcAt+vSQAVfkWWHYzuRXHSY6xA2sNc5RjTj0p9rE2izVQ==}
+    engines: {node: '>=18'}
+    hasBin: true
+
+  oauth4webapi@3.8.5:
+    resolution: {integrity: sha512-A8jmyUckVhRJj5lspguklcl90Ydqk61H3dcU0oLhH3Yv13KpAliKTt5hknpGGPZSSfOwGyraNEFmofDYH+1kSg==}
+
+  object-hash@3.0.0:
+    resolution: {integrity: sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==}
+    engines: {node: '>= 6'}
+
+  ohash@2.0.11:
+    resolution: {integrity: sha512-RdR9FQrFwNBNXAr4GixM8YaRZRJ5PUWbKYbE5eOsrwAjJW0q2REGcf79oYPsLyskQCZG1PLN+S/K1V00joZAoQ==}
+
+  on-exit-leak-free@2.1.2:
+    resolution: {integrity: sha512-0eJJY6hXLGf1udHwfNftBqH+g73EU4B504nZeKpz1sYRKafAghwxEJunB2O7rDZkL4PGfsMVnTXZ2EjibbqcsA==}
+    engines: {node: '>=14.0.0'}
+
+  once@1.4.0:
+    resolution: {integrity: sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==}
+
+  one-time@1.0.0:
+    resolution: {integrity: sha512-5DXOiRKwuSEcQ/l0kGCF6Q3jcADFv5tSmRaJck/OqkVFcOzutB134KRSfF0xDrL39MNnqxbHBbUUcjZIhTgb2g==}
+
+  openid-client@6.8.2:
+    resolution: {integrity: sha512-uOvTCndr4udZsKihJ68H9bUICrriHdUVJ6Az+4Ns6cW55rwM5h0bjVIzDz2SxgOI84LKjFyjOFvERLzdTUROGA==}
+
+  optionator@0.9.4:
+    resolution: {integrity: sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==}
+    engines: {node: '>= 0.8.0'}
+
+  p-limit@3.1.0:
+    resolution: {integrity: sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==}
+    engines: {node: '>=10'}
+
+  p-locate@5.0.0:
+    resolution: {integrity: sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==}
+    engines: {node: '>=10'}
+
+  package-json-from-dist@1.0.1:
+    resolution: {integrity: sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==}
+
+  parse-ms@4.0.0:
+    resolution: {integrity: sha512-TXfryirbmq34y8QBwgqCVLi+8oA3oWx2eAnSn62ITyEhEYaWRlVZ2DvMM9eZbMs/RfxPu/PK/aBLyGj4IrqMHw==}
+    engines: {node: '>=18'}
+
+  path-exists@4.0.0:
+    resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==}
+    engines: {node: '>=8'}
+
+  path-key@3.1.1:
+    resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==}
+    engines: {node: '>=8'}
+
+  path-key@4.0.0:
+    resolution: {integrity: sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==}
+    engines: {node: '>=12'}
+
+  path-scurry@2.0.2:
+    resolution: {integrity: sha512-3O/iVVsJAPsOnpwWIeD+d6z/7PmqApyQePUtCndjatj/9I5LylHvt5qluFaBT3I5h3r1ejfR056c+FCv+NnNXg==}
+    engines: {node: 18 || 20 || >=22}
+
+  pathe@2.0.3:
+    resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==}
+
+  pathval@2.0.1:
+    resolution: {integrity: sha512-//nshmD55c46FuFw26xV/xFAaB5HF9Xdap7HJBBnrKdAd6/GxDBaNA1870O79+9ueg61cZLSVc+OaFlfmObYVQ==}
+    engines: {node: '>= 14.16'}
+
+  perfect-debounce@1.0.0:
+    resolution: {integrity: sha512-xCy9V055GLEqoFaHoC1SoLIaLmWctgCUaBaWxDZ7/Zx4CTyX7cJQLJOok/orfjZAh9kEYpjJa4d0KcJmCbctZA==}
+
+  picocolors@1.1.1:
+    resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==}
+
+  picomatch@4.0.3:
+    resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==}
+    engines: {node: '>=12'}
+
+  pino-abstract-transport@3.0.0:
+    resolution: {integrity: sha512-wlfUczU+n7Hy/Ha5j9a/gZNy7We5+cXp8YL+X+PG8S0KXxw7n/JXA3c46Y0zQznIJ83URJiwy7Lh56WLokNuxg==}
+
+  pino-std-serializers@7.1.0:
+    resolution: {integrity: sha512-BndPH67/JxGExRgiX1dX0w1FvZck5Wa4aal9198SrRhZjH3GxKQUKIBnYJTdj2HDN3UQAS06HlfcSbQj2OHmaw==}
+
+  pino@10.3.1:
+    resolution: {integrity: sha512-r34yH/GlQpKZbU1BvFFqOjhISRo1MNx1tWYsYvmj6KIRHSPMT2+yHOEb1SG6NMvRoHRF0a07kCOox/9yakl1vg==}
+    hasBin: true
+
+  pkg-types@2.3.0:
+    resolution: {integrity: sha512-SIqCzDRg0s9npO5XQ3tNZioRY1uK06lA41ynBC1YmFTmnY6FjUjVt6s4LoADmwoig1qqD0oK8h1p/8mlMx8Oig==}
+
+  postcss@8.5.8:
+    resolution: {integrity: sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==}
+    engines: {node: ^10 || ^12 || >=14}
+
+  prelude-ls@1.2.1:
+    resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==}
+    engines: {node: '>= 0.8.0'}
+
+  pretty-ms@9.3.0:
+    resolution: {integrity: sha512-gjVS5hOP+M3wMm5nmNOucbIrqudzs9v/57bWRHQWLYklXqoXKrVfYW2W9+glfGsqtPgpiz5WwyEEB+ksXIx3gQ==}
+    engines: {node: '>=18'}
+
+  prisma@6.19.2:
+    resolution: {integrity: sha512-XTKeKxtQElcq3U9/jHyxSPgiRgeYDKxWTPOf6NkXA0dNj5j40MfEsZkMbyNpwDWCUv7YBFUl7I2VK/6ALbmhEg==}
+    engines: {node: '>=18.18'}
+    hasBin: true
+    peerDependencies:
+      typescript: '>=5.1.0'
+    peerDependenciesMeta:
+      typescript:
+        optional: true
+
+  process-warning@4.0.1:
+    resolution: {integrity: sha512-3c2LzQ3rY9d0hc1emcsHhfT9Jwz0cChib/QN89oME2R451w5fy3f0afAhERFZAwrbDU43wk12d0ORBpDVME50Q==}
+
+  process-warning@5.0.0:
+    resolution: {integrity: sha512-a39t9ApHNx2L4+HBnQKqxxHNs1r7KF+Intd8Q/g1bUh6q0WIp9voPXJ/x0j+ZL45KF1pJd9+q2jLIRMfvEshkA==}
+
+  pump@3.0.4:
+    resolution: {integrity: sha512-VS7sjc6KR7e1ukRFhQSY5LM2uBWAUPiOPa/A3mkKmiMwSmRFUITt0xuj+/lesgnCv+dPIEYlkzrcyXgquIHMcA==}
+
+  punycode@2.3.1:
+    resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
+    engines: {node: '>=6'}
+
+  pure-rand@6.1.0:
+    resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==}
+
+  quick-format-unescaped@4.0.4:
+    resolution: {integrity: sha512-tYC1Q1hgyRuHgloV/YXs2w15unPVh8qfu/qCTfhTYamaw7fyhumKa2yGpdSo87vY32rIclj+4fWYQXUMs9EHvg==}
+
+  rc9@2.1.2:
+    resolution: {integrity: sha512-btXCnMmRIBINM2LDZoEmOogIZU7Qe7zn4BpomSKZ/ykbLObuBdvG+mFq11DL6fjH1DRwHhrlgtYWG96bJiC7Cg==}
+
+  readable-stream@3.6.2:
+    resolution: {integrity: sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==}
+    engines: {node: '>= 6'}
+
+  readdirp@4.1.2:
+    resolution: {integrity: sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==}
+    engines: {node: '>= 14.18.0'}
+
+  real-require@0.2.0:
+    resolution: {integrity: sha512-57frrGM/OCTLqLOAh0mhVA9VBMHd+9U7Zb2THMGdBUoZVOtGbJzjxsYGDJ3A9AYYCP4hn6y1TVbaOfzWtm5GFg==}
+    engines: {node: '>= 12.13.0'}
+
+  require-from-string@2.0.2:
+    resolution: {integrity: sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==}
+    engines: {node: '>=0.10.0'}
+
+  resolve-pkg-maps@1.0.0:
+    resolution: {integrity: sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==}
+
+  ret@0.5.0:
+    resolution: {integrity: sha512-I1XxrZSQ+oErkRR4jYbAyEEu2I0avBvvMM5JN+6EBprOGRCs63ENqZ3vjavq8fBw2+62G5LF5XelKwuJpcvcxw==}
+    engines: {node: '>=10'}
+
+  reusify@1.1.0:
+    resolution: {integrity: sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==}
+    engines: {iojs: '>=1.0.0', node: '>=0.10.0'}
+
+  rfc4648@1.5.4:
+    resolution: {integrity: sha512-rRg/6Lb+IGfJqO05HZkN50UtY7K/JhxJag1kP23+zyMfrvoB0B7RWv06MbOzoc79RgCdNTiUaNsTT1AJZ7Z+cg==}
+
+  rfdc@1.4.1:
+    resolution: {integrity: sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==}
+
+  rimraf@6.1.3:
+    resolution: {integrity: sha512-LKg+Cr2ZF61fkcaK1UdkH2yEBBKnYjTyWzTJT6KNPcSPaiT7HSdhtMXQuN5wkTX0Xu72KQ1l8S42rlmexS2hSA==}
+    engines: {node: 20 || >=22}
+    hasBin: true
+
+  rollup@4.59.0:
+    resolution: {integrity: sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==}
+    engines: {node: '>=18.0.0', npm: '>=8.0.0'}
+    hasBin: true
+
+  safe-buffer@5.2.1:
+    resolution: {integrity: sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==}
+
+  safe-regex2@5.1.0:
+    resolution: {integrity: sha512-pNHAuBW7TrcleFHsxBr5QMi/Iyp0ENjUKz7GCcX1UO7cMh+NmVK6HxQckNL1tJp1XAJVjG6B8OKIPqodqj9rtw==}
+    hasBin: true
+
+  safe-stable-stringify@2.5.0:
+    resolution: {integrity: sha512-b3rppTKm9T+PsVCBEOUR46GWI7fdOs00VKZ1+9c1EWDaDMvjQc6tUwuFyIprgGgTcWoVHSKrU8H31ZHA2e0RHA==}
+    engines: {node: '>=10'}
+
+  secure-json-parse@4.1.0:
+    resolution: {integrity: sha512-l4KnYfEyqYJxDwlNVyRfO2E4NTHfMKAWdUuA8J0yve2Dz/E/PdBepY03RvyJpssIpRFwJoCD55wA+mEDs6ByWA==}
+
+  semver@7.7.4:
+    resolution: {integrity: sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==}
+    engines: {node: '>=10'}
+    hasBin: true
+
+  set-cookie-parser@2.7.2:
+    resolution: {integrity: sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw==}
+
+  setprototypeof@1.2.0:
+    resolution: {integrity: sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==}
+
+  shebang-command@2.0.0:
+    resolution: {integrity: sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==}
+    engines: {node: '>=8'}
+
+  shebang-regex@3.0.0:
+    resolution: {integrity: sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==}
+    engines: {node: '>=8'}
+
+  siginfo@2.0.0:
+    resolution: {integrity: sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==}
+
+  signal-exit@4.1.0:
+    resolution: {integrity: sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==}
+    engines: {node: '>=14'}
+
+  smart-buffer@4.2.0:
+    resolution: {integrity: sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==}
+    engines: {node: '>= 6.0.0', npm: '>= 3.0.0'}
+
+  socks-proxy-agent@8.0.5:
+    resolution: {integrity: sha512-HehCEsotFqbPW9sJ8WVYB6UbmIMv7kUUORIF2Nncq4VQvBfNBLibW9YZR5dlYCSUhwcD628pRllm7n+E+YTzJw==}
+    engines: {node: '>= 14'}
+
+  socks@2.8.7:
+    resolution: {integrity: sha512-HLpt+uLy/pxB+bum/9DzAgiKS8CX1EvbWxI4zlmgGCExImLdiad2iCwXT5Z4c9c3Eq8rP2318mPW2c+QbtjK8A==}
+    engines: {node: '>= 10.0.0', npm: '>= 3.0.0'}
+
+  sonic-boom@4.2.1:
+    resolution: {integrity: sha512-w6AxtubXa2wTXAUsZMMWERrsIRAdrK0Sc+FUytWvYAhBJLyuI4llrMIC1DtlNSdI99EI86KZum2MMq3EAZlF9Q==}
+
+  source-map-js@1.2.1:
+    resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==}
+    engines: {node: '>=0.10.0'}
+
+  split2@4.2.0:
+    resolution: {integrity: sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==}
+    engines: {node: '>= 10.x'}
+
+  stack-trace@0.0.10:
+    resolution: {integrity: sha512-KGzahc7puUKkzyMt+IqAep+TVNbKP+k2Lmwhub39m1AsTSkaDutx56aDCo+HLDzf/D26BIHTJWNiTG1KAJiQCg==}
+
+  stackback@0.0.2:
+    resolution: {integrity: sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==}
+
+  statuses@2.0.2:
+    resolution: {integrity: sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==}
+    engines: {node: '>= 0.8'}
+
+  std-env@3.10.0:
+    resolution: {integrity: sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==}
+
+  stream-buffers@3.0.3:
+    resolution: {integrity: sha512-pqMqwQCso0PBJt2PQmDO0cFj0lyqmiwOMiMSkVtRokl7e+ZTRYgDHKnuZNbqjiJXgsg4nuqtD/zxuo9KqTp0Yw==}
+    engines: {node: '>= 0.10.0'}
+
+  stream-shift@1.0.3:
+    resolution: {integrity: sha512-76ORR0DO1o1hlKwTbi/DM3EXWGf3ZJYO8cXX5RJwnul2DEg2oyoZyjLNoQM8WsvZiFKCRfC1O0J7iCvie3RZmQ==}
+
+  streamx@2.25.0:
+    resolution: {integrity: sha512-0nQuG6jf1w+wddNEEXCF4nTg3LtufWINB5eFEN+5TNZW7KWJp6x87+JFL43vaAUPyCfH1wID+mNVyW6OHtFamg==}
+
+  string_decoder@1.3.0:
+    resolution: {integrity: sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==}
+
+  strip-final-newline@4.0.0:
+    resolution: {integrity: sha512-aulFJcD6YK8V1G7iRB5tigAP4TsHBZZrOV8pjV++zdUwmeV8uzbY7yn6h9MswN62adStNZFuCIx4haBnRuMDaw==}
+    engines: {node: '>=18'}
+
+  strip-literal@3.1.0:
+    resolution: {integrity: sha512-8r3mkIM/2+PpjHoOtiAW8Rg3jJLHaV7xPwG+YRGrv6FP0wwk/toTpATxWYOW0BKdWwl82VT2tFYi5DlROa0Mxg==}
+
+  tar-fs@3.1.2:
+    resolution: {integrity: sha512-QGxxTxxyleAdyM3kpFs14ymbYmNFrfY+pHj7Z8FgtbZ7w2//VAgLMac7sT6nRpIHjppXO2AwwEOg0bPFVRcmXw==}
+
+  tar-stream@3.1.8:
+    resolution: {integrity: sha512-U6QpVRyCGHva435KoNWy9PRoi2IFYCgtEhq9nmrPPpbRacPs9IH4aJ3gbrFC8dPcXvdSZ4XXfXT5Fshbp2MtlQ==}
+
+  teex@1.0.1:
+    resolution: {integrity: sha512-eYE6iEI62Ni1H8oIa7KlDU6uQBtqr4Eajni3wX7rpfXD8ysFx8z0+dri+KWEPWpBsxXfxu58x/0jvTVT1ekOSg==}
+
+  text-decoder@1.2.7:
+    resolution: {integrity: sha512-vlLytXkeP4xvEq2otHeJfSQIRyWxo/oZGEbXrtEEF9Hnmrdly59sUbzZ/QgyWuLYHctCHxFF4tRQZNQ9k60ExQ==}
+
+  text-hex@1.0.0:
+    resolution: {integrity: sha512-uuVGNWzgJ4yhRaNSiubPY7OjISw4sw4E5Uv0wbjp+OzcbmVU/rsT8ujgcXJhn9ypzsgr5vlzpPqP+MBBKcGvbg==}
+
+  thread-stream@4.0.0:
+    resolution: {integrity: sha512-4iMVL6HAINXWf1ZKZjIPcz5wYaOdPhtO8ATvZ+Xqp3BTdaqtAwQkNmKORqcIo5YkQqGXq5cwfswDwMqqQNrpJA==}
+    engines: {node: '>=20'}
+
+  tinybench@2.9.0:
+    resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==}
+
+  tinyexec@0.3.2:
+    resolution: {integrity: sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA==}
+
+  tinyexec@1.0.4:
+    resolution: {integrity: sha512-u9r3uZC0bdpGOXtlxUIdwf9pkmvhqJdrVCH9fapQtgy/OeTTMZ1nqH7agtvEfmGui6e1XxjcdrlxvxJvc3sMqw==}
+    engines: {node: '>=18'}
+
+  tinyglobby@0.2.15:
+    resolution: {integrity: sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==}
+    engines: {node: '>=12.0.0'}
+
+  tinypool@1.1.1:
+    resolution: {integrity: sha512-Zba82s87IFq9A9XmjiX5uZA/ARWDrB03OHlq+Vw1fSdt0I+4/Kutwy8BP4Y/y/aORMo61FQ0vIb5j44vSo5Pkg==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+
+  tinyrainbow@2.0.0:
+    resolution: {integrity: sha512-op4nsTR47R6p0vMUUoYl/a+ljLFVtlfaXkLQmqfLR1qHma1h/ysYk4hEXZ880bf2CYgTskvTa/e196Vd5dDQXw==}
+    engines: {node: '>=14.0.0'}
+
+  tinyspy@4.0.4:
+    resolution: {integrity: sha512-azl+t0z7pw/z958Gy9svOTuzqIk6xq+NSheJzn5MMWtWTFywIacg2wUlzKFGtt3cthx0r2SxMK0yzJOR0IES7Q==}
+    engines: {node: '>=14.0.0'}
+
+  toad-cache@3.7.0:
+    resolution: {integrity: sha512-/m8M+2BJUpoJdgAHoG+baCwBT+tf2VraSfkBgl0Y00qIWt41DJ8R5B8nsEw0I58YwF5IZH6z24/2TobDKnqSWw==}
+    engines: {node: '>=12'}
+
+  toidentifier@1.0.1:
+    resolution: {integrity: sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==}
+    engines: {node: '>=0.6'}
+
+  tr46@0.0.3:
+    resolution: {integrity: sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==}
+
+  triple-beam@1.4.1:
+    resolution: {integrity: sha512-aZbgViZrg1QNcG+LULa7nhZpJTZSLm/mXnHXnbAbjmN5aSa0y7V+wvv6+4WaBtpISJzThKy+PIPxc1Nq1EJ9mg==}
+    engines: {node: '>= 14.0.0'}
+
+  ts-api-utils@2.4.0:
+    resolution: {integrity: sha512-3TaVTaAv2gTiMB35i3FiGJaRfwb3Pyn/j3m/bfAvGe8FB7CF6u+LMYqYlDh7reQf7UNvoTvdfAqHGmPGOSsPmA==}
+    engines: {node: '>=18.12'}
+    peerDependencies:
+      typescript: '>=4.8.4'
+
+  tsx@4.21.0:
+    resolution: {integrity: sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==}
+    engines: {node: '>=18.0.0'}
+    hasBin: true
+
+  type-check@0.4.0:
+    resolution: {integrity: sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==}
+    engines: {node: '>= 0.8.0'}
+
+  typescript@5.9.3:
+    resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
+    engines: {node: '>=14.17'}
+    hasBin: true
+
+  undici-types@6.21.0:
+    resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
+
+  undici-types@7.16.0:
+    resolution: {integrity: sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==}
+
+  unicorn-magic@0.3.0:
+    resolution: {integrity: sha512-+QBBXBCvifc56fsbuxZQ6Sic3wqqc3WWaqxs58gvJrcOuN83HGTCwz3oS5phzU9LthRNE9VrJCFCLUgHeeFnfA==}
+    engines: {node: '>=18'}
+
+  uri-js@4.4.1:
+    resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==}
+
+  util-deprecate@1.0.2:
+    resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}
+
+  vite-node@3.2.4:
+    resolution: {integrity: sha512-EbKSKh+bh1E1IFxeO0pg1n4dvoOTt0UDiXMd/qn++r98+jPO1xtJilvXldeuQ8giIB5IkpjCgMleHMNEsGH6pg==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
+    hasBin: true
+
+  vite@7.3.1:
+    resolution: {integrity: sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==}
+    engines: {node: ^20.19.0 || >=22.12.0}
+    hasBin: true
+    peerDependencies:
+      '@types/node': ^20.19.0 || >=22.12.0
+      jiti: '>=1.21.0'
+      less: ^4.0.0
+      lightningcss: ^1.21.0
+      sass: ^1.70.0
+      sass-embedded: ^1.70.0
+      stylus: '>=0.54.8'
+      sugarss: ^5.0.0
+      terser: ^5.16.0
+      tsx: ^4.8.1
+      yaml: ^2.4.2
+    peerDependenciesMeta:
+      '@types/node':
+        optional: true
+      jiti:
+        optional: true
+      less:
+        optional: true
+      lightningcss:
+        optional: true
+      sass:
+        optional: true
+      sass-embedded:
+        optional: true
+      stylus:
+        optional: true
+      sugarss:
+        optional: true
+      terser:
+        optional: true
+      tsx:
+        optional: true
+      yaml:
+        optional: true
+
+  vitest@3.2.4:
+    resolution: {integrity: sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
+    hasBin: true
+    peerDependencies:
+      '@edge-runtime/vm': '*'
+      '@types/debug': ^4.1.12
+      '@types/node': ^18.0.0 || ^20.0.0 || >=22.0.0
+      '@vitest/browser': 3.2.4
+      '@vitest/ui': 3.2.4
+      happy-dom: '*'
+      jsdom: '*'
+    peerDependenciesMeta:
+      '@edge-runtime/vm':
+        optional: true
+      '@types/debug':
+        optional: true
+      '@types/node':
+        optional: true
+      '@vitest/browser':
+        optional: true
+      '@vitest/ui':
+        optional: true
+      happy-dom:
+        optional: true
+      jsdom:
+        optional: true
+
+  webidl-conversions@3.0.1:
+    resolution: {integrity: sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==}
+
+  whatwg-url@5.0.0:
+    resolution: {integrity: sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==}
+
+  which@2.0.2:
+    resolution: {integrity: sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==}
+    engines: {node: '>= 8'}
+    hasBin: true
+
+  why-is-node-running@2.3.0:
+    resolution: {integrity: sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==}
+    engines: {node: '>=8'}
+    hasBin: true
+
+  winston-daily-rotate-file@5.0.0:
+    resolution: {integrity: sha512-JDjiXXkM5qvwY06733vf09I2wnMXpZEhxEVOSPenZMii+g7pcDcTBt2MRugnoi8BwVSuCT2jfRXBUy+n1Zz/Yw==}
+    engines: {node: '>=8'}
+    peerDependencies:
+      winston: ^3
+
+  winston-transport@4.9.0:
+    resolution: {integrity: sha512-8drMJ4rkgaPo1Me4zD/3WLfI/zPdA9o2IipKODunnGDcuqbHwjsbB79ylv04LCGGzU0xQ6vTznOMpQGaLhhm6A==}
+    engines: {node: '>= 12.0.0'}
+
+  winston@3.19.0:
+    resolution: {integrity: sha512-LZNJgPzfKR+/J3cHkxcpHKpKKvGfDZVPS4hfJCc4cCG0CgYzvlD6yE/S3CIL/Yt91ak327YCpiF/0MyeZHEHKA==}
+    engines: {node: '>= 12.0.0'}
+
+  word-wrap@1.2.5:
+    resolution: {integrity: sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==}
+    engines: {node: '>=0.10.0'}
+
+  wrappy@1.0.2:
+    resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
+
+  ws@8.19.0:
+    resolution: {integrity: sha512-blAT2mjOEIi0ZzruJfIhb3nps74PRWTCz1IjglWEEpQl5XS/UNama6u2/rjFkDDouqr4L67ry+1aGIALViWjDg==}
+    engines: {node: '>=10.0.0'}
+    peerDependencies:
+      bufferutil: ^4.0.1
+      utf-8-validate: '>=5.0.2'
+    peerDependenciesMeta:
+      bufferutil:
+        optional: true
+      utf-8-validate:
+        optional: true
+
+  yocto-queue@0.1.0:
+    resolution: {integrity: sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==}
+    engines: {node: '>=10'}
+
+  yoctocolors@2.1.2:
+    resolution: {integrity: sha512-CzhO+pFNo8ajLM2d2IW/R93ipy99LWjtwblvC1RsoSUMZgyLbYFr221TnSNT7GjGdYui6P459mw9JH/g/zW2ug==}
+    engines: {node: '>=18'}
+
+  zod@4.3.6:
+    resolution: {integrity: sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==}
+
+snapshots:
+
+  '@colors/colors@1.6.0': {}
+
+  '@dabh/diagnostics@2.0.8':
+    dependencies:
+      '@so-ric/colorspace': 1.1.6
+      enabled: 2.0.0
+      kuler: 2.0.0
+
+  '@esbuild/aix-ppc64@0.27.4':
+    optional: true
+
+  '@esbuild/android-arm64@0.27.4':
+    optional: true
+
+  '@esbuild/android-arm@0.27.4':
+    optional: true
+
+  '@esbuild/android-x64@0.27.4':
+    optional: true
+
+  '@esbuild/darwin-arm64@0.27.4':
+    optional: true
+
+  '@esbuild/darwin-x64@0.27.4':
+    optional: true
+
+  '@esbuild/freebsd-arm64@0.27.4':
+    optional: true
+
+  '@esbuild/freebsd-x64@0.27.4':
+    optional: true
+
+  '@esbuild/linux-arm64@0.27.4':
+    optional: true
+
+  '@esbuild/linux-arm@0.27.4':
+    optional: true
+
+  '@esbuild/linux-ia32@0.27.4':
+    optional: true
+
+  '@esbuild/linux-loong64@0.27.4':
+    optional: true
+
+  '@esbuild/linux-mips64el@0.27.4':
+    optional: true
+
+  '@esbuild/linux-ppc64@0.27.4':
+    optional: true
+
+  '@esbuild/linux-riscv64@0.27.4':
+    optional: true
+
+  '@esbuild/linux-s390x@0.27.4':
+    optional: true
+
+  '@esbuild/linux-x64@0.27.4':
+    optional: true
+
+  '@esbuild/netbsd-arm64@0.27.4':
+    optional: true
+
+  '@esbuild/netbsd-x64@0.27.4':
+    optional: true
+
+  '@esbuild/openbsd-arm64@0.27.4':
+    optional: true
+
+  '@esbuild/openbsd-x64@0.27.4':
+    optional: true
+
+  '@esbuild/openharmony-arm64@0.27.4':
+    optional: true
+
+  '@esbuild/sunos-x64@0.27.4':
+    optional: true
+
+  '@esbuild/win32-arm64@0.27.4':
+    optional: true
+
+  '@esbuild/win32-ia32@0.27.4':
+    optional: true
+
+  '@esbuild/win32-x64@0.27.4':
+    optional: true
+
+  '@eslint-community/eslint-utils@4.9.1(eslint@10.0.3(jiti@2.6.1))':
+    dependencies:
+      eslint: 10.0.3(jiti@2.6.1)
+      eslint-visitor-keys: 3.4.3
+
+  '@eslint-community/regexpp@4.12.2': {}
+
+  '@eslint/config-array@0.23.3':
+    dependencies:
+      '@eslint/object-schema': 3.0.3
+      debug: 4.4.3
+      minimatch: 10.2.4
+    transitivePeerDependencies:
+      - supports-color
+
+  '@eslint/config-helpers@0.5.3':
+    dependencies:
+      '@eslint/core': 1.1.1
+
+  '@eslint/core@1.1.1':
+    dependencies:
+      '@types/json-schema': 7.0.15
+
+  '@eslint/object-schema@3.0.3': {}
+
+  '@eslint/plugin-kit@0.6.1':
+    dependencies:
+      '@eslint/core': 1.1.1
+      levn: 0.4.1
+
+  '@fastify/accept-negotiator@2.0.1': {}
+
+  '@fastify/ajv-compiler@4.0.5':
+    dependencies:
+      ajv: 8.18.0
+      ajv-formats: 3.0.1(ajv@8.18.0)
+      fast-uri: 3.1.0
+
+  '@fastify/error@4.2.0': {}
+
+  '@fastify/fast-json-stringify-compiler@5.0.3':
+    dependencies:
+      fast-json-stringify: 6.3.0
+
+  '@fastify/forwarded@3.0.1': {}
+
+  '@fastify/merge-json-schemas@0.2.1':
+    dependencies:
+      dequal: 2.0.3
+
+  '@fastify/proxy-addr@5.1.0':
+    dependencies:
+      '@fastify/forwarded': 3.0.1
+      ipaddr.js: 2.3.0
+
+  '@fastify/rate-limit@10.3.0':
+    dependencies:
+      '@lukeed/ms': 2.0.2
+      fastify-plugin: 5.1.0
+      toad-cache: 3.7.0
+
+  '@fastify/send@4.1.0':
+    dependencies:
+      '@lukeed/ms': 2.0.2
+      escape-html: 1.0.3
+      fast-decode-uri-component: 1.0.1
+      http-errors: 2.0.1
+      mime: 3.0.0
+
+  '@fastify/static@8.3.0':
+    dependencies:
+      '@fastify/accept-negotiator': 2.0.1
+      '@fastify/send': 4.1.0
+      content-disposition: 0.5.4
+      fastify-plugin: 5.1.0
+      fastq: 1.20.1
+      glob: 11.1.0
+
+  '@fastify/websocket@11.2.0':
+    dependencies:
+      duplexify: 4.1.3
+      fastify-plugin: 5.1.0
+      ws: 8.19.0
+    transitivePeerDependencies:
+      - bufferutil
+      - utf-8-validate
+
+  '@humanfs/core@0.19.1': {}
+
+  '@humanfs/node@0.16.7':
+    dependencies:
+      '@humanfs/core': 0.19.1
+      '@humanwhocodes/retry': 0.4.3
+
+  '@humanwhocodes/module-importer@1.0.1': {}
+
+  '@humanwhocodes/retry@0.4.3': {}
+
+  '@isaacs/cliui@9.0.0': {}
+
+  '@jridgewell/sourcemap-codec@1.5.5': {}
+
+  '@jsep-plugin/assignment@1.3.0(jsep@1.4.0)':
+    dependencies:
+      jsep: 1.4.0
+
+  '@jsep-plugin/regex@1.0.4(jsep@1.4.0)':
+    dependencies:
+      jsep: 1.4.0
+
+  '@kubernetes/client-node@1.4.0':
+    dependencies:
+      '@types/js-yaml': 4.0.9
+      '@types/node': 24.12.0
+      '@types/node-fetch': 2.6.13
+      '@types/stream-buffers': 3.0.8
+      form-data: 4.0.5
+      hpagent: 1.2.0
+      isomorphic-ws: 5.0.0(ws@8.19.0)
+      js-yaml: 4.1.1
+      jsonpath-plus: 10.4.0
+      node-fetch: 2.7.0
+      openid-client: 6.8.2
+      rfc4648: 1.5.4
+      socks-proxy-agent: 8.0.5
+      stream-buffers: 3.0.3
+      tar-fs: 3.1.2
+      ws: 8.19.0
+    transitivePeerDependencies:
+      - bare-abort-controller
+      - bare-buffer
+      - bufferutil
+      - encoding
+      - react-native-b4a
+      - supports-color
+      - utf-8-validate
+
+  '@lukeed/ms@2.0.2': {}
+
+  '@pinojs/redact@0.4.0': {}
+
+  '@prisma/client@6.19.2(prisma@6.19.2(typescript@5.9.3))(typescript@5.9.3)':
+    optionalDependencies:
+      prisma: 6.19.2(typescript@5.9.3)
+      typescript: 5.9.3
+
+  '@prisma/config@6.19.2':
+    dependencies:
+      c12: 3.1.0
+      deepmerge-ts: 7.1.5
+      effect: 3.18.4
+      empathic: 2.0.0
+    transitivePeerDependencies:
+      - magicast
+
+  '@prisma/debug@6.19.2': {}
+
+  '@prisma/engines-version@7.1.1-3.c2990dca591cba766e3b7ef5d9e8a84796e47ab7': {}
+
+  '@prisma/engines@6.19.2':
+    dependencies:
+      '@prisma/debug': 6.19.2
+      '@prisma/engines-version': 7.1.1-3.c2990dca591cba766e3b7ef5d9e8a84796e47ab7
+      '@prisma/fetch-engine': 6.19.2
+      '@prisma/get-platform': 6.19.2
+
+  '@prisma/fetch-engine@6.19.2':
+    dependencies:
+      '@prisma/debug': 6.19.2
+      '@prisma/engines-version': 7.1.1-3.c2990dca591cba766e3b7ef5d9e8a84796e47ab7
+      '@prisma/get-platform': 6.19.2
+
+  '@prisma/get-platform@6.19.2':
+    dependencies:
+      '@prisma/debug': 6.19.2
+
+  '@rollup/rollup-android-arm-eabi@4.59.0':
+    optional: true
+
+  '@rollup/rollup-android-arm64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-darwin-arm64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-darwin-x64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-freebsd-arm64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-freebsd-x64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-arm-gnueabihf@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-arm-musleabihf@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-arm64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-arm64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-loong64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-loong64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-ppc64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-ppc64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-riscv64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-riscv64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-s390x-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-x64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-linux-x64-musl@4.59.0':
+    optional: true
+
+  '@rollup/rollup-openbsd-x64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-openharmony-arm64@4.59.0':
+    optional: true
+
+  '@rollup/rollup-win32-arm64-msvc@4.59.0':
+    optional: true
+
+  '@rollup/rollup-win32-ia32-msvc@4.59.0':
+    optional: true
+
+  '@rollup/rollup-win32-x64-gnu@4.59.0':
+    optional: true
+
+  '@rollup/rollup-win32-x64-msvc@4.59.0':
+    optional: true
+
+  '@sec-ant/readable-stream@0.4.1': {}
+
+  '@sindresorhus/merge-streams@4.0.0': {}
+
+  '@so-ric/colorspace@1.1.6':
+    dependencies:
+      color: 5.0.3
+      text-hex: 1.0.0
+
+  '@standard-schema/spec@1.1.0': {}
+
+  '@types/chai@5.2.3':
+    dependencies:
+      '@types/deep-eql': 4.0.2
+      assertion-error: 2.0.1
+
+  '@types/deep-eql@4.0.2': {}
+
+  '@types/esrecurse@4.3.1': {}
+
+  '@types/estree@1.0.8': {}
+
+  '@types/js-yaml@4.0.9': {}
+
+  '@types/json-schema@7.0.15': {}
+
+  '@types/node-fetch@2.6.13':
+    dependencies:
+      '@types/node': 22.19.15
+      form-data: 4.0.5
+
+  '@types/node@22.19.15':
+    dependencies:
+      undici-types: 6.21.0
+
+  '@types/node@24.12.0':
+    dependencies:
+      undici-types: 7.16.0
+
+  '@types/stream-buffers@3.0.8':
+    dependencies:
+      '@types/node': 22.19.15
+
+  '@types/triple-beam@1.3.5': {}
+
+  '@types/ws@8.18.1':
+    dependencies:
+      '@types/node': 22.19.15
+
+  '@typescript-eslint/eslint-plugin@8.57.1(@typescript-eslint/parser@8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3))(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)':
+    dependencies:
+      '@eslint-community/regexpp': 4.12.2
+      '@typescript-eslint/parser': 8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)
+      '@typescript-eslint/scope-manager': 8.57.1
+      '@typescript-eslint/type-utils': 8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)
+      '@typescript-eslint/utils': 8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)
+      '@typescript-eslint/visitor-keys': 8.57.1
+      eslint: 10.0.3(jiti@2.6.1)
+      ignore: 7.0.5
+      natural-compare: 1.4.0
+      ts-api-utils: 2.4.0(typescript@5.9.3)
+      typescript: 5.9.3
+    transitivePeerDependencies:
+      - supports-color
+
+  '@typescript-eslint/parser@8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)':
+    dependencies:
+      '@typescript-eslint/scope-manager': 8.57.1
+      '@typescript-eslint/types': 8.57.1
+      '@typescript-eslint/typescript-estree': 8.57.1(typescript@5.9.3)
+      '@typescript-eslint/visitor-keys': 8.57.1
+      debug: 4.4.3
+      eslint: 10.0.3(jiti@2.6.1)
+      typescript: 5.9.3
+    transitivePeerDependencies:
+      - supports-color
+
+  '@typescript-eslint/project-service@8.57.1(typescript@5.9.3)':
+    dependencies:
+      '@typescript-eslint/tsconfig-utils': 8.57.1(typescript@5.9.3)
+      '@typescript-eslint/types': 8.57.1
+      debug: 4.4.3
+      typescript: 5.9.3
+    transitivePeerDependencies:
+      - supports-color
+
+  '@typescript-eslint/scope-manager@8.57.1':
+    dependencies:
+      '@typescript-eslint/types': 8.57.1
+      '@typescript-eslint/visitor-keys': 8.57.1
+
+  '@typescript-eslint/tsconfig-utils@8.57.1(typescript@5.9.3)':
+    dependencies:
+      typescript: 5.9.3
+
+  '@typescript-eslint/type-utils@8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)':
+    dependencies:
+      '@typescript-eslint/types': 8.57.1
+      '@typescript-eslint/typescript-estree': 8.57.1(typescript@5.9.3)
+      '@typescript-eslint/utils': 8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)
+      debug: 4.4.3
+      eslint: 10.0.3(jiti@2.6.1)
+      ts-api-utils: 2.4.0(typescript@5.9.3)
+      typescript: 5.9.3
+    transitivePeerDependencies:
+      - supports-color
+
+  '@typescript-eslint/types@8.57.1': {}
+
+  '@typescript-eslint/typescript-estree@8.57.1(typescript@5.9.3)':
+    dependencies:
+      '@typescript-eslint/project-service': 8.57.1(typescript@5.9.3)
+      '@typescript-eslint/tsconfig-utils': 8.57.1(typescript@5.9.3)
+      '@typescript-eslint/types': 8.57.1
+      '@typescript-eslint/visitor-keys': 8.57.1
+      debug: 4.4.3
+      minimatch: 10.2.4
+      semver: 7.7.4
+      tinyglobby: 0.2.15
+      ts-api-utils: 2.4.0(typescript@5.9.3)
+      typescript: 5.9.3
+    transitivePeerDependencies:
+      - supports-color
+
+  '@typescript-eslint/utils@8.57.1(eslint@10.0.3(jiti@2.6.1))(typescript@5.9.3)':
+    dependencies:
+      '@eslint-community/eslint-utils': 4.9.1(eslint@10.0.3(jiti@2.6.1))
+      '@typescript-eslint/scope-manager': 8.57.1
+      '@typescript-eslint/types': 8.57.1
+      '@typescript-eslint/typescript-estree': 8.57.1(typescript@5.9.3)
+      eslint: 10.0.3(jiti@2.6.1)
+      typescript: 5.9.3
+    transitivePeerDependencies:
+      - supports-color
+
+  '@typescript-eslint/visitor-keys@8.57.1':
+    dependencies:
+      '@typescript-eslint/types': 8.57.1
+      eslint-visitor-keys: 5.0.1
+
+  '@vitest/expect@3.2.4':
+    dependencies:
+      '@types/chai': 5.2.3
+      '@vitest/spy': 3.2.4
+      '@vitest/utils': 3.2.4
+      chai: 5.3.3
+      tinyrainbow: 2.0.0
+
+  '@vitest/mocker@3.2.4(vite@7.3.1(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0))':
+    dependencies:
+      '@vitest/spy': 3.2.4
+      estree-walker: 3.0.3
+      magic-string: 0.30.21
+    optionalDependencies:
+      vite: 7.3.1(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0)
+
+  '@vitest/pretty-format@3.2.4':
+    dependencies:
+      tinyrainbow: 2.0.0
+
+  '@vitest/runner@3.2.4':
+    dependencies:
+      '@vitest/utils': 3.2.4
+      pathe: 2.0.3
+      strip-literal: 3.1.0
+
+  '@vitest/snapshot@3.2.4':
+    dependencies:
+      '@vitest/pretty-format': 3.2.4
+      magic-string: 0.30.21
+      pathe: 2.0.3
+
+  '@vitest/spy@3.2.4':
+    dependencies:
+      tinyspy: 4.0.4
+
+  '@vitest/utils@3.2.4':
+    dependencies:
+      '@vitest/pretty-format': 3.2.4
+      loupe: 3.2.1
+      tinyrainbow: 2.0.0
+
+  abstract-logging@2.0.1: {}
+
+  acorn-jsx@5.3.2(acorn@8.16.0):
+    dependencies:
+      acorn: 8.16.0
+
+  acorn@8.16.0: {}
+
+  agent-base@7.1.4: {}
+
+  ajv-formats@3.0.1(ajv@8.18.0):
+    optionalDependencies:
+      ajv: 8.18.0
+
+  ajv@6.14.0:
+    dependencies:
+      fast-deep-equal: 3.1.3
+      fast-json-stable-stringify: 2.1.0
+      json-schema-traverse: 0.4.1
+      uri-js: 4.4.1
+
+  ajv@8.18.0:
+    dependencies:
+      fast-deep-equal: 3.1.3
+      fast-uri: 3.1.0
+      json-schema-traverse: 1.0.0
+      require-from-string: 2.0.2
+
+  argparse@2.0.1: {}
+
+  assertion-error@2.0.1: {}
+
+  async@3.2.6: {}
+
+  asynckit@0.4.0: {}
+
+  atomic-sleep@1.0.0: {}
+
+  avvio@9.2.0:
+    dependencies:
+      '@fastify/error': 4.2.0
+      fastq: 1.20.1
+
+  b4a@1.8.0: {}
+
+  balanced-match@4.0.4: {}
+
+  bare-events@2.8.2: {}
+
+  bare-fs@4.5.6:
+    dependencies:
+      bare-events: 2.8.2
+      bare-path: 3.0.0
+      bare-stream: 2.10.0(bare-events@2.8.2)
+      bare-url: 2.4.0
+      fast-fifo: 1.3.2
+    transitivePeerDependencies:
+      - bare-abort-controller
+      - react-native-b4a
+
+  bare-os@3.8.0: {}
+
+  bare-path@3.0.0:
+    dependencies:
+      bare-os: 3.8.0
+
+  bare-stream@2.10.0(bare-events@2.8.2):
+    dependencies:
+      streamx: 2.25.0
+      teex: 1.0.1
+    optionalDependencies:
+      bare-events: 2.8.2
+    transitivePeerDependencies:
+      - bare-abort-controller
+      - react-native-b4a
+
+  bare-url@2.4.0:
+    dependencies:
+      bare-path: 3.0.0
+
+  brace-expansion@5.0.4:
+    dependencies:
+      balanced-match: 4.0.4
+
+  c12@3.1.0:
+    dependencies:
+      chokidar: 4.0.3
+      confbox: 0.2.4
+      defu: 6.1.4
+      dotenv: 16.6.1
+      exsolve: 1.0.8
+      giget: 2.0.0
+      jiti: 2.6.1
+      ohash: 2.0.11
+      pathe: 2.0.3
+      perfect-debounce: 1.0.0
+      pkg-types: 2.3.0
+      rc9: 2.1.2
+
+  cac@6.7.14: {}
+
+  call-bind-apply-helpers@1.0.2:
+    dependencies:
+      es-errors: 1.3.0
+      function-bind: 1.1.2
+
+  chai@5.3.3:
+    dependencies:
+      assertion-error: 2.0.1
+      check-error: 2.1.3
+      deep-eql: 5.0.2
+      loupe: 3.2.1
+      pathval: 2.0.1
+
+  check-error@2.1.3: {}
+
+  chokidar@4.0.3:
+    dependencies:
+      readdirp: 4.1.2
+
+  citty@0.1.6:
+    dependencies:
+      consola: 3.4.2
+
+  citty@0.2.1: {}
+
+  color-convert@3.1.3:
+    dependencies:
+      color-name: 2.1.0
+
+  color-name@2.1.0: {}
+
+  color-string@2.1.4:
+    dependencies:
+      color-name: 2.1.0
+
+  color@5.0.3:
+    dependencies:
+      color-convert: 3.1.3
+      color-string: 2.1.4
+
+  combined-stream@1.0.8:
+    dependencies:
+      delayed-stream: 1.0.0
+
+  commander@13.1.0: {}
+
+  confbox@0.2.4: {}
+
+  consola@3.4.2: {}
+
+  content-disposition@0.5.4:
+    dependencies:
+      safe-buffer: 5.2.1
+
+  cookie@1.1.1: {}
+
+  cross-spawn@7.0.6:
+    dependencies:
+      path-key: 3.1.1
+      shebang-command: 2.0.0
+      which: 2.0.2
+
+  debug@4.4.3:
+    dependencies:
+      ms: 2.1.3
+
+  deep-eql@5.0.2: {}
+
+  deep-is@0.1.4: {}
+
+  deepmerge-ts@7.1.5: {}
+
+  defu@6.1.4: {}
+
+  delayed-stream@1.0.0: {}
+
+  depd@2.0.0: {}
+
+  dequal@2.0.3: {}
+
+  destr@2.0.5: {}
+
+  dotenv@16.6.1: {}
+
+  dunder-proto@1.0.1:
+    dependencies:
+      call-bind-apply-helpers: 1.0.2
+      es-errors: 1.3.0
+      gopd: 1.2.0
+
+  duplexify@4.1.3:
+    dependencies:
+      end-of-stream: 1.4.5
+      inherits: 2.0.4
+      readable-stream: 3.6.2
+      stream-shift: 1.0.3
+
+  effect@3.18.4:
+    dependencies:
+      '@standard-schema/spec': 1.1.0
+      fast-check: 3.23.2
+
+  empathic@2.0.0: {}
+
+  enabled@2.0.0: {}
+
+  end-of-stream@1.4.5:
+    dependencies:
+      once: 1.4.0
+
+  es-define-property@1.0.1: {}
+
+  es-errors@1.3.0: {}
+
+  es-module-lexer@1.7.0: {}
+
+  es-object-atoms@1.1.1:
+    dependencies:
+      es-errors: 1.3.0
+
+  es-set-tostringtag@2.1.0:
+    dependencies:
+      es-errors: 1.3.0
+      get-intrinsic: 1.3.0
+      has-tostringtag: 1.0.2
+      hasown: 2.0.2
+
+  esbuild@0.27.4:
+    optionalDependencies:
+      '@esbuild/aix-ppc64': 0.27.4
+      '@esbuild/android-arm': 0.27.4
+      '@esbuild/android-arm64': 0.27.4
+      '@esbuild/android-x64': 0.27.4
+      '@esbuild/darwin-arm64': 0.27.4
+      '@esbuild/darwin-x64': 0.27.4
+      '@esbuild/freebsd-arm64': 0.27.4
+      '@esbuild/freebsd-x64': 0.27.4
+      '@esbuild/linux-arm': 0.27.4
+      '@esbuild/linux-arm64': 0.27.4
+      '@esbuild/linux-ia32': 0.27.4
+      '@esbuild/linux-loong64': 0.27.4
+      '@esbuild/linux-mips64el': 0.27.4
+      '@esbuild/linux-ppc64': 0.27.4
+      '@esbuild/linux-riscv64': 0.27.4
+      '@esbuild/linux-s390x': 0.27.4
+      '@esbuild/linux-x64': 0.27.4
+      '@esbuild/netbsd-arm64': 0.27.4
+      '@esbuild/netbsd-x64': 0.27.4
+      '@esbuild/openbsd-arm64': 0.27.4
+      '@esbuild/openbsd-x64': 0.27.4
+      '@esbuild/openharmony-arm64': 0.27.4
+      '@esbuild/sunos-x64': 0.27.4
+      '@esbuild/win32-arm64': 0.27.4
+      '@esbuild/win32-ia32': 0.27.4
+      '@esbuild/win32-x64': 0.27.4
+
+  escape-html@1.0.3: {}
+
+  escape-string-regexp@4.0.0: {}
+
+  eslint-config-prettier@10.1.8(eslint@10.0.3(jiti@2.6.1)):
+    dependencies:
+      eslint: 10.0.3(jiti@2.6.1)
+
+  eslint-scope@9.1.2:
+    dependencies:
+      '@types/esrecurse': 4.3.1
+      '@types/estree': 1.0.8
+      esrecurse: 4.3.0
+      estraverse: 5.3.0
+
+  eslint-visitor-keys@3.4.3: {}
+
+  eslint-visitor-keys@5.0.1: {}
+
+  eslint@10.0.3(jiti@2.6.1):
+    dependencies:
+      '@eslint-community/eslint-utils': 4.9.1(eslint@10.0.3(jiti@2.6.1))
+      '@eslint-community/regexpp': 4.12.2
+      '@eslint/config-array': 0.23.3
+      '@eslint/config-helpers': 0.5.3
+      '@eslint/core': 1.1.1
+      '@eslint/plugin-kit': 0.6.1
+      '@humanfs/node': 0.16.7
+      '@humanwhocodes/module-importer': 1.0.1
+      '@humanwhocodes/retry': 0.4.3
+      '@types/estree': 1.0.8
+      ajv: 6.14.0
+      cross-spawn: 7.0.6
+      debug: 4.4.3
+      escape-string-regexp: 4.0.0
+      eslint-scope: 9.1.2
+      eslint-visitor-keys: 5.0.1
+      espree: 11.2.0
+      esquery: 1.7.0
+      esutils: 2.0.3
+      fast-deep-equal: 3.1.3
+      file-entry-cache: 8.0.0
+      find-up: 5.0.0
+      glob-parent: 6.0.2
+      ignore: 5.3.2
+      imurmurhash: 0.1.4
+      is-glob: 4.0.3
+      json-stable-stringify-without-jsonify: 1.0.1
+      minimatch: 10.2.4
+      natural-compare: 1.4.0
+      optionator: 0.9.4
+    optionalDependencies:
+      jiti: 2.6.1
+    transitivePeerDependencies:
+      - supports-color
+
+  espree@11.2.0:
+    dependencies:
+      acorn: 8.16.0
+      acorn-jsx: 5.3.2(acorn@8.16.0)
+      eslint-visitor-keys: 5.0.1
+
+  esquery@1.7.0:
+    dependencies:
+      estraverse: 5.3.0
+
+  esrecurse@4.3.0:
+    dependencies:
+      estraverse: 5.3.0
+
+  estraverse@5.3.0: {}
+
+  estree-walker@3.0.3:
+    dependencies:
+      '@types/estree': 1.0.8
+
+  esutils@2.0.3: {}
+
+  events-universal@1.0.1:
+    dependencies:
+      bare-events: 2.8.2
+    transitivePeerDependencies:
+      - bare-abort-controller
+
+  execa@9.6.1:
+    dependencies:
+      '@sindresorhus/merge-streams': 4.0.0
+      cross-spawn: 7.0.6
+      figures: 6.1.0
+      get-stream: 9.0.1
+      human-signals: 8.0.1
+      is-plain-obj: 4.1.0
+      is-stream: 4.0.1
+      npm-run-path: 6.0.0
+      pretty-ms: 9.3.0
+      signal-exit: 4.1.0
+      strip-final-newline: 4.0.0
+      yoctocolors: 2.1.2
+
+  expect-type@1.3.0: {}
+
+  exsolve@1.0.8: {}
+
+  fast-check@3.23.2:
+    dependencies:
+      pure-rand: 6.1.0
+
+  fast-decode-uri-component@1.0.1: {}
+
+  fast-deep-equal@3.1.3: {}
+
+  fast-fifo@1.3.2: {}
+
+  fast-json-stable-stringify@2.1.0: {}
+
+  fast-json-stringify@6.3.0:
+    dependencies:
+      '@fastify/merge-json-schemas': 0.2.1
+      ajv: 8.18.0
+      ajv-formats: 3.0.1(ajv@8.18.0)
+      fast-uri: 3.1.0
+      json-schema-ref-resolver: 3.0.0
+      rfdc: 1.4.1
+
+  fast-levenshtein@2.0.6: {}
+
+  fast-querystring@1.1.2:
+    dependencies:
+      fast-decode-uri-component: 1.0.1
+
+  fast-uri@3.1.0: {}
+
+  fastify-plugin@5.1.0: {}
+
+  fastify@5.8.2:
+    dependencies:
+      '@fastify/ajv-compiler': 4.0.5
+      '@fastify/error': 4.2.0
+      '@fastify/fast-json-stringify-compiler': 5.0.3
+      '@fastify/proxy-addr': 5.1.0
+      abstract-logging: 2.0.1
+      avvio: 9.2.0
+      fast-json-stringify: 6.3.0
+      find-my-way: 9.5.0
+      light-my-request: 6.6.0
+      pino: 10.3.1
+      process-warning: 5.0.0
+      rfdc: 1.4.1
+      secure-json-parse: 4.1.0
+      semver: 7.7.4
+      toad-cache: 3.7.0
+
+  fastq@1.20.1:
+    dependencies:
+      reusify: 1.1.0
+
+  fdir@6.5.0(picomatch@4.0.3):
+    optionalDependencies:
+      picomatch: 4.0.3
+
+  fecha@4.2.3: {}
+
+  figures@6.1.0:
+    dependencies:
+      is-unicode-supported: 2.1.0
+
+  file-entry-cache@8.0.0:
+    dependencies:
+      flat-cache: 4.0.1
+
+  file-stream-rotator@0.6.1:
+    dependencies:
+      moment: 2.30.1
+
+  find-my-way@9.5.0:
+    dependencies:
+      fast-deep-equal: 3.1.3
+      fast-querystring: 1.1.2
+      safe-regex2: 5.1.0
+
+  find-up@5.0.0:
+    dependencies:
+      locate-path: 6.0.0
+      path-exists: 4.0.0
+
+  flat-cache@4.0.1:
+    dependencies:
+      flatted: 3.4.2
+      keyv: 4.5.4
+
+  flatted@3.4.2: {}
+
+  fn.name@1.1.0: {}
+
+  foreground-child@3.3.1:
+    dependencies:
+      cross-spawn: 7.0.6
+      signal-exit: 4.1.0
+
+  form-data@4.0.5:
+    dependencies:
+      asynckit: 0.4.0
+      combined-stream: 1.0.8
+      es-set-tostringtag: 2.1.0
+      hasown: 2.0.2
+      mime-types: 2.1.35
+
+  fsevents@2.3.3:
+    optional: true
+
+  function-bind@1.1.2: {}
+
+  get-intrinsic@1.3.0:
+    dependencies:
+      call-bind-apply-helpers: 1.0.2
+      es-define-property: 1.0.1
+      es-errors: 1.3.0
+      es-object-atoms: 1.1.1
+      function-bind: 1.1.2
+      get-proto: 1.0.1
+      gopd: 1.2.0
+      has-symbols: 1.1.0
+      hasown: 2.0.2
+      math-intrinsics: 1.1.0
+
+  get-proto@1.0.1:
+    dependencies:
+      dunder-proto: 1.0.1
+      es-object-atoms: 1.1.1
+
+  get-stream@9.0.1:
+    dependencies:
+      '@sec-ant/readable-stream': 0.4.1
+      is-stream: 4.0.1
+
+  get-tsconfig@4.13.6:
+    dependencies:
+      resolve-pkg-maps: 1.0.0
+
+  giget@2.0.0:
+    dependencies:
+      citty: 0.1.6
+      consola: 3.4.2
+      defu: 6.1.4
+      node-fetch-native: 1.6.7
+      nypm: 0.6.5
+      pathe: 2.0.3
+
+  glob-parent@6.0.2:
+    dependencies:
+      is-glob: 4.0.3
+
+  glob@11.1.0:
+    dependencies:
+      foreground-child: 3.3.1
+      jackspeak: 4.2.3
+      minimatch: 10.2.4
+      minipass: 7.1.3
+      package-json-from-dist: 1.0.1
+      path-scurry: 2.0.2
+
+  glob@13.0.6:
+    dependencies:
+      minimatch: 10.2.4
+      minipass: 7.1.3
+      path-scurry: 2.0.2
+
+  gopd@1.2.0: {}
+
+  has-symbols@1.1.0: {}
+
+  has-tostringtag@1.0.2:
+    dependencies:
+      has-symbols: 1.1.0
+
+  hasown@2.0.2:
+    dependencies:
+      function-bind: 1.1.2
+
+  hpagent@1.2.0: {}
+
+  http-errors@2.0.1:
+    dependencies:
+      depd: 2.0.0
+      inherits: 2.0.4
+      setprototypeof: 1.2.0
+      statuses: 2.0.2
+      toidentifier: 1.0.1
+
+  human-signals@8.0.1: {}
+
+  ignore@5.3.2: {}
+
+  ignore@7.0.5: {}
+
+  imurmurhash@0.1.4: {}
+
+  inherits@2.0.4: {}
+
+  ip-address@10.1.0: {}
+
+  ipaddr.js@2.3.0: {}
+
+  is-extglob@2.1.1: {}
+
+  is-glob@4.0.3:
+    dependencies:
+      is-extglob: 2.1.1
+
+  is-plain-obj@4.1.0: {}
+
+  is-stream@2.0.1: {}
+
+  is-stream@4.0.1: {}
+
+  is-unicode-supported@2.1.0: {}
+
+  isexe@2.0.0: {}
+
+  isomorphic-ws@5.0.0(ws@8.19.0):
+    dependencies:
+      ws: 8.19.0
+
+  jackspeak@4.2.3:
+    dependencies:
+      '@isaacs/cliui': 9.0.0
+
+  jiti@2.6.1: {}
+
+  jose@6.2.2: {}
+
+  js-tokens@9.0.1: {}
+
+  js-yaml@4.1.1:
+    dependencies:
+      argparse: 2.0.1
+
+  jsep@1.4.0: {}
+
+  json-buffer@3.0.1: {}
+
+  json-schema-ref-resolver@3.0.0:
+    dependencies:
+      dequal: 2.0.3
+
+  json-schema-traverse@0.4.1: {}
+
+  json-schema-traverse@1.0.0: {}
+
+  json-stable-stringify-without-jsonify@1.0.1: {}
+
+  jsonpath-plus@10.4.0:
+    dependencies:
+      '@jsep-plugin/assignment': 1.3.0(jsep@1.4.0)
+      '@jsep-plugin/regex': 1.0.4(jsep@1.4.0)
+      jsep: 1.4.0
+
+  keyv@4.5.4:
+    dependencies:
+      json-buffer: 3.0.1
+
+  kuler@2.0.0: {}
+
+  levn@0.4.1:
+    dependencies:
+      prelude-ls: 1.2.1
+      type-check: 0.4.0
+
+  light-my-request@6.6.0:
+    dependencies:
+      cookie: 1.1.1
+      process-warning: 4.0.1
+      set-cookie-parser: 2.7.2
+
+  locate-path@6.0.0:
+    dependencies:
+      p-locate: 5.0.0
+
+  logform@2.7.0:
+    dependencies:
+      '@colors/colors': 1.6.0
+      '@types/triple-beam': 1.3.5
+      fecha: 4.2.3
+      ms: 2.1.3
+      safe-stable-stringify: 2.5.0
+      triple-beam: 1.4.1
+
+  loupe@3.2.1: {}
+
+  lru-cache@11.2.7: {}
+
+  magic-string@0.30.21:
+    dependencies:
+      '@jridgewell/sourcemap-codec': 1.5.5
+
+  math-intrinsics@1.1.0: {}
+
+  mime-db@1.52.0: {}
+
+  mime-types@2.1.35:
+    dependencies:
+      mime-db: 1.52.0
+
+  mime@3.0.0: {}
+
+  minimatch@10.2.4:
+    dependencies:
+      brace-expansion: 5.0.4
+
+  minipass@7.1.3: {}
+
+  moment@2.30.1: {}
+
+  ms@2.1.3: {}
+
+  nanoid@3.3.11: {}
+
+  natural-compare@1.4.0: {}
+
+  node-fetch-native@1.6.7: {}
+
+  node-fetch@2.7.0:
+    dependencies:
+      whatwg-url: 5.0.0
+
+  npm-run-path@6.0.0:
+    dependencies:
+      path-key: 4.0.0
+      unicorn-magic: 0.3.0
+
+  nypm@0.6.5:
+    dependencies:
+      citty: 0.2.1
+      pathe: 2.0.3
+      tinyexec: 1.0.4
+
+  oauth4webapi@3.8.5: {}
+
+  object-hash@3.0.0: {}
+
+  ohash@2.0.11: {}
+
+  on-exit-leak-free@2.1.2: {}
+
+  once@1.4.0:
+    dependencies:
+      wrappy: 1.0.2
+
+  one-time@1.0.0:
+    dependencies:
+      fn.name: 1.1.0
+
+  openid-client@6.8.2:
+    dependencies:
+      jose: 6.2.2
+      oauth4webapi: 3.8.5
+
+  optionator@0.9.4:
+    dependencies:
+      deep-is: 0.1.4
+      fast-levenshtein: 2.0.6
+      levn: 0.4.1
+      prelude-ls: 1.2.1
+      type-check: 0.4.0
+      word-wrap: 1.2.5
+
+  p-limit@3.1.0:
+    dependencies:
+      yocto-queue: 0.1.0
+
+  p-locate@5.0.0:
+    dependencies:
+      p-limit: 3.1.0
+
+  package-json-from-dist@1.0.1: {}
+
+  parse-ms@4.0.0: {}
+
+  path-exists@4.0.0: {}
+
+  path-key@3.1.1: {}
+
+  path-key@4.0.0: {}
+
+  path-scurry@2.0.2:
+    dependencies:
+      lru-cache: 11.2.7
+      minipass: 7.1.3
+
+  pathe@2.0.3: {}
+
+  pathval@2.0.1: {}
+
+  perfect-debounce@1.0.0: {}
+
+  picocolors@1.1.1: {}
+
+  picomatch@4.0.3: {}
+
+  pino-abstract-transport@3.0.0:
+    dependencies:
+      split2: 4.2.0
+
+  pino-std-serializers@7.1.0: {}
+
+  pino@10.3.1:
+    dependencies:
+      '@pinojs/redact': 0.4.0
+      atomic-sleep: 1.0.0
+      on-exit-leak-free: 2.1.2
+      pino-abstract-transport: 3.0.0
+      pino-std-serializers: 7.1.0
+      process-warning: 5.0.0
+      quick-format-unescaped: 4.0.4
+      real-require: 0.2.0
+      safe-stable-stringify: 2.5.0
+      sonic-boom: 4.2.1
+      thread-stream: 4.0.0
+
+  pkg-types@2.3.0:
+    dependencies:
+      confbox: 0.2.4
+      exsolve: 1.0.8
+      pathe: 2.0.3
+
+  postcss@8.5.8:
+    dependencies:
+      nanoid: 3.3.11
+      picocolors: 1.1.1
+      source-map-js: 1.2.1
+
+  prelude-ls@1.2.1: {}
+
+  pretty-ms@9.3.0:
+    dependencies:
+      parse-ms: 4.0.0
+
+  prisma@6.19.2(typescript@5.9.3):
+    dependencies:
+      '@prisma/config': 6.19.2
+      '@prisma/engines': 6.19.2
+    optionalDependencies:
+      typescript: 5.9.3
+    transitivePeerDependencies:
+      - magicast
+
+  process-warning@4.0.1: {}
+
+  process-warning@5.0.0: {}
+
+  pump@3.0.4:
+    dependencies:
+      end-of-stream: 1.4.5
+      once: 1.4.0
+
+  punycode@2.3.1: {}
+
+  pure-rand@6.1.0: {}
+
+  quick-format-unescaped@4.0.4: {}
+
+  rc9@2.1.2:
+    dependencies:
+      defu: 6.1.4
+      destr: 2.0.5
+
+  readable-stream@3.6.2:
+    dependencies:
+      inherits: 2.0.4
+      string_decoder: 1.3.0
+      util-deprecate: 1.0.2
+
+  readdirp@4.1.2: {}
+
+  real-require@0.2.0: {}
+
+  require-from-string@2.0.2: {}
+
+  resolve-pkg-maps@1.0.0: {}
+
+  ret@0.5.0: {}
+
+  reusify@1.1.0: {}
+
+  rfc4648@1.5.4: {}
+
+  rfdc@1.4.1: {}
+
+  rimraf@6.1.3:
+    dependencies:
+      glob: 13.0.6
+      package-json-from-dist: 1.0.1
+
+  rollup@4.59.0:
+    dependencies:
+      '@types/estree': 1.0.8
+    optionalDependencies:
+      '@rollup/rollup-android-arm-eabi': 4.59.0
+      '@rollup/rollup-android-arm64': 4.59.0
+      '@rollup/rollup-darwin-arm64': 4.59.0
+      '@rollup/rollup-darwin-x64': 4.59.0
+      '@rollup/rollup-freebsd-arm64': 4.59.0
+      '@rollup/rollup-freebsd-x64': 4.59.0
+      '@rollup/rollup-linux-arm-gnueabihf': 4.59.0
+      '@rollup/rollup-linux-arm-musleabihf': 4.59.0
+      '@rollup/rollup-linux-arm64-gnu': 4.59.0
+      '@rollup/rollup-linux-arm64-musl': 4.59.0
+      '@rollup/rollup-linux-loong64-gnu': 4.59.0
+      '@rollup/rollup-linux-loong64-musl': 4.59.0
+      '@rollup/rollup-linux-ppc64-gnu': 4.59.0
+      '@rollup/rollup-linux-ppc64-musl': 4.59.0
+      '@rollup/rollup-linux-riscv64-gnu': 4.59.0
+      '@rollup/rollup-linux-riscv64-musl': 4.59.0
+      '@rollup/rollup-linux-s390x-gnu': 4.59.0
+      '@rollup/rollup-linux-x64-gnu': 4.59.0
+      '@rollup/rollup-linux-x64-musl': 4.59.0
+      '@rollup/rollup-openbsd-x64': 4.59.0
+      '@rollup/rollup-openharmony-arm64': 4.59.0
+      '@rollup/rollup-win32-arm64-msvc': 4.59.0
+      '@rollup/rollup-win32-ia32-msvc': 4.59.0
+      '@rollup/rollup-win32-x64-gnu': 4.59.0
+      '@rollup/rollup-win32-x64-msvc': 4.59.0
+      fsevents: 2.3.3
+
+  safe-buffer@5.2.1: {}
+
+  safe-regex2@5.1.0:
+    dependencies:
+      ret: 0.5.0
+
+  safe-stable-stringify@2.5.0: {}
+
+  secure-json-parse@4.1.0: {}
+
+  semver@7.7.4: {}
+
+  set-cookie-parser@2.7.2: {}
+
+  setprototypeof@1.2.0: {}
+
+  shebang-command@2.0.0:
+    dependencies:
+      shebang-regex: 3.0.0
+
+  shebang-regex@3.0.0: {}
+
+  siginfo@2.0.0: {}
+
+  signal-exit@4.1.0: {}
+
+  smart-buffer@4.2.0: {}
+
+  socks-proxy-agent@8.0.5:
+    dependencies:
+      agent-base: 7.1.4
+      debug: 4.4.3
+      socks: 2.8.7
+    transitivePeerDependencies:
+      - supports-color
+
+  socks@2.8.7:
+    dependencies:
+      ip-address: 10.1.0
+      smart-buffer: 4.2.0
+
+  sonic-boom@4.2.1:
+    dependencies:
+      atomic-sleep: 1.0.0
+
+  source-map-js@1.2.1: {}
+
+  split2@4.2.0: {}
+
+  stack-trace@0.0.10: {}
+
+  stackback@0.0.2: {}
+
+  statuses@2.0.2: {}
+
+  std-env@3.10.0: {}
+
+  stream-buffers@3.0.3: {}
+
+  stream-shift@1.0.3: {}
+
+  streamx@2.25.0:
+    dependencies:
+      events-universal: 1.0.1
+      fast-fifo: 1.3.2
+      text-decoder: 1.2.7
+    transitivePeerDependencies:
+      - bare-abort-controller
+      - react-native-b4a
+
+  string_decoder@1.3.0:
+    dependencies:
+      safe-buffer: 5.2.1
+
+  strip-final-newline@4.0.0: {}
+
+  strip-literal@3.1.0:
+    dependencies:
+      js-tokens: 9.0.1
+
+  tar-fs@3.1.2:
+    dependencies:
+      pump: 3.0.4
+      tar-stream: 3.1.8
+    optionalDependencies:
+      bare-fs: 4.5.6
+      bare-path: 3.0.0
+    transitivePeerDependencies:
+      - bare-abort-controller
+      - bare-buffer
+      - react-native-b4a
+
+  tar-stream@3.1.8:
+    dependencies:
+      b4a: 1.8.0
+      bare-fs: 4.5.6
+      fast-fifo: 1.3.2
+      streamx: 2.25.0
+    transitivePeerDependencies:
+      - bare-abort-controller
+      - bare-buffer
+      - react-native-b4a
+
+  teex@1.0.1:
+    dependencies:
+      streamx: 2.25.0
+    transitivePeerDependencies:
+      - bare-abort-controller
+      - react-native-b4a
+
+  text-decoder@1.2.7:
+    dependencies:
+      b4a: 1.8.0
+    transitivePeerDependencies:
+      - react-native-b4a
+
+  text-hex@1.0.0: {}
+
+  thread-stream@4.0.0:
+    dependencies:
+      real-require: 0.2.0
+
+  tinybench@2.9.0: {}
+
+  tinyexec@0.3.2: {}
+
+  tinyexec@1.0.4: {}
+
+  tinyglobby@0.2.15:
+    dependencies:
+      fdir: 6.5.0(picomatch@4.0.3)
+      picomatch: 4.0.3
+
+  tinypool@1.1.1: {}
+
+  tinyrainbow@2.0.0: {}
+
+  tinyspy@4.0.4: {}
+
+  toad-cache@3.7.0: {}
+
+  toidentifier@1.0.1: {}
+
+  tr46@0.0.3: {}
+
+  triple-beam@1.4.1: {}
+
+  ts-api-utils@2.4.0(typescript@5.9.3):
+    dependencies:
+      typescript: 5.9.3
+
+  tsx@4.21.0:
+    dependencies:
+      esbuild: 0.27.4
+      get-tsconfig: 4.13.6
+    optionalDependencies:
+      fsevents: 2.3.3
+
+  type-check@0.4.0:
+    dependencies:
+      prelude-ls: 1.2.1
+
+  typescript@5.9.3: {}
+
+  undici-types@6.21.0: {}
+
+  undici-types@7.16.0: {}
+
+  unicorn-magic@0.3.0: {}
+
+  uri-js@4.4.1:
+    dependencies:
+      punycode: 2.3.1
+
+  util-deprecate@1.0.2: {}
+
+  vite-node@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0):
+    dependencies:
+      cac: 6.7.14
+      debug: 4.4.3
+      es-module-lexer: 1.7.0
+      pathe: 2.0.3
+      vite: 7.3.1(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0)
+    transitivePeerDependencies:
+      - '@types/node'
+      - jiti
+      - less
+      - lightningcss
+      - sass
+      - sass-embedded
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+      - tsx
+      - yaml
+
+  vite@7.3.1(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0):
+    dependencies:
+      esbuild: 0.27.4
+      fdir: 6.5.0(picomatch@4.0.3)
+      picomatch: 4.0.3
+      postcss: 8.5.8
+      rollup: 4.59.0
+      tinyglobby: 0.2.15
+    optionalDependencies:
+      '@types/node': 22.19.15
+      fsevents: 2.3.3
+      jiti: 2.6.1
+      tsx: 4.21.0
+
+  vitest@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0):
+    dependencies:
+      '@types/chai': 5.2.3
+      '@vitest/expect': 3.2.4
+      '@vitest/mocker': 3.2.4(vite@7.3.1(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0))
+      '@vitest/pretty-format': 3.2.4
+      '@vitest/runner': 3.2.4
+      '@vitest/snapshot': 3.2.4
+      '@vitest/spy': 3.2.4
+      '@vitest/utils': 3.2.4
+      chai: 5.3.3
+      debug: 4.4.3
+      expect-type: 1.3.0
+      magic-string: 0.30.21
+      pathe: 2.0.3
+      picomatch: 4.0.3
+      std-env: 3.10.0
+      tinybench: 2.9.0
+      tinyexec: 0.3.2
+      tinyglobby: 0.2.15
+      tinypool: 1.1.1
+      tinyrainbow: 2.0.0
+      vite: 7.3.1(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0)
+      vite-node: 3.2.4(@types/node@22.19.15)(jiti@2.6.1)(tsx@4.21.0)
+      why-is-node-running: 2.3.0
+    optionalDependencies:
+      '@types/node': 22.19.15
+    transitivePeerDependencies:
+      - jiti
+      - less
+      - lightningcss
+      - msw
+      - sass
+      - sass-embedded
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+      - tsx
+      - yaml
+
+  webidl-conversions@3.0.1: {}
+
+  whatwg-url@5.0.0:
+    dependencies:
+      tr46: 0.0.3
+      webidl-conversions: 3.0.1
+
+  which@2.0.2:
+    dependencies:
+      isexe: 2.0.0
+
+  why-is-node-running@2.3.0:
+    dependencies:
+      siginfo: 2.0.0
+      stackback: 0.0.2
+
+  winston-daily-rotate-file@5.0.0(winston@3.19.0):
+    dependencies:
+      file-stream-rotator: 0.6.1
+      object-hash: 3.0.0
+      triple-beam: 1.4.1
+      winston: 3.19.0
+      winston-transport: 4.9.0
+
+  winston-transport@4.9.0:
+    dependencies:
+      logform: 2.7.0
+      readable-stream: 3.6.2
+      triple-beam: 1.4.1
+
+  winston@3.19.0:
+    dependencies:
+      '@colors/colors': 1.6.0
+      '@dabh/diagnostics': 2.0.8
+      async: 3.2.6
+      is-stream: 2.0.1
+      logform: 2.7.0
+      one-time: 1.0.0
+      readable-stream: 3.6.2
+      safe-stable-stringify: 2.5.0
+      stack-trace: 0.0.10
+      triple-beam: 1.4.1
+      winston-transport: 4.9.0
+
+  word-wrap@1.2.5: {}
+
+  wrappy@1.0.2: {}
+
+  ws@8.19.0: {}
+
+  yocto-queue@0.1.0: {}
+
+  yoctocolors@2.1.2: {}
+
+  zod@4.3.6: {}
diff --git a/bastion/pnpm-workspace.yaml b/bastion/pnpm-workspace.yaml
new file mode 100644
index 0000000..2ddfbd3
--- /dev/null
+++ b/bastion/pnpm-workspace.yaml
@@ -0,0 +1,2 @@
+packages:
+  - "src/*"
diff --git a/bastion/scripts/build-bastion.sh b/bastion/scripts/build-bastion.sh
new file mode 100755
index 0000000..4b4b67a
--- /dev/null
+++ b/bastion/scripts/build-bastion.sh
@@ -0,0 +1,127 @@
+#!/bin/bash
+# Build bastion container image (multi-arch) and push to Gitea container registry
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+cd "$PROJECT_ROOT"
+
+# Load .env for GITEA_TOKEN
+if [ -f .env ]; then
+  set -a; source .env; set +a
+fi
+
+# ── Argument parsing ───────────────────────────────────────────────
+PUSH=false
+PLATFORMS="linux/amd64,linux/arm64"
+
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") [OPTIONS] [TAG]
+
+Build bastion container image (multi-arch) and optionally push to registry.
+
+Options:
+  --push             Push to registry after building
+  --platforms LIST   Comma-separated platforms (default: linux/amd64,linux/arm64)
+  -h, --help         Show this help message
+
+Arguments:
+  TAG                Image tag (default: version from package.json)
+
+Examples:
+  $(basename "$0")                          # build multi-arch, no push
+  $(basename "$0") --push                   # build + push with version tag
+  $(basename "$0") --push latest            # build + push as :latest
+  $(basename "$0") --platforms linux/amd64   # build amd64 only
+EOF
+  exit 0
+}
+
+POSITIONAL_ARGS=()
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --push)
+      PUSH=true
+      shift
+      ;;
+    --platforms)
+      PLATFORMS="$2"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1")
+      shift
+      ;;
+  esac
+done
+
+REGISTRY="${GITEA_REGISTRY:-mysources.co.uk}"
+REPO="michal/lab/bastion"
+FULL_IMAGE="$REGISTRY/$REPO"
+VERSION=$(node -p "require('./package.json').version")
+TAG="${POSITIONAL_ARGS[0]:-$VERSION}"
+
+echo "==> Building bastion image"
+echo "    Tag:       $TAG"
+echo "    Platforms: $PLATFORMS"
+echo "    Registry:  $FULL_IMAGE"
+
+# ── Build multi-arch manifest ────────────────────────────────────
+MANIFEST="lab-bastion:$TAG"
+
+# Remove existing manifest/image with the same tag
+podman manifest rm "$MANIFEST" 2>/dev/null || true
+podman rmi "$MANIFEST" 2>/dev/null || true
+
+echo "==> Building for platforms: $PLATFORMS..."
+podman build \
+  --platform "$PLATFORMS" \
+  --manifest "$MANIFEST" \
+  -f Dockerfile.bastion \
+  .
+
+echo "==> Build complete. Manifest:"
+podman manifest inspect "$MANIFEST" | grep -E '"(architecture|os)"'
+
+# ── Push ─────────────────────────────────────────────────────────
+if [ "$PUSH" = true ]; then
+  if [ -z "$GITEA_TOKEN" ]; then
+    # Try reading from ~/.gitea-token
+    if [ -f "$HOME/.gitea-token" ]; then
+      GITEA_TOKEN="$(cat "$HOME/.gitea-token")"
+    else
+      echo "ERROR: GITEA_TOKEN not set and ~/.gitea-token not found"
+      exit 1
+    fi
+  fi
+
+  echo "==> Logging in to $REGISTRY..."
+  podman login -u michal -p "$GITEA_TOKEN" "$REGISTRY"
+
+  echo "==> Pushing $FULL_IMAGE:$TAG..."
+  podman manifest push --all "$MANIFEST" "docker://$FULL_IMAGE:$TAG"
+
+  # Also tag as :latest if not already
+  if [ "$TAG" != "latest" ]; then
+    echo "==> Also pushing as :latest..."
+    podman manifest push --all "$MANIFEST" "docker://$FULL_IMAGE:latest"
+  fi
+
+  # Link package to repository if script exists
+  if [ -f "$SCRIPT_DIR/link-package.sh" ]; then
+    source "$SCRIPT_DIR/link-package.sh"
+    link_package "container" "bastion"
+  fi
+
+  echo "==> Pushed successfully!"
+else
+  echo "==> Skipping push (use --push to push to registry)"
+fi
+
+echo "==> Done!"
+echo "    Image: $FULL_IMAGE:$TAG"
+echo "    Platforms: $PLATFORMS"
diff --git a/bastion/scripts/build-labd.sh b/bastion/scripts/build-labd.sh
new file mode 100755
index 0000000..0084ea5
--- /dev/null
+++ b/bastion/scripts/build-labd.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+# Build labd container image (multi-arch) and push to Gitea container registry
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+cd "$PROJECT_ROOT"
+
+# Load .env for GITEA_TOKEN
+if [ -f .env ]; then
+  set -a; source .env; set +a
+fi
+
+# ── Argument parsing ───────────────────────────────────────────────
+PUSH=false
+PLATFORMS="linux/amd64,linux/arm64"
+
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") [OPTIONS] [TAG]
+
+Build labd container image (multi-arch) and optionally push to registry.
+
+Options:
+  --push             Push to registry after building
+  --platforms LIST   Comma-separated platforms (default: linux/amd64,linux/arm64)
+  -h, --help         Show this help message
+
+Arguments:
+  TAG                Image tag (default: version from package.json)
+EOF
+  exit 0
+}
+
+POSITIONAL_ARGS=()
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --push)
+      PUSH=true
+      shift
+      ;;
+    --platforms)
+      PLATFORMS="$2"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1")
+      shift
+      ;;
+  esac
+done
+
+REGISTRY="${GITEA_REGISTRY:-mysources.co.uk}"
+REPO="michal/lab/labd"
+FULL_IMAGE="$REGISTRY/$REPO"
+VERSION=$(node -p "require('./package.json').version")
+TAG="${POSITIONAL_ARGS[0]:-$VERSION}"
+
+echo "==> Building labd image"
+echo "    Tag:       $TAG"
+echo "    Platforms: $PLATFORMS"
+echo "    Registry:  $FULL_IMAGE"
+
+# ── Build multi-arch manifest ────────────────────────────────────
+MANIFEST="lab-labd:$TAG"
+
+# Remove existing manifest/image with the same tag
+podman manifest rm "$MANIFEST" 2>/dev/null || true
+podman rmi "$MANIFEST" 2>/dev/null || true
+
+echo "==> Building for platforms: $PLATFORMS..."
+podman build \
+  --platform "$PLATFORMS" \
+  --manifest "$MANIFEST" \
+  -f Dockerfile.labd \
+  .
+
+echo "==> Build complete. Manifest:"
+podman manifest inspect "$MANIFEST" | grep -E '"(architecture|os)"'
+
+# ── Push ─────────────────────────────────────────────────────────
+if [ "$PUSH" = true ]; then
+  if [ -z "$GITEA_TOKEN" ]; then
+    if [ -f "$HOME/.gitea-token" ]; then
+      GITEA_TOKEN="$(cat "$HOME/.gitea-token")"
+    else
+      echo "ERROR: GITEA_TOKEN not set and ~/.gitea-token not found"
+      exit 1
+    fi
+  fi
+
+  echo "==> Logging in to $REGISTRY..."
+  podman login -u michal -p "$GITEA_TOKEN" "$REGISTRY"
+
+  echo "==> Pushing $FULL_IMAGE:$TAG..."
+  podman manifest push --all "$MANIFEST" "docker://$FULL_IMAGE:$TAG"
+
+  if [ "$TAG" != "latest" ]; then
+    echo "==> Also pushing as :latest..."
+    podman manifest push --all "$MANIFEST" "docker://$FULL_IMAGE:latest"
+  fi
+
+  if [ -f "$SCRIPT_DIR/link-package.sh" ]; then
+    source "$SCRIPT_DIR/link-package.sh"
+    link_package "container" "labd"
+  fi
+
+  echo "==> Pushed successfully!"
+else
+  echo "==> Skipping push (use --push to push to registry)"
+fi
+
+echo "==> Done!"
+echo "    Image: $FULL_IMAGE:$TAG"
+echo "    Platforms: $PLATFORMS"
diff --git a/bastion/scripts/build-rpm.sh b/bastion/scripts/build-rpm.sh
new file mode 100755
index 0000000..70cee22
--- /dev/null
+++ b/bastion/scripts/build-rpm.sh
@@ -0,0 +1,180 @@
+#!/bin/bash
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+cd "$PROJECT_ROOT"
+
+# Load .env if present
+if [ -f .env ]; then
+  set -a; source .env; set +a
+fi
+
+# Ensure tools are on PATH
+export PATH="$HOME/.npm-global/bin:$HOME/.bun/bin:$HOME/.local/bin:$PATH"
+
+# ── Argument parsing ───────────────────────────────────────────────
+BUILD_ALL=false
+TARGET_ARCH=""
+SKIP_TESTS=false
+
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") [OPTIONS]
+
+Build labctl binary and produce RPM/DEB packages.
+
+Options:
+  --arch ARCH    Target architecture: x86_64 or arm64 (default: host arch)
+  --all          Build for both x86_64 and arm64
+  --skip-tests   Skip unit tests (useful in CI where tests ran separately)
+  -h, --help     Show this help message
+EOF
+  exit 0
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --arch)
+      TARGET_ARCH="$2"
+      shift 2
+      ;;
+    --all)
+      BUILD_ALL=true
+      shift
+      ;;
+    --skip-tests)
+      SKIP_TESTS=true
+      shift
+      ;;
+    -h|--help)
+      usage
+      ;;
+    *)
+      echo "Unknown option: $1"
+      usage
+      ;;
+  esac
+done
+
+# ── Resolve host architecture ─────────────────────────────────────
+detect_host_arch() {
+  local machine
+  machine="$(uname -m)"
+  case "$machine" in
+    x86_64)  echo "x86_64" ;;
+    aarch64) echo "arm64" ;;
+    arm64)   echo "arm64" ;;
+    *)       echo "$machine" ;;
+  esac
+}
+
+# ── Architecture mapping helpers ──────────────────────────────────
+# Maps our canonical arch names to the values each tool expects.
+bun_target_for() {
+  case "$1" in
+    x86_64) echo "bun-linux-x64" ;;
+    arm64)  echo "bun-linux-arm64" ;;
+  esac
+}
+
+nfpm_arch_for() {
+  case "$1" in
+    x86_64) echo "amd64" ;;
+    arm64)  echo "arm64" ;;
+  esac
+}
+
+rpm_arch_for() {
+  case "$1" in
+    x86_64) echo "x86_64" ;;
+    arm64)  echo "aarch64" ;;
+  esac
+}
+
+deb_arch_for() {
+  case "$1" in
+    x86_64) echo "amd64" ;;
+    arm64)  echo "arm64" ;;
+  esac
+}
+
+# ── Build one architecture ────────────────────────────────────────
+build_arch() {
+  local arch="$1"
+  local bun_target nfpm_arch binary_name
+
+  bun_target="$(bun_target_for "$arch")"
+  nfpm_arch="$(nfpm_arch_for "$arch")"
+  binary_name="dist/labctl-${arch}"
+
+  echo ""
+  echo "==> Bundling standalone binary for ${arch}..."
+  bun build src/cli/src/index.ts --compile --target="${bun_target}" --outfile "${binary_name}"
+
+  echo "==> Packaging RPM (${arch})..."
+  # Create a temporary nfpm config with the correct arch and binary path
+  local tmpconfig
+  tmpconfig="$(mktemp /tmp/nfpm-XXXXXX.yaml)"
+  sed -e "s|^arch:.*|arch: ${nfpm_arch}|" \
+      -e "s|src: ./dist/labctl$|src: ./${binary_name}|" \
+      nfpm.yaml > "$tmpconfig"
+
+  nfpm pkg --config "$tmpconfig" --packager rpm --target dist/
+  rm -f "$tmpconfig"
+
+  local rpm_arch
+  rpm_arch="$(rpm_arch_for "$arch")"
+  RPM_FILE=$(ls dist/labctl-*.${rpm_arch}.rpm 2>/dev/null | head -1)
+  echo "==> Built: $RPM_FILE"
+  echo "    Size: $(du -h "$RPM_FILE" | cut -f1)"
+
+  echo ""
+  echo "==> Packaging DEB (${arch})..."
+  local deb_arch
+  deb_arch="$(deb_arch_for "$arch")"
+
+  tmpconfig="$(mktemp /tmp/nfpm-XXXXXX.yaml)"
+  sed -e "s|^arch:.*|arch: ${nfpm_arch}|" \
+      -e "s|src: ./dist/labctl$|src: ./${binary_name}|" \
+      nfpm.yaml > "$tmpconfig"
+
+  nfpm pkg --config "$tmpconfig" --packager deb --target dist/
+  rm -f "$tmpconfig"
+
+  DEB_FILE=$(ls dist/labctl_*_${deb_arch}.deb 2>/dev/null | head -1)
+  echo "==> Built: $DEB_FILE"
+  echo "    Size: $(du -h "$DEB_FILE" | cut -f1)"
+}
+
+# ── Main ──────────────────────────────────────────────────────────
+
+if [ "$SKIP_TESTS" = false ]; then
+  echo "==> Running unit tests..."
+  pnpm test:run
+  echo ""
+fi
+
+echo "==> Building TypeScript..."
+pnpm build
+
+echo "==> Generating shell completions..."
+pnpm completions:generate
+
+mkdir -p dist
+rm -f dist/labctl dist/labctl-x86_64 dist/labctl-arm64 dist/labctl-*.rpm dist/labctl*.deb
+
+if [ "$BUILD_ALL" = true ]; then
+  build_arch "x86_64"
+  build_arch "arm64"
+elif [ -n "$TARGET_ARCH" ]; then
+  build_arch "$TARGET_ARCH"
+else
+  # Default to host architecture
+  HOST_ARCH="$(detect_host_arch)"
+  build_arch "$HOST_ARCH"
+fi
+
+echo ""
+echo "==> Build complete. Artifacts in dist/:"
+ls -lh dist/labctl* 2>/dev/null || echo "  (none)"
diff --git a/bastion/scripts/generate-completions.ts b/bastion/scripts/generate-completions.ts
new file mode 100644
index 0000000..5a1e36f
--- /dev/null
+++ b/bastion/scripts/generate-completions.ts
@@ -0,0 +1,444 @@
+#!/usr/bin/env tsx
+/**
+ * generate-completions.ts -- auto-generates shell completions from the commander.js command tree.
+ *
+ * Usage:
+ *   tsx scripts/generate-completions.ts           # print generated files to stdout
+ *   tsx scripts/generate-completions.ts --write   # write completions/ files
+ *   tsx scripts/generate-completions.ts --check   # exit 0 if files match, 1 if stale
+ *
+ * Requires `pnpm build` to have run first (workspace packages must be compiled).
+ */
+
+import { Command, type Option, type Argument } from 'commander';
+import { readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ROOT = join(__dirname, '..');
+
+// ============================================================
+// Command tree extraction
+// ============================================================
+
+interface CmdInfo {
+  name: string;
+  description: string;
+  hidden: boolean;
+  options: OptInfo[];
+  args: ArgInfo[];
+  subcommands: CmdInfo[];
+}
+
+interface OptInfo {
+  short?: string;
+  long: string;
+  description: string;
+  takesValue: boolean;
+  choices?: string[];
+  negate: boolean;
+}
+
+interface ArgInfo {
+  name: string;
+  description: string;
+  required: boolean;
+  variadic: boolean;
+  choices?: string[];
+}
+
+function extractOption(opt: Option): OptInfo {
+  return {
+    short: (opt as unknown as Record<string, string>).short || undefined,
+    long: (opt as unknown as Record<string, string>).long,
+    description: opt.description,
+    takesValue: (opt as unknown as Record<string, boolean>).required || (opt as unknown as Record<string, boolean>).optional || false,
+    choices: (opt as unknown as Record<string, string[] | undefined>).argChoices || undefined,
+    negate: (opt as unknown as Record<string, boolean>).negate || false,
+  };
+}
+
+function extractArgument(arg: Argument): ArgInfo {
+  return {
+    name: (arg as unknown as Record<string, string>)._name ?? arg.name(),
+    description: arg.description,
+    required: (arg as unknown as Record<string, boolean>).required,
+    variadic: (arg as unknown as Record<string, boolean>).variadic,
+    choices: (arg as unknown as Record<string, string[] | undefined>)._choices || undefined,
+  };
+}
+
+function extractCommand(cmd: Command): CmdInfo {
+  const options = (cmd.options as Option[])
+    .filter((o) => {
+      const long = (o as unknown as Record<string, string>).long;
+      return long !== '--help' && long !== '--version';
+    })
+    .map(extractOption);
+
+  const args = ((cmd as unknown as Record<string, Argument[]>).registeredArguments ?? [])
+    .map(extractArgument);
+
+  const subcommands = (cmd.commands as Command[])
+    .filter((sub) => sub.name() !== 'help')
+    .map(extractCommand);
+
+  if ((cmd.commands as Command[]).some((sub) => sub.name() === 'help')) {
+    subcommands.push({
+      name: 'help',
+      description: 'display help for command',
+      hidden: false,
+      options: [],
+      args: [],
+      subcommands: [],
+    });
+  }
+
+  return {
+    name: cmd.name(),
+    description: cmd.description(),
+    hidden: (cmd as unknown as Record<string, boolean>)._hidden ?? false,
+    options,
+    args,
+    subcommands,
+  };
+}
+
+async function extractTree(): Promise<CmdInfo> {
+  const { createProgram } = await import('../src/cli/src/index.js') as { createProgram: () => Command };
+  const program = createProgram();
+  return extractCommand(program);
+}
+
+// ============================================================
+// Utilities
+// ============================================================
+
+function esc(s: string): string {
+  return s.replace(/'/g, "\\'");
+}
+
+/** Collect all commands recursively with their full path. */
+function collectCommands(cmd: CmdInfo, prefix: string[] = []): { path: string[]; cmd: CmdInfo }[] {
+  const result: { path: string[]; cmd: CmdInfo }[] = [];
+  for (const sub of cmd.subcommands) {
+    const fullPath = [...prefix, sub.name];
+    result.push({ path: fullPath, cmd: sub });
+    result.push(...collectCommands(sub, fullPath));
+  }
+  return result;
+}
+
+// ============================================================
+// Fish completion generator
+// ============================================================
+
+function generateFish(root: CmdInfo): string {
+  const lines: string[] = [];
+  const emit = (s: string): void => { lines.push(s); };
+  const BIN = root.name;
+
+  emit(`# ${BIN} fish completions -- auto-generated by scripts/generate-completions.ts`);
+  emit('# DO NOT EDIT MANUALLY -- run: pnpm completions:generate');
+  emit('');
+  emit(`complete -c ${BIN} -e`);
+  emit(`complete -c ${BIN} -f`);
+  emit('');
+
+  // Global options
+  emit('# Global options');
+  emit(`complete -c ${BIN} -s v -l version -d 'Show version'`);
+  emit(`complete -c ${BIN} -s h -l help -d 'Show help'`);
+  emit('');
+
+  const allCmds = collectCommands(root);
+
+  // Helper: test if EXACTLY the given subcommand chain is present (for subcommand suggestions)
+  emit('# Helper: test if exactly a subcommand chain is active (no extra positional args)');
+  emit(`function __${BIN}_using_cmd`);
+  emit('    set -l tokens (commandline -opc)');
+  emit('    set -l expected $argv');
+  emit('    set -l depth (count $expected)');
+  emit('    set -l found 0');
+  emit('    set -l i 1');
+  emit('    for tok in $tokens[2..]');
+  emit('        if string match -q -- "-*" $tok');
+  emit('            continue');
+  emit('        end');
+  emit('        set i (math $i + 1)');
+  emit('        set -l idx (math $i - 1)');
+  emit('        if test $idx -le $depth');
+  emit('            if test "$tok" != "$expected[$idx]"');
+  emit('                return 1');
+  emit('            end');
+  emit('            set found (math $found + 1)');
+  emit('        else');
+  emit('            return 1');
+  emit('        end');
+  emit('    end');
+  emit('    test $found -eq $depth');
+  emit('end');
+  emit('');
+
+  // Helper: test if command chain STARTS WITH the given prefix (for options that apply after args)
+  emit('# Helper: test if command starts with a subcommand chain (options still apply after args)');
+  emit(`function __${BIN}_in_cmd`);
+  emit('    set -l tokens (commandline -opc)');
+  emit('    set -l expected $argv');
+  emit('    set -l depth (count $expected)');
+  emit('    set -l found 0');
+  emit('    for tok in $tokens[2..]');
+  emit('        if string match -q -- "-*" $tok');
+  emit('            continue');
+  emit('        end');
+  emit('        set found (math $found + 1)');
+  emit('        if test $found -le $depth');
+  emit('            if test "$tok" != "$expected[$found]"');
+  emit('                return 1');
+  emit('            end');
+  emit('        end');
+  emit('    end');
+  emit('    test $found -ge $depth');
+  emit('end');
+  emit('');
+
+  // Dynamic completions: fetch machine data from bastion API
+  emit('# Dynamic: fetch machine hostnames from bastion (installed + queued)');
+  emit(`function __${BIN}_installed_hosts`);
+  emit('    curl -s http://localhost:8080/api/machines 2>/dev/null | ');
+  emit("        python3 -c 'import sys,json; d=json.load(sys.stdin); hosts=[v.get(\"hostname\",\"\") for v in {**d.get(\"install_queue\",{}), **d.get(\"installed\",{})}.values() if v.get(\"hostname\")]; [print(h) for h in set(hosts)]' 2>/dev/null");
+  emit('end');
+  emit('');
+
+  emit('# Dynamic: fetch all known MAC addresses (discovered + queue + installed)');
+  emit(`function __${BIN}_known_macs`);
+  emit('    curl -s http://localhost:8080/api/machines 2>/dev/null | ');
+  emit("        python3 -c 'import sys,json; d=json.load(sys.stdin); [print(k) for k in {**d.get(\"discovered\",{}), **d.get(\"install_queue\",{}), **d.get(\"installed\",{})}]' 2>/dev/null");
+  emit('end');
+  emit('');
+
+  emit('# Dynamic: fetch hostnames and MACs from all states');
+  emit(`function __${BIN}_hosts_and_macs`);
+  emit('    curl -s http://localhost:8080/api/machines 2>/dev/null | ');
+  emit("        python3 -c 'import sys,json; d=json.load(sys.stdin); a={**d.get(\"discovered\",{}), **d.get(\"install_queue\",{}), **d.get(\"installed\",{})}; macs=list(a.keys()); hosts=[v.get(\"hostname\",\"\") for v in {**d.get(\"install_queue\",{}), **d.get(\"installed\",{})}.values() if v.get(\"hostname\")]; [print(x) for x in set(macs+hosts)]' 2>/dev/null");
+  emit('end');
+  emit('');
+
+  // Target completions for commands that accept hostname/IP/MAC
+  emit('# Target argument completions');
+  // app k3s — takes hostname/IP
+  emit(`complete -c ${BIN} -n "__${BIN}_using_cmd app k3s install" -a "(__${BIN}_installed_hosts)" -d 'installed host'`);
+  emit(`complete -c ${BIN} -n "__${BIN}_using_cmd app k3s health" -a "(__${BIN}_installed_hosts)" -d 'installed host'`);
+  emit(`complete -c ${BIN} -n "__${BIN}_using_cmd app labcontroller deploy" -a "(__${BIN}_installed_hosts)" -d 'installed host'`);
+  emit(`complete -c ${BIN} -n "__${BIN}_using_cmd app labcontroller status" -a "(__${BIN}_installed_hosts)" -d 'installed host'`);
+  // provision install — takes MAC then hostname
+  emit(`complete -c ${BIN} -n "__${BIN}_using_cmd provision install" -a "(__${BIN}_known_macs)" -d 'MAC address'`);
+  // provision reprovision/forget/logs — takes MAC or hostname
+  emit(`complete -c ${BIN} -n "__${BIN}_using_cmd provision reprovision" -a "(__${BIN}_hosts_and_macs)" -d 'host or MAC'`);
+  emit(`complete -c ${BIN} -n "__${BIN}_using_cmd provision forget" -a "(__${BIN}_hosts_and_macs)" -d 'host or MAC'`);
+  emit(`complete -c ${BIN} -n "__${BIN}_using_cmd provision logs" -a "(__${BIN}_hosts_and_macs)" -d 'host or MAC'`);
+  emit('');
+
+  // Top-level commands
+  const topCmds = root.subcommands.filter((c) => !c.hidden);
+  emit('# Top-level commands');
+  for (const cmd of topCmds) {
+    emit(`complete -c ${BIN} -n "not __fish_seen_subcommand_from ${topCmds.map((c) => c.name).join(' ')}" -a ${cmd.name} -d '${esc(cmd.description)}'`);
+  }
+  emit('');
+
+  // Subcommands and options at each level
+  for (const { path, cmd } of allCmds) {
+    if (cmd.hidden) continue;
+
+    // If this command has subcommands, offer them
+    const visibleSubs = cmd.subcommands.filter((s) => !s.hidden);
+    if (visibleSubs.length > 0) {
+      const parentCondition = `__${BIN}_using_cmd ${path.join(' ')}`;
+      emit(`# ${path.join(' ')} subcommands`);
+      for (const sub of visibleSubs) {
+        emit(`complete -c ${BIN} -n "${parentCondition}" -a ${sub.name} -d '${esc(sub.description)}'`);
+      }
+      emit('');
+    }
+
+    // Options for this command (use __in_cmd so options complete even after positional args)
+    if (cmd.options.length > 0) {
+      const condition = `__${BIN}_in_cmd ${path.join(' ')}`;
+      emit(`# ${path.join(' ')} options`);
+      for (const opt of cmd.options) {
+        const parts = [`complete -c ${BIN} -n "${condition}"`];
+        if (opt.short) parts.push(`-s ${opt.short.replace('-', '')}`);
+        parts.push(`-l ${opt.long.replace(/^--/, '')}`);
+        parts.push(`-d '${esc(opt.description)}'`);
+        if (opt.takesValue) {
+          if (opt.choices) {
+            parts.push(`-xa '${opt.choices.join(' ')}'`);
+          } else {
+            parts.push('-x');
+          }
+        }
+        emit(parts.join(' '));
+      }
+      emit('');
+    }
+  }
+
+  return lines.join('\n') + '\n';
+}
+
+// ============================================================
+// Bash completion generator
+// ============================================================
+
+function generateBash(root: CmdInfo): string {
+  const lines: string[] = [];
+  const emit = (s: string): void => { lines.push(s); };
+  const BIN = root.name;
+
+  emit(`# ${BIN} bash completions -- auto-generated by scripts/generate-completions.ts`);
+  emit('# DO NOT EDIT MANUALLY -- run: pnpm completions:generate');
+  emit('');
+
+  const allCmds = collectCommands(root);
+  const topCmds = root.subcommands.filter((c) => !c.hidden).map((c) => c.name);
+
+  emit(`_${BIN}() {`);
+  emit('  local cur prev words cword');
+  emit('  _init_completion || return');
+  emit('');
+  emit(`  local top_commands="${topCmds.join(' ')}"`);
+  emit('');
+
+  // Build chain of subcommands from command line
+  emit('  # Extract the subcommand chain (skip options and their values)');
+  emit('  local -a subcmd_chain=()');
+  emit('  local i skip_next=false');
+  emit('  for ((i=1; i < cword; i++)); do');
+  emit('    if $skip_next; then skip_next=false; continue; fi');
+  emit('    case "${words[i]}" in');
+  emit('      -*) ;;  # skip options');
+  emit('      *) subcmd_chain+=("${words[i]}") ;;');
+  emit('    esac');
+  emit('  done');
+  emit('');
+  emit('  local chain_len=${#subcmd_chain[@]}');
+  emit('  local chain_str="${subcmd_chain[*]}"');
+  emit('');
+
+  // Build case statement for each command path
+  emit('  case "$chain_str" in');
+
+  // Start with the deepest paths first to match longest
+  const sortedCmds = [...allCmds].sort((a, b) => b.path.length - a.path.length);
+
+  for (const { path, cmd } of sortedCmds) {
+    if (cmd.hidden) continue;
+    const pathStr = path.join(' ');
+    const visibleSubs = cmd.subcommands.filter((s) => !s.hidden).map((s) => s.name);
+    const optFlags: string[] = [];
+    for (const opt of cmd.options) {
+      if (opt.short) optFlags.push(opt.short);
+      optFlags.push(opt.long);
+    }
+    optFlags.push('-h', '--help');
+
+    const completions = [...visibleSubs, ...optFlags].join(' ');
+    emit(`    "${pathStr}")`);
+    emit(`      COMPREPLY=($(compgen -W "${completions}" -- "$cur"))`);
+    emit('      return ;;');
+  }
+
+  // Top-level (no subcommand yet)
+  emit('    "")');
+  emit(`      COMPREPLY=($(compgen -W "$top_commands -h --help -v --version" -- "$cur"))`);
+  emit('      return ;;');
+
+  // Default
+  emit('    *)');
+  emit('      COMPREPLY=($(compgen -W "-h --help" -- "$cur"))');
+  emit('      return ;;');
+
+  emit('  esac');
+  emit('}');
+  emit('');
+  emit(`complete -F _${BIN} ${BIN}`);
+
+  return lines.join('\n') + '\n';
+}
+
+// ============================================================
+// Main
+// ============================================================
+
+async function main(): Promise<void> {
+  const mode = process.argv[2] ?? '';
+
+  let tree: CmdInfo;
+  try {
+    tree = await extractTree();
+  } catch (err) {
+    console.error('Failed to extract command tree from createProgram().');
+    console.error('Make sure workspace packages are built: pnpm build');
+    console.error(err);
+    process.exit(1);
+  }
+
+  const fishContent = generateFish(tree);
+  const bashContent = generateBash(tree);
+
+  const completionsDir = join(ROOT, 'completions');
+  const fishPath = join(completionsDir, 'labctl.fish');
+  const bashPath = join(completionsDir, 'labctl.bash');
+
+  if (mode === '--check') {
+    let stale = false;
+    try {
+      const currentFish = readFileSync(fishPath, 'utf-8');
+      if (currentFish !== fishContent) {
+        console.error('completions/labctl.fish is stale');
+        stale = true;
+      }
+    } catch {
+      console.error('completions/labctl.fish does not exist');
+      stale = true;
+    }
+    try {
+      const currentBash = readFileSync(bashPath, 'utf-8');
+      if (currentBash !== bashContent) {
+        console.error('completions/labctl.bash is stale');
+        stale = true;
+      }
+    } catch {
+      console.error('completions/labctl.bash does not exist');
+      stale = true;
+    }
+    if (stale) {
+      console.error('Run: pnpm completions:generate');
+      process.exit(1);
+    }
+    console.log('Completions are up to date.');
+    process.exit(0);
+  }
+
+  if (mode === '--write') {
+    mkdirSync(completionsDir, { recursive: true });
+    writeFileSync(fishPath, fishContent);
+    writeFileSync(bashPath, bashContent);
+    console.log(`Wrote ${fishPath}`);
+    console.log(`Wrote ${bashPath}`);
+    process.exit(0);
+  }
+
+  // Default: print to stdout
+  console.log('=== completions/labctl.fish ===');
+  console.log(fishContent);
+  console.log('=== completions/labctl.bash ===');
+  console.log(bashContent);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});
diff --git a/bastion/scripts/link-package.sh b/bastion/scripts/link-package.sh
new file mode 100755
index 0000000..16e2227
--- /dev/null
+++ b/bastion/scripts/link-package.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Link a Gitea package to a repository.
+# Works automatically on Gitea 1.24+ (uses API), warns on older versions.
+#
+# Usage: source scripts/link-package.sh
+#        link_package <type> <name>
+#
+# Requires: GITEA_URL, GITEA_TOKEN, GITEA_OWNER, GITEA_REPO
+
+link_package() {
+  local PKG_TYPE="$1"  # e.g. "rpm", "container"
+  local PKG_NAME="$2"  # e.g. "lab", "lab-bastion"
+
+  if [ -z "$PKG_TYPE" ] || [ -z "$PKG_NAME" ]; then
+    echo "Usage: link_package <type> <name>"
+    return 1
+  fi
+
+  local GITEA_URL="${GITEA_URL:-http://10.0.0.194:3012}"
+  local GITEA_OWNER="${GITEA_OWNER:-michal}"
+  local GITEA_REPO="${GITEA_REPO:-lab}"
+
+  if [ -z "$GITEA_TOKEN" ]; then
+    echo "WARNING: GITEA_TOKEN not set, skipping package-repo linking."
+    return 0
+  fi
+
+  # Check if already linked (search all packages, filter by type+name client-side)
+  local REPO_LINK
+  REPO_LINK=$(curl -s -H "Authorization: token ${GITEA_TOKEN}" \
+    "${GITEA_URL}/api/v1/packages/${GITEA_OWNER}" \
+    | python3 -c "
+import json,sys
+for p in json.load(sys.stdin):
+    if p['type']=='$PKG_TYPE' and p['name']=='$PKG_NAME':
+        r=p.get('repository')
+        if r: print(r['full_name'])
+        break
+" 2>/dev/null)
+
+  if [ -n "$REPO_LINK" ]; then
+    echo "==> Package ${PKG_TYPE}/${PKG_NAME} already linked to ${REPO_LINK}"
+    return 0
+  fi
+
+  # Try Gitea 1.24+ link API
+  local HTTP_CODE
+  HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${GITEA_URL}/api/v1/packages/${GITEA_OWNER}/${PKG_TYPE}/${PKG_NAME}/-/link/${GITEA_REPO}")
+
+  if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "200" ]; then
+    echo "==> Linked ${PKG_TYPE}/${PKG_NAME} to ${GITEA_OWNER}/${GITEA_REPO}"
+    return 0
+  fi
+
+  # API not available (Gitea < 1.24) -- warn with manual instructions
+  local PUBLIC_URL="${GITEA_PUBLIC_URL:-${GITEA_URL}}"
+  echo ""
+  echo "WARNING: Could not auto-link ${PKG_TYPE}/${PKG_NAME} to repository (Gitea < 1.24)."
+  echo "Link it manually in the Gitea UI:"
+  echo "  ${PUBLIC_URL}/${GITEA_OWNER}/-/packages/${PKG_TYPE}/${PKG_NAME}/settings"
+  echo "  -> Link to repository: ${GITEA_OWNER}/${GITEA_REPO}"
+  return 0
+}
diff --git a/bastion/scripts/publish-deb.sh b/bastion/scripts/publish-deb.sh
new file mode 100755
index 0000000..7929ec0
--- /dev/null
+++ b/bastion/scripts/publish-deb.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+cd "$PROJECT_ROOT"
+
+# Load .env if present
+if [ -f .env ]; then
+  set -a; source .env; set +a
+fi
+
+GITEA_URL="${GITEA_URL:-http://10.0.0.194:3012}"
+GITEA_PUBLIC_URL="${GITEA_PUBLIC_URL:-https://mysources.co.uk}"
+GITEA_OWNER="${GITEA_OWNER:-michal}"
+GITEA_REPO="${GITEA_REPO:-lab}"
+
+GITEA_TOKEN="${GITEA_TOKEN:-$PACKAGES_TOKEN}"
+if [ -z "$GITEA_TOKEN" ]; then
+  echo "Error: GITEA_TOKEN (or PACKAGES_TOKEN) not set. Add it to .env or export it."
+  exit 1
+fi
+
+DEB_FILE=$(ls dist/labctl*.deb 2>/dev/null | head -1)
+if [ -z "$DEB_FILE" ]; then
+  echo "Error: No DEB found in dist/. Run scripts/build-rpm.sh first."
+  exit 1
+fi
+
+# Extract version from the deb filename
+DEB_VERSION=$(dpkg-deb --field "$DEB_FILE" Version 2>/dev/null || echo "unknown")
+
+echo "==> Publishing $DEB_FILE (version $DEB_VERSION) to ${GITEA_URL}..."
+
+# Gitea Debian registry: PUT /api/packages/{owner}/debian/pool/{distribution}/{component}/upload
+# Publish to each supported distribution.
+# Debian: trixie (13/stable), forky (14/testing)
+# Ubuntu: noble (24.04 LTS), plucky (25.04)
+DISTRIBUTIONS="trixie forky noble plucky"
+
+for DIST in $DISTRIBUTIONS; do
+  echo "  -> $DIST..."
+  HTTP_CODE=$(curl -s -o /tmp/deb-upload-$DIST.out -w "%{http_code}" \
+    -X PUT \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    --upload-file "$DEB_FILE" \
+    "${GITEA_URL}/api/packages/${GITEA_OWNER}/debian/pool/${DIST}/main/upload")
+
+  if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "200" ]; then
+    echo "     Published to $DIST"
+  elif [ "$HTTP_CODE" = "409" ]; then
+    echo "     Already exists in $DIST (skipping)"
+  else
+    echo "     WARNING: Upload to $DIST returned HTTP $HTTP_CODE"
+    cat /tmp/deb-upload-$DIST.out 2>/dev/null || true
+    echo ""
+  fi
+  rm -f /tmp/deb-upload-$DIST.out
+done
+
+echo ""
+echo "==> Published successfully!"
+
+# Ensure package is linked to the repository
+source "$SCRIPT_DIR/link-package.sh"
+link_package "debian" "labctl"
+
+echo ""
+echo "Install with:"
+echo "  echo \"deb ${GITEA_PUBLIC_URL}/api/packages/${GITEA_OWNER}/debian trixie main\" | sudo tee /etc/apt/sources.list.d/labctl.list"
+echo "  curl -fsSL ${GITEA_PUBLIC_URL}/api/packages/${GITEA_OWNER}/debian/repository.key | sudo gpg --dearmor -o /etc/apt/keyrings/labctl.gpg"
+echo "  sudo apt update && sudo apt install labctl"
diff --git a/bastion/scripts/publish-rpm.sh b/bastion/scripts/publish-rpm.sh
new file mode 100755
index 0000000..1a72e63
--- /dev/null
+++ b/bastion/scripts/publish-rpm.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+cd "$PROJECT_ROOT"
+
+# Load .env if present
+if [ -f .env ]; then
+  set -a; source .env; set +a
+fi
+
+GITEA_URL="${GITEA_URL:-http://10.0.0.194:3012}"
+GITEA_PUBLIC_URL="${GITEA_PUBLIC_URL:-https://mysources.co.uk}"
+GITEA_OWNER="${GITEA_OWNER:-michal}"
+GITEA_REPO="${GITEA_REPO:-lab}"
+
+GITEA_TOKEN="${GITEA_TOKEN:-$PACKAGES_TOKEN}"
+if [ -z "$GITEA_TOKEN" ]; then
+  echo "Error: GITEA_TOKEN (or PACKAGES_TOKEN) not set. Add it to .env or export it."
+  exit 1
+fi
+
+RPM_FILE=$(ls dist/labctl-*.rpm 2>/dev/null | head -1)
+if [ -z "$RPM_FILE" ]; then
+  echo "Error: No RPM found in dist/. Run scripts/build-rpm.sh first."
+  exit 1
+fi
+
+# Get version string as it appears in Gitea (e.g. "0.1.0-1")
+RPM_VERSION=$(rpm -qp --queryformat '%{VERSION}-%{RELEASE}' "$RPM_FILE")
+
+echo "==> Publishing $RPM_FILE (version $RPM_VERSION) to ${GITEA_URL}..."
+
+# Check if version already exists and delete it first
+EXISTING=$(curl -s -o /dev/null -w "%{http_code}" \
+  -H "Authorization: token ${GITEA_TOKEN}" \
+  "${GITEA_URL}/api/v1/packages/${GITEA_OWNER}/rpm/labctl/${RPM_VERSION}")
+
+if [ "$EXISTING" = "200" ]; then
+  echo "==> Version $RPM_VERSION already exists, replacing..."
+  curl -s -o /dev/null -X DELETE \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${GITEA_URL}/api/v1/packages/${GITEA_OWNER}/rpm/labctl/${RPM_VERSION}"
+fi
+
+# Upload
+curl --fail -s -X PUT \
+  -H "Authorization: token ${GITEA_TOKEN}" \
+  --upload-file "$RPM_FILE" \
+  "${GITEA_URL}/api/packages/${GITEA_OWNER}/rpm/upload"
+
+echo ""
+echo "==> Published successfully!"
+
+# Ensure package is linked to the repository
+source "$SCRIPT_DIR/link-package.sh"
+link_package "rpm" "labctl"
+
+echo ""
+echo "Install with:"
+echo "  sudo dnf install labctl  # if repo already configured"
diff --git a/bastion/scripts/release.sh b/bastion/scripts/release.sh
new file mode 100755
index 0000000..2bbee68
--- /dev/null
+++ b/bastion/scripts/release.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+cd "$PROJECT_ROOT"
+
+# Load .env if present
+if [ -f .env ]; then
+  set -a; source .env; set +a
+fi
+
+echo "=== lab-bastion release ==="
+echo ""
+
+# 1. Build binaries & packages (both architectures)
+bash scripts/build-rpm.sh --all
+
+echo ""
+
+# 2. Publish RPM
+bash scripts/publish-rpm.sh
+
+echo ""
+
+# 3. Publish DEB
+bash scripts/publish-deb.sh
+
+echo ""
+
+# 4. Build & push Docker image
+bash scripts/build-bastion.sh
+
+echo ""
+
+# 5. Install locally (Fedora/RHEL only)
+if [ -f /etc/fedora-release ] || [ -f /etc/redhat-release ]; then
+  echo "==> Installing locally..."
+  RPM_FILE=$(ls dist/labctl-*.rpm 2>/dev/null | head -1)
+  if [ -n "$RPM_FILE" ]; then
+    sudo rpm -U --force "$RPM_FILE"
+    echo ""
+    echo "==> Installed:"
+    labctl --version || echo "(labctl binary installed)"
+  else
+    echo "==> WARNING: No RPM found in dist/, skipping local install."
+  fi
+else
+  echo "==> Not Fedora/RHEL — skipping local RPM install."
+fi
+
+echo ""
+
+# 6. Summary
+GITEA_PUBLIC_URL="${GITEA_PUBLIC_URL:-https://mysources.co.uk}"
+GITEA_OWNER="${GITEA_OWNER:-michal}"
+REGISTRY="${GITEA_REGISTRY:-mysources.co.uk}"
+VERSION=$(node -p "require('./package.json').version")
+
+echo "=== Done! ==="
+echo ""
+echo "RPM install:"
+echo "  sudo dnf config-manager --add-repo ${GITEA_PUBLIC_URL}/api/packages/${GITEA_OWNER}/rpm.repo"
+echo "  sudo dnf install labctl"
+echo ""
+echo "DEB install (Debian/Ubuntu):"
+echo "  echo \"deb ${GITEA_PUBLIC_URL}/api/packages/${GITEA_OWNER}/debian trixie main\" | sudo tee /etc/apt/sources.list.d/labctl.list"
+echo "  curl -fsSL ${GITEA_PUBLIC_URL}/api/packages/${GITEA_OWNER}/debian/repository.key | sudo gpg --dearmor -o /etc/apt/keyrings/labctl.gpg"
+echo "  sudo apt update && sudo apt install labctl"
+echo ""
+echo "Docker image:"
+echo "  podman pull ${REGISTRY}/michal/lab-bastion:${VERSION}"
+echo ""
+echo "k3s deployment:"
+echo "  kubectl apply -k deploy/k3s/"
diff --git a/bastion/scripts/test-integration.sh b/bastion/scripts/test-integration.sh
new file mode 100755
index 0000000..84dc22d
--- /dev/null
+++ b/bastion/scripts/test-integration.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+# Run integration tests inside a Node container with access to host libvirt.
+#
+# Usage: sudo ./scripts/test-integration.sh [vitest args...]
+# Example: sudo ./scripts/test-integration.sh -t k3s
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+
+# Detect real user (even when running via sudo)
+REAL_USER="${SUDO_USER:-$(whoami)}"
+REAL_HOME="/home/${REAL_USER}"
+
+echo "==> Running integration tests in container"
+echo "    Project: ${PROJECT_ROOT}"
+echo "    User: ${REAL_USER}"
+echo "    SSH key: ${REAL_HOME}/.ssh/"
+echo ""
+
+# Check prerequisites
+if ! command -v podman &>/dev/null && ! command -v docker &>/dev/null; then
+  echo "ERROR: podman or docker required"
+  exit 1
+fi
+
+RUNTIME="podman"
+if ! command -v podman &>/dev/null; then
+  RUNTIME="docker"
+fi
+
+# Check libvirt socket
+if [ ! -S /var/run/libvirt/libvirt-sock ]; then
+  echo "ERROR: libvirt socket not found at /var/run/libvirt/libvirt-sock"
+  echo "       Is libvirtd running? Try: sudo systemctl start libvirtd"
+  exit 1
+fi
+
+# Create a temp dir for cloud-init artifacts (avoids SELinux /tmp relabel)
+WORK_TMP="/var/tmp/lab-integration-$$"
+mkdir -p "${WORK_TMP}"
+trap "rm -rf ${WORK_TMP}" EXIT
+
+exec $RUNTIME run --rm \
+  --name lab-integration-test \
+  --privileged \
+  --security-opt label=disable \
+  --network=host \
+  -v "${PROJECT_ROOT}:${PROJECT_ROOT}" \
+  -v "${REAL_HOME}/.ssh:${REAL_HOME}/.ssh:ro" \
+  -v "/var/run/libvirt/libvirt-sock:/var/run/libvirt/libvirt-sock" \
+  -v "/var/lib/libvirt/images:/var/lib/libvirt/images" \
+  -v "${WORK_TMP}:/tmp/lab-integration-tests" \
+  -w "${PROJECT_ROOT}" \
+  -e "SSH_KEY_PATH=${REAL_HOME}/.ssh/id_rsa" \
+  -e "HOME=${REAL_HOME}" \
+  node:22-bookworm \
+  bash -c "
+    # Install system deps for libvirt client + cloud-init ISO creation
+    apt-get update -qq && apt-get install -y -qq libvirt-clients virtinst genisoimage openssh-client qemu-utils sudo >/dev/null 2>&1
+
+    # Install pnpm
+    corepack enable && corepack prepare pnpm@9 --activate >/dev/null 2>&1
+
+    echo '==> Installing project dependencies...'
+    pnpm install --frozen-lockfile 2>/dev/null
+
+    echo '==> Running integration tests...'
+    echo ''
+    pnpm run test:integration $*
+  "
diff --git a/bastion/scripts/test-provision.sh b/bastion/scripts/test-provision.sh
new file mode 100755
index 0000000..4bc20c6
--- /dev/null
+++ b/bastion/scripts/test-provision.sh
@@ -0,0 +1,152 @@
+#!/bin/bash
+# Run PXE and/or ISO boot integration tests.
+#
+# Usage:
+#   sudo ./scripts/test-provision.sh          # run PXE + ISO (x86_64)
+#   sudo ./scripts/test-provision.sh pxe      # PXE only
+#   sudo ./scripts/test-provision.sh iso      # ISO only (x86_64)
+#   sudo ./scripts/test-provision.sh arm      # ARM ISO boot (emulated, SLOW ~60min)
+#   sudo ./scripts/test-provision.sh all      # all tests including ARM
+#
+# Prerequisites:
+#   libvirtd, OVMF (edk2-ovmf), iPXE (ipxe-bootimgs-x86),
+#   dnsmasq, xorriso, mtools, virt-install, qemu-img
+#   ARM: qemu-system-aarch64, edk2-aarch64
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+
+cd "$PROJECT_ROOT"
+
+# Detect real user for SSH keys
+REAL_USER="${SUDO_USER:-$(whoami)}"
+REAL_HOME=$(getent passwd "$REAL_USER" | cut -d: -f6)
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BOLD='\033[1m'
+RESET='\033[0m'
+
+echo ""
+echo -e "${BOLD}Lab Bastion -- Provision Integration Tests${RESET}"
+echo "==========================================="
+echo ""
+
+# --- Prerequisite checks ---
+MISSING=""
+for cmd in virsh virt-install qemu-img dnsmasq xorriso mformat mcopy curl; do
+    if ! command -v "$cmd" &>/dev/null; then
+        MISSING="$MISSING $cmd"
+    fi
+done
+
+if [ -n "$MISSING" ]; then
+    echo -e "${RED}Missing tools:${RESET}$MISSING"
+    echo "Install: sudo dnf install libvirt virt-install qemu-img dnsmasq xorriso mtools curl"
+    exit 1
+fi
+
+if ! systemctl is-active libvirtd &>/dev/null; then
+    echo -e "${RED}libvirtd not running.${RESET} Start with: sudo systemctl start libvirtd"
+    exit 1
+fi
+
+if [ ! -f /usr/share/edk2/ovmf/OVMF_CODE.fd ]; then
+    echo -e "${RED}OVMF firmware not found.${RESET} Install: sudo dnf install edk2-ovmf"
+    exit 1
+fi
+
+IPXE_EFI=""
+for f in /usr/share/ipxe/ipxe-snponly-x86_64.efi /usr/share/ipxe/ipxe-snp-x86_64.efi /usr/share/ipxe/ipxe-x86_64.efi; do
+    [ -f "$f" ] && IPXE_EFI="$f" && break
+done
+if [ -z "$IPXE_EFI" ]; then
+    echo -e "${RED}iPXE EFI binary not found.${RESET} Install: sudo dnf install ipxe-bootimgs-x86"
+    exit 1
+fi
+
+# Find SSH key
+SSH_KEY=""
+for name in id_ed25519 id_ecdsa id_rsa; do
+    if [ -f "$REAL_HOME/.ssh/$name" ] && [ -f "$REAL_HOME/.ssh/$name.pub" ]; then
+        SSH_KEY="$REAL_HOME/.ssh/$name"
+        break
+    fi
+done
+if [ -z "$SSH_KEY" ]; then
+    echo -e "${RED}No SSH key found in $REAL_HOME/.ssh/${RESET}"
+    exit 1
+fi
+
+echo -e "  User:    ${BOLD}$REAL_USER${RESET}"
+echo -e "  SSH key: ${BOLD}$SSH_KEY${RESET}"
+echo -e "  iPXE:    ${BOLD}$IPXE_EFI${RESET}"
+echo ""
+
+# --- Determine which tests to run ---
+MODE="${1:-both}"
+
+run_test() {
+    local name="$1" pattern="$2"
+    echo ""
+    echo -e "${YELLOW}━━━ Running $name test ━━━${RESET}"
+    echo ""
+
+    if SSH_KEY_PATH="$SSH_KEY" HOME="$REAL_HOME" \
+       npx vitest run -c tests/integration/vitest.config.ts -t "$pattern" 2>&1; then
+        echo ""
+        echo -e "${GREEN}✔ $name test passed${RESET}"
+        return 0
+    else
+        echo ""
+        echo -e "${RED}✘ $name test failed${RESET}"
+        return 1
+    fi
+}
+
+FAILED=0
+
+case "$MODE" in
+    pxe)
+        run_test "PXE boot" "PXE boot" || FAILED=1
+        ;;
+    iso)
+        run_test "ISO boot" "ISO boot" || FAILED=1
+        ;;
+    arm|arm-iso)
+        if ! command -v qemu-system-aarch64 &>/dev/null; then
+            echo -e "${RED}qemu-system-aarch64 not found.${RESET} Install: sudo dnf install qemu-system-aarch64 edk2-aarch64"
+            exit 1
+        fi
+        echo -e "${YELLOW}ARM emulation is ~10x slower than native. Expect 30-60 minutes.${RESET}"
+        run_test "ARM ISO boot" "ARM ISO" || FAILED=1
+        ;;
+    both)
+        run_test "PXE boot" "PXE boot" || FAILED=1
+        run_test "ISO boot" "ISO boot" || FAILED=1
+        ;;
+    all)
+        run_test "PXE boot" "PXE boot" || FAILED=1
+        run_test "ISO boot" "ISO boot" || FAILED=1
+        if command -v qemu-system-aarch64 &>/dev/null; then
+            echo -e "${YELLOW}ARM emulation is ~10x slower than native.${RESET}"
+            run_test "ARM ISO boot" "ARM ISO" || FAILED=1
+        else
+            echo -e "${YELLOW}Skipping ARM test (qemu-system-aarch64 not installed)${RESET}"
+        fi
+        ;;
+    *)
+        echo "Usage: $0 [pxe|iso|arm|both|all]"
+        exit 1
+        ;;
+esac
+
+echo ""
+if [ "$FAILED" -eq 0 ]; then
+    echo -e "${GREEN}${BOLD}All provision tests passed.${RESET}"
+else
+    echo -e "${RED}${BOLD}Some tests failed.${RESET}"
+    exit 1
+fi
diff --git a/bastion/src/bastion/package.json b/bastion/src/bastion/package.json
new file mode 100644
index 0000000..095ebcb
--- /dev/null
+++ b/bastion/src/bastion/package.json
@@ -0,0 +1,38 @@
+{
+  "name": "@lab/bastion",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "./dist/main.js",
+  "types": "./dist/main.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/main.js",
+      "types": "./dist/main.d.ts"
+    },
+    "./iso-builder": {
+      "import": "./dist/services/iso-builder.js",
+      "types": "./dist/services/iso-builder.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rimraf dist",
+    "dev": "tsx src/main.ts",
+    "test": "vitest",
+    "test:run": "vitest run"
+  },
+  "dependencies": {
+    "@fastify/static": "^8.0.0",
+    "@lab/modules": "workspace:*",
+    "@lab/shared": "workspace:*",
+    "execa": "^9.5.0",
+    "fastify": "^5.0.0",
+    "winston": "^3.17.0",
+    "ws": "^8.19.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "@types/ws": "^8.18.0"
+  }
+}
diff --git a/bastion/src/bastion/src/config.ts b/bastion/src/bastion/src/config.ts
new file mode 100644
index 0000000..4ebfe9b
--- /dev/null
+++ b/bastion/src/bastion/src/config.ts
@@ -0,0 +1,58 @@
+// Configuration from environment variables with sensible defaults.
+
+import type { BastionConfig } from "@lab/shared";
+
+export function loadConfig(overrides: Partial<BastionConfig> = {}): BastionConfig {
+  const fedoraVersion = overrides.fedoraVersion ?? process.env["FEDORA_VERSION"] ?? "43";
+  const arch = overrides.arch ?? process.env["ARCH"] ?? "x86_64";
+  const httpPort = overrides.httpPort ?? parseInt(process.env["HTTP_PORT"] ?? "8080", 10);
+  const timezone = overrides.timezone ?? process.env["TIMEZONE"] ?? "Europe/London";
+  const locale = overrides.locale ?? process.env["LOCALE"] ?? "en_GB.UTF-8";
+  const bastionDir = overrides.bastionDir ?? process.env["BASTION_DIR"] ?? "/tmp/lab-bastion";
+  const domain = overrides.domain ?? process.env["DOMAIN"] ?? "ad.itaz.eu";
+  const dhcpMode = (overrides.dhcpMode ?? process.env["DHCP_MODE"] ?? "proxy") as "proxy" | "full";
+  const dhcpRangeStart = overrides.dhcpRangeStart ?? process.env["DHCP_RANGE_START"] ?? "";
+  const dhcpRangeEnd = overrides.dhcpRangeEnd ?? process.env["DHCP_RANGE_END"] ?? "";
+
+  const syslogPort = overrides.syslogPort ?? parseInt(process.env["SYSLOG_PORT"] ?? "5514", 10);
+
+  const ubuntuVersion = overrides.ubuntuVersion ?? process.env["UBUNTU_VERSION"] ?? "26.04";
+  const ubuntuMirror = overrides.ubuntuMirror ?? process.env["UBUNTU_MIRROR"]
+    ?? `https://releases.ubuntu.com/${ubuntuVersion}`;
+
+  const fedoraMirror = `https://download.fedoraproject.org/pub/fedora/linux/releases/${fedoraVersion}/Everything/${arch}/os`;
+  const tftpDir = `${bastionDir}/tftp`;
+  const httpDir = `${bastionDir}/http`;
+  const stateFile = `${bastionDir}/state.json`;
+
+  return {
+    fedoraVersion,
+    arch,
+    httpPort,
+    timezone,
+    locale,
+    bastionDir,
+    domain,
+    dhcpMode,
+    dhcpRangeStart,
+    dhcpRangeEnd,
+    ubuntuVersion,
+    ubuntuMirror,
+    // These are populated at runtime by the network service
+    iface: overrides.iface ?? "",
+    serverIp: overrides.serverIp ?? "",
+    network: overrides.network ?? "",
+    gateway: overrides.gateway ?? "",
+    sshKeys: overrides.sshKeys ?? [],
+    adminUser: overrides.adminUser ?? "",
+    syslogPort,
+    skipDnsmasq: overrides.skipDnsmasq,
+    skipArtifacts: overrides.skipArtifacts,
+    labdUrl: overrides.labdUrl ?? process.env["LABD_URL"],
+    bastionJoinToken: overrides.bastionJoinToken ?? process.env["BASTION_JOIN_TOKEN"],
+    fedoraMirror,
+    tftpDir,
+    httpDir,
+    stateFile,
+  };
+}
diff --git a/bastion/src/bastion/src/main.ts b/bastion/src/bastion/src/main.ts
new file mode 100644
index 0000000..6b2a621
--- /dev/null
+++ b/bastion/src/bastion/src/main.ts
@@ -0,0 +1,359 @@
+// Entry point for the bastion server.
+// Starts the Fastify HTTP server, dnsmasq, and handles graceful shutdown.
+
+import { mkdirSync, writeFileSync, readFileSync, existsSync, copyFileSync, symlinkSync, unlinkSync } from "node:fs";
+import { execSync } from "node:child_process";
+import type { BastionConfig } from "@lab/shared";
+import { loadConfig } from "./config.js";
+import { populateNetworkConfig } from "./services/network.js";
+import { createApp } from "./server.js";
+import { startDnsmasq, stopDnsmasq, generateDnsmasqConf } from "./services/dnsmasq.js";
+import { generateDiscoverKickstart } from "./services/kickstart-generator.js";
+import { renderBootIpxe } from "./templates/boot.ipxe.js";
+import { logger } from "./services/logger.js";
+import { BastionConnection } from "./services/labd-connection.js";
+import { progressBus } from "./services/progress-events.js";
+import { ensureBootIso } from "./routes/boot-iso.js";
+
+function copyIfMissing(src: string, dest: string, label: string): void {
+  if (existsSync(dest)) {
+    logger.info(`  ${label} -- cached`);
+    return;
+  }
+  if (!existsSync(src)) {
+    throw new Error(`${label}: source not found at ${src}`);
+  }
+  copyFileSync(src, dest);
+  logger.info(`  ${label} -- copied from ${src}`);
+}
+
+function download(url: string, dest: string, label: string): void {
+  if (existsSync(dest)) {
+    logger.info(`  ${label} -- cached`);
+    return;
+  }
+  logger.info(`  ${label} -- downloading...`);
+  try {
+    execSync(`curl -# -L -f -o "${dest}" "${url}"`, { stdio: "inherit" });
+  } catch {
+    throw new Error(`Failed to download ${label} from ${url}`);
+  }
+}
+
+function symlinkSafe(target: string, linkPath: string): void {
+  try {
+    symlinkSync(target, linkPath);
+  } catch {
+    // Link may already exist
+  }
+}
+
+function runCmd(cmd: string, args: string[]): boolean {
+  try {
+    execSync(`${cmd} ${args.join(" ")}`, { stdio: "pipe" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+let fwZoneFlag = "";
+let fwOpened = false;
+
+function openFirewall(config: BastionConfig): void {
+  // Check if firewalld is running
+  if (!runCmd("firewall-cmd", ["--state"])) return;
+
+  // Detect zone for our interface
+  try {
+    const zone = execSync(`firewall-cmd --get-zone-of-interface=${config.iface} 2>/dev/null`, { encoding: "utf-8" }).trim();
+    if (zone) fwZoneFlag = `--zone=${zone}`;
+  } catch { /* use default zone */ }
+
+  const zf = fwZoneFlag ? [fwZoneFlag] : [];
+  logger.info(`Opening firewall ports (DHCP, TFTP, HTTP:${config.httpPort})...`);
+  runCmd("firewall-cmd", ["--quiet", ...zf, "--add-service=dhcp"]);
+  runCmd("firewall-cmd", ["--quiet", ...zf, "--add-service=tftp"]);
+  runCmd("firewall-cmd", ["--quiet", ...zf, `--add-port=${config.httpPort}/tcp`]);
+  runCmd("firewall-cmd", ["--quiet", ...zf, "--add-port=4011/udp"]);
+  fwOpened = true;
+}
+
+function closeFirewall(config: BastionConfig): void {
+  if (!fwOpened) return;
+  const zf = fwZoneFlag ? [fwZoneFlag] : [];
+  logger.info("Removing firewall rules...");
+  runCmd("firewall-cmd", ["--quiet", ...zf, "--remove-service=dhcp"]);
+  runCmd("firewall-cmd", ["--quiet", ...zf, "--remove-service=tftp"]);
+  runCmd("firewall-cmd", ["--quiet", ...zf, `--remove-port=${config.httpPort}/tcp`]);
+  runCmd("firewall-cmd", ["--quiet", ...zf, "--remove-port=4011/udp"]);
+}
+
+export async function startBastion(overrides: Partial<BastionConfig> = {}): Promise<void> {
+  // Load and populate config
+  let config = loadConfig(overrides);
+  config = populateNetworkConfig(config);
+
+  // Bastion needs root for dnsmasq (DHCP port 67)
+  if (!config.skipDnsmasq && process.getuid?.() !== 0) {
+    throw new Error("Must run as root (dnsmasq needs DHCP/TFTP ports). Use: sudo labctl init bastion standalone start");
+  }
+
+  mkdirSync(config.bastionDir, { recursive: true, mode: 0o755 });
+  const pidFile = `${config.bastionDir}/bastion.pid`;
+
+  // Kill old instance if running
+  try {
+    if (existsSync(pidFile)) {
+      const oldPid = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
+      if (!isNaN(oldPid)) {
+        try {
+          process.kill(oldPid, "SIGTERM");
+          logger.info(`Killed old bastion process (PID ${oldPid})`);
+          await new Promise((r) => setTimeout(r, 1000));
+        } catch {
+          // Process already dead
+        }
+      }
+      // Remove stale PID file (may be owned by different user)
+      try { unlinkSync(pidFile); } catch { /* ignore */ }
+    }
+  } catch {
+    // Can't read PID file — try to remove it
+    try { unlinkSync(pidFile); } catch { /* ignore */ }
+  }
+
+  // Write current PID
+  writeFileSync(pidFile, String(process.pid), { mode: 0o644 });
+
+  // Prepare directories
+  mkdirSync(config.tftpDir, { recursive: true });
+  mkdirSync(config.httpDir, { recursive: true });
+
+  // Prepare boot artifacts
+  if (config.skipArtifacts !== true) {
+    logger.info(`Preparing boot artifacts (Fedora ${config.fedoraVersion} ${config.arch})...`);
+
+    copyIfMissing(
+      "/usr/share/ipxe/undionly.kpxe",
+      `${config.tftpDir}/undionly.kpxe`,
+      "iPXE BIOS",
+    );
+    copyIfMissing(
+      "/usr/share/ipxe/ipxe-snponly-x86_64.efi",
+      `${config.tftpDir}/ipxe.efi`,
+      "iPXE UEFI x86_64",
+    );
+    try {
+      copyIfMissing(
+        "/usr/share/ipxe/arm64-efi/snponly.efi",
+        `${config.tftpDir}/ipxe-arm64.efi`,
+        "iPXE UEFI arm64",
+      );
+    } catch {
+      logger.warn("arm64 iPXE not available -- skipping");
+    }
+
+    download(
+      `${config.fedoraMirror}/images/pxeboot/vmlinuz`,
+      `${config.httpDir}/vmlinuz`,
+      "Fedora kernel",
+    );
+    download(
+      `${config.fedoraMirror}/images/pxeboot/initrd.img`,
+      `${config.httpDir}/initrd.img`,
+      "Fedora initrd",
+    );
+
+    // Ubuntu netboot artifacts (non-fatal — Ubuntu version may not be released yet)
+    try {
+      logger.info(`Preparing Ubuntu ${config.ubuntuVersion} netboot artifacts...`);
+      download(
+        `${config.ubuntuMirror}/casper/vmlinuz`,
+        `${config.httpDir}/ubuntu-vmlinuz`,
+        "Ubuntu kernel",
+      );
+      download(
+        `${config.ubuntuMirror}/casper/initrd`,
+        `${config.httpDir}/ubuntu-initrd`,
+        "Ubuntu initrd",
+      );
+    } catch {
+      logger.warn(`Ubuntu ${config.ubuntuVersion} artifacts not available -- Ubuntu provisioning disabled`);
+    }
+
+    // Symlink iPXE binaries into HTTP dir for UEFI HTTP Boot
+    for (const name of ["ipxe.efi", "ipxe-arm64.efi"]) {
+      const src = `${config.tftpDir}/${name}`;
+      const dest = `${config.httpDir}/${name}`;
+      if (existsSync(src)) {
+        symlinkSafe(src, dest);
+      }
+    }
+
+    // Generate boot ISO (served as static file for Range request support)
+    try {
+      ensureBootIso(config);
+    } catch (err) {
+      logger.warn(`Boot ISO generation failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  } else {
+    logger.info("Skipping boot artifacts (--skip-artifacts)");
+  }
+
+  // Write discovery kickstart
+  const discoverKs = generateDiscoverKickstart(config);
+  writeFileSync(`${config.httpDir}/discover.ks`, discoverKs);
+
+  // Write iPXE boot script
+  const bootIpxe = renderBootIpxe({
+    serverIp: config.serverIp,
+    httpPort: config.httpPort,
+  });
+  writeFileSync(`${config.httpDir}/boot.ipxe`, bootIpxe);
+
+  // Generate dnsmasq config
+  generateDnsmasqConf(config);
+
+  // Open firewall ports
+  if (config.skipDnsmasq !== true) {
+    openFirewall(config);
+  }
+
+  // Start HTTP server + syslog listener
+  const { app, state, syslog } = createApp(config);
+  await app.listen({ port: config.httpPort, host: "0.0.0.0" });
+  logger.info(`HTTP server listening on :${config.httpPort}`);
+  syslog.start();
+
+  // Start dnsmasq (unless skipped)
+  if (config.skipDnsmasq !== true) {
+    const dnsmasqProc = startDnsmasq(config);
+
+    // Monitor dnsmasq
+    void dnsmasqProc.then(() => {
+      logger.error("dnsmasq exited unexpectedly");
+      logger.error("Check if another DHCP/TFTP service is running.");
+      process.exit(1);
+    }).catch((err: unknown) => {
+      const message = err instanceof Error ? err.message : String(err);
+      if (!message.includes("was killed")) {
+        logger.error(`dnsmasq error: ${message}`);
+        process.exit(1);
+      }
+    });
+  } else {
+    logger.info("Skipping dnsmasq (--skip-dnsmasq)");
+  }
+
+  // Connect to labd if configured (otherwise run standalone)
+  let labdConn: BastionConnection | null = null;
+  if (config.labdUrl) {
+    labdConn = new BastionConnection(config, () => state.load());
+
+    // Wire up command handlers so labd can send install/forget/role commands
+    labdConn.onCommand("command-install", async (msg) => {
+      if (msg.type !== "command-install") throw new Error("unexpected");
+      state.update((s) => {
+        s.install_queue[msg.mac] = {
+          hostname: msg.hostname,
+          disk: msg.disk ?? "/dev/sda",
+          role: msg.role as import("@lab/shared").Role,
+          os: msg.os as import("@lab/shared").OsId,
+          queued_at: new Date().toISOString(),
+        };
+      });
+      return { status: "ok", data: { mac: msg.mac, hostname: msg.hostname } };
+    });
+
+    labdConn.onCommand("command-forget", async (msg) => {
+      if (msg.type !== "command-forget") throw new Error("unexpected");
+      const mac = msg.mac.toLowerCase();
+      state.update((s) => {
+        delete s.discovered[mac];
+        delete s.install_queue[mac];
+        delete s.installed[mac];
+      });
+      return { status: "ok", data: { mac } };
+    });
+
+    labdConn.onCommand("command-role-update", async (msg) => {
+      if (msg.type !== "command-role-update") throw new Error("unexpected");
+      const mac = msg.mac.toLowerCase();
+      const current = state.load();
+      if (!current.installed[mac]) {
+        return { status: "error", error: `MAC ${mac} not found in installed machines` };
+      }
+      state.update((s) => {
+        const inst = s.installed[mac];
+        if (inst) inst.role = msg.role;
+      });
+      return { status: "ok", data: { mac, role: msg.role } };
+    });
+
+    // Push state to labd on every local state change
+    state.onChange(() => labdConn?.syncState());
+
+    // Forward progress events (stages only, not raw log lines) to labd
+    progressBus.on((event) => {
+      if (event.stage !== "log") {
+        labdConn?.sendProgress(event.mac, event.stage, event.detail);
+      }
+    });
+
+    labdConn.connect();
+    logger.info(`Registering with labd at ${config.labdUrl}`);
+  }
+
+  // Print banner
+  printBanner(config);
+
+  // Graceful shutdown
+  const shutdown = async (): Promise<void> => {
+    logger.info("Shutting down...");
+    syslog.stop();
+    if (labdConn) labdConn.close();
+    if (config.skipDnsmasq !== true) stopDnsmasq();
+    closeFirewall(config);
+    await app.close();
+    try { unlinkSync(pidFile); } catch { /* ignore */ }
+    logger.info(`State preserved in ${config.stateFile}`);
+    process.exit(0);
+  };
+
+  process.on("SIGINT", () => void shutdown());
+  process.on("SIGTERM", () => void shutdown());
+
+  // Keep process alive
+  await new Promise(() => {});
+}
+
+function printBanner(config: BastionConfig): void {
+  const dhcpInfo = config.dhcpMode === "full"
+    ? `full (${config.dhcpRangeStart}-${config.dhcpRangeEnd})`
+    : "proxy (alongside existing DHCP)";
+
+  console.log("");
+  console.log("\x1b[36m\x1b[1m" + "=".repeat(60) + "\x1b[0m");
+  console.log("\x1b[36m\x1b[1m  Lab PXE Bastion -- Discovery Mode\x1b[0m");
+  console.log("\x1b[36m\x1b[1m" + "=".repeat(60) + "\x1b[0m");
+  console.log("");
+  console.log(`  Network:   \x1b[1m${config.network}/24\x1b[0m via \x1b[1m${config.iface}\x1b[0m`);
+  console.log(`  DHCP:      \x1b[1m${dhcpInfo}\x1b[0m`);
+  console.log(`  HTTP:      \x1b[1mhttp://${config.serverIp}:${config.httpPort}/\x1b[0m`);
+  console.log(`  OS:        \x1b[1mFedora ${config.fedoraVersion} (${config.arch})\x1b[0m`);
+  console.log(`  Domain:    \x1b[1m${config.domain}\x1b[0m`);
+  console.log(`  State:     \x1b[1m${config.stateFile}\x1b[0m`);
+  console.log("");
+  console.log("  \x1b[33mPXE boot any machine on this network.\x1b[0m");
+  console.log("  \x1b[33mIt will be inventoried and rebooted automatically.\x1b[0m");
+  console.log("");
+  console.log("  Commands (from another terminal):");
+  console.log("    \x1b[1mlabctl provision list\x1b[0m               -- show machines");
+  console.log("    \x1b[1mlabctl provision install <mac> <hostname>\x1b[0m -- queue install");
+  console.log("");
+  console.log("  Press \x1b[1mCtrl-C\x1b[0m to stop.");
+  console.log("");
+  console.log("\x1b[36m---- Waiting for PXE boot requests... ----\x1b[0m");
+  console.log("");
+}
diff --git a/bastion/src/bastion/src/routes/api.ts b/bastion/src/bastion/src/routes/api.ts
new file mode 100644
index 0000000..96e1e7f
--- /dev/null
+++ b/bastion/src/bastion/src/routes/api.ts
@@ -0,0 +1,401 @@
+// REST API routes for machine management.
+// /api/machines  - list all machines by state
+// /api/install   - queue a machine for install
+// /api/progress  - receive install progress callbacks from kickstart
+// /api/discover  - receive hardware discovery reports from PXE-booted machines
+
+import type { FastifyInstance } from "fastify";
+import type { HardwareInfo, InstalledInfo, Role } from "@lab/shared";
+import { isValidOsId, SUPPORTED_ROLES } from "@lab/shared";
+import type { StateManager } from "../services/state.js";
+import { logger } from "../services/logger.js";
+import { triggerPostProvisionK3s } from "../services/post-provision.js";
+import { progressBus } from "../services/progress-events.js";
+import type { ProgressEvent } from "../services/progress-events.js";
+import type { InstallLogBuffer } from "../services/install-log.js";
+
+export function registerApiRoutes(
+  app: FastifyInstance,
+  state: StateManager,
+  installLog: InstallLogBuffer,
+): void {
+  // List all machines
+  app.get("/api/machines", async (_request, reply) => {
+    return reply.send(state.load());
+  });
+
+  // Queue a machine for install
+  app.post<{
+    Body: {
+      mac?: string;
+      hostname?: string;
+      disk?: string;
+      role?: string;
+      os?: string;
+    };
+  }>("/api/install", async (request, reply) => {
+    const { mac: rawMac, hostname, disk, role, os } = request.body ?? {};
+    const mac = (rawMac ?? "").toLowerCase().replace(/-/g, ":");
+
+    if (mac === "") {
+      return reply.status(400).send({ error: "mac is required" });
+    }
+
+    const validRole = role ?? "worker";
+    if (!(SUPPORTED_ROLES as readonly string[]).includes(validRole)) {
+      return reply.status(400).send({ error: `invalid role: '${validRole}'. Supported: ${SUPPORTED_ROLES.join(", ")}` });
+    }
+
+    const osId = os ?? "fedora-43";
+    if (!isValidOsId(osId)) {
+      return reply.status(400).send({ error: `invalid os: '${osId}'. Supported: fedora-43, ubuntu-26.04` });
+    }
+
+    state.update((s) => {
+      s.install_queue[mac] = {
+        hostname: hostname ?? "lab-node",
+        disk: disk ?? "",
+        role: validRole as Role,
+        os: osId,
+        queued_at: new Date().toISOString(),
+      };
+    });
+
+    logger.info(`INSTALL QUEUED: ${mac} -> hostname=${hostname ?? "lab-node"} role=${validRole} os=${osId}`);
+
+    return reply.send({
+      status: "queued",
+      mac,
+      hostname: hostname ?? "lab-node",
+      role: validRole,
+      os: osId,
+      message: `PXE boot the machine to start installation (role=${validRole}, os=${osId})`,
+    });
+  });
+
+  // Receive install progress callbacks
+  app.post<{
+    Body: {
+      mac?: string;
+      stage?: string;
+      detail?: string;
+    };
+  }>("/api/progress", async (request, reply) => {
+    const { mac: rawMac, stage, detail } = request.body ?? {};
+    const mac = (rawMac ?? "unknown").toLowerCase();
+    const stageName = stage ?? "unknown";
+    const detailStr = detail ?? "";
+
+    const GREEN = "\x1b[0;32m";
+    const YELLOW = "\x1b[1;33m";
+    const RED = "\x1b[0;31m";
+    const BOLD = "\x1b[1m";
+    const RESET = "\x1b[0m";
+    const icons: Record<string, string> = {
+      partitioning: "◆", installing: "◆◆", "post-install": "◆◆◆",
+      complete: "✔", error: "✘",
+    };
+    const icon = icons[stageName] ?? "·";
+    const color = stageName === "complete" ? GREEN : stageName === "error" ? RED : YELLOW;
+    console.log(`  ${color}${icon}${RESET} ${mac}  ${BOLD}${stageName}${RESET}${detailStr ? ` -- ${detailStr}` : ""}`);
+
+    // Emit progress event for SSE clients
+    const hostname = state.load().install_queue[mac]?.hostname ?? mac;
+    progressBus.emit({
+      mac, hostname, stage: stageName, detail: detailStr,
+      timestamp: new Date().toISOString(),
+    });
+
+    state.update((s) => {
+      const queueEntry = s.install_queue[mac];
+      if (queueEntry) {
+        queueEntry.progress = stageName;
+        queueEntry.progress_at = new Date().toISOString();
+        if (detailStr !== "") {
+          queueEntry.progress_detail = detailStr;
+        }
+
+        // Append to progress log history
+        if (!queueEntry.log) queueEntry.log = [];
+        queueEntry.log.push({
+          stage: stageName,
+          detail: detailStr,
+          timestamp: new Date().toISOString(),
+        });
+
+        // Move to installed on completion
+        if (stageName === "complete") {
+          const cfg = s.install_queue[mac];
+          delete s.install_queue[mac];
+
+          const ip = detailStr.startsWith("ready at ")
+            ? detailStr.replace("ready at ", "").trim()
+            : "";
+
+          const installedInfo: InstalledInfo = {
+            hostname: cfg?.hostname ?? "?",
+            role: cfg?.role ?? "?",
+            ...(cfg?.os !== undefined ? { os: cfg.os } : {}),
+            ip,
+            installed_at: new Date().toISOString(),
+          };
+          s.installed[mac] = installedInfo;
+
+          const admin = installedInfo.role !== "vanilla" && installedInfo.role !== "" ? "michal" : "root";
+          console.log(`\n  \x1b[0;32m\x1b[1m  ssh ${admin}@${ip}\x1b[0m\n`);  // eslint-disable-line no-console
+
+          // Auto-install k3s for non-vanilla roles
+          if (installedInfo.role !== "vanilla" && ip !== "") {
+            void triggerPostProvisionK3s(installedInfo.hostname, ip, installedInfo.role, admin, mac);
+          }
+        }
+      }
+    });
+
+    return reply.send({ status: "ok" });
+  });
+
+  // Receive raw log lines from kickstart scripts
+  app.post<{
+    Body: {
+      mac?: string;
+      line?: string;
+      lines?: string[];
+      tail?: string;
+    };
+  }>("/api/log", async (request, reply) => {
+    const { mac: rawMac, line, lines: rawLines, tail } = request.body ?? {};
+    const mac = (rawMac ?? "unknown").toLowerCase();
+
+    // Collect all lines from the various input formats
+    const allLines: string[] = [];
+    if (line) allLines.push(line);
+    if (rawLines) allLines.push(...rawLines);
+    if (tail) {
+      // tail is a string with escaped \n — split it into lines
+      allLines.push(...tail.split("\\n").filter(Boolean));
+    }
+
+    if (allLines.length === 0) {
+      return reply.send({ status: "ok", lines: 0 });
+    }
+
+    // Look up hostname from install queue for enriching events
+    const hostname = state.load().install_queue[mac]?.hostname ?? mac;
+
+    // Append to the install log buffer (this also emits to progressBus)
+    installLog.append(mac, allLines, hostname);
+
+    return reply.send({ status: "ok", lines: allLines.length });
+  });
+
+  // Delete a machine from all state
+  app.delete<{
+    Params: { mac: string };
+  }>("/api/machines/:mac", async (request, reply) => {
+    const mac = request.params.mac.toLowerCase().replace(/-/g, ":");
+
+    if (mac === "") {
+      return reply.status(400).send({ error: "mac is required" });
+    }
+
+    let found = false;
+    state.update((s) => {
+      if (s.discovered[mac] !== undefined) {
+        delete s.discovered[mac];
+        found = true;
+      }
+      if (s.install_queue[mac] !== undefined) {
+        delete s.install_queue[mac];
+        found = true;
+      }
+      if (s.installed[mac] !== undefined) {
+        delete s.installed[mac];
+        found = true;
+      }
+    });
+
+    if (!found) {
+      return reply.status(404).send({ error: "machine not found", mac });
+    }
+
+    logger.info(`MACHINE FORGOTTEN: ${mac}`);
+    return reply.send({ status: "forgotten", mac });
+  });
+
+  // Receive discovery reports
+  app.post<{
+    Body: {
+      mac?: string;
+      product?: string;
+      board?: string;
+      serial?: string;
+      manufacturer?: string;
+      cpu_model?: string;
+      cpu_cores?: number;
+      memory_gb?: number;
+      arch?: string;
+      disks?: Array<{ name: string; size_gb: number; model: string }>;
+      nics?: Array<{ name: string; mac: string; state: string }>;
+    };
+  }>("/api/discover", async (request, reply) => {
+    const data = request.body;
+    if (data === null || data === undefined) {
+      return reply.status(400).send({ error: "invalid JSON" });
+    }
+
+    const mac = (data.mac ?? "unknown").toLowerCase();
+    const now = new Date().toISOString();
+
+    const isNew = state.load().discovered[mac] === undefined;
+
+    state.update((s) => {
+      const existing = s.discovered[mac];
+      const hwInfo: HardwareInfo = {
+        mac,
+        product: data.product ?? "unknown",
+        board: data.board ?? "unknown",
+        serial: data.serial ?? "unknown",
+        manufacturer: data.manufacturer ?? "unknown",
+        cpu_model: data.cpu_model ?? "unknown",
+        cpu_cores: data.cpu_cores ?? 0,
+        memory_gb: data.memory_gb ?? 0,
+        arch: data.arch ?? "unknown",
+        disks: data.disks ?? [],
+        nics: data.nics ?? [],
+        first_seen: existing?.first_seen ?? now,
+        last_seen: now,
+      };
+      s.discovered[mac] = hwInfo;
+    });
+
+    const label = isNew ? "NEW MACHINE DISCOVERED" : "MACHINE RE-DISCOVERED";
+    const cpu = data.cpu_model ?? "?";
+    const cores = data.cpu_cores ?? "?";
+    const mem = data.memory_gb ?? "?";
+    logger.info(`${label}: ${mac} -- ${data.manufacturer ?? "?"} ${data.product ?? "?"} (${cpu}, ${cores} cores, ${mem}GB RAM)`);
+
+    return reply.send({ status: "ok", mac, new: isNew });
+  });
+
+  // Update a machine's role (e.g. promote infra -> labcontroller)
+  app.post<{
+    Body: {
+      mac?: string;
+      role?: string;
+    };
+  }>("/api/role", async (request, reply) => {
+    const { mac: rawMac, role } = request.body ?? {};
+    const mac = (rawMac ?? "").toLowerCase().replace(/-/g, ":");
+
+    if (mac === "") {
+      return reply.status(400).send({ error: "mac is required" });
+    }
+    if (!role) {
+      return reply.status(400).send({ error: "role is required" });
+    }
+
+    let found = false;
+    state.update((s) => {
+      if (s.installed[mac]) {
+        const oldRole = s.installed[mac].role;
+        s.installed[mac].role = role;
+        found = true;
+        logger.info(`ROLE UPDATED: ${mac} (${s.installed[mac].hostname}) ${oldRole} -> ${role}`);
+      }
+    });
+
+    if (!found) {
+      return reply.status(404).send({ error: "machine not found in installed state", mac });
+    }
+
+    return reply.send({ status: "updated", mac, role });
+  });
+
+  // Get provision logs for a machine (current state snapshot + raw log lines)
+  app.get<{
+    Params: { mac: string };
+    Querystring: { lines?: string; offset?: string };
+  }>("/api/logs/:mac", async (request, reply) => {
+    const mac = request.params.mac.toLowerCase().replace(/-/g, ":");
+    const logLimit = parseInt(request.query.lines ?? "200", 10);
+    const logOffset = parseInt(request.query.offset ?? "0", 10);
+    const currentState = state.load();
+
+    const queueEntry = currentState.install_queue[mac];
+    const installedEntry = currentState.installed[mac];
+
+    if (queueEntry) {
+      return reply.send({
+        mac,
+        hostname: queueEntry.hostname,
+        status: "installing",
+        progress: queueEntry.progress ?? "queued",
+        progress_detail: queueEntry.progress_detail ?? "",
+        progress_at: queueEntry.progress_at ?? queueEntry.queued_at,
+        role: queueEntry.role,
+        os: queueEntry.os,
+        stages: queueEntry.log ?? [],
+        log_lines: installLog.getLines(mac, logOffset, logLimit),
+        log_total: installLog.lineCount(mac),
+      });
+    }
+    if (installedEntry) {
+      return reply.send({
+        mac,
+        hostname: installedEntry.hostname,
+        status: "installed",
+        progress: "complete",
+        progress_detail: `ready at ${installedEntry.ip}`,
+        progress_at: installedEntry.installed_at,
+        role: installedEntry.role,
+        ip: installedEntry.ip,
+        log_lines: installLog.getLines(mac, logOffset, logLimit),
+        log_total: installLog.lineCount(mac),
+      });
+    }
+
+    return reply.status(404).send({ error: "machine not found", mac });
+  });
+
+  // SSE stream: follow provision progress for a machine (or all machines)
+  app.get<{
+    Params: { mac: string };
+  }>("/api/logs/:mac/follow", async (request, reply) => {
+    const filterMac = request.params.mac === "all"
+      ? null
+      : request.params.mac.toLowerCase().replace(/-/g, ":");
+
+    void reply.raw.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      "Connection": "keep-alive",
+    });
+
+    // Send current state as first event
+    const currentState = state.load();
+    const queueEntry = filterMac ? currentState.install_queue[filterMac] : undefined;
+    if (queueEntry) {
+      const initData = JSON.stringify({
+        mac: filterMac, hostname: queueEntry.hostname,
+        stage: queueEntry.progress ?? "queued",
+        detail: queueEntry.progress_detail ?? "",
+        timestamp: queueEntry.progress_at ?? queueEntry.queued_at,
+      });
+      reply.raw.write(`data: ${initData}\n\n`);
+    }
+
+    const onProgress = (event: ProgressEvent): void => {
+      if (filterMac && event.mac !== filterMac) return;
+      // Use SSE event types so clients can filter: "stage" for progress, "log" for raw lines
+      const eventType = event.stage === "log" ? "log" : "stage";
+      reply.raw.write(`event: ${eventType}\ndata: ${JSON.stringify(event)}\n\n`);
+    };
+
+    progressBus.on(onProgress);
+
+    request.raw.on("close", () => {
+      progressBus.off(onProgress);
+    });
+  });
+}
diff --git a/bastion/src/bastion/src/routes/boot-iso.ts b/bastion/src/bastion/src/routes/boot-iso.ts
new file mode 100644
index 0000000..1a5a5f4
--- /dev/null
+++ b/bastion/src/bastion/src/routes/boot-iso.ts
@@ -0,0 +1,249 @@
+// Boot ISO generation.
+// Generates a UEFI-bootable iPXE ISO using xorriso+mtools.
+// The ISO is placed in httpDir so @fastify/static serves it with Range request
+// support (required by JetKVM, which streams via HTTP Range + NBD).
+//
+// The ISO embeds kernel + initrd so machines without UEFI NIC support
+// (no SNP protocol) can still boot. iPXE loads them from file:/ and the
+// Linux kernel handles networking with its own drivers.
+
+import { createHash } from "node:crypto";
+import { execSync } from "node:child_process";
+import { existsSync, readFileSync, statSync, writeFileSync, mkdirSync, rmSync, unlinkSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import type { BastionConfig } from "@lab/shared";
+import { logger } from "../services/logger.js";
+
+// iPXE SNP variant (scans all UEFI SNP handles, works from CD-ROM/USB boot).
+const IPXE_ISO_PATHS: Record<string, { src: string[]; efiName: string }> = {
+  x86_64: {
+    src: [
+      "/usr/share/ipxe/ipxe-snp-x86_64.efi",
+      "/usr/share/ipxe/ipxe-x86_64.efi",
+    ],
+    efiName: "BOOTX64.EFI",
+  },
+  aarch64: {
+    src: [
+      "/usr/share/ipxe/arm64-efi/ipxe-snp.efi",
+      "/usr/share/ipxe/arm64-efi/ipxe.efi",
+    ],
+    efiName: "BOOTAA64.EFI",
+  },
+};
+
+// Fedora PXE kernel/initrd paths per architecture
+const FEDORA_MIRROR_BASE = "https://download.fedoraproject.org/pub/fedora/linux/releases";
+
+interface BootPayload {
+  arch: string;
+  vmlinuz: string;
+  initrd: string;
+}
+
+function downloadIfMissing(url: string, dest: string, label: string): void {
+  if (existsSync(dest)) {
+    logger.info(`  ${label} -- cached`);
+    return;
+  }
+  logger.info(`  ${label} -- downloading...`);
+  execSync(`curl -# -L -f -o "${dest}" "${url}"`, { stdio: "inherit" });
+}
+
+function generateIso(config: BastionConfig, outputPath: string): void {
+  const work = join(tmpdir(), `bastion-iso-${process.pid}`);
+  mkdirSync(join(work, "EFI", "BOOT"), { recursive: true });
+
+  const bastionUrl = `http://${config.serverIp}:${config.httpPort}`;
+
+  // Copy available iPXE EFI binaries
+  const archs: string[] = [];
+  for (const [arch, paths] of Object.entries(IPXE_ISO_PATHS)) {
+    const srcFile = paths.src.find((s) => existsSync(s));
+    if (srcFile) {
+      execSync(`cp "${srcFile}" "${join(work, "EFI", "BOOT", paths.efiName)}"`, { stdio: "pipe" });
+      archs.push(arch);
+      logger.info(`  iPXE ISO ${arch}: ${srcFile}`);
+    }
+  }
+
+  if (archs.length === 0) throw new Error("No iPXE EFI binaries found");
+
+  // Download and stage kernel/initrd for each architecture.
+  // These are embedded in the ISO so machines without UEFI NIC support
+  // can boot the Linux installer (which has its own NIC drivers).
+  const cacheDir = join(config.bastionDir, "iso-cache");
+  mkdirSync(cacheDir, { recursive: true });
+
+  const payloads: BootPayload[] = [];
+  for (const arch of ["x86_64", "aarch64"]) {
+    const mirror = `${FEDORA_MIRROR_BASE}/${config.fedoraVersion}/Everything/${arch}/os`;
+    const vmlinuzCache = join(cacheDir, `vmlinuz-${arch}`);
+    const initrdCache = join(cacheDir, `initrd-${arch}`);
+
+    try {
+      downloadIfMissing(
+        `${mirror}/images/pxeboot/vmlinuz`,
+        vmlinuzCache,
+        `Fedora ${arch} kernel`,
+      );
+      downloadIfMissing(
+        `${mirror}/images/pxeboot/initrd.img`,
+        initrdCache,
+        `Fedora ${arch} initrd`,
+      );
+      payloads.push({ arch, vmlinuz: vmlinuzCache, initrd: initrdCache });
+    } catch {
+      logger.warn(`  Fedora ${arch} kernel/initrd not available -- skipping`);
+    }
+  }
+
+  // Write iPXE autoexec script.
+  // Strategy: try DHCP (for machines with UEFI NIC support), then fall back
+  // to booting the embedded kernel/initrd from the ISO filesystem.
+  // iPXE's ${buildarch} resolves to "x86_64" or "arm64".
+  const ipxeScript = [
+    "#!ipxe",
+    "",
+    "echo",
+    "echo =============================================",
+    "echo   Lab PXE Bastion -- ISO Boot",
+    "echo =============================================",
+    "echo",
+    "",
+    "# Try DHCP (works if UEFI has NIC driver / SNP support)",
+    "set attempts:int32 0",
+    ":retry",
+    "dhcp && goto netboot ||",
+    "inc attempts",
+    "iseq ${attempts} 3 || goto retry_wait",
+    "goto localboot",
+    ":retry_wait",
+    "echo DHCP failed (attempt ${attempts}/3), retrying...",
+    "sleep 2",
+    "goto retry",
+    "",
+    "# Network available -- chain to bastion for dynamic dispatch",
+    ":netboot",
+    "echo Network OK. Chaining to bastion...",
+    `chain ${bastionUrl}/boot.ipxe || shell`,
+    "",
+    "# No network -- boot embedded kernel (Linux has its own NIC drivers)",
+    ":localboot",
+    "echo No UEFI network support. Booting embedded installer...",
+    "echo Linux will configure networking with its own drivers.",
+    "echo",
+    "# Map iPXE arch names to Fedora mirror paths (arm64 -> aarch64)",
+    "set fedarch ${buildarch}",
+    "iseq ${buildarch} arm64 && set fedarch aarch64 ||",
+    `kernel file:/vmlinuz-\${buildarch} inst.ks=${bastionUrl}/discover.ks inst.repo=${FEDORA_MIRROR_BASE}/${config.fedoraVersion}/Everything/\${fedarch}/os inst.text || goto no_kernel`,
+    `initrd file:/initrd-\${buildarch} || goto no_kernel`,
+    "boot || shell",
+    "",
+    ":no_kernel",
+    "echo ERROR: kernel not found for this architecture. Dropping to shell.",
+    "shell",
+  ].join("\n");
+
+  writeFileSync(join(work, "autoexec.ipxe"), ipxeScript);
+
+  // Calculate EFI partition size: iPXE binaries + autoexec + kernel/initrd + margin
+  let payloadSize = 2 * 1024 * 1024; // 2MB base for iPXE + autoexec + FAT overhead
+  for (const p of payloads) {
+    payloadSize += statSync(p.vmlinuz).size;
+    payloadSize += statSync(p.initrd).size;
+  }
+  const efiSizeMB = Math.ceil(payloadSize / (1024 * 1024)) + 4; // +4MB margin
+  logger.info(`  EFI partition: ${efiSizeMB}MB (${payloads.length} arch payloads)`);
+
+  // Create FAT EFI system partition
+  const efiImg = join(work, "efi.img");
+  execSync(`dd if=/dev/zero of="${efiImg}" bs=1M count=${efiSizeMB} 2>/dev/null`, { stdio: "pipe" });
+  execSync(`mformat -i "${efiImg}" -v LABBOOT ::`, { stdio: "pipe" });
+  execSync(`mmd -i "${efiImg}" ::/EFI`, { stdio: "pipe" });
+  execSync(`mmd -i "${efiImg}" ::/EFI/BOOT`, { stdio: "pipe" });
+
+  for (const arch of archs) {
+    const paths = IPXE_ISO_PATHS[arch]!;
+    execSync(`mcopy -i "${efiImg}" "${join(work, "EFI", "BOOT", paths.efiName)}" ::/EFI/BOOT/${paths.efiName}`, { stdio: "pipe" });
+  }
+  execSync(`mcopy -i "${efiImg}" "${join(work, "autoexec.ipxe")}" ::/autoexec.ipxe`, { stdio: "pipe" });
+
+  // Copy kernel/initrd onto EFI partition with arch-specific names
+  for (const p of payloads) {
+    // iPXE ${buildarch} returns "x86_64" or "arm64"
+    const archLabel = p.arch === "aarch64" ? "arm64" : p.arch;
+    execSync(`mcopy -i "${efiImg}" "${p.vmlinuz}" ::/vmlinuz-${archLabel}`, { stdio: "pipe" });
+    execSync(`mcopy -i "${efiImg}" "${p.initrd}" ::/initrd-${archLabel}`, { stdio: "pipe" });
+    logger.info(`  Embedded ${archLabel}: vmlinuz + initrd`);
+  }
+
+  // Build hybrid ISO: El Torito EFI boot + GPT EFI partition
+  execSync([
+    `xorriso -as mkisofs`,
+    `-o "${outputPath}"`,
+    `-R`,
+    `-V LAB_BOOT`,
+    `-e efi.img`,
+    `-no-emul-boot`,
+    `-partition_offset 16`,
+    `-append_partition 2 0xEF "${efiImg}"`,
+    `-appended_part_as_gpt`,
+    `"${work}"`,
+  ].join(" "), { stdio: "pipe" });
+
+  rmSync(work, { recursive: true, force: true });
+  logger.info(`Generated boot ISO (${archs.join(", ")}): ${outputPath}`);
+}
+
+/** Compute a short hash of all inputs that affect ISO content. */
+function computeIsoHash(config: BastionConfig): string {
+  const h = createHash("sha256");
+  h.update(`${config.serverIp}:${config.httpPort}`);
+  h.update(config.fedoraVersion);
+  for (const paths of Object.values(IPXE_ISO_PATHS)) {
+    const srcFile = paths.src.find((s) => existsSync(s));
+    if (srcFile) {
+      const st = statSync(srcFile);
+      h.update(`${srcFile}:${st.size}:${st.mtimeMs}`);
+    }
+  }
+  // Include kernel/initrd cache state
+  const cacheDir = join(config.bastionDir, "iso-cache");
+  for (const arch of ["x86_64", "aarch64"]) {
+    const vmlinuz = join(cacheDir, `vmlinuz-${arch}`);
+    if (existsSync(vmlinuz)) {
+      const st = statSync(vmlinuz);
+      h.update(`${vmlinuz}:${st.size}`);
+    }
+  }
+  return h.digest("hex").slice(0, 16);
+}
+
+/**
+ * Ensure boot.iso exists and is up-to-date in httpDir.
+ * Called during startup so @fastify/static can serve it with Range support.
+ */
+export function ensureBootIso(config: BastionConfig): void {
+  const isoPath = join(config.httpDir, "boot.iso");
+  const hashPath = join(config.httpDir, "boot.iso.hash");
+
+  const currentHash = computeIsoHash(config);
+  const cachedHash = existsSync(hashPath) ? readFileSync(hashPath, "utf-8").trim() : "";
+
+  if (existsSync(isoPath) && currentHash === cachedHash) {
+    logger.info("  Boot ISO -- cached (up to date)");
+    return;
+  }
+
+  if (existsSync(isoPath)) {
+    logger.info("  Boot ISO -- inputs changed, regenerating...");
+    try { unlinkSync(isoPath); } catch { /* ignore */ }
+  } else {
+    logger.info("  Boot ISO -- generating...");
+  }
+
+  generateIso(config, isoPath);
+  writeFileSync(hashPath, currentHash);
+}
diff --git a/bastion/src/bastion/src/routes/dispatch.ts b/bastion/src/bastion/src/routes/dispatch.ts
new file mode 100644
index 0000000..54221fc
--- /dev/null
+++ b/bastion/src/bastion/src/routes/dispatch.ts
@@ -0,0 +1,77 @@
+// iPXE dispatch route.
+// Routes PXE boot requests based on machine state:
+//   - install_queue -> install mode (serve Fedora installer + per-MAC kickstart)
+//   - installed     -> exit (boot from local disk)
+//   - unknown       -> discovery mode (collect hardware, POST to bastion)
+
+import type { FastifyInstance } from "fastify";
+import type { BastionConfig } from "@lab/shared";
+import type { StateManager } from "../services/state.js";
+import {
+  renderDiscoverIpxe,
+  renderInstallIpxe,
+  renderLocalBootIpxe,
+} from "../templates/boot.ipxe.js";
+import { renderUbuntuInstallIpxe } from "../templates/ubuntu-boot.ipxe.js";
+import { logger } from "../services/logger.js";
+
+export function registerDispatchRoutes(
+  app: FastifyInstance,
+  config: BastionConfig,
+  state: StateManager,
+): void {
+  app.get<{ Querystring: { mac?: string } }>("/dispatch", async (request, reply) => {
+    const mac = (request.query.mac ?? "").toLowerCase().replace(/-/g, ":");
+    const currentState = state.load();
+
+    const queueEntry = currentState.install_queue[mac];
+    if (queueEntry) {
+      const hostname = queueEntry.hostname ?? "lab-node";
+      const os = queueEntry.os ?? "fedora-43";
+      logger.info(`INSTALL STARTED: ${mac} -> ${hostname} (${os})`);
+
+      let script: string;
+      if (os.startsWith("ubuntu")) {
+        script = renderUbuntuInstallIpxe({
+          mac,
+          hostname,
+          serverIp: config.serverIp,
+          httpPort: config.httpPort,
+          ubuntuVersion: config.ubuntuVersion,
+        });
+      } else {
+        script = renderInstallIpxe({
+          mac,
+          hostname,
+          serverIp: config.serverIp,
+          httpPort: config.httpPort,
+          fedoraVersion: config.fedoraVersion,
+          fedoraMirror: config.fedoraMirror,
+        });
+      }
+
+      return reply.type("text/plain").send(script);
+    }
+
+    const installedEntry = currentState.installed[mac];
+    if (installedEntry) {
+      const hostname = installedEntry.hostname ?? "?";
+      logger.info(`PXE request from ${mac} (${hostname}) - already installed, booting local disk`);
+
+      const script = renderLocalBootIpxe(hostname);
+      return reply.type("text/plain").send(script);
+    }
+
+    // Unknown MAC -> discovery mode
+    logger.info(`PXE request from ${mac} -> discovery mode`);
+
+    const script = renderDiscoverIpxe({
+      mac,
+      serverIp: config.serverIp,
+      httpPort: config.httpPort,
+      fedoraMirror: config.fedoraMirror,
+    });
+
+    return reply.type("text/plain").send(script);
+  });
+}
diff --git a/bastion/src/bastion/src/routes/kickstart.ts b/bastion/src/bastion/src/routes/kickstart.ts
new file mode 100644
index 0000000..bce0e04
--- /dev/null
+++ b/bastion/src/bastion/src/routes/kickstart.ts
@@ -0,0 +1,71 @@
+// Kickstart generation routes.
+// Serves per-MAC install kickstart, static discovery kickstart,
+// and Ubuntu autoinstall cloud-init endpoints.
+
+import type { FastifyInstance } from "fastify";
+import type { BastionConfig } from "@lab/shared";
+import type { StateManager } from "../services/state.js";
+import { generateInstallKickstart, generateDiscoverKickstart } from "../services/kickstart-generator.js";
+import { renderUbuntuAutoinstall, renderUbuntuMetaData, type UbuntuAutoinstallParams } from "../templates/ubuntu-autoinstall.js";
+
+export function registerKickstartRoutes(
+  app: FastifyInstance,
+  config: BastionConfig,
+  state: StateManager,
+): void {
+  // Per-MAC install kickstart
+  app.get<{ Querystring: { mac?: string } }>("/ks", async (request, reply) => {
+    const mac = (request.query.mac ?? "").toLowerCase().replace(/-/g, ":");
+    const currentState = state.load();
+    const queueEntry = currentState.install_queue[mac];
+
+    const ks = generateInstallKickstart(config, {
+      hostname: queueEntry?.hostname ?? "lab-node",
+      disk: queueEntry?.disk ?? "",
+      role: queueEntry?.role ?? "worker",
+    });
+
+    return reply.type("text/plain").send(ks);
+  });
+
+  // Static discovery kickstart
+  app.get("/discover.ks", async (_request, reply) => {
+    const ks = generateDiscoverKickstart(config);
+    return reply.type("text/plain").send(ks);
+  });
+
+  // Ubuntu autoinstall user-data (cloud-init)
+  app.get<{ Params: { mac: string } }>("/autoinstall/:mac/user-data", async (request, reply) => {
+    const mac = request.params.mac.toLowerCase().replace(/-/g, ":");
+    const currentState = state.load();
+    const queueEntry = currentState.install_queue[mac];
+
+    const aiParams: UbuntuAutoinstallParams = {
+      hostname: queueEntry?.hostname ?? "lab-node",
+      disk: queueEntry?.disk ?? "",
+      role: queueEntry?.role ?? "worker",
+      domain: config.domain,
+      ubuntuVersion: config.ubuntuVersion,
+      timezone: config.timezone,
+      locale: config.locale,
+      serverIp: config.serverIp,
+      httpPort: config.httpPort,
+      sshKeys: config.sshKeys,
+      adminUser: config.adminUser,
+    };
+
+    const userData = renderUbuntuAutoinstall(aiParams);
+    return reply.type("text/plain").send(userData);
+  });
+
+  // Ubuntu autoinstall meta-data (cloud-init)
+  app.get<{ Params: { mac: string } }>("/autoinstall/:mac/meta-data", async (request, reply) => {
+    const mac = request.params.mac.toLowerCase().replace(/-/g, ":");
+    const currentState = state.load();
+    const queueEntry = currentState.install_queue[mac];
+    const hostname = queueEntry?.hostname ?? "lab-node";
+
+    const metaData = renderUbuntuMetaData(hostname);
+    return reply.type("text/plain").send(metaData);
+  });
+}
diff --git a/bastion/src/bastion/src/server.ts b/bastion/src/bastion/src/server.ts
new file mode 100644
index 0000000..8bdaf6d
--- /dev/null
+++ b/bastion/src/bastion/src/server.ts
@@ -0,0 +1,69 @@
+// Fastify application setup with all routes registered.
+
+import Fastify from "fastify";
+import fastifyStatic from "@fastify/static";
+import { mkdirSync, existsSync } from "node:fs";
+import type { BastionConfig } from "@lab/shared";
+import { StateManager } from "./services/state.js";
+import { InstallLogBuffer } from "./services/install-log.js";
+import { SyslogListener } from "./services/syslog-listener.js";
+import { logger } from "./services/logger.js";
+import { registerDispatchRoutes } from "./routes/dispatch.js";
+import { registerKickstartRoutes } from "./routes/kickstart.js";
+import { registerApiRoutes } from "./routes/api.js";
+
+
+export function createApp(config: BastionConfig): { app: ReturnType<typeof Fastify>; state: StateManager; installLog: InstallLogBuffer; syslog: SyslogListener } {
+  const app = Fastify({
+    logger: false, // We use winston instead
+  });
+
+  const state = new StateManager(config.stateFile);
+  state.init();
+
+  const installLog = new InstallLogBuffer(config.bastionDir);
+  const syslog = new SyslogListener(config.syslogPort, installLog, state);
+
+  // Serve static files (vmlinuz, initrd.img, iPXE binaries) from the HTTP directory
+  mkdirSync(config.httpDir, { recursive: true });
+  app.register(fastifyStatic, {
+    root: config.httpDir,
+    prefix: "/",
+    decorateReply: false,
+  });
+
+  // Also serve TFTP files (iPXE EFI binaries) over HTTP for UEFI HTTP Boot
+  if (existsSync(config.tftpDir)) {
+    app.register(fastifyStatic, {
+      root: config.tftpDir,
+      prefix: "/tftp/",
+      decorateReply: false,
+    });
+  }
+
+  // Register route handlers
+  registerDispatchRoutes(app, config, state);
+  registerKickstartRoutes(app, config, state);
+  registerApiRoutes(app, state, installLog);
+  // boot.iso is generated at startup and served as a static file from httpDir
+  // (static serving supports HTTP Range requests, required by JetKVM streaming)
+
+  // Log all requests
+  app.addHook("onRequest", async (request) => {
+    logger.info(`HTTP: ${request.ip} ${request.method} ${request.url}`);
+  });
+
+  return { app, state, installLog, syslog };
+}
+
+export async function startServer(config: BastionConfig): Promise<void> {
+  const { app } = createApp(config);
+
+  try {
+    await app.listen({ port: config.httpPort, host: "0.0.0.0" });
+    logger.info(`HTTP server listening on :${config.httpPort}`);
+  } catch (err) {
+    logger.error(`Failed to start HTTP server: ${err instanceof Error ? err.message : String(err)}`);
+    throw err;
+  }
+}
diff --git a/bastion/src/bastion/src/services/dnsmasq.ts b/bastion/src/bastion/src/services/dnsmasq.ts
new file mode 100644
index 0000000..d1bfa87
--- /dev/null
+++ b/bastion/src/bastion/src/services/dnsmasq.ts
@@ -0,0 +1,70 @@
+// Generate dnsmasq configuration and manage the dnsmasq process lifecycle.
+
+import { writeFileSync, mkdirSync } from "node:fs";
+import { dirname } from "node:path";
+import type { ResultPromise } from "execa";
+import { execa } from "execa";
+import type { BastionConfig } from "@lab/shared";
+import { renderDnsmasqConf } from "../templates/dnsmasq.conf.js";
+import { logger } from "./logger.js";
+
+type DnsmasqProcess = ResultPromise<{ stdout: "pipe"; stderr: "pipe" }>;
+let dnsmasqProcess: DnsmasqProcess | null = null;
+
+/**
+ * Generate the dnsmasq.conf file from the current configuration.
+ */
+export function generateDnsmasqConf(config: BastionConfig): string {
+  const confPath = `${config.bastionDir}/dnsmasq.conf`;
+  const content = renderDnsmasqConf(config);
+  mkdirSync(dirname(confPath), { recursive: true });
+  writeFileSync(confPath, content);
+  logger.info(`Generated dnsmasq config: ${confPath}`);
+  return confPath;
+}
+
+/**
+ * Start dnsmasq in the foreground as a child process.
+ */
+export async function startDnsmasq(config: BastionConfig): Promise<DnsmasqProcess> {
+  const confPath = generateDnsmasqConf(config);
+
+  logger.info(`Starting PXE server (${config.dhcpMode}DHCP on ${config.iface})...`);
+
+  const proc = execa("dnsmasq", ["--no-daemon", `--conf-file=${confPath}`], {
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+
+  dnsmasqProcess = proc;
+
+  proc.stdout?.on("data", (data: Buffer) => {
+    const line = data.toString().trim();
+    if (line) logger.info(`dnsmasq: ${line}`);
+  });
+
+  proc.stderr?.on("data", (data: Buffer) => {
+    const line = data.toString().trim();
+    if (line) logger.info(`dnsmasq: ${line}`);
+  });
+
+  proc.on("exit", (code) => {
+    if (code !== null && code !== 0) {
+      logger.error(`dnsmasq exited with code ${code}. Check if another DHCP/TFTP service is running.`);
+    }
+    dnsmasqProcess = null;
+  });
+
+  return proc;
+}
+
+/**
+ * Stop the running dnsmasq process.
+ */
+export function stopDnsmasq(): void {
+  if (dnsmasqProcess) {
+    logger.info("Stopping dnsmasq...");
+    dnsmasqProcess.kill("SIGTERM");
+    dnsmasqProcess = null;
+  }
+}
diff --git a/bastion/src/bastion/src/services/install-log.ts b/bastion/src/bastion/src/services/install-log.ts
new file mode 100644
index 0000000..b376e70
--- /dev/null
+++ b/bastion/src/bastion/src/services/install-log.ts
@@ -0,0 +1,86 @@
+// Per-machine install log buffer.
+// Stores raw log lines in memory (ring buffer) and persists to disk.
+// Used by /api/log for ingestion and /api/logs/:mac/follow for SSE streaming.
+
+import { mkdirSync, appendFileSync, readFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { progressBus } from "./progress-events.js";
+
+const MAX_LINES_IN_MEMORY = 2000;
+
+export interface LogLine {
+  line: string;
+  timestamp: string;
+}
+
+export class InstallLogBuffer {
+  /** In-memory ring buffer per MAC */
+  private buffers = new Map<string, LogLine[]>();
+  private logDir: string;
+
+  constructor(bastionDir: string) {
+    this.logDir = join(bastionDir, "logs");
+    mkdirSync(this.logDir, { recursive: true });
+  }
+
+  /** Append log lines for a machine. Stores in memory + appends to file. */
+  append(mac: string, lines: string[], hostname?: string): void {
+    const now = new Date().toISOString();
+    const buffer = this.buffers.get(mac) ?? [];
+
+    const newEntries: LogLine[] = lines.map((line) => ({ line, timestamp: now }));
+    buffer.push(...newEntries);
+
+    // Trim to ring buffer size
+    if (buffer.length > MAX_LINES_IN_MEMORY) {
+      buffer.splice(0, buffer.length - MAX_LINES_IN_MEMORY);
+    }
+
+    this.buffers.set(mac, buffer);
+
+    // Persist to file
+    const filePath = this.logFilePath(mac);
+    const fileContent = lines.map((l) => `${now} ${l}`).join("\n") + "\n";
+    appendFileSync(filePath, fileContent);
+
+    // Emit to SSE via progressBus (use "log" stage for log lines)
+    const host = hostname ?? mac;
+    for (const line of lines) {
+      progressBus.emit({
+        mac,
+        hostname: host,
+        stage: "log",
+        detail: line,
+        timestamp: now,
+      });
+    }
+  }
+
+  /** Get buffered log lines for a machine. */
+  getLines(mac: string, offset = 0, limit = 500): LogLine[] {
+    const buffer = this.buffers.get(mac) ?? [];
+    return buffer.slice(offset, offset + limit);
+  }
+
+  /** Get total line count for a machine. */
+  lineCount(mac: string): number {
+    return this.buffers.get(mac)?.length ?? 0;
+  }
+
+  /** Read full log from disk (for machines no longer in memory). */
+  readFromDisk(mac: string): string | null {
+    const filePath = this.logFilePath(mac);
+    if (!existsSync(filePath)) return null;
+    return readFileSync(filePath, "utf-8");
+  }
+
+  /** Clear log for a machine (after install complete or forget). */
+  clear(mac: string): void {
+    this.buffers.delete(mac);
+  }
+
+  private logFilePath(mac: string): string {
+    // Replace colons with dashes for filesystem safety
+    return join(this.logDir, `${mac.replace(/:/g, "-")}.log`);
+  }
+}
diff --git a/bastion/src/bastion/src/services/iso-builder.ts b/bastion/src/bastion/src/services/iso-builder.ts
new file mode 100644
index 0000000..6238ed1
--- /dev/null
+++ b/bastion/src/bastion/src/services/iso-builder.ts
@@ -0,0 +1,437 @@
+// Pure TypeScript UEFI-bootable ISO builder.
+// Creates an ISO 9660 image with an embedded FAT EFI system partition
+// containing iPXE EFI binaries and an autoexec script.
+// No external tools required (no xorriso, mtools).
+
+import { readFileSync } from "node:fs";
+
+const SECTOR_SIZE = 2048; // ISO 9660 logical sector
+const FAT_SECTOR_SIZE = 512;
+
+// --- Utility helpers ---
+
+function asciiPad(s: string, len: number, pad = " "): Buffer {
+  const buf = Buffer.alloc(len, pad.charCodeAt(0));
+  buf.write(s, 0, Math.min(s.length, len), "ascii");
+  return buf;
+}
+
+function u16le(n: number): Buffer {
+  const buf = Buffer.alloc(2);
+  buf.writeUInt16LE(n);
+  return buf;
+}
+
+function u32le(n: number): Buffer {
+  const buf = Buffer.alloc(4);
+  buf.writeUInt32LE(n);
+  return buf;
+}
+
+function u16be(n: number): Buffer {
+  const buf = Buffer.alloc(2);
+  buf.writeUInt16BE(n);
+  return buf;
+}
+
+function u32be(n: number): Buffer {
+  const buf = Buffer.alloc(4);
+  buf.writeUInt32BE(n);
+  return buf;
+}
+
+/** Both-endian 16-bit (ISO 9660 "both-byte" format) */
+function u16both(n: number): Buffer {
+  return Buffer.concat([u16le(n), u16be(n)]);
+}
+
+/** Both-endian 32-bit */
+function u32both(n: number): Buffer {
+  return Buffer.concat([u32le(n), u32be(n)]);
+}
+
+function isoDate(d: Date): Buffer {
+  // ISO 9660 date: 17 bytes ASCII "YYYYMMDDHHMMSSCC" + timezone offset
+  const s =
+    d.getUTCFullYear().toString().padStart(4, "0") +
+    (d.getUTCMonth() + 1).toString().padStart(2, "0") +
+    d.getUTCDate().toString().padStart(2, "0") +
+    d.getUTCHours().toString().padStart(2, "0") +
+    d.getUTCMinutes().toString().padStart(2, "0") +
+    d.getUTCSeconds().toString().padStart(2, "0") +
+    "00"; // hundredths
+  const buf = Buffer.alloc(17, 0);
+  buf.write(s, 0, 16, "ascii");
+  buf[16] = 0; // UTC offset (0 = UTC)
+  return buf;
+}
+
+function dirRecordDate(d: Date): Buffer {
+  // 7-byte recording date
+  const buf = Buffer.alloc(7, 0);
+  buf[0] = d.getUTCFullYear() - 1900;
+  buf[1] = d.getUTCMonth() + 1;
+  buf[2] = d.getUTCDate();
+  buf[3] = d.getUTCHours();
+  buf[4] = d.getUTCMinutes();
+  buf[5] = d.getUTCSeconds();
+  buf[6] = 0; // UTC
+  return buf;
+}
+
+// --- FAT12 filesystem builder ---
+
+function buildFatImage(files: Array<{ path: string; data: Buffer }>): Buffer {
+  // Build a minimal FAT12 filesystem in memory
+  // Layout: BPB | FAT | FAT copy | Root dir | Data clusters
+
+  const bytesPerSector = FAT_SECTOR_SIZE;
+  const sectorsPerCluster = 4; // 2KB clusters
+  const clusterSize = bytesPerSector * sectorsPerCluster;
+  const reservedSectors = 1;
+  const numFats = 2;
+  const rootEntryCount = 64; // 64 * 32 = 2048 bytes = 4 sectors
+  const rootDirSectors = Math.ceil((rootEntryCount * 32) / bytesPerSector);
+
+  // Calculate data size needed
+  let totalDataBytes = 0;
+  for (const f of files) totalDataBytes += Math.ceil(f.data.length / clusterSize) * clusterSize;
+  // Add directory clusters for EFI and EFI/BOOT
+  totalDataBytes += clusterSize * 2;
+
+  const dataClusters = Math.ceil(totalDataBytes / clusterSize) + 2; // +2 safety
+  const fatEntries = dataClusters + 2; // clusters start at 2
+  const fatBytes = Math.ceil((fatEntries * 3) / 2); // FAT12: 1.5 bytes per entry
+  const sectorsPerFat = Math.ceil(fatBytes / bytesPerSector);
+
+  const totalSectors = reservedSectors + (numFats * sectorsPerFat) + rootDirSectors + (dataClusters * sectorsPerCluster);
+  const image = Buffer.alloc(totalSectors * bytesPerSector, 0);
+
+  // --- BPB (BIOS Parameter Block) ---
+  image[0] = 0xEB; image[1] = 0x3C; image[2] = 0x90; // Jump + NOP
+  image.write("LABCTL  ", 3, 8, "ascii"); // OEM
+  image.writeUInt16LE(bytesPerSector, 11);
+  image[13] = sectorsPerCluster;
+  image.writeUInt16LE(reservedSectors, 14);
+  image[16] = numFats;
+  image.writeUInt16LE(rootEntryCount, 17);
+  image.writeUInt16LE(totalSectors < 0x10000 ? totalSectors : 0, 19);
+  image[21] = 0xF0; // media descriptor (removable)
+  image.writeUInt16LE(sectorsPerFat, 22);
+  image.writeUInt16LE(1, 24); // sectors per track
+  image.writeUInt16LE(1, 26); // heads
+  image[38] = 0x29; // Extended boot sig
+  image.writeUInt32LE(0x12345678, 39); // volume serial
+  image.write("IPXE BOOT  ", 43, 11, "ascii"); // volume label
+  image.write("FAT12   ", 54, 8, "ascii"); // filesystem type
+  image[510] = 0x55; image[511] = 0xAA; // Boot signature
+
+  // --- FAT table ---
+  const fatOffset = reservedSectors * bytesPerSector;
+  const rootDirOffset = fatOffset + (numFats * sectorsPerFat * bytesPerSector);
+  const dataOffset = rootDirOffset + (rootDirSectors * bytesPerSector);
+
+  // FAT12 helper: write a 12-bit entry
+  function fatSet(fat: number, cluster: number, value: number): void {
+    const off = fatOffset + (fat * sectorsPerFat * bytesPerSector);
+    const byteIdx = Math.floor(cluster * 3 / 2);
+    if (cluster % 2 === 0) {
+      image[off + byteIdx] = value & 0xFF;
+      image[off + byteIdx + 1] = (image[off + byteIdx + 1]! & 0xF0) | ((value >> 8) & 0x0F);
+    } else {
+      image[off + byteIdx] = (image[off + byteIdx]! & 0x0F) | ((value & 0x0F) << 4);
+      image[off + byteIdx + 1] = (value >> 4) & 0xFF;
+    }
+  }
+
+  // Media descriptor in FAT
+  for (let f = 0; f < numFats; f++) {
+    fatSet(f, 0, 0xFF0);
+    fatSet(f, 1, 0xFFF);
+  }
+
+  let nextCluster = 2;
+
+  function allocClusters(size: number): number {
+    const needed = Math.max(1, Math.ceil(size / clusterSize));
+    const startCluster = nextCluster;
+    for (let i = 0; i < needed; i++) {
+      const c = nextCluster++;
+      const next = (i === needed - 1) ? 0xFFF : c + 1;
+      for (let f = 0; f < numFats; f++) fatSet(f, c, next);
+    }
+    return startCluster;
+  }
+
+  function clusterOffset(cluster: number): number {
+    return dataOffset + (cluster - 2) * clusterSize;
+  }
+
+  function writeDirEntry(dirBuf: Buffer, entryIdx: number, name: string, ext: string, cluster: number, size: number, isDir: boolean): void {
+    const off = entryIdx * 32;
+    dirBuf.write(name.toUpperCase().padEnd(8, " "), off, 8, "ascii");
+    dirBuf.write(ext.toUpperCase().padEnd(3, " "), off + 8, 3, "ascii");
+    dirBuf[off + 11] = isDir ? 0x10 : 0x20; // attributes
+    dirBuf.writeUInt16LE(cluster & 0xFFFF, off + 26); // first cluster low
+    dirBuf.writeUInt32LE(isDir ? 0 : size, off + 28); // file size
+  }
+
+  // --- Create directory structure ---
+  // Root: EFI dir + autoexec.ipxe
+  // EFI: BOOT dir
+  // BOOT: BOOTX64.EFI, BOOTAA64.EFI
+
+  // EFI directory cluster
+  const efiDirCluster = allocClusters(clusterSize);
+  const efiDirBuf = Buffer.alloc(clusterSize, 0);
+
+  // BOOT directory cluster
+  const bootDirCluster = allocClusters(clusterSize);
+  const bootDirBuf = Buffer.alloc(clusterSize, 0);
+
+  // Write . and .. entries for EFI
+  writeDirEntry(efiDirBuf, 0, ".", "", efiDirCluster, 0, true);
+  writeDirEntry(efiDirBuf, 1, "..", "", 0, 0, true);
+  // BOOT subdir in EFI
+  writeDirEntry(efiDirBuf, 2, "BOOT", "", bootDirCluster, 0, true);
+
+  // Write . and .. entries for BOOT
+  writeDirEntry(bootDirBuf, 0, ".", "", bootDirCluster, 0, true);
+  writeDirEntry(bootDirBuf, 1, "..", "", efiDirCluster, 0, true);
+
+  let bootEntryIdx = 2;
+
+  // Root directory entries
+  let rootEntryIdx = 0;
+  // Volume label
+  const rootBuf = image.subarray(rootDirOffset, rootDirOffset + rootDirSectors * bytesPerSector);
+  rootBuf.write("IPXE BOOT  ", rootEntryIdx * 32, 11, "ascii");
+  rootBuf[rootEntryIdx * 32 + 11] = 0x08; // volume label attribute
+  rootEntryIdx++;
+
+  // EFI directory in root
+  writeDirEntry(rootBuf, rootEntryIdx++, "EFI", "", efiDirCluster, 0, true);
+
+  // Write files
+  for (const file of files) {
+    const parts = file.path.toUpperCase().split("/").filter(Boolean);
+    const fileName = parts[parts.length - 1]!;
+    const nameParts = fileName.split(".");
+    const name = nameParts[0]!.substring(0, 8);
+    const ext = (nameParts[1] ?? "").substring(0, 3);
+
+    const fileCluster = allocClusters(file.data.length);
+    file.data.copy(image, clusterOffset(fileCluster));
+
+    if (parts.length === 1) {
+      // Root level file
+      writeDirEntry(rootBuf, rootEntryIdx++, name, ext, fileCluster, file.data.length, false);
+    } else if (parts.length === 3 && parts[0] === "EFI" && parts[1] === "BOOT") {
+      // EFI/BOOT/ file
+      writeDirEntry(bootDirBuf, bootEntryIdx++, name, ext, fileCluster, file.data.length, false);
+    }
+  }
+
+  // Write directory clusters to image
+  efiDirBuf.copy(image, clusterOffset(efiDirCluster));
+  bootDirBuf.copy(image, clusterOffset(bootDirCluster));
+
+  return image;
+}
+
+// --- ISO 9660 builder ---
+
+export function buildBootIso(efiFiles: Array<{ path: string; data: Buffer }>, scriptContent?: string): Buffer {
+  const now = new Date();
+
+  // Build FAT image with all files
+  const allFiles = [...efiFiles];
+  if (scriptContent) {
+    allFiles.push({ path: "autoexec.ipxe", data: Buffer.from(scriptContent, "utf-8") });
+  }
+  const fatImage = buildFatImage(allFiles);
+
+  // ISO layout:
+  // Sector 0-15: System area (unused)
+  // Sector 16: Primary Volume Descriptor
+  // Sector 17: Boot Record Volume Descriptor (El Torito)
+  // Sector 18: Volume Descriptor Set Terminator
+  // Sector 19: Root directory record
+  // Sector 20: El Torito boot catalog
+  // Sector 21: El Torito boot image (the FAT image, this gets large)
+  // After FAT: EFI boot image reference for files visible in ISO
+
+  const fatSectors = Math.ceil(fatImage.length / SECTOR_SIZE);
+  const rootDirSector = 19;
+  const bootCatalogSector = 20;
+  const efiImageSector = 21;
+  const totalSectors = efiImageSector + fatSectors + 1;
+
+  const iso = Buffer.alloc(totalSectors * SECTOR_SIZE, 0);
+
+  // --- Primary Volume Descriptor (sector 16) ---
+  const pvd = iso.subarray(16 * SECTOR_SIZE, 17 * SECTOR_SIZE);
+  pvd[0] = 1; // type: Primary
+  pvd.write("CD001", 1, 5, "ascii"); // standard identifier
+  pvd[6] = 1; // version
+  asciiPad("LABCTL", 32).copy(pvd, 8); // system identifier
+  asciiPad("IPXE_BOOT", 32).copy(pvd, 40); // volume identifier
+  u32both(totalSectors).copy(pvd, 80); // volume space size
+  u16both(1).copy(pvd, 120); // volume set size
+  u16both(1).copy(pvd, 124); // volume sequence number
+  u16both(SECTOR_SIZE).copy(pvd, 128); // logical block size
+
+  // Root directory record (34 bytes)
+  const rootRec = Buffer.alloc(34, 0);
+  rootRec[0] = 34; // length
+  rootRec[1] = 0; // extended attribute length
+  u32both(rootDirSector).copy(rootRec, 2); // extent location
+  u32both(SECTOR_SIZE).copy(rootRec, 10); // data length
+  dirRecordDate(now).copy(rootRec, 18);
+  rootRec[25] = 0x02; // flags: directory
+  rootRec[28] = 1; // file unit size
+  u16both(1).copy(rootRec, 30); // volume sequence
+  rootRec[32] = 1; // name length
+  rootRec[33] = 0; // name: root
+  rootRec.copy(pvd, 156); // copy to PVD
+
+  // Volume dates
+  isoDate(now).copy(pvd, 813); // creation
+  isoDate(now).copy(pvd, 830); // modification
+  Buffer.alloc(17, 0x30).copy(pvd, 847); // expiration (none)
+  isoDate(now).copy(pvd, 864); // effective
+  pvd[881] = 1; // file structure version
+
+  // --- Boot Record Volume Descriptor (El Torito, sector 17) ---
+  const brvd = iso.subarray(17 * SECTOR_SIZE, 18 * SECTOR_SIZE);
+  brvd[0] = 0; // type: Boot Record
+  brvd.write("CD001", 1, 5, "ascii");
+  brvd[6] = 1; // version
+  brvd.write("EL TORITO SPECIFICATION", 7, 32, "ascii");
+  u32le(bootCatalogSector).copy(brvd, 0x47); // boot catalog pointer
+
+  // --- Volume Descriptor Set Terminator (sector 18) ---
+  const vdst = iso.subarray(18 * SECTOR_SIZE, 19 * SECTOR_SIZE);
+  vdst[0] = 255; // type: terminator
+  vdst.write("CD001", 1, 5, "ascii");
+  vdst[6] = 1;
+
+  // --- Root Directory (sector 19) ---
+  const rootDir = iso.subarray(rootDirSector * SECTOR_SIZE, (rootDirSector + 1) * SECTOR_SIZE);
+  let offset = 0;
+
+  // "." entry
+  const dotRec = Buffer.alloc(34, 0);
+  dotRec[0] = 34;
+  u32both(rootDirSector).copy(dotRec, 2);
+  u32both(SECTOR_SIZE).copy(dotRec, 10);
+  dirRecordDate(now).copy(dotRec, 18);
+  dotRec[25] = 0x02;
+  u16both(1).copy(dotRec, 28);
+  dotRec[32] = 1;
+  dotRec[33] = 0;
+  dotRec.copy(rootDir, offset);
+  offset += 34;
+
+  // ".." entry
+  const dotdotRec = Buffer.alloc(34, 0);
+  dotdotRec[0] = 34;
+  u32both(rootDirSector).copy(dotdotRec, 2);
+  u32both(SECTOR_SIZE).copy(dotdotRec, 10);
+  dirRecordDate(now).copy(dotdotRec, 18);
+  dotdotRec[25] = 0x02;
+  u16both(1).copy(dotdotRec, 28);
+  dotdotRec[32] = 1;
+  dotdotRec[33] = 1;
+  dotdotRec.copy(rootDir, offset);
+  offset += 34;
+
+  // EFI boot image file entry (the FAT image visible as a file)
+  const efiFileName = "EFI.IMG;1";
+  const efiRec = Buffer.alloc(33 + efiFileName.length + ((efiFileName.length % 2 === 0) ? 1 : 0), 0);
+  efiRec[0] = efiRec.length;
+  u32both(efiImageSector).copy(efiRec, 2);
+  u32both(fatImage.length).copy(efiRec, 10);
+  dirRecordDate(now).copy(efiRec, 18);
+  efiRec[25] = 0x00; // flags: file
+  u16both(1).copy(efiRec, 28);
+  efiRec[32] = efiFileName.length;
+  efiRec.write(efiFileName, 33, efiFileName.length, "ascii");
+  efiRec.copy(rootDir, offset);
+  offset += efiRec.length;
+
+  // Boot catalog file entry
+  const catFileName = "BOOT.CAT;1";
+  const catRec = Buffer.alloc(33 + catFileName.length + ((catFileName.length % 2 === 0) ? 1 : 0), 0);
+  catRec[0] = catRec.length;
+  u32both(bootCatalogSector).copy(catRec, 2);
+  u32both(SECTOR_SIZE).copy(catRec, 10);
+  dirRecordDate(now).copy(catRec, 18);
+  catRec[25] = 0x01; // flags: hidden
+  u16both(1).copy(catRec, 28);
+  catRec[32] = catFileName.length;
+  catRec.write(catFileName, 33, catFileName.length, "ascii");
+  catRec.copy(rootDir, offset);
+
+  // --- El Torito Boot Catalog (sector 20) ---
+  const catalog = iso.subarray(bootCatalogSector * SECTOR_SIZE, (bootCatalogSector + 1) * SECTOR_SIZE);
+
+  // Validation entry (32 bytes)
+  catalog[0] = 1; // header ID
+  catalog[1] = 0xEF; // platform: EFI
+  catalog.write("LABCTL", 4, 24, "ascii"); // ID string
+  // Calculate checksum for validation entry
+  let cksum = 0;
+  for (let i = 0; i < 32; i += 2) {
+    cksum += catalog[i]! + (catalog[i + 1]! << 8);
+  }
+  catalog.writeUInt16LE((0x10000 - (cksum & 0xFFFF)) & 0xFFFF, 28); // checksum
+  catalog[30] = 0x55;
+  catalog[31] = 0xAA;
+
+  // Default/Initial entry (32 bytes, offset 32)
+  catalog[32] = 0x88; // bootable
+  catalog[33] = 0xEF; // type: EFI
+  catalog.writeUInt16LE(0, 34); // load segment
+  catalog[36] = 0; // system type
+  const efiImageSectors512 = Math.ceil(fatImage.length / FAT_SECTOR_SIZE);
+  catalog.writeUInt16LE(efiImageSectors512 & 0xFFFF, 38); // sector count
+  catalog.writeUInt32LE(efiImageSector, 40); // load LBA
+
+  // --- EFI boot image (FAT filesystem, starting at sector 21) ---
+  fatImage.copy(iso, efiImageSector * SECTOR_SIZE);
+
+  return iso;
+}
+
+/** Build a ready-to-serve iPXE boot ISO from system iPXE binaries. */
+export function buildBastionBootIso(bastionUrl: string): Buffer {
+  const efiFiles: Array<{ path: string; data: Buffer }> = [];
+
+  const PATHS: Record<string, { src: string; dest: string }> = {
+    x86_64: { src: "/usr/share/ipxe/ipxe-snponly-x86_64.efi", dest: "EFI/BOOT/BOOTX64.EFI" },
+    aarch64: { src: "/usr/share/ipxe/arm64-efi/snponly.efi", dest: "EFI/BOOT/BOOTAA64.EFI" },
+  };
+
+  for (const [, paths] of Object.entries(PATHS)) {
+    try {
+      efiFiles.push({ path: paths.dest, data: readFileSync(paths.src) });
+    } catch {
+      // Architecture not available, skip
+    }
+  }
+
+  if (efiFiles.length === 0) {
+    throw new Error("No iPXE EFI binaries found on system");
+  }
+
+  const script = [
+    "#!ipxe",
+    "",
+    "echo Booting from iPXE ISO -- connecting to bastion...",
+    "dhcp || ( echo DHCP failed, retrying... && sleep 3 && dhcp )",
+    `chain ${bastionUrl}/boot.ipxe || shell`,
+  ].join("\n");
+
+  return buildBootIso(efiFiles, script);
+}
diff --git a/bastion/src/bastion/src/services/kickstart-generator.ts b/bastion/src/bastion/src/services/kickstart-generator.ts
new file mode 100644
index 0000000..d1de988
--- /dev/null
+++ b/bastion/src/bastion/src/services/kickstart-generator.ts
@@ -0,0 +1,45 @@
+// Generate kickstart content for discovery and install modes.
+// Uses template literal functions -- no external template engine.
+
+import type { BastionConfig, Role } from "@lab/shared";
+import { renderDiscoverKickstart } from "../templates/discover.ks.js";
+import { renderInstallKickstart, type InstallKickstartParams } from "../templates/install.ks.js";
+
+/**
+ * Generate a discovery kickstart that collects hardware info and POSTs to bastion.
+ */
+export function generateDiscoverKickstart(config: BastionConfig): string {
+  return renderDiscoverKickstart({
+    serverIp: config.serverIp,
+    httpPort: config.httpPort,
+  });
+}
+
+/**
+ * Generate an install kickstart with LVM partitioning, packages, and post-install configuration.
+ */
+export function generateInstallKickstart(
+  config: BastionConfig,
+  params: {
+    hostname: string;
+    disk: string;
+    role: Role;
+  },
+): string {
+  const ksParams: InstallKickstartParams = {
+    hostname: params.hostname,
+    disk: params.disk,
+    role: params.role,
+    domain: config.domain,
+    fedoraVersion: config.fedoraVersion,
+    timezone: config.timezone,
+    locale: config.locale,
+    serverIp: config.serverIp,
+    httpPort: config.httpPort,
+    syslogPort: config.syslogPort,
+    sshKeys: config.sshKeys,
+    adminUser: config.adminUser,
+  };
+
+  return renderInstallKickstart(ksParams);
+}
diff --git a/bastion/src/bastion/src/services/labd-connection.ts b/bastion/src/bastion/src/services/labd-connection.ts
new file mode 100644
index 0000000..bfcd574
--- /dev/null
+++ b/bastion/src/bastion/src/services/labd-connection.ts
@@ -0,0 +1,252 @@
+// WebSocket connection from bastion to labd for registration and state sync.
+// If LABD_URL is configured, bastion registers with labd on startup and pushes
+// state changes. If not configured, bastion runs standalone (backward compatible).
+
+import WebSocket from "ws";
+import { readFileSync, writeFileSync, existsSync } from "node:fs";
+import { hostname as osHostname } from "node:os";
+import type { BastionState, BastionConfig } from "@lab/shared";
+import {
+  type BastionMessage,
+  type LabdBastionMessage,
+  isLabdBastionMessage,
+} from "@lab/shared";
+import { logger } from "./logger.js";
+
+const HEARTBEAT_INTERVAL_MS = 10_000;
+const RECONNECT_BASE_DELAY_MS = 1_000;
+const RECONNECT_MAX_DELAY_MS = 30_000;
+
+type CommandHandler = (msg: LabdBastionMessage) => Promise<{ status: "ok" | "error"; data?: unknown; error?: string }>;
+
+export class BastionConnection {
+  private ws: WebSocket | null = null;
+  private bastionId: string | null = null;
+  private heartbeatTimer: NodeJS.Timeout | null = null;
+  private reconnectTimer: NodeJS.Timeout | null = null;
+  private retryCount = 0;
+  private closed = false;
+  private startTime = Date.now();
+  private commandHandlers = new Map<string, CommandHandler>();
+
+  constructor(
+    private readonly config: BastionConfig,
+    private readonly getState: () => BastionState,
+  ) {
+    // Load persisted bastionId if we've enrolled before
+    const idFile = `${config.bastionDir}/bastion-id`;
+    if (existsSync(idFile)) {
+      this.bastionId = readFileSync(idFile, "utf-8").trim();
+    }
+  }
+
+  /** Register a handler for incoming commands from labd. */
+  onCommand(type: string, handler: CommandHandler): void {
+    this.commandHandlers.set(type, handler);
+  }
+
+  connect(): void {
+    if (this.closed) return;
+    if (!this.config.labdUrl) return;
+
+    const wsUrl = this.config.labdUrl
+      .replace(/^https:/, "wss:")
+      .replace(/^http:/, "ws:");
+
+    const token = this.config.bastionJoinToken ?? "";
+    const url = `${wsUrl}/ws/bastion?token=${encodeURIComponent(token)}`;
+
+    logger.info(`Connecting to labd at ${this.config.labdUrl}...`);
+
+    this.ws = new WebSocket(url);
+
+    this.ws.on("open", () => {
+      logger.info("Connected to labd");
+      this.retryCount = 0;
+
+      // Send enrollment or re-registration
+      if (this.bastionId) {
+        // Already enrolled — send state sync immediately
+        this.sendStateSync();
+      } else {
+        // First time — enroll
+        this.send({
+          type: "bastion-enroll",
+          token,
+          hostname: osHostname(),
+          network: this.config.network,
+          serverIp: this.config.serverIp,
+        });
+      }
+
+      this.startHeartbeat();
+    });
+
+    this.ws.on("message", (data: WebSocket.Data) => {
+      try {
+        const raw = data.toString();
+        const msg: unknown = JSON.parse(raw);
+
+        if (!isLabdBastionMessage(msg)) {
+          logger.warn(`Unknown message from labd: ${(msg as { type?: string }).type}`);
+          return;
+        }
+
+        this.handleMessage(msg);
+      } catch (err) {
+        logger.error(`Failed to parse labd message: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    });
+
+    this.ws.on("close", () => {
+      logger.warn("Disconnected from labd");
+      this.stopHeartbeat();
+      this.scheduleReconnect();
+    });
+
+    this.ws.on("error", (err) => {
+      logger.error(`WebSocket error: ${err.message}`);
+      // close event will fire after this, triggering reconnect
+    });
+  }
+
+  /** Push current state to labd. Call this after any state change. */
+  syncState(): void {
+    if (!this.bastionId || !this.ws || this.ws.readyState !== WebSocket.OPEN) return;
+    this.sendStateSync();
+  }
+
+  /** Forward a progress event to labd. */
+  sendProgress(mac: string, stage: string, detail: string): void {
+    if (!this.bastionId || !this.ws || this.ws.readyState !== WebSocket.OPEN) return;
+    this.send({
+      type: "bastion-progress",
+      bastionId: this.bastionId,
+      mac,
+      stage,
+      detail,
+      timestamp: new Date().toISOString(),
+    });
+  }
+
+  close(): void {
+    this.closed = true;
+    this.stopHeartbeat();
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.ws) {
+      this.ws.close();
+      this.ws = null;
+    }
+  }
+
+  private handleMessage(msg: LabdBastionMessage): void {
+    switch (msg.type) {
+      case "bastion-enrolled":
+        this.bastionId = msg.bastionId;
+        // Persist for reconnects
+        writeFileSync(`${this.config.bastionDir}/bastion-id`, msg.bastionId);
+        logger.info(`Enrolled with labd as bastion ${msg.bastionId}`);
+        // Send initial state
+        this.sendStateSync();
+        break;
+
+      case "bastion-heartbeat-ack":
+        // No-op, confirms labd is alive
+        break;
+
+      case "server-shutdown":
+        logger.info(`labd shutting down, will reconnect in ${msg.reconnectAfter}ms`);
+        break;
+
+      case "command-install":
+      case "command-forget":
+      case "command-role-update":
+        void this.handleCommand(msg);
+        break;
+    }
+  }
+
+  private async handleCommand(msg: LabdBastionMessage & { requestId: string }): Promise<void> {
+    const handler = this.commandHandlers.get(msg.type);
+    if (!handler) {
+      this.send({
+        type: "command-response",
+        requestId: msg.requestId,
+        status: "error",
+        error: `No handler for command: ${msg.type}`,
+      });
+      return;
+    }
+
+    try {
+      const result = await handler(msg);
+      this.send({
+        type: "command-response",
+        requestId: msg.requestId,
+        ...result,
+      });
+    } catch (err) {
+      this.send({
+        type: "command-response",
+        requestId: msg.requestId,
+        status: "error",
+        error: err instanceof Error ? err.message : String(err),
+      });
+    }
+  }
+
+  private sendStateSync(): void {
+    if (!this.bastionId) return;
+    this.send({
+      type: "bastion-state-sync",
+      bastionId: this.bastionId,
+      state: this.getState(),
+    });
+  }
+
+  private startHeartbeat(): void {
+    this.stopHeartbeat();
+    this.heartbeatTimer = setInterval(() => {
+      if (!this.bastionId) return;
+      const state = this.getState();
+      const machineCount =
+        Object.keys(state.discovered).length +
+        Object.keys(state.install_queue).length +
+        Object.keys(state.installed).length;
+
+      this.send({
+        type: "bastion-heartbeat",
+        bastionId: this.bastionId,
+        uptime: Math.floor((Date.now() - this.startTime) / 1000),
+        machineCount,
+      });
+    }, HEARTBEAT_INTERVAL_MS);
+  }
+
+  private stopHeartbeat(): void {
+    if (this.heartbeatTimer) {
+      clearInterval(this.heartbeatTimer);
+      this.heartbeatTimer = null;
+    }
+  }
+
+  private scheduleReconnect(): void {
+    if (this.closed) return;
+    const delay = Math.min(
+      RECONNECT_BASE_DELAY_MS * Math.pow(2, this.retryCount),
+      RECONNECT_MAX_DELAY_MS,
+    );
+    this.retryCount++;
+    logger.info(`Reconnecting to labd in ${delay}ms (attempt ${this.retryCount})...`);
+    this.reconnectTimer = setTimeout(() => this.connect(), delay);
+  }
+
+  private send(msg: BastionMessage): void {
+    if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(msg));
+    }
+  }
+}
diff --git a/bastion/src/bastion/src/services/logger.ts b/bastion/src/bastion/src/services/logger.ts
new file mode 100644
index 0000000..7f80de9
--- /dev/null
+++ b/bastion/src/bastion/src/services/logger.ts
@@ -0,0 +1,17 @@
+// Winston logger instance shared across the bastion application.
+
+import winston from "winston";
+
+export const logger = winston.createLogger({
+  level: "info",
+  format: winston.format.combine(
+    winston.format.timestamp({ format: "HH:mm:ss" }),
+    winston.format.printf(({ timestamp, level, message }) => {
+      const prefix = level === "error" ? "\x1b[31m[bastion]\x1b[0m"
+        : level === "warn" ? "\x1b[33m[bastion]\x1b[0m"
+        : "\x1b[32m[bastion]\x1b[0m";
+      return `${prefix} ${timestamp as string} ${message as string}`;
+    }),
+  ),
+  transports: [new winston.transports.Console()],
+});
diff --git a/bastion/src/bastion/src/services/network.ts b/bastion/src/bastion/src/services/network.ts
new file mode 100644
index 0000000..beb603e
--- /dev/null
+++ b/bastion/src/bastion/src/services/network.ts
@@ -0,0 +1,166 @@
+// Auto-detect network interface, IP, gateway, SSH keys, and admin user.
+
+import { execSync } from "node:child_process";
+import { readFileSync, existsSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import type { BastionConfig } from "@lab/shared";
+import { logger } from "./logger.js";
+
+/**
+ * Detect the default network interface from the routing table.
+ */
+export function detectInterface(): string {
+  const output = execSync("ip route", { encoding: "utf-8" });
+  const match = output.match(/default\s+.*\s+dev\s+(\S+)/);
+  const ifaceMatch = match?.[1];
+  if (ifaceMatch === undefined) {
+    throw new Error("Cannot detect default network interface");
+  }
+  return ifaceMatch;
+}
+
+/**
+ * Detect the IPv4 address on a given interface.
+ */
+export function detectIp(iface: string): string {
+  const output = execSync(`ip -4 addr show ${iface}`, { encoding: "utf-8" });
+  const match = output.match(/inet\s+(\d+\.\d+\.\d+\.\d+)/);
+  const ipMatch = match?.[1];
+  if (ipMatch === undefined) {
+    throw new Error(`Cannot detect IP on interface ${iface}`);
+  }
+  return ipMatch;
+}
+
+/**
+ * Derive the /24 network address from an IP.
+ */
+export function deriveNetwork(ip: string): string {
+  const parts = ip.split(".");
+  return `${parts[0]}.${parts[1]}.${parts[2]}.0`;
+}
+
+/**
+ * Detect the default gateway.
+ */
+export function detectGateway(): string {
+  const output = execSync("ip route", { encoding: "utf-8" });
+  const match = output.match(/default\s+via\s+(\S+)/);
+  const gwMatch = match?.[1];
+  if (gwMatch === undefined) {
+    throw new Error("Cannot detect default gateway");
+  }
+  return gwMatch;
+}
+
+/**
+ * Collect SSH public keys from the current user's SSH directory.
+ * Sources: authorized_keys, then id_ed25519.pub, id_rsa.pub, id_ecdsa.pub (deduplicated).
+ */
+export function collectSshKeys(bastionDir: string): { keys: string[]; source: string } {
+  const sudoUser = process.env["SUDO_USER"];
+  let realHome: string;
+  if (sudoUser !== undefined) {
+    const passwdEntry = execSync(`getent passwd ${sudoUser}`, { encoding: "utf-8" })
+      .split(":")[5]
+      ?.trim();
+    realHome = passwdEntry !== undefined && passwdEntry !== "" ? passwdEntry : homedir();
+  } else {
+    realHome = homedir();
+  }
+
+  const keys: string[] = [];
+  const fingerprints = new Set<string>();
+  let source = "";
+
+  // Read authorized_keys
+  const authKeysPath = join(realHome, ".ssh", "authorized_keys");
+  if (existsSync(authKeysPath)) {
+    const content = readFileSync(authKeysPath, "utf-8");
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (trimmed && !trimmed.startsWith("#")) {
+        const fp = trimmed.split(/\s+/)[1];
+        if (fp !== undefined && fp !== "" && !fingerprints.has(fp)) {
+          keys.push(trimmed);
+          fingerprints.add(fp);
+        }
+      }
+    }
+    source = authKeysPath;
+  }
+
+  // Also include local pubkey files
+  const pubKeyFiles = ["id_ed25519.pub", "id_rsa.pub", "id_ecdsa.pub"];
+  for (const keyFile of pubKeyFiles) {
+    const keyPath = join(realHome, ".ssh", keyFile);
+    if (existsSync(keyPath)) {
+      const keyData = readFileSync(keyPath, "utf-8").trim();
+      const fp = keyData.split(/\s+/)[1];
+      if (fp !== undefined && fp !== "" && !fingerprints.has(fp)) {
+        keys.push(keyData);
+        fingerprints.add(fp);
+        source = source ? `${source} + ${keyPath}` : keyPath;
+      }
+    }
+  }
+
+  // Generate a keypair if no keys found
+  if (keys.length === 0) {
+    const generatedKey = join(bastionDir, "bastion_ed25519");
+    if (!existsSync(generatedKey)) {
+      mkdirSync(bastionDir, { recursive: true });
+      logger.warn("No SSH keys found -- generating ed25519 keypair...");
+      execSync(`ssh-keygen -t ed25519 -f "${generatedKey}" -N "" -C "bastion-generated@$(hostname)"`, {
+        encoding: "utf-8",
+        stdio: "pipe",
+      });
+    }
+    const pubKey = readFileSync(`${generatedKey}.pub`, "utf-8").trim();
+    keys.push(pubKey);
+    source = `${generatedKey} (generated)`;
+    logger.warn(`Using generated keypair: ${generatedKey}`);
+    logger.warn("Save this private key -- it is the only way to access installed machines.");
+  }
+
+  return { keys, source };
+}
+
+/**
+ * Detect the admin username (SUDO_USER or current user, excluding root).
+ */
+export function detectAdminUser(): string {
+  const user = process.env["SUDO_USER"] ?? process.env["USER"] ?? "";
+  return user === "root" ? "" : user;
+}
+
+/**
+ * Populate runtime network config fields on the config object.
+ */
+export function populateNetworkConfig(config: BastionConfig): BastionConfig {
+  const iface = config.iface !== "" ? config.iface : detectInterface();
+  const serverIp = config.serverIp !== "" ? config.serverIp : detectIp(iface);
+  const network = config.network !== "" ? config.network : deriveNetwork(serverIp);
+  const gateway = config.gateway !== "" ? config.gateway : detectGateway();
+  const { keys: sshKeys, source: sshSource } = config.sshKeys.length > 0
+    ? { keys: config.sshKeys, source: "config" }
+    : collectSshKeys(config.bastionDir);
+  const adminUser = config.adminUser !== "" ? config.adminUser : detectAdminUser();
+
+  logger.info(`Interface: ${iface}  IP: ${serverIp}  Network: ${network}`);
+  logger.info(`SSH keys: ${sshKeys.length} key(s) from ${sshSource}`);
+  if (adminUser !== "") {
+    logger.info(`Admin user: ${adminUser} (will be created on installed machines)`);
+  }
+
+  return {
+    ...config,
+    iface,
+    serverIp,
+    network,
+    gateway,
+    sshKeys,
+    adminUser,
+  };
+}
diff --git a/bastion/src/bastion/src/services/post-provision.ts b/bastion/src/bastion/src/services/post-provision.ts
new file mode 100644
index 0000000..e8509b9
--- /dev/null
+++ b/bastion/src/bastion/src/services/post-provision.ts
@@ -0,0 +1,233 @@
+// Post-provision automation: installs k3s after OS provisioning completes.
+// Runs asynchronously — does not block the progress callback.
+
+import { spawn } from "node:child_process";
+import { existsSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { logger } from "./logger.js";
+import { progressBus } from "./progress-events.js";
+
+function findSshKey(): string | undefined {
+  const sudoUser = process.env["SUDO_USER"];
+  const realHome = sudoUser ? join("/home", sudoUser) : homedir();
+  for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+    const p = join(realHome, ".ssh", name);
+    if (existsSync(p)) return p;
+  }
+  return undefined;
+}
+
+/** Wait for SSH to become available, with retries. */
+async function waitForSsh(ip: string, user: string, keyPath: string | undefined, timeoutMs: number): Promise<boolean> {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const result = await sshExec(ip, user, "echo ok", keyPath);
+      if (result.includes("ok")) return true;
+    } catch { /* retry */ }
+    await new Promise((r) => setTimeout(r, 5000));
+  }
+  return false;
+}
+
+function sshExec(ip: string, user: string, command: string, keyPath: string | undefined): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const args = [
+      "-o", "StrictHostKeyChecking=no",
+      "-o", "ConnectTimeout=10",
+      "-o", "BatchMode=yes",
+      ...(keyPath ? ["-i", keyPath] : []),
+      `${user}@${ip}`,
+      command,
+    ];
+    const proc = spawn("ssh", args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    proc.stdout.on("data", (d: Buffer) => { stdout += d.toString(); });
+    proc.on("close", (code) => {
+      if (code === 0) resolve(stdout);
+      else reject(new Error(`SSH exit ${code}`));
+    });
+    proc.on("error", reject);
+  });
+}
+
+function sshRunStreaming(ip: string, user: string, command: string, keyPath: string | undefined, label: string, mac?: string): Promise<number> {
+  return new Promise((resolve) => {
+    const args = [
+      "-o", "StrictHostKeyChecking=no",
+      "-o", "ConnectTimeout=10",
+      "-o", "BatchMode=yes",
+      ...(keyPath ? ["-i", keyPath] : []),
+      `${user}@${ip}`,
+      command,
+    ];
+    const proc = spawn("ssh", args, { stdio: ["ignore", "pipe", "pipe"] });
+    proc.stdout.on("data", (d: Buffer) => {
+      for (const line of d.toString().split("\n").filter(Boolean)) {
+        logger.info(`[k3s:${label}] ${line}`);
+        if (mac) {
+          progressBus.emit({ mac, hostname: label, stage: "log", detail: `[k3s] ${line}`, timestamp: new Date().toISOString() });
+        }
+      }
+    });
+    proc.stderr.on("data", (d: Buffer) => {
+      for (const line of d.toString().split("\n").filter(Boolean)) {
+        logger.info(`[k3s:${label}] ${line}`);
+        if (mac) {
+          progressBus.emit({ mac, hostname: label, stage: "log", detail: `[k3s] ${line}`, timestamp: new Date().toISOString() });
+        }
+      }
+    });
+    proc.on("close", (code) => resolve(code ?? 1));
+    proc.on("error", () => resolve(1));
+  });
+}
+
+/**
+ * Trigger k3s installation on a freshly provisioned machine.
+ * Runs in the background — logs progress to bastion console and progressBus.
+ */
+export async function triggerPostProvisionK3s(
+  hostname: string,
+  ip: string,
+  role: string,
+  sshUser: string,
+  mac?: string,
+): Promise<void> {
+  const keyPath = findSshKey();
+
+  const emitStage = (stage: string, detail: string): void => {
+    logger.info(`[k3s] ${detail}`);
+    if (mac) {
+      progressBus.emit({ mac, hostname, stage, detail, timestamp: new Date().toISOString() });
+    }
+  };
+
+  emitStage("post-provision", `auto-installing k3s on ${hostname} (${ip}) role=${role}`);
+  emitStage("post-provision", "waiting for SSH (machine may still be rebooting)");
+
+  // Wait up to 5 minutes for SSH (machine just finished kickstart and is rebooting)
+  const sshReady = await waitForSsh(ip, sshUser, keyPath, 300_000);
+  if (!sshReady) {
+    emitStage("error", `SSH not available on ${hostname} (${ip}) after 5 minutes`);
+    logger.error(`[k3s] Run manually: labctl app k3s install ${hostname}`);
+    return;
+  }
+
+  emitStage("post-provision", "SSH ready, installing k3s prerequisites");
+
+  // Step 1: Prerequisites
+  await sshRunStreaming(ip, sshUser, "sudo modprobe br_netfilter overlay 2>/dev/null; sudo swapoff -a", keyPath, hostname, mac);
+
+  // Step 2: Sysctl
+  emitStage("post-provision", "configuring sysctl for k3s");
+  await sshRunStreaming(ip, sshUser, `sudo bash -c 'cat > /etc/sysctl.d/90-k3s.conf << EOF
+net.bridge.bridge-nf-call-iptables=1
+net.bridge.bridge-nf-call-ip6tables=1
+net.ipv4.ip_forward=1
+vm.panic_on_oom=0
+vm.overcommit_memory=1
+kernel.panic=10
+kernel.panic_on_oops=1
+EOF
+sysctl --system > /dev/null'`, keyPath, hostname, mac);
+
+  // Step 3: SELinux + firewalld + stale CNI cleanup
+  emitStage("post-provision", "disabling firewalld and cleaning stale CNI");
+  await sshRunStreaming(ip, sshUser, [
+    "sudo setenforce 0 2>/dev/null || true",
+    "sudo systemctl disable --now firewalld 2>/dev/null || true",
+    "sudo systemctl mask firewalld 2>/dev/null || true",
+    // Clean stale CNI interfaces that conflict with Cilium (flannel.1 uses same vxlan port 8472)
+    "sudo systemctl stop k3s 2>/dev/null || true",
+    "sudo ip link delete flannel.1 2>/dev/null || true",
+    "sudo ip link delete cilium_vxlan 2>/dev/null || true",
+    "sudo ip link delete cilium_host 2>/dev/null || true",
+    "sudo ip link delete cilium_net 2>/dev/null || true",
+    "sudo rm -rf /etc/cni/net.d/* /var/lib/cni/ 2>/dev/null || true",
+  ].join("; "), keyPath, hostname, mac);
+
+  // Step 4: Install k3s
+  // labcontroller extends infra — both are k3s servers
+  const k3sRole = (role === "infra" || role === "labcontroller") ? "server" : "agent";
+  emitStage("post-provision", `installing k3s ${k3sRole}`);
+  const code = await sshRunStreaming(ip, sshUser,
+    `curl -sfL https://get.k3s.io | sudo INSTALL_K3S_EXEC="${k3sRole}" INSTALL_K3S_SKIP_SELINUX_RPM=true sh -`,
+    keyPath, hostname, mac,
+  );
+
+  if (code !== 0) {
+    emitStage("error", `k3s install failed on ${hostname} (exit ${code})`);
+    logger.error(`[k3s] Run manually: labctl app k3s install ${hostname}`);
+    return;
+  }
+
+  // Step 5: Wait for ready
+  emitStage("post-provision", "waiting for k3s node to become Ready");
+  await sshRunStreaming(ip, sshUser,
+    "for i in $(seq 1 60); do sudo k3s kubectl get nodes 2>/dev/null | grep -q Ready && break; sleep 2; done",
+    keyPath, hostname, mac,
+  );
+
+  emitStage("post-provision", `k3s ${k3sRole} installed on ${hostname} (${ip})`);
+
+  // Step 6: Deploy role-specific apps from ROLE_REGISTRY chain
+  const { ROLE_REGISTRY } = await import("@lab/shared");
+  const roleInfo = ROLE_REGISTRY.find((r: { name: string }) => r.name === role);
+
+  if (roleInfo && roleInfo.apps.length > 0) {
+    emitStage("post-provision", `deploying apps: ${roleInfo.apps.join(", ")}`);
+
+    if (roleInfo.apps.includes("cockroachdb") || roleInfo.apps.includes("labd") || roleInfo.apps.includes("bastion")) {
+      // This is a labcontroller — deploy the full stack
+      emitStage("post-provision", `deploying labcontroller stack on ${hostname}`);
+
+      try {
+        const { cockroachDbManifests } = await import("@lab/modules/dist/modules/labcontroller/src/cockroachdb.js");
+        const { labdManifests } = await import("@lab/modules/dist/modules/labcontroller/src/labd.js");
+        const { bastionManifests } = await import("@lab/modules/dist/modules/labcontroller/src/bastion.js");
+
+        const crdb = cockroachDbManifests();
+        const labd = labdManifests({ databaseUrl: crdb.connectionString });
+        const bastion = bastionManifests();
+
+        const manifests = [
+          crdb.namespace, crdb.headlessService, crdb.clientService, crdb.statefulSet,
+          labd.service, labd.deployment,
+          bastion.daemonSet,
+        ];
+
+        for (const manifest of manifests) {
+          const json = JSON.stringify(manifest);
+          const kind = (manifest as { kind?: string }).kind ?? "?";
+          const name = ((manifest as { metadata?: { name?: string } }).metadata)?.name ?? "?";
+          const result = await sshRunStreaming(ip, sshUser,
+            `echo '${json.replace(/'/g, "'\\''")}' | sudo k3s kubectl apply -f -`,
+            keyPath, hostname, mac,
+          );
+          if (result === 0) {
+            emitStage("post-provision", `applied ${kind}/${name}`);
+          } else {
+            emitStage("error", `failed to apply ${kind}/${name}`);
+          }
+        }
+
+        // Init CockroachDB
+        const initJson = JSON.stringify(crdb.initJob);
+        await sshRunStreaming(ip, sshUser,
+          `echo '${initJson.replace(/'/g, "'\\''")}' | sudo k3s kubectl apply -f - 2>/dev/null; sleep 30; sudo k3s kubectl exec cockroachdb-0 -n lab-system -- /cockroach/cockroach sql --insecure -e 'CREATE DATABASE IF NOT EXISTS lab' 2>/dev/null || true`,
+          keyPath, hostname, mac,
+        );
+
+        emitStage("post-provision", `labcontroller stack deployed on ${hostname}`);
+      } catch (err) {
+        const errMsg = err instanceof Error ? err.message : String(err);
+        emitStage("error", `failed to deploy labcontroller stack: ${errMsg}`);
+        logger.error(`[post-provision] Run manually: labctl app labcontroller deploy ${hostname}`);
+      }
+    }
+  }
+
+  emitStage("post-provision", `${hostname} (${ip}) provisioning complete (role: ${role})`);
+}
diff --git a/bastion/src/bastion/src/services/progress-events.ts b/bastion/src/bastion/src/services/progress-events.ts
new file mode 100644
index 0000000..90d8587
--- /dev/null
+++ b/bastion/src/bastion/src/services/progress-events.ts
@@ -0,0 +1,28 @@
+// In-memory event bus for provision progress updates.
+// Allows SSE clients to subscribe to real-time progress and log lines.
+
+import { EventEmitter } from "node:events";
+
+export interface ProgressEvent {
+  mac: string;
+  hostname: string;
+  /** "log" for raw log lines, anything else is a progress stage name */
+  stage: string;
+  detail: string;
+  timestamp: string;
+}
+
+// Simple typed wrapper around EventEmitter for progress events.
+const _bus = new EventEmitter();
+
+export const progressBus = {
+  emit(event: ProgressEvent): void {
+    _bus.emit("progress", event);
+  },
+  on(listener: (event: ProgressEvent) => void): void {
+    _bus.on("progress", listener);
+  },
+  off(listener: (event: ProgressEvent) => void): void {
+    _bus.off("progress", listener);
+  },
+};
diff --git a/bastion/src/bastion/src/services/state.ts b/bastion/src/bastion/src/services/state.ts
new file mode 100644
index 0000000..ea90218
--- /dev/null
+++ b/bastion/src/bastion/src/services/state.ts
@@ -0,0 +1,69 @@
+// JSON file-backed state management for discovered machines, install queue, and installed machines.
+
+import { readFileSync, writeFileSync, renameSync, mkdirSync } from "node:fs";
+import { dirname } from "node:path";
+import type { BastionState } from "@lab/shared";
+
+// Re-export types for consumers that import from this module
+export type { HardwareInfo, InstallConfig, InstalledInfo, BastionState } from "@lab/shared";
+
+const EMPTY_STATE: BastionState = {
+  discovered: {},
+  install_queue: {},
+  installed: {},
+};
+
+export type StateChangeListener = (state: BastionState) => void;
+
+export class StateManager {
+  private changeListeners: StateChangeListener[] = [];
+
+  constructor(private readonly stateFile: string) {}
+
+  /** Register a listener that fires after every state update. */
+  onChange(listener: StateChangeListener): void {
+    this.changeListeners.push(listener);
+  }
+
+  load(): BastionState {
+    try {
+      const raw = readFileSync(this.stateFile, "utf-8");
+      const parsed = JSON.parse(raw) as Partial<BastionState>;
+      return {
+        discovered: parsed.discovered ?? {},
+        install_queue: parsed.install_queue ?? {},
+        installed: parsed.installed ?? {},
+      };
+    } catch {
+      return { ...EMPTY_STATE };
+    }
+  }
+
+  save(state: BastionState): void {
+    mkdirSync(dirname(this.stateFile), { recursive: true });
+    const tmp = `${this.stateFile}.tmp`;
+    writeFileSync(tmp, JSON.stringify(state, null, 2));
+    renameSync(tmp, this.stateFile);
+  }
+
+  init(): void {
+    try {
+      readFileSync(this.stateFile, "utf-8");
+    } catch {
+      this.save({ ...EMPTY_STATE });
+    }
+  }
+
+  /**
+   * Atomically read, modify, and write state.
+   */
+  update(fn: (state: BastionState) => void): BastionState {
+    const state = this.load();
+    fn(state);
+    this.save(state);
+    for (const listener of this.changeListeners) {
+      try { listener(state); } catch { /* don't let listener errors break state updates */ }
+    }
+    return state;
+  }
+}
diff --git a/bastion/src/bastion/src/services/syslog-listener.ts b/bastion/src/bastion/src/services/syslog-listener.ts
new file mode 100644
index 0000000..07c384e
--- /dev/null
+++ b/bastion/src/bastion/src/services/syslog-listener.ts
@@ -0,0 +1,99 @@
+// UDP syslog listener for receiving Anaconda install logs.
+// Anaconda's `logging --host` sends RFC 3164 syslog over UDP.
+// We parse the messages and route them to InstallLogBuffer.
+
+import { createSocket, type Socket } from "node:dgram";
+import type { InstallLogBuffer } from "./install-log.js";
+import type { StateManager } from "./state.js";
+import { logger } from "./logger.js";
+
+/**
+ * Parse a BSD syslog (RFC 3164) message.
+ * Format: <PRI>TIMESTAMP HOSTNAME APP[PID]: MESSAGE
+ * Anaconda messages look like: <13>Mar 28 19:32:01 anaconda[1234]: some message
+ */
+function parseSyslogLine(raw: string): { program: string; message: string } {
+  // Strip priority: <NN>
+  const noPri = raw.replace(/^<\d+>/, "");
+  // Try to extract program and message after the timestamp + hostname
+  // RFC 3164: "Mon DD HH:MM:SS HOSTNAME PROGRAM[PID]: MESSAGE"
+  const match = noPri.match(/^\w+\s+\d+\s+[\d:]+\s+\S+\s+(\S+?)(?:\[\d+\])?:\s*(.*)/);
+  if (match) {
+    return { program: match[1], message: match[2] };
+  }
+  // Fallback: just return the whole line
+  return { program: "unknown", message: noPri.trim() };
+}
+
+export class SyslogListener {
+  private socket: Socket | null = null;
+  private port: number;
+  private installLog: InstallLogBuffer;
+  private state: StateManager;
+
+  constructor(port: number, installLog: InstallLogBuffer, state: StateManager) {
+    this.port = port;
+    this.installLog = installLog;
+    this.state = state;
+  }
+
+  /** Resolve a source IP to a MAC address using the install queue. */
+  private resolveIpToMac(ip: string): string | null {
+    const currentState = this.state.load();
+
+    // Check install queue — machines being installed have an IP from DHCP
+    for (const [mac, entry] of Object.entries(currentState.install_queue)) {
+      // The progress callback sends IP in "complete" detail, but during install
+      // we need to match by what we know. Check if any progress mentions this IP.
+      if (entry.progress_detail?.includes(ip)) return mac;
+    }
+
+    // Check installed machines
+    for (const [mac, info] of Object.entries(currentState.installed)) {
+      if (info.ip === ip) return mac;
+    }
+
+    return null;
+  }
+
+  /** Resolve a MAC to the hostname from install queue or installed state. */
+  private resolveHostname(mac: string): string {
+    const s = this.state.load();
+    return s.install_queue[mac]?.hostname ?? s.installed[mac]?.hostname ?? mac;
+  }
+
+  start(): void {
+    this.socket = createSocket("udp4");
+
+    this.socket.on("message", (msg, rinfo) => {
+      const raw = msg.toString("utf-8").trim();
+      if (!raw) return;
+
+      const { program, message } = parseSyslogLine(raw);
+      const mac = this.resolveIpToMac(rinfo.address);
+
+      if (mac) {
+        const hostname = this.resolveHostname(mac);
+        const line = program !== "unknown" ? `[${program}] ${message}` : message;
+        this.installLog.append(mac, [line], hostname);
+      }
+      // If we can't resolve the IP, we still log it for debugging
+      // but don't store it in the install log buffer
+    });
+
+    this.socket.on("error", (err) => {
+      logger.error(`Syslog listener error: ${err.message}`);
+    });
+
+    this.socket.bind(this.port, "0.0.0.0", () => {
+      logger.info(`Syslog listener on UDP :${this.port}`);
+    });
+  }
+
+  stop(): void {
+    if (this.socket) {
+      this.socket.close();
+      this.socket = null;
+    }
+  }
+}
diff --git a/bastion/src/bastion/src/templates/boot.ipxe.ts b/bastion/src/bastion/src/templates/boot.ipxe.ts
new file mode 100644
index 0000000..72f329f
--- /dev/null
+++ b/bastion/src/bastion/src/templates/boot.ipxe.ts
@@ -0,0 +1,93 @@
+// iPXE boot script templates for dispatch routing.
+
+export interface BootIpxeParams {
+  serverIp: string;
+  httpPort: number;
+}
+
+/**
+ * Initial iPXE boot script that chains to the dispatch endpoint.
+ * This is what dnsmasq serves to iPXE clients via HTTP.
+ */
+export function renderBootIpxe(params: BootIpxeParams): string {
+  return `#!ipxe
+
+echo
+echo ============================================
+echo   Lab PXE Bastion
+echo   Contacting server for instructions...
+echo ============================================
+echo
+
+chain http://${params.serverIp}:${params.httpPort}/dispatch?mac=\${net0/mac}
+`;
+}
+
+/**
+ * iPXE script for discovery mode -- boots Fedora installer with discovery kickstart.
+ */
+export function renderDiscoverIpxe(params: {
+  mac: string;
+  serverIp: string;
+  httpPort: number;
+  fedoraMirror: string;
+}): string {
+  return `#!ipxe
+
+echo
+echo =============================================
+echo   Lab PXE Bastion - DISCOVERY MODE
+echo   MAC: ${params.mac}
+echo   Collecting hardware info...
+echo =============================================
+echo
+
+kernel http://${params.serverIp}:${params.httpPort}/vmlinuz inst.ks=http://${params.serverIp}:${params.httpPort}/discover.ks inst.stage2=${params.fedoraMirror} inst.text console=ttyS0,115200n8 console=tty0
+initrd http://${params.serverIp}:${params.httpPort}/initrd.img
+boot
+`;
+}
+
+/**
+ * iPXE script for install mode -- boots Fedora installer with per-MAC kickstart.
+ */
+export function renderInstallIpxe(params: {
+  mac: string;
+  hostname: string;
+  serverIp: string;
+  httpPort: number;
+  fedoraVersion: string;
+  fedoraMirror: string;
+}): string {
+  return `#!ipxe
+
+echo
+echo =============================================
+echo   Lab PXE Bastion - INSTALLING Fedora ${params.fedoraVersion}
+echo   Target: ${params.hostname}
+echo   MAC:    ${params.mac}
+echo =============================================
+echo
+
+kernel http://${params.serverIp}:${params.httpPort}/vmlinuz inst.ks=http://${params.serverIp}:${params.httpPort}/ks?mac=${params.mac} inst.repo=${params.fedoraMirror} inst.text console=ttyS0,115200n8 console=tty0
+initrd http://${params.serverIp}:${params.httpPort}/initrd.img
+boot
+`;
+}
+
+/**
+ * iPXE script for already-installed machines -- exits to boot from local disk.
+ */
+export function renderLocalBootIpxe(hostname: string): string {
+  return `#!ipxe
+
+echo
+echo =============================================
+echo   Lab PXE Bastion - ${hostname}
+echo   Already installed, booting from local disk
+echo =============================================
+echo
+sleep 3
+exit 1
+`;
+}
diff --git a/bastion/src/bastion/src/templates/discover.ks.ts b/bastion/src/bastion/src/templates/discover.ks.ts
new file mode 100644
index 0000000..79497ba
--- /dev/null
+++ b/bastion/src/bastion/src/templates/discover.ks.ts
@@ -0,0 +1,118 @@
+// Discovery kickstart template.
+// Boots Fedora installer, collects hardware info, POSTs to bastion, reboots.
+// Never touches the disk.
+
+export interface DiscoverKickstartParams {
+  serverIp: string;
+  httpPort: number;
+}
+
+export function renderDiscoverKickstart(params: DiscoverKickstartParams): string {
+  const bastionUrl = `http://${params.serverIp}:${params.httpPort}`;
+
+  return `# Lab Bastion -- Discovery Mode
+# Collects hardware inventory and reboots. Does NOT install anything.
+
+%pre --erroronfail --log=/tmp/discover.log
+#!/bin/bash
+set -x
+
+# -- Collect hardware info from /proc, /sys, and available tools --
+
+MAC=$(ip link show | awk '/ether/ && !/00:00:00:00/ {print $2; exit}')
+PRODUCT=$(cat /sys/class/dmi/id/product_name 2>/dev/null || echo "unknown")
+BOARD=$(cat /sys/class/dmi/id/board_name 2>/dev/null || echo "unknown")
+SERIAL=$(cat /sys/class/dmi/id/product_serial 2>/dev/null || echo "unknown")
+MANUFACTURER=$(cat /sys/class/dmi/id/sys_vendor 2>/dev/null || echo "unknown")
+CPUMODEL=$(grep -m1 'model name' /proc/cpuinfo | cut -d: -f2 | sed 's/^ //')
+CPUCORES=$(grep -c '^processor' /proc/cpuinfo)
+MEMGB=$(awk '/MemTotal/ {printf "%d", $2/1024/1024}' /proc/meminfo)
+ARCHTYPE=$(uname -m)
+
+# Disk info
+DISKS_JSON=$(lsblk -Jb -o NAME,SIZE,TYPE,MODEL 2>/dev/null | python3 -c "
+import sys, json
+data = json.load(sys.stdin)
+disks = [d for d in data.get('blockdevices', []) if d.get('type') == 'disk']
+result = []
+for d in disks:
+    size_gb = round(int(d.get('size', 0)) / 1073741824, 1)
+    result.append({
+        'name': d.get('name', '?'),
+        'size_gb': size_gb,
+        'model': (d.get('model') or 'unknown').strip()
+    })
+print(json.dumps(result))
+" 2>/dev/null || echo '[]')
+
+# Network interfaces
+NICS_JSON=$(ip -j link show 2>/dev/null | python3 -c "
+import sys, json
+nics = json.load(sys.stdin)
+result = []
+for n in nics:
+    if n.get('link_type') == 'loopback':
+        continue
+    result.append({
+        'name': n.get('ifname', '?'),
+        'mac': n.get('address', '?'),
+        'state': n.get('operstate', '?')
+    })
+print(json.dumps(result))
+" 2>/dev/null || echo '[]')
+
+# -- Build and POST discovery payload --
+
+PAYLOAD=$(python3 -c "
+import json
+print(json.dumps({
+    'mac': '$MAC',
+    'product': '$PRODUCT',
+    'board': '$BOARD',
+    'serial': '$SERIAL',
+    'manufacturer': '$MANUFACTURER',
+    'cpu_model': '$CPUMODEL',
+    'cpu_cores': int('$CPUCORES' or 0),
+    'memory_gb': int('$MEMGB' or 0),
+    'arch': '$ARCHTYPE',
+    'disks': $DISKS_JSON,
+    'nics': $NICS_JSON
+}))
+")
+
+# POST to bastion
+BASTION_URL="${bastionUrl}/api/discover"
+
+if command -v curl >/dev/null 2>&1; then
+    curl -sf -X POST "$BASTION_URL" \\
+        -H "Content-Type: application/json" \\
+        -d "$PAYLOAD" || true
+else
+    python3 -c "
+import urllib.request
+req = urllib.request.Request('$BASTION_URL',
+    data=b'''$PAYLOAD''',
+    headers={'Content-Type': 'application/json'})
+try:
+    urllib.request.urlopen(req, timeout=10)
+except Exception as e:
+    print(f'POST failed: {e}')
+"
+fi
+
+# -- Reboot -- do NOT let Anaconda proceed --
+echo ""
+echo "=== Discovery complete, rebooting ==="
+echo ""
+sleep 3
+echo 1 > /proc/sys/kernel/sysrq
+echo b > /proc/sysrq-trigger
+sleep 5
+reboot -f
+
+%end
+
+# Anaconda should never get here, but just in case:
+reboot
+`;
+}
diff --git a/bastion/src/bastion/src/templates/dnsmasq.conf.ts b/bastion/src/bastion/src/templates/dnsmasq.conf.ts
new file mode 100644
index 0000000..af972da
--- /dev/null
+++ b/bastion/src/bastion/src/templates/dnsmasq.conf.ts
@@ -0,0 +1,97 @@
+// dnsmasq configuration template.
+// Supports proxy DHCP mode (alongside existing DHCP) and full DHCP mode.
+// Handles UEFI HTTP Boot, iPXE chainloading, and PXE service directives.
+
+import type { BastionConfig } from "@lab/shared";
+
+export function renderDnsmasqConf(config: BastionConfig): string {
+  const {
+    iface,
+    serverIp,
+    httpPort,
+    network,
+    gateway,
+    dhcpMode,
+    tftpDir,
+  } = config;
+
+  // Derive DHCP range for full mode
+  let dhcpRangeStart = config.dhcpRangeStart;
+  let dhcpRangeEnd = config.dhcpRangeEnd;
+  if (dhcpMode === "full") {
+    const networkBase = network.replace(/\.0$/, "");
+    dhcpRangeStart = dhcpRangeStart || `${networkBase}.100`;
+    dhcpRangeEnd = dhcpRangeEnd || `${networkBase}.200`;
+  }
+
+  const dhcpSection = dhcpMode === "full"
+    ? `# Full DHCP mode -- bastion is the only DHCP server on this network
+dhcp-range=${dhcpRangeStart},${dhcpRangeEnd},255.255.255.0,12h
+dhcp-option=3,${gateway}
+dhcp-option=6,${gateway}`
+    : `# ProxyDHCP -- works alongside existing DHCP (UniFi etc)
+dhcp-range=${network},proxy`;
+
+  return `# Lab PXE Bastion -- dnsmasq config
+
+# Disable DNS (we only want DHCP/TFTP)
+port=0
+
+# Listen on the right interface
+interface=${iface}
+bind-dynamic
+
+${dhcpSection}
+
+# TFTP for initial PXE boot
+enable-tftp
+tftp-root=${tftpDir}
+tftp-no-blocksize
+
+# Detect client architecture -- PXE (TFTP) clients
+dhcp-match=set:bios,option:client-arch,0
+dhcp-match=set:efi-x86_64,option:client-arch,7
+dhcp-match=set:efi-x86_64,option:client-arch,9
+dhcp-match=set:efi-arm64,option:client-arch,11
+
+# Detect client architecture -- UEFI HTTP Boot clients (no TFTP size limit)
+dhcp-match=set:httpboot-x86_64,option:client-arch,16
+dhcp-match=set:httpboot-arm64,option:client-arch,20
+
+# Detect iPXE clients (already chainloaded)
+dhcp-userclass=set:ipxe,iPXE
+
+# UEFI HTTP Boot -> serve full iPXE EFI via HTTP (no TFTP size limit)
+dhcp-boot=tag:httpboot-x86_64,http://${serverIp}:${httpPort}/ipxe.efi
+dhcp-boot=tag:httpboot-arm64,http://${serverIp}:${httpPort}/ipxe-arm64.efi
+# Echo vendor class back to HTTP Boot clients (required by UEFI HTTP Boot spec)
+dhcp-option-force=tag:httpboot-x86_64,60,HTTPClient
+dhcp-option-force=tag:httpboot-arm64,60,HTTPClient
+
+# First PXE boot -> serve iPXE binary via TFTP (BIOS and UEFI fallback)
+dhcp-boot=tag:bios,tag:!ipxe,undionly.kpxe
+dhcp-boot=tag:efi-x86_64,tag:!ipxe,ipxe.efi
+dhcp-boot=tag:efi-arm64,tag:!ipxe,ipxe-arm64.efi
+# Echo vendor class back to PXE clients (OVMF requires this, real hardware usually doesn't)
+dhcp-option-force=tag:efi-x86_64,60,PXEClient
+dhcp-option-force=tag:efi-arm64,60,PXEClient
+dhcp-option-force=tag:bios,60,PXEClient
+
+# iPXE clients -> chain to boot script via HTTP
+dhcp-boot=tag:ipxe,http://${serverIp}:${httpPort}/boot.ipxe
+
+${dhcpMode === "proxy" ? `# PXE service directives (proxy DHCP needs these to respond on port 4011)
+pxe-service=tag:!ipxe,x86PC,"PXE Boot",undionly.kpxe
+pxe-service=tag:!ipxe,X86-64_EFI,"PXE Boot",ipxe.efi
+pxe-service=tag:!ipxe,BC_EFI,"PXE Boot",ipxe.efi
+pxe-service=tag:!ipxe,ARM64_EFI,"PXE Boot",ipxe-arm64.efi` : `# Full DHCP mode -- pxe-service directives omitted (they trigger PXE Boot Server
+# Discovery protocol which some UEFI implementations don't support). The dhcp-boot
+# directives above provide the boot filename directly in the DHCP offer.`}
+
+# Lease file in bastion directory (avoid default /var/lib/dnsmasq which needs root)
+dhcp-leasefile=${config.bastionDir}/dnsmasq.leases
+
+# Verbose logging
+log-dhcp
+`;
+}
diff --git a/bastion/src/bastion/src/templates/install.ks.ts b/bastion/src/bastion/src/templates/install.ks.ts
new file mode 100644
index 0000000..019bbb8
--- /dev/null
+++ b/bastion/src/bastion/src/templates/install.ks.ts
@@ -0,0 +1,427 @@
+// Install kickstart template.
+// Full Fedora server install with LVM partitioning, %pre for reprovision detection,
+// packages, and %post with SSH keys, user creation, k3s prereqs, progress callbacks.
+
+import type { Role } from "@lab/shared";
+
+export interface InstallKickstartParams {
+  hostname: string;
+  disk: string;
+  role: Role;
+  domain: string;
+  fedoraVersion: string;
+  timezone: string;
+  locale: string;
+  serverIp: string;
+  httpPort: number;
+  syslogPort: number;
+  sshKeys: string[];
+  adminUser: string;
+}
+
+export function renderInstallKickstart(params: InstallKickstartParams): string {
+  const {
+    hostname,
+    disk,
+    role,
+    domain,
+    fedoraVersion,
+    timezone,
+    locale,
+    serverIp,
+    httpPort,
+    syslogPort,
+    sshKeys,
+    adminUser,
+  } = params;
+
+  const fqdn = domain ? `${hostname}.${domain}` : hostname;
+  const vg = "labvg";
+  const now = new Date().toISOString();
+  const hasLonghorn = role === "worker";
+  const hasRancher = role === "infra";
+  const isVanilla = role === "vanilla";
+
+  // -- Auth section --
+  // Always set a root password (for serial console debugging) + SSH keys
+  const auth = sshKeys.length > 0
+    ? `rootpw --plaintext lab-root-pw\nsshkey --username=root "${sshKeys[0]}"`
+    : "rootpw --plaintext lab-root-pw";
+
+  // -- Admin user directive --
+  const userDirective = adminUser
+    ? `user --name=${adminUser} --groups=wheel --lock`
+    : "";
+
+  // -- SSH keys for %post --
+  const allKeys = sshKeys.join("\n");
+  let sshPostBlock = "";
+  if (sshKeys.length > 0) {
+    sshPostBlock = `
+# Set up SSH keys for root
+mkdir -p /root/.ssh && chmod 700 /root/.ssh
+cat > /root/.ssh/authorized_keys << 'SSHKEYS'
+${allKeys}
+SSHKEYS
+chmod 600 /root/.ssh/authorized_keys`;
+  }
+
+  if (adminUser && sshKeys.length > 0) {
+    sshPostBlock += `
+
+# Set up SSH keys for ${adminUser}
+ADMIN_HOME=$(getent passwd ${adminUser} | cut -d: -f6)
+mkdir -p "$ADMIN_HOME/.ssh" && chmod 700 "$ADMIN_HOME/.ssh"
+cp /root/.ssh/authorized_keys "$ADMIN_HOME/.ssh/authorized_keys"
+chown -R ${adminUser}:${adminUser} "$ADMIN_HOME/.ssh"
+chmod 600 "$ADMIN_HOME/.ssh/authorized_keys"
+
+# Fix SELinux contexts for SSH
+restorecon -R /root/.ssh "$ADMIN_HOME/.ssh" 2>/dev/null || true
+
+# Passwordless sudo for ${adminUser}
+echo '${adminUser} ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/${adminUser}
+chmod 440 /etc/sudoers.d/${adminUser}`;
+  }
+
+  // -- Disk detection --
+  const diskLine = disk
+    ? `DISK="${disk}"`
+    : `DISK=""
+for d in /dev/nvme0n1 /dev/sda /dev/vda; do
+    [ -b "$d" ] && { DISK="$(basename $d)"; break; }
+done
+[ -z "$DISK" ] && { echo "ERROR: no disk found"; exit 1; }`;
+
+  // -- Longhorn LV for fresh install --
+  const longhornFreshLine = hasLonghorn
+    ? `logvol /var/lib/longhorn --vgname=${vg} --name=longhorn --fstype=xfs --grow --size=1`
+    : "";
+
+  // -- Rancher LV for fresh install (infra role) --
+  const rancherFreshLine = hasRancher
+    ? `logvol /var/lib/rancher --vgname=${vg} --name=rancher --fstype=xfs --size=20480`
+    : "";
+
+  return `# Lab Bastion -- Fedora ${fedoraVersion} server install
+# Generated: ${now}
+# Target: ${fqdn} (role=${role})
+
+text
+reboot
+
+lang ${locale}
+keyboard uk
+timezone ${timezone} --utc
+
+network --bootproto=dhcp --activate --hostname=${fqdn}
+
+${auth}
+${userDirective}
+
+bootloader --append="console=tty0 console=ttyS0,115200n8"
+
+logging --host=${serverIp} --port=${syslogPort}
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
+
+# Partitioning is generated dynamically by %pre (supports reprovision preservation)
+%include /tmp/part.ks
+
+%pre --log=/tmp/pre-partition.log
+#!/bin/bash
+set -x
+
+# Progress callback helper
+bastion_progress() {
+    local stage="$1" detail="\${2:-}"
+    local mac=$(ip link show | awk '/ether/ && !/00:00:00:00/ {print $2; exit}')
+    curl -sf -X POST "http://${serverIp}:${httpPort}/api/progress" \\
+        -H "Content-Type: application/json" \\
+        -d "{\\"mac\\":\\"$mac\\",\\"stage\\":\\"$stage\\",\\"detail\\":\\"$detail\\"}" 2>/dev/null || true
+}
+
+bastion_progress "partitioning" "detecting disk"
+
+VG="${vg}"
+${diskLine}
+
+REPROVISION=no
+
+# Check if VG exists (reprovision scenario)
+if vgs $VG &>/dev/null; then
+    echo "=== Existing VG found - reprovision mode ==="
+    REPROVISION=yes
+
+    # Detect which data LVs to preserve
+    PRESERVE_LONGHORN=no; PRESERVE_SRV=no; PRESERVE_HOME=no; PRESERVE_RANCHER=no
+    lvs $VG/longhorn &>/dev/null && PRESERVE_LONGHORN=yes
+    lvs $VG/srv      &>/dev/null && PRESERVE_SRV=yes
+    lvs $VG/home     &>/dev/null && PRESERVE_HOME=yes
+    lvs $VG/rancher  &>/dev/null && PRESERVE_RANCHER=yes
+
+    echo "Preserving: longhorn=$PRESERVE_LONGHORN srv=$PRESERVE_SRV home=$PRESERVE_HOME rancher=$PRESERVE_RANCHER"
+
+    # Remove only OS logical volumes (keep data LVs)
+    for lv in root var varlog swap; do
+        lvremove -f $VG/$lv 2>/dev/null || true
+    done
+else
+    bastion_progress "partitioning" "fresh install on $DISK"
+fi
+
+if [ "$REPROVISION" = "yes" ]; then
+    # Find existing boot partitions by type
+    EFI_PART=$(blkid -t TYPE=vfat -o device /dev/\${DISK}* 2>/dev/null | head -1)
+    BOOT_PART=$(blkid -t TYPE=ext4 -o device /dev/\${DISK}* 2>/dev/null | head -1)
+    EFI_PART=\${EFI_PART:-/dev/\${DISK}1}
+    BOOT_PART=\${BOOT_PART:-/dev/\${DISK}2}
+    echo "Reusing EFI=$EFI_PART BOOT=$BOOT_PART"
+
+    # Build partition config reusing existing PV/VG
+    cat > /tmp/part.ks << PARTEOF
+ignoredisk --only-use=$DISK
+clearpart --none
+part /boot/efi --onpart=$EFI_PART --fstype=efi
+part /boot --onpart=$BOOT_PART --fstype=ext4
+volgroup ${vg} --useexisting --noformat
+logvol swap --vgname=${vg} --name=swap --fstype=swap --size=27648
+logvol / --vgname=${vg} --name=root --fstype=xfs --size=33792
+logvol /var --vgname=${vg} --name=var --fstype=xfs --size=102400
+logvol /var/log --vgname=${vg} --name=varlog --fstype=xfs --size=10240
+PARTEOF
+
+    # Preserve or recreate data LVs
+    if [ "$PRESERVE_HOME" = "yes" ]; then
+        echo "logvol /home --vgname=${vg} --name=home --useexisting --noformat" >> /tmp/part.ks
+    else
+        echo "logvol /home --vgname=${vg} --name=home --fstype=xfs --size=10240" >> /tmp/part.ks
+    fi
+
+    if [ "$PRESERVE_SRV" = "yes" ]; then
+        echo "logvol /srv --vgname=${vg} --name=srv --useexisting --noformat" >> /tmp/part.ks
+    else
+        echo "logvol /srv --vgname=${vg} --name=srv --fstype=xfs --size=20480" >> /tmp/part.ks
+    fi
+
+    if [ "$PRESERVE_LONGHORN" = "yes" ]; then
+        echo "logvol /var/lib/longhorn --vgname=${vg} --name=longhorn --useexisting --noformat" >> /tmp/part.ks
+    fi
+
+    if [ "$PRESERVE_RANCHER" = "yes" ]; then
+        echo "logvol /var/lib/rancher --vgname=${vg} --name=rancher --useexisting --noformat" >> /tmp/part.ks
+    fi
+
+else
+    # Fresh install
+    cat > /tmp/part.ks << PARTEOF
+ignoredisk --only-use=$DISK
+clearpart --all --initlabel --drives=$DISK
+part /boot/efi --fstype=efi --size=600 --ondisk=$DISK
+part /boot --fstype=ext4 --size=3072 --ondisk=$DISK
+part pv.01 --size=1 --grow --ondisk=$DISK
+volgroup ${vg} pv.01
+logvol swap --vgname=${vg} --name=swap --fstype=swap --size=27648
+logvol / --vgname=${vg} --name=root --fstype=xfs --size=33792
+logvol /var --vgname=${vg} --name=var --fstype=xfs --size=102400
+logvol /var/log --vgname=${vg} --name=varlog --fstype=xfs --size=10240
+logvol /home --vgname=${vg} --name=home --fstype=xfs --size=10240
+logvol /srv --vgname=${vg} --name=srv --fstype=xfs --size=20480
+${longhornFreshLine}
+${rancherFreshLine}
+PARTEOF
+fi
+
+echo "=== Generated partition config ==="
+cat /tmp/part.ks
+echo "==================================="
+
+bastion_progress "partitioning" "disk layout ready"
+
+%end
+
+%packages
+@core
+openssh-server
+vim-enhanced
+tmux
+git
+curl
+wget
+python3
+lshw
+dmidecode
+dnf-plugins-core
+
+# Networking and diagnostics
+NetworkManager
+bind-utils
+net-tools
+iproute
+iputils
+traceroute
+tcpdump
+htop
+iotop
+strace
+jq
+
+${isVanilla ? "# vanilla role -- skipping k3s prerequisites" : `# k3s prerequisites
+container-selinux
+iptables-nft
+nftables
+policycoreutils-python-utils
+chrony
+tar
+socat
+conntrack-tools
+ethtool`}
+
+# Boot management
+efibootmgr
+
+# Puppet prerequisites
+ruby
+ruby-libs
+
+# Exclude desktop
+-@workstation-product
+-@gnome-desktop
+-gnome-shell
+-gdm
+-PackageKit
+-PackageKit-glib
+%end
+
+%post --log=/root/bastion-post-install.log
+#!/bin/bash
+set -x
+
+# Progress callback helper
+bastion_progress() {
+    local stage="$1" detail="\${2:-}"
+    local mac=$(ip link show | awk '/ether/ && !/00:00:00:00/ {print $2; exit}')
+    curl -sf -X POST "http://${serverIp}:${httpPort}/api/progress" \\
+        -H "Content-Type: application/json" \\
+        -d "{\\"mac\\":\\"$mac\\",\\"stage\\":\\"$stage\\",\\"detail\\":\\"$detail\\"}" 2>/dev/null || true
+}
+
+# Send log lines to bastion
+bastion_log() {
+    local line="$1"
+    local mac=$(ip link show | awk '/ether/ && !/00:00:00:00/ {print $2; exit}')
+    curl -sf -X POST "http://${serverIp}:${httpPort}/api/log" \\
+        -H "Content-Type: application/json" \\
+        -d "{\\"mac\\":\\"$mac\\",\\"line\\":\\"$(echo "$line" | sed 's/\\\\/\\\\\\\\/g; s/"/\\\\"/g')\\"}\" \\
+        --connect-timeout 5 --max-time 10 2>/dev/null || true
+}
+
+# Send an error stage to bastion
+bastion_error() {
+    local detail="$1"
+    bastion_progress "error" "$detail"
+}
+
+# --- Error trap: catch any failure and report to bastion ---
+_post_error_handler() {
+    local exit_code=$? lineno=$1
+    bastion_error "%post failed at line $lineno (exit $exit_code)"
+}
+trap '_post_error_handler $LINENO' ERR
+
+bastion_progress "post-install" "configuring system"
+
+# -- SSH --
+systemctl enable --now sshd
+sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+${sshPostBlock}
+
+# -- Hostname and domain --
+hostnamectl set-hostname ${fqdn}
+
+# -- tmpfs for /tmp --
+echo "tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,size=4G 0 0" >> /etc/fstab
+
+${isVanilla ? `# -- vanilla role: skip k3s kernel/sysctl/firewall setup --
+# -- Enable chronyd for time sync --
+systemctl enable chronyd || true
+
+# -- Serial console (for debugging — auto-login as root on ttyS0) --
+# AWS EC2 compatible: ttyS0 @ 115200n8
+systemctl enable serial-getty@ttyS0.service || true
+
+# -- Forward all system logs to serial console --
+cat > /etc/rsyslog.d/serial-console.conf << 'RSYSLOG'
+*.* /dev/ttyS0
+RSYSLOG
+systemctl enable rsyslog || true` : `# -- Kernel modules for k3s --
+cat > /etc/modules-load.d/k3s.conf << 'MODULES'
+br_netfilter
+overlay
+ip_conntrack
+MODULES
+modprobe br_netfilter || true
+modprobe overlay || true
+
+# -- Sysctl for k3s networking --
+cat > /etc/sysctl.d/90-k3s.conf << 'SYSCTL'
+net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+net.ipv6.conf.all.forwarding        = 1
+fs.inotify.max_user_instances       = 524288
+fs.inotify.max_user_watches         = 1048576
+SYSCTL
+sysctl --system || true
+
+# -- Disable firewalld permanently (k3s/Cilium manage iptables directly) --
+systemctl disable --now firewalld || true
+systemctl mask firewalld || true
+
+# -- Enable chronyd for time sync --
+systemctl enable chronyd || true`}
+
+# -- Boot order: restore network first (Anaconda sets disk first, we undo it) --
+# Network boot must stay first so the bastion intercepts every reboot.
+if command -v efibootmgr >/dev/null 2>&1; then
+    PXE_ENTRY=$(efibootmgr | grep -iE 'network|pxe|ipv4|ipv6|http' | head -1 | grep -oP 'Boot\\K[0-9A-F]+')
+    if [ -n "$PXE_ENTRY" ]; then
+        CURRENT_ORDER=$(efibootmgr | grep BootOrder | cut -d: -f2 | tr -d ' ')
+        REST=$(echo "$CURRENT_ORDER" | sed "s/$PXE_ENTRY,\\\\?//;s/,$//" | sed 's/^,//')
+        NEW_ORDER="$PXE_ENTRY,$REST"
+        efibootmgr -o "$NEW_ORDER" || true
+    fi
+fi
+
+# -- Provisioning metadata --
+cat > /etc/lab-provisioned << PROVEOF
+hostname: ${fqdn}
+role: ${role}
+provisioned: $(date -Iseconds)
+bastion: ${serverIp}
+PROVEOF
+
+cat > /root/README << 'README'
+# Lab Node -- ${fqdn} (role: ${role})
+#
+# Next steps:
+#   1. Install puppet agent:
+#      dnf install -y puppet-agent
+#
+#   2. Install k3s:
+#      curl -sfL https://get.k3s.io | sh -
+#
+#   3. Or join existing cluster:
+#      curl -sfL https://get.k3s.io | K3S_URL=https://<server>:6443 K3S_TOKEN=<token> sh -
+README
+
+${hasRancher ? `# Install k3s server (skip start - will be configured manually)
+curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true sh -
+` : ""}
+IP_ADDR=$(ip -4 addr show | awk '/inet / && !/127.0.0/ {split($2,a,"/"); print a[1]; exit}')
+bastion_progress "complete" "ready at $IP_ADDR"
+
+%end
+`;
+}
diff --git a/bastion/src/bastion/src/templates/ubuntu-autoinstall.ts b/bastion/src/bastion/src/templates/ubuntu-autoinstall.ts
new file mode 100644
index 0000000..2594bab
--- /dev/null
+++ b/bastion/src/bastion/src/templates/ubuntu-autoinstall.ts
@@ -0,0 +1,299 @@
+// Ubuntu autoinstall template (cloud-init).
+// Equivalent of the Fedora kickstart: LVM partitioning, packages,
+// SSH keys, k3s prereqs, progress callbacks.
+
+export interface UbuntuAutoinstallParams {
+  hostname: string;
+  disk: string;
+  role: string;  // "vanilla" | "worker" | "infra"
+  domain: string;
+  ubuntuVersion: string;
+  timezone: string;
+  locale: string;
+  serverIp: string;
+  httpPort: number;
+  sshKeys: string[];
+  adminUser: string;
+}
+
+export function renderUbuntuAutoinstall(params: UbuntuAutoinstallParams): string {
+  const {
+    hostname,
+    disk,
+    role,
+    domain,
+    timezone,
+    serverIp,
+    httpPort,
+    sshKeys,
+    adminUser,
+  } = params;
+
+  const fqdn = domain ? `${hostname}.${domain}` : hostname;
+  const vg = "labvg";
+  const hasLonghorn = role === "worker";
+  const hasRancher = role === "infra";
+
+  // Determine disk device -- default to biggest NVMe/SCSI/virtio
+  const diskDevice = disk || "/dev/sda";
+
+  // Build the LVM layout to match Fedora kickstart sizes
+  const extraLvs: string[] = [];
+  if (hasLonghorn) {
+    extraLvs.push(`        - id: lv-longhorn
+          name: longhorn
+          type: lvm_partition
+          volgroup: vg0
+          size: -1
+        - id: fs-longhorn
+          type: format
+          volume: lv-longhorn
+          fstype: xfs
+        - id: mount-longhorn
+          type: mount
+          device: fs-longhorn
+          path: /var/lib/longhorn`);
+  }
+  if (hasRancher) {
+    extraLvs.push(`        - id: lv-rancher
+          name: rancher
+          type: lvm_partition
+          volgroup: vg0
+          size: 20G
+        - id: fs-rancher
+          type: format
+          volume: lv-rancher
+          fstype: xfs
+        - id: mount-rancher
+          type: mount
+          device: fs-rancher
+          path: /var/lib/rancher`);
+  }
+
+  const extraLvsBlock = extraLvs.length > 0 ? "\n" + extraLvs.join("\n") : "";
+
+  // SSH keys YAML list
+  const sshKeysYaml = sshKeys.map((k) => `          - "${k}"`).join("\n");
+
+  // late-commands for k3s prereqs, firewall, chrony, admin user, progress callback
+  const lateCommands: string[] = [
+    // Kernel modules for k3s
+    `curtin in-target -- bash -c 'cat > /etc/modules-load.d/k3s.conf << EOF\nbr_netfilter\noverlay\nip_conntrack\nEOF'`,
+    // Sysctl for k3s networking
+    `curtin in-target -- bash -c 'cat > /etc/sysctl.d/90-k3s.conf << EOF\nnet.bridge.bridge-nf-call-iptables  = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.ipv4.ip_forward                 = 1\nnet.ipv6.conf.all.forwarding        = 1\nfs.inotify.max_user_instances       = 524288\nfs.inotify.max_user_watches         = 1048576\nEOF'`,
+    // Disable ufw firewall
+    `curtin in-target -- systemctl disable ufw || true`,
+    // Enable chrony/ntp
+    `curtin in-target -- systemctl enable chrony || true`,
+    // tmpfs for /tmp
+    `curtin in-target -- bash -c 'echo "tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,size=4G 0 0" >> /etc/fstab'`,
+  ];
+
+  // Admin user creation + SSH keys + sudoers
+  if (adminUser) {
+    lateCommands.push(
+      `curtin in-target -- useradd -m -G sudo -s /bin/bash ${adminUser}`,
+      `curtin in-target -- usermod -L ${adminUser}`,
+      `curtin in-target -- mkdir -p /home/${adminUser}/.ssh`,
+      `curtin in-target -- bash -c 'cat > /home/${adminUser}/.ssh/authorized_keys << EOF\n${sshKeys.join("\n")}\nEOF'`,
+      `curtin in-target -- chmod 700 /home/${adminUser}/.ssh`,
+      `curtin in-target -- chmod 600 /home/${adminUser}/.ssh/authorized_keys`,
+      `curtin in-target -- chown -R ${adminUser}:${adminUser} /home/${adminUser}/.ssh`,
+      `curtin in-target -- bash -c 'echo "${adminUser} ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/${adminUser}'`,
+      `curtin in-target -- chmod 440 /etc/sudoers.d/${adminUser}`,
+    );
+  }
+
+  // Provisioning metadata
+  lateCommands.push(
+    `curtin in-target -- bash -c 'cat > /etc/lab-provisioned << EOF\nhostname: ${fqdn}\nrole: ${role}\nprovisioned: $(date -Iseconds)\nbastion: ${serverIp}\nEOF'`,
+  );
+
+  // k3s install for infra role
+  if (hasRancher) {
+    lateCommands.push(
+      `curtin in-target -- bash -c 'curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true sh -'`,
+    );
+  }
+
+  // Progress callback (complete)
+  lateCommands.push(
+    `curtin in-target -- bash -c 'IP_ADDR=$(ip -4 addr show | awk "/inet / && !/127.0.0/ {split(\\$2,a,\\"/\\"); print a[1]; exit}"); curl -sf -X POST "http://${serverIp}:${httpPort}/api/progress" -H "Content-Type: application/json" -d "{\\"mac\\":\\"$(ip link show | awk "/ether/ && !/00:00:00:00/ {print \\$2; exit}")\\",\\"stage\\":\\"complete\\",\\"detail\\":\\"ready at $IP_ADDR\\"}" || true'`,
+  );
+
+  const lateCommandsYaml = lateCommands.map((c) => `        - "${c}"`).join("\n");
+
+  return `#cloud-config
+autoinstall:
+  version: 1
+  locale: ${params.locale}
+  keyboard:
+    layout: gb
+  timezone: ${timezone}
+  identity:
+    hostname: ${fqdn}
+    username: ${adminUser || "root"}
+    password: "!"
+  ssh:
+    install-server: true
+    allow-pw: false
+    authorized-keys:
+${sshKeysYaml}
+  storage:
+    config:
+      - id: disk0
+        type: disk
+        ptable: gpt
+        path: ${diskDevice}
+        wipe: superblock-recursive
+        grub_device: true
+      - id: part-efi
+        type: partition
+        device: disk0
+        size: 600M
+        flag: boot
+        grub_device: true
+      - id: fs-efi
+        type: format
+        volume: part-efi
+        fstype: fat32
+      - id: mount-efi
+        type: mount
+        device: fs-efi
+        path: /boot/efi
+      - id: part-boot
+        type: partition
+        device: disk0
+        size: 3G
+      - id: fs-boot
+        type: format
+        volume: part-boot
+        fstype: ext4
+      - id: mount-boot
+        type: mount
+        device: fs-boot
+        path: /boot
+      - id: part-pv
+        type: partition
+        device: disk0
+        size: -1
+      - id: vg0
+        type: lvm_volgroup
+        name: ${vg}
+        devices:
+          - part-pv
+      - id: lv-swap
+        name: swap
+        type: lvm_partition
+        volgroup: vg0
+        size: 27G
+      - id: fs-swap
+        type: format
+        volume: lv-swap
+        fstype: swap
+      - id: mount-swap
+        type: mount
+        device: fs-swap
+        path: none
+      - id: lv-root
+        name: root
+        type: lvm_partition
+        volgroup: vg0
+        size: 33G
+      - id: fs-root
+        type: format
+        volume: lv-root
+        fstype: xfs
+      - id: mount-root
+        type: mount
+        device: fs-root
+        path: /
+      - id: lv-var
+        name: var
+        type: lvm_partition
+        volgroup: vg0
+        size: 100G
+      - id: fs-var
+        type: format
+        volume: lv-var
+        fstype: xfs
+      - id: mount-var
+        type: mount
+        device: fs-var
+        path: /var
+      - id: lv-varlog
+        name: varlog
+        type: lvm_partition
+        volgroup: vg0
+        size: 10G
+      - id: fs-varlog
+        type: format
+        volume: lv-varlog
+        fstype: xfs
+      - id: mount-varlog
+        type: mount
+        device: fs-varlog
+        path: /var/log
+      - id: lv-home
+        name: home
+        type: lvm_partition
+        volgroup: vg0
+        size: 10G
+      - id: fs-home
+        type: format
+        volume: lv-home
+        fstype: xfs
+      - id: mount-home
+        type: mount
+        device: fs-home
+        path: /home
+      - id: lv-srv
+        name: srv
+        type: lvm_partition
+        volgroup: vg0
+        size: 20G
+      - id: fs-srv
+        type: format
+        volume: lv-srv
+        fstype: xfs
+      - id: mount-srv
+        type: mount
+        device: fs-srv
+        path: /srv${extraLvsBlock}
+  packages:
+    - openssh-server
+    - curl
+    - wget
+    - git
+    - jq
+    - htop
+    - vim
+    - tmux
+    - python3
+    - lshw
+    - dmidecode
+    - net-tools
+    - iproute2
+    - iputils-ping
+    - traceroute
+    - tcpdump
+    - iotop
+    - strace
+    - tar
+    - containerd
+    - socat
+    - conntrack
+    - ethtool
+    - iptables
+    - chrony
+    - efibootmgr
+  late-commands:
+${lateCommandsYaml}
+`;
+}
+
+export function renderUbuntuMetaData(hostname: string): string {
+  return `instance-id: ${hostname}
+local-hostname: ${hostname}
+`;
+}
diff --git a/bastion/src/bastion/src/templates/ubuntu-boot.ipxe.ts b/bastion/src/bastion/src/templates/ubuntu-boot.ipxe.ts
new file mode 100644
index 0000000..2a7895f
--- /dev/null
+++ b/bastion/src/bastion/src/templates/ubuntu-boot.ipxe.ts
@@ -0,0 +1,24 @@
+// iPXE boot script template for Ubuntu autoinstall.
+
+export function renderUbuntuInstallIpxe(params: {
+  mac: string;
+  hostname: string;
+  serverIp: string;
+  httpPort: number;
+  ubuntuVersion: string;
+}): string {
+  return `#!ipxe
+
+echo
+echo =============================================
+echo   Lab PXE Bastion - INSTALLING Ubuntu ${params.ubuntuVersion}
+echo   Target: ${params.hostname}
+echo   MAC:    ${params.mac}
+echo =============================================
+echo
+
+kernel http://${params.serverIp}:${params.httpPort}/ubuntu-vmlinuz autoinstall ds=nocloud-net;seedfrom=http://${params.serverIp}:${params.httpPort}/autoinstall/${params.mac}/ ---
+initrd http://${params.serverIp}:${params.httpPort}/ubuntu-initrd
+boot
+`;
+}
diff --git a/bastion/src/bastion/tests/dispatch.test.ts b/bastion/src/bastion/tests/dispatch.test.ts
new file mode 100644
index 0000000..0b9572b
--- /dev/null
+++ b/bastion/src/bastion/tests/dispatch.test.ts
@@ -0,0 +1,328 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import type { BastionConfig } from "@lab/shared";
+import { createApp } from "../src/server.js";
+import type { FastifyInstance } from "fastify";
+import type { StateManager } from "../src/services/state.js";
+import type { InstallLogBuffer } from "../src/services/install-log.js";
+
+function createTestConfig(testDir: string): BastionConfig {
+  return {
+    fedoraVersion: "43",
+    arch: "x86_64",
+    httpPort: 0,
+    timezone: "Europe/London",
+    locale: "en_GB.UTF-8",
+    bastionDir: testDir,
+    domain: "test.local",
+    dhcpMode: "proxy",
+    dhcpRangeStart: "",
+    dhcpRangeEnd: "",
+    ubuntuVersion: "26.04",
+    ubuntuMirror: "https://releases.ubuntu.com/26.04",
+    iface: "eth0",
+    serverIp: "10.0.0.1",
+    network: "10.0.0.0",
+    gateway: "10.0.0.1",
+    sshKeys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITEST test@test"],
+    adminUser: "testadmin",
+    skipDnsmasq: true,
+    skipArtifacts: true,
+    fedoraMirror: "https://download.fedoraproject.org/pub/fedora/linux/releases/43/Everything/x86_64/os",
+    tftpDir: join(testDir, "tftp"),
+    httpDir: join(testDir, "http"),
+    stateFile: join(testDir, "state.json"),
+  };
+}
+
+describe("dispatch routes", () => {
+  let testDir: string;
+  let app: FastifyInstance;
+  let state: StateManager;
+  let installLog: InstallLogBuffer;
+
+  beforeEach(() => {
+    testDir = join(tmpdir(), `bastion-dispatch-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(testDir, { recursive: true });
+    mkdirSync(join(testDir, "http"), { recursive: true });
+    mkdirSync(join(testDir, "tftp"), { recursive: true });
+
+    const config = createTestConfig(testDir);
+    const result = createApp(config);
+    app = result.app;
+    state = result.state;
+    installLog = result.installLog;
+  });
+
+  afterEach(async () => {
+    await app.close();
+    rmSync(testDir, { recursive: true, force: true });
+  });
+
+  it("unknown MAC returns discovery iPXE script", async () => {
+    const response = await app.inject({
+      method: "GET",
+      url: "/dispatch?mac=aa:bb:cc:dd:ee:ff",
+    });
+
+    expect(response.statusCode).toBe(200);
+    expect(response.headers["content-type"]).toContain("text/plain");
+    const body = response.body;
+    expect(body).toContain("#!ipxe");
+    expect(body).toContain("DISCOVERY MODE");
+    expect(body).toContain("discover.ks");
+  });
+
+  it("MAC in install_queue returns install iPXE script", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    state.update((s) => {
+      s.install_queue[mac] = {
+        hostname: "worker-1",
+        disk: "/dev/sda",
+        role: "worker",
+        queued_at: new Date().toISOString(),
+      };
+    });
+
+    const response = await app.inject({
+      method: "GET",
+      url: `/dispatch?mac=${mac}`,
+    });
+
+    expect(response.statusCode).toBe(200);
+    const body = response.body;
+    expect(body).toContain("#!ipxe");
+    expect(body).toContain("INSTALLING");
+    expect(body).toContain("worker-1");
+    expect(body).toContain(`ks?mac=${mac}`);
+  });
+
+  it("MAC in installed returns local boot (exit) script", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    state.update((s) => {
+      s.installed[mac] = {
+        hostname: "installed-node",
+        role: "worker",
+        ip: "10.0.0.50",
+        installed_at: new Date().toISOString(),
+      };
+    });
+
+    const response = await app.inject({
+      method: "GET",
+      url: `/dispatch?mac=${mac}`,
+    });
+
+    expect(response.statusCode).toBe(200);
+    const body = response.body;
+    expect(body).toContain("#!ipxe");
+    expect(body).toContain("installed-node");
+    expect(body).toContain("Already installed");
+    expect(body).toContain("exit");
+  });
+
+  it("progress endpoint updates state", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    state.update((s) => {
+      s.install_queue[mac] = {
+        hostname: "worker-1",
+        disk: "/dev/sda",
+        role: "worker",
+        queued_at: new Date().toISOString(),
+      };
+    });
+
+    const response = await app.inject({
+      method: "POST",
+      url: "/api/progress",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        mac,
+        stage: "post-install",
+        detail: "configuring system",
+      }),
+    });
+
+    expect(response.statusCode).toBe(200);
+    const result = JSON.parse(response.body);
+    expect(result.status).toBe("ok");
+
+    // Verify state was updated
+    const currentState = state.load();
+    expect(currentState.install_queue[mac]?.progress).toBe("post-install");
+    expect(currentState.install_queue[mac]?.progress_detail).toBe("configuring system");
+  });
+
+  it("progress endpoint with 'complete' stage moves machine to installed", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    state.update((s) => {
+      s.install_queue[mac] = {
+        hostname: "worker-1",
+        disk: "/dev/sda",
+        role: "worker",
+        queued_at: new Date().toISOString(),
+      };
+    });
+
+    const response = await app.inject({
+      method: "POST",
+      url: "/api/progress",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        mac,
+        stage: "complete",
+        detail: "ready at 10.0.0.50",
+      }),
+    });
+
+    expect(response.statusCode).toBe(200);
+
+    const currentState = state.load();
+    expect(currentState.install_queue[mac]).toBeUndefined();
+    expect(currentState.installed[mac]).toBeDefined();
+    expect(currentState.installed[mac]?.hostname).toBe("worker-1");
+    expect(currentState.installed[mac]?.ip).toBe("10.0.0.50");
+  });
+
+  it("DELETE /api/machines/:mac removes machine from state", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    state.update((s) => {
+      s.discovered[mac] = {
+        mac,
+        product: "TestBox",
+        board: "TestBoard",
+        serial: "SN123",
+        manufacturer: "TestCorp",
+        cpu_model: "Test CPU",
+        cpu_cores: 4,
+        memory_gb: 16,
+        arch: "x86_64",
+        disks: [],
+        nics: [],
+        first_seen: new Date().toISOString(),
+        last_seen: new Date().toISOString(),
+      };
+    });
+
+    const response = await app.inject({
+      method: "DELETE",
+      url: `/api/machines/${encodeURIComponent(mac)}`,
+    });
+
+    expect(response.statusCode).toBe(200);
+    const result = JSON.parse(response.body);
+    expect(result.status).toBe("forgotten");
+
+    const currentState = state.load();
+    expect(currentState.discovered[mac]).toBeUndefined();
+  });
+
+  it("DELETE /api/machines/:mac returns 404 for unknown machine", async () => {
+    const response = await app.inject({
+      method: "DELETE",
+      url: "/api/machines/ff:ff:ff:ff:ff:ff",
+    });
+
+    expect(response.statusCode).toBe(404);
+    const result = JSON.parse(response.body);
+    expect(result.error).toBe("machine not found");
+  });
+
+  it("POST /api/log accepts a single line", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    const response = await app.inject({
+      method: "POST",
+      url: "/api/log",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ mac, line: "hello from kickstart" }),
+    });
+
+    expect(response.statusCode).toBe(200);
+    const result = JSON.parse(response.body);
+    expect(result.status).toBe("ok");
+    expect(result.lines).toBe(1);
+
+    // Verify line is stored
+    const lines = installLog.getLines(mac);
+    expect(lines).toHaveLength(1);
+    expect(lines[0]!.line).toBe("hello from kickstart");
+  });
+
+  it("POST /api/log accepts multiple lines", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    const response = await app.inject({
+      method: "POST",
+      url: "/api/log",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ mac, lines: ["line 1", "line 2", "line 3"] }),
+    });
+
+    expect(response.statusCode).toBe(200);
+    const result = JSON.parse(response.body);
+    expect(result.lines).toBe(3);
+
+    const lines = installLog.getLines(mac);
+    expect(lines).toHaveLength(3);
+  });
+
+  it("GET /api/logs/:mac includes log lines for installing machine", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    state.update((s) => {
+      s.install_queue[mac] = {
+        hostname: "test-node",
+        disk: "/dev/sda",
+        role: "worker",
+        queued_at: new Date().toISOString(),
+      };
+    });
+
+    // Add some log lines
+    installLog.append(mac, ["log line 1", "log line 2"], "test-node");
+
+    const response = await app.inject({
+      method: "GET",
+      url: `/api/logs/${encodeURIComponent(mac)}`,
+    });
+
+    expect(response.statusCode).toBe(200);
+    const result = JSON.parse(response.body);
+    expect(result.status).toBe("installing");
+    expect(result.log_lines).toHaveLength(2);
+    expect(result.log_total).toBe(2);
+    expect(result.log_lines[0].line).toBe("log line 1");
+  });
+
+  it("progress endpoint with 'error' stage keeps machine in install_queue", async () => {
+    const mac = "aa:bb:cc:dd:ee:ff";
+    state.update((s) => {
+      s.install_queue[mac] = {
+        hostname: "failing-node",
+        disk: "/dev/sda",
+        role: "worker",
+        queued_at: new Date().toISOString(),
+      };
+    });
+
+    const response = await app.inject({
+      method: "POST",
+      url: "/api/progress",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        mac,
+        stage: "error",
+        detail: "%post failed at line 42",
+      }),
+    });
+
+    expect(response.statusCode).toBe(200);
+
+    // Machine should still be in install_queue (not moved to installed)
+    const currentState = state.load();
+    expect(currentState.install_queue[mac]).toBeDefined();
+    expect(currentState.install_queue[mac]?.progress).toBe("error");
+    expect(currentState.install_queue[mac]?.progress_detail).toBe("%post failed at line 42");
+    expect(currentState.installed[mac]).toBeUndefined();
+  });
+});
diff --git a/bastion/src/bastion/tests/kickstart.test.ts b/bastion/src/bastion/tests/kickstart.test.ts
new file mode 100644
index 0000000..2629877
--- /dev/null
+++ b/bastion/src/bastion/tests/kickstart.test.ts
@@ -0,0 +1,215 @@
+import { describe, it, expect } from "vitest";
+import { renderInstallKickstart, type InstallKickstartParams } from "../src/templates/install.ks.js";
+
+function baseParams(overrides: Partial<InstallKickstartParams> = {}): InstallKickstartParams {
+  return {
+    hostname: "testnode",
+    disk: "",
+    role: "worker",
+    domain: "lab.local",
+    fedoraVersion: "43",
+    timezone: "Europe/London",
+    locale: "en_GB.UTF-8",
+    serverIp: "192.168.1.100",
+    httpPort: 8080,
+    syslogPort: 5514,
+    sshKeys: [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITEST1 user1@host",
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQTEST2 user2@host",
+    ],
+    adminUser: "admin",
+    ...overrides,
+  };
+}
+
+describe("renderInstallKickstart", () => {
+  it("worker role includes longhorn partition", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "worker" }));
+    expect(ks).toContain("longhorn");
+    expect(ks).toContain("/var/lib/longhorn");
+  });
+
+  it("infra role does NOT include longhorn partition", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "infra" }));
+    // The fresh install longhorn line should not be present
+    expect(ks).not.toContain("logvol /var/lib/longhorn --vgname=labvg --name=longhorn --fstype=xfs --grow --size=1");
+  });
+
+  it("all SSH keys appear between SSHKEYS markers", () => {
+    const keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITEST1 user1@host",
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQTEST2 user2@host",
+    ];
+    const ks = renderInstallKickstart(baseParams({ sshKeys: keys }));
+    // Both keys should appear between the SSHKEYS markers
+    const sshkeysMatch = ks.match(/cat > \/root\/\.ssh\/authorized_keys << 'SSHKEYS'\n([\s\S]*?)\nSSHKEYS/);
+    expect(sshkeysMatch).not.toBeNull();
+    const keysBlock = sshkeysMatch![1]!;
+    for (const key of keys) {
+      expect(keysBlock).toContain(key);
+    }
+  });
+
+  it("admin user directive appears when adminUser is set", () => {
+    const ks = renderInstallKickstart(baseParams({ adminUser: "myadmin" }));
+    expect(ks).toContain("user --name=myadmin --groups=wheel --lock");
+  });
+
+  it("no admin user directive when adminUser is empty", () => {
+    const ks = renderInstallKickstart(baseParams({ adminUser: "" }));
+    expect(ks).not.toContain("user --name=");
+  });
+
+  it("FQDN is hostname.domain", () => {
+    const ks = renderInstallKickstart(baseParams({
+      hostname: "myhost",
+      domain: "example.com",
+    }));
+    expect(ks).toContain("myhost.example.com");
+    expect(ks).toContain("--hostname=myhost.example.com");
+  });
+
+  it("restorecon is present", () => {
+    const ks = renderInstallKickstart(baseParams());
+    expect(ks).toContain("restorecon");
+  });
+
+  it("sudoers line for admin user", () => {
+    const ks = renderInstallKickstart(baseParams({ adminUser: "admin" }));
+    expect(ks).toContain("admin ALL=(ALL) NOPASSWD: ALL");
+    expect(ks).toContain("/etc/sudoers.d/admin");
+  });
+
+  it("boot order restores network first (bastion controls boot)", () => {
+    const ks = renderInstallKickstart(baseParams());
+    expect(ks).toContain("restore network first");
+    expect(ks).toContain("PXE_ENTRY");
+    expect(ks).toContain("efibootmgr -o");
+  });
+
+  it("progress callback URLs use correct serverIp and httpPort", () => {
+    const ks = renderInstallKickstart(baseParams({
+      serverIp: "10.0.0.5",
+      httpPort: 9090,
+    }));
+    expect(ks).toContain("http://10.0.0.5:9090");
+    expect(ks).toContain("/api/progress");
+  });
+
+  it("infra role has /var/lib/rancher partition", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "infra" }));
+    expect(ks).toContain("logvol /var/lib/rancher --vgname=labvg --name=rancher --fstype=xfs --size=20480");
+  });
+
+  it("infra role has k3s install", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "infra" }));
+    expect(ks).toContain("curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true sh -");
+  });
+
+  it("worker role does NOT have /var/lib/rancher partition in fresh install", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "worker" }));
+    // Worker should not have the fresh-install rancher partition line
+    expect(ks).not.toContain("logvol /var/lib/rancher --vgname=labvg --name=rancher --fstype=xfs --size=20480");
+  });
+
+  it("worker role does NOT have k3s install", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "worker" }));
+    expect(ks).not.toContain("INSTALL_K3S_SKIP_START");
+  });
+
+  it("reprovision preserves rancher partition", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "infra" }));
+    expect(ks).toContain("PRESERVE_RANCHER=no");
+    expect(ks).toContain('lvs $VG/rancher');
+    expect(ks).toContain("PRESERVE_RANCHER=yes");
+    expect(ks).toContain('logvol /var/lib/rancher --vgname=labvg --name=rancher --useexisting --noformat');
+  });
+
+  it("partition sizes are correct", () => {
+    const ks = renderInstallKickstart(baseParams());
+    // root = 33792
+    expect(ks).toContain("--name=root --fstype=xfs --size=33792");
+    // var = 102400
+    expect(ks).toContain("--name=var --fstype=xfs --size=102400");
+    // varlog = 10240
+    expect(ks).toContain("--name=varlog --fstype=xfs --size=10240");
+    // home = 10240
+    expect(ks).toContain("--name=home --fstype=xfs --size=10240");
+    // srv = 20480
+    expect(ks).toContain("--name=srv --fstype=xfs --size=20480");
+    // swap = 27648
+    expect(ks).toContain("--name=swap --fstype=swap --size=27648");
+  });
+
+  it("vanilla role skips k3s setup", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "vanilla" }));
+    expect(ks).toContain("vanilla role");
+    expect(ks).not.toContain("modules-load.d/k3s.conf");
+    expect(ks).not.toContain("firewalld");
+  });
+
+  it("worker role has k3s setup", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "worker" }));
+    expect(ks).toContain("modules-load.d/k3s.conf");
+    expect(ks).toContain("sysctl.d/90-k3s.conf");
+    expect(ks).toContain("firewalld");
+  });
+
+  it("kickstart syntax: no merged partition lines", () => {
+    for (const role of ["vanilla", "worker", "infra"] as const) {
+      const ks = renderInstallKickstart(baseParams({ role }));
+      const lines = ks.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const l = lines[i].trim();
+        if (l.startsWith("part ")) {
+          const partCount = (l.match(/\bpart\b/g) || []).length;
+          expect(partCount, `line ${i + 1} has ${partCount} 'part' commands (role=${role}): ${l}`).toBe(1);
+        }
+      }
+    }
+  });
+
+  it("kickstart syntax: each section-opening has a %end", () => {
+    const ks = renderInstallKickstart(baseParams());
+    // Only match section openers at start of line
+    const sections = (ks.match(/^%(?:pre|post|packages)\b/gm) || []).length;
+    const ends = (ks.match(/^%end$/gm) || []).length;
+    expect(ends, `${sections} sections but ${ends} %end markers`).toBe(sections);
+  });
+
+  it("has complete progress stage", () => {
+    const ks = renderInstallKickstart(baseParams());
+    expect(ks).toContain('"complete"');
+    expect(ks).toContain("ready at");
+  });
+
+  it("sends install logs to bastion via syslog", () => {
+    const ks = renderInstallKickstart(baseParams({ syslogPort: 5514 }));
+    expect(ks).toContain("logging --host=192.168.1.100 --port=5514");
+  });
+
+  it("passes ksvalidator syntax check", () => {
+    for (const role of ["vanilla", "worker", "infra"] as const) {
+      const ks = renderInstallKickstart(baseParams({ role }));
+      const { execSync } = require("node:child_process");
+      const { writeFileSync, unlinkSync } = require("node:fs");
+      const tmp = `/tmp/ks-test-${role}.ks`;
+      writeFileSync(tmp, ks);
+      try {
+        execSync(`ksvalidator -v F43 ${tmp}`, { encoding: "utf-8" });
+      } catch (err: unknown) {
+        const msg = err instanceof Error ? (err as { stderr?: string }).stderr ?? err.message : String(err);
+        throw new Error(`ksvalidator failed for role=${role}: ${msg}`);
+      } finally {
+        try { unlinkSync(tmp); } catch {}
+      }
+    }
+  });
+
+  it("forwards system logs to serial console", () => {
+    const ks = renderInstallKickstart(baseParams({ role: "vanilla" }));
+    expect(ks).toContain("serial-console.conf");
+    expect(ks).toContain("/dev/ttyS0");
+    expect(ks).toContain("rsyslog");
+  });
+});
diff --git a/bastion/src/bastion/tests/state.test.ts b/bastion/src/bastion/tests/state.test.ts
new file mode 100644
index 0000000..494b479
--- /dev/null
+++ b/bastion/src/bastion/tests/state.test.ts
@@ -0,0 +1,140 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, rmSync, existsSync, readFileSync, writeFileSync, chmodSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { StateManager } from "../src/services/state.js";
+
+describe("StateManager", () => {
+  let testDir: string;
+  let stateFile: string;
+  let state: StateManager;
+
+  beforeEach(() => {
+    testDir = join(tmpdir(), `bastion-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(testDir, { recursive: true });
+    stateFile = join(testDir, "state.json");
+    state = new StateManager(stateFile);
+  });
+
+  afterEach(() => {
+    rmSync(testDir, { recursive: true, force: true });
+  });
+
+  it("creates empty state on first load", () => {
+    const loaded = state.load();
+    expect(loaded).toEqual({
+      discovered: {},
+      install_queue: {},
+      installed: {},
+    });
+  });
+
+  it("init creates the state file", () => {
+    expect(existsSync(stateFile)).toBe(false);
+    state.init();
+    expect(existsSync(stateFile)).toBe(true);
+
+    const content = JSON.parse(readFileSync(stateFile, "utf-8"));
+    expect(content).toEqual({
+      discovered: {},
+      install_queue: {},
+      installed: {},
+    });
+  });
+
+  it("saves and loads state correctly", () => {
+    state.init();
+
+    state.update((s) => {
+      s.discovered["aa:bb:cc:dd:ee:ff"] = {
+        mac: "aa:bb:cc:dd:ee:ff",
+        product: "TestBox",
+        board: "TestBoard",
+        serial: "SN123",
+        manufacturer: "TestCorp",
+        cpu_model: "Test CPU",
+        cpu_cores: 8,
+        memory_gb: 32,
+        arch: "x86_64",
+        disks: [{ name: "sda", size_gb: 500, model: "TestDisk" }],
+        nics: [{ name: "eth0", mac: "aa:bb:cc:dd:ee:ff", state: "UP" }],
+        first_seen: "2025-01-01T00:00:00Z",
+        last_seen: "2025-01-01T00:00:00Z",
+      };
+
+      s.install_queue["11:22:33:44:55:66"] = {
+        hostname: "worker-1",
+        disk: "/dev/sda",
+        role: "worker",
+        queued_at: "2025-01-01T01:00:00Z",
+      };
+    });
+
+    // Load in a fresh StateManager to verify persistence
+    const state2 = new StateManager(stateFile);
+    const loaded = state2.load();
+
+    expect(loaded.discovered["aa:bb:cc:dd:ee:ff"]?.product).toBe("TestBox");
+    expect(loaded.discovered["aa:bb:cc:dd:ee:ff"]?.cpu_cores).toBe(8);
+    expect(loaded.install_queue["11:22:33:44:55:66"]?.hostname).toBe("worker-1");
+    expect(loaded.installed).toEqual({});
+  });
+
+  it("uses atomic writes (tmp file + rename)", () => {
+    state.init();
+
+    // After save, there should be no .tmp file left behind
+    state.update((s) => {
+      s.installed["aa:bb:cc:dd:ee:ff"] = {
+        hostname: "node1",
+        role: "worker",
+        ip: "10.0.0.1",
+        installed_at: "2025-01-01T00:00:00Z",
+      };
+    });
+
+    const tmpFile = `${stateFile}.tmp`;
+    expect(existsSync(tmpFile)).toBe(false);
+    expect(existsSync(stateFile)).toBe(true);
+
+    // Verify data was written correctly
+    const raw = readFileSync(stateFile, "utf-8");
+    const parsed = JSON.parse(raw);
+    expect(parsed.installed["aa:bb:cc:dd:ee:ff"].hostname).toBe("node1");
+  });
+});
+
+describe("PID file handling", () => {
+  let testDir: string;
+
+  beforeEach(() => {
+    testDir = join(tmpdir(), `bastion-pid-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(testDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    rmSync(testDir, { recursive: true, force: true });
+  });
+
+  it("handles stale PID file from previous run", () => {
+    const pidFile = join(testDir, "bastion.pid");
+    // Simulate a stale PID file with a dead process
+    writeFileSync(pidFile, "999999999");
+    // Should be readable
+    const pid = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
+    expect(pid).toBe(999999999);
+  });
+
+  it("handles corrupted PID file gracefully", () => {
+    const pidFile = join(testDir, "bastion.pid");
+    writeFileSync(pidFile, "not-a-number\n");
+    const pid = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
+    expect(isNaN(pid)).toBe(true);
+  });
+
+  it("handles missing bastion directory", () => {
+    const missingDir = join(testDir, "nonexistent", "deep");
+    mkdirSync(missingDir, { recursive: true });
+    expect(existsSync(missingDir)).toBe(true);
+  });
+});
diff --git a/bastion/src/bastion/tsconfig.json b/bastion/src/bastion/tsconfig.json
new file mode 100644
index 0000000..d0e99e9
--- /dev/null
+++ b/bastion/src/bastion/tsconfig.json
@@ -0,0 +1,13 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*.ts"],
+  "references": [
+    { "path": "../shared" },
+    { "path": "../modules" }
+  ]
+}
diff --git a/bastion/src/bastion/vitest.config.ts b/bastion/src/bastion/vitest.config.ts
new file mode 100644
index 0000000..aebf14f
--- /dev/null
+++ b/bastion/src/bastion/vitest.config.ts
@@ -0,0 +1,8 @@
+import { defineProject } from 'vitest/config';
+
+export default defineProject({
+  test: {
+    name: 'bastion',
+    include: ['tests/**/*.test.ts'],
+  },
+});
diff --git a/bastion/src/cli/package.json b/bastion/src/cli/package.json
new file mode 100644
index 0000000..f8aaf75
--- /dev/null
+++ b/bastion/src/cli/package.json
@@ -0,0 +1,29 @@
+{
+  "name": "@lab/cli",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "bin": {
+    "labctl": "./dist/index.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rimraf dist",
+    "dev": "tsx src/index.ts",
+    "test": "vitest",
+    "test:run": "vitest run"
+  },
+  "dependencies": {
+    "@lab/bastion": "workspace:*",
+    "@lab/modules": "workspace:*",
+    "@lab/shared": "workspace:*",
+    "commander": "^13.0.0",
+    "ws": "^8.19.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "@types/ws": "^8.18.1"
+  }
+}
diff --git a/bastion/src/cli/src/api/client.ts b/bastion/src/cli/src/api/client.ts
new file mode 100644
index 0000000..c68f0e9
--- /dev/null
+++ b/bastion/src/cli/src/api/client.ts
@@ -0,0 +1,161 @@
+// Typed API client for communicating with labd.
+
+import https from "node:https";
+import { readFileSync } from "node:fs";
+import { LabdApiError } from "./errors.js";
+import type {
+  Server,
+  ServerFilters,
+  JoinToken,
+  CreateTokenOpts,
+  EnrollmentRequest,
+  EnrollmentResponse,
+  HealthStatus,
+  RequestOpts,
+} from "./types.js";
+
+export interface LabdClientConfig {
+  baseUrl: string;
+  certPath?: string;
+  keyPath?: string;
+  caPath?: string;
+  timeoutMs?: number;
+}
+
+export class LabdClient {
+  private config: LabdClientConfig;
+  private agent: https.Agent | undefined;
+  private sessionId: string | undefined;
+
+  constructor(config: LabdClientConfig) {
+    this.config = config;
+    if (config.certPath && config.keyPath) {
+      this.agent = new https.Agent({
+        cert: readFileSync(config.certPath),
+        key: readFileSync(config.keyPath),
+        ca: config.caPath ? readFileSync(config.caPath) : undefined,
+        rejectUnauthorized: true,
+      });
+    }
+  }
+
+  setSessionId(id: string): void {
+    this.sessionId = id;
+  }
+
+  // --- Server endpoints ---
+
+  async getServers(filters?: ServerFilters): Promise<Server[]> {
+    return this.request("GET", "/api/servers", { query: filters as Record<string, string | undefined> });
+  }
+
+  async getServer(id: string): Promise<Server> {
+    return this.request("GET", `/api/servers/${encodeURIComponent(id)}`);
+  }
+
+  // --- Token endpoints ---
+
+  async createJoinToken(opts: CreateTokenOpts): Promise<JoinToken> {
+    return this.request("POST", "/api/tokens", { body: opts });
+  }
+
+  async listTokens(): Promise<JoinToken[]> {
+    return this.request("GET", "/api/tokens");
+  }
+
+  async revokeToken(id: string): Promise<{ status: string; id: string }> {
+    return this.request("DELETE", `/api/tokens/${encodeURIComponent(id)}`);
+  }
+
+  // --- Auth endpoints ---
+
+  async enroll(req: EnrollmentRequest): Promise<EnrollmentResponse> {
+    return this.request("POST", "/api/auth/enroll", { body: req });
+  }
+
+  // --- Bastion endpoints ---
+
+  async getBastions(): Promise<Array<{
+    id: string; hostname: string; network: string; serverIp: string;
+    status: string; machineCount: number; lastHeartbeat?: string; connectedAt?: string;
+  }>> {
+    return this.request("GET", "/api/bastions");
+  }
+
+  // --- Machine endpoints (aggregated through labd from bastions) ---
+
+  async getMachines(): Promise<import("@lab/shared").BastionState> {
+    return this.request("GET", "/api/machines");
+  }
+
+  async installMachine(opts: {
+    mac: string; hostname: string; disk?: string; role?: string; os?: string;
+  }): Promise<{ status: string; data?: unknown; error?: string }> {
+    return this.request("POST", "/api/machines/install", { body: opts });
+  }
+
+  async forgetMachine(mac: string): Promise<{ status: string }> {
+    return this.request("DELETE", `/api/machines/${encodeURIComponent(mac)}`);
+  }
+
+  async updateRole(mac: string, role: string): Promise<{ status: string }> {
+    return this.request("POST", "/api/machines/role", { body: { mac, role } });
+  }
+
+  async getMachineLogs(mac: string): Promise<Record<string, unknown>> {
+    return this.request("GET", `/api/machines/${encodeURIComponent(mac)}/logs`);
+  }
+
+  // --- Health endpoints ---
+
+  async getHealth(): Promise<HealthStatus> {
+    return this.request("GET", "/healthz");
+  }
+
+  // --- Internal ---
+
+  private async request<T>(method: string, path: string, opts?: RequestOpts): Promise<T> {
+    const url = new URL(path, this.config.baseUrl);
+    if (opts?.query) {
+      for (const [k, v] of Object.entries(opts.query)) {
+        if (v !== undefined) url.searchParams.set(k, String(v));
+      }
+    }
+
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+    };
+    if (this.sessionId) {
+      headers["X-Session-ID"] = this.sessionId;
+    }
+
+    const timeoutMs = this.config.timeoutMs ?? 30_000;
+
+    try {
+      const resp = await fetch(url.toString(), {
+        method,
+        headers,
+        body: opts?.body ? JSON.stringify(opts.body) : undefined,
+        signal: AbortSignal.timeout(timeoutMs),
+        // @ts-expect-error -- Node fetch supports dispatcher/agent
+        agent: this.agent,
+      });
+
+      if (!resp.ok) {
+        const body = await resp.json().catch(() => ({ error: resp.statusText }));
+        throw LabdApiError.fromResponse(resp.status, body);
+      }
+
+      return (await resp.json()) as T;
+    } catch (err) {
+      if (err instanceof LabdApiError) throw err;
+      if (err instanceof TypeError && (err.message.includes("fetch") || err.message.includes("ECONNREFUSED"))) {
+        throw LabdApiError.notConnected(this.config.baseUrl);
+      }
+      if (err instanceof DOMException && err.name === "TimeoutError") {
+        throw LabdApiError.timeout(timeoutMs);
+      }
+      throw err;
+    }
+  }
+}
diff --git a/bastion/src/cli/src/api/config.ts b/bastion/src/cli/src/api/config.ts
new file mode 100644
index 0000000..18ea7f8
--- /dev/null
+++ b/bastion/src/cli/src/api/config.ts
@@ -0,0 +1,47 @@
+// CLI configuration loading for labd client.
+// Bridges the CLI config module into LabdClient configuration.
+
+import { loadConfig, CONFIG_DIR, CONFIG_FILE, CERT_DIR } from "../config/index.js";
+import { LabdClient, type LabdClientConfig } from "./client.js";
+
+export { CONFIG_DIR, CONFIG_FILE, CERT_DIR };
+
+export function loadClientConfig(
+  overrides?: Partial<LabdClientConfig>,
+): LabdClientConfig {
+  const cliConfig = loadConfig();
+
+  let config: LabdClientConfig = {
+    baseUrl: cliConfig.labdUrl,
+    ...(cliConfig.certPath ? { certPath: cliConfig.certPath } : {}),
+    ...(cliConfig.keyPath ? { keyPath: cliConfig.keyPath } : {}),
+    ...(cliConfig.caPath ? { caPath: cliConfig.caPath } : {}),
+  };
+
+  // Environment variable overrides (cert paths)
+  if (process.env["LABCTL_CERT_PATH"]) config.certPath = process.env["LABCTL_CERT_PATH"];
+  if (process.env["LABCTL_KEY_PATH"]) config.keyPath = process.env["LABCTL_KEY_PATH"];
+  if (process.env["LABCTL_CA_PATH"]) config.caPath = process.env["LABCTL_CA_PATH"];
+
+  if (overrides) {
+    config = { ...config, ...overrides };
+  }
+
+  return config;
+}
+
+export function createLabdClient(
+  overrides?: Partial<LabdClientConfig>,
+): LabdClient {
+  const config = loadClientConfig(overrides);
+  return new LabdClient(config);
+}
+
+let _singleton: LabdClient | undefined;
+
+export function getLabdClient(): LabdClient {
+  if (!_singleton) {
+    _singleton = createLabdClient();
+  }
+  return _singleton;
+}
diff --git a/bastion/src/cli/src/api/errors.ts b/bastion/src/cli/src/api/errors.ts
new file mode 100644
index 0000000..d397624
--- /dev/null
+++ b/bastion/src/cli/src/api/errors.ts
@@ -0,0 +1,59 @@
+// Structured API error class for labd communication.
+
+export class LabdApiError extends Error {
+  readonly statusCode: number;
+  readonly errorCode: string;
+  readonly detail: string | undefined;
+
+  constructor(statusCode: number, message: string, detail?: string) {
+    super(message);
+    this.name = "LabdApiError";
+    this.statusCode = statusCode;
+    this.errorCode = statusCodeToErrorCode(statusCode);
+    this.detail = detail;
+  }
+
+  static fromResponse(statusCode: number, body: unknown): LabdApiError {
+    if (typeof body === "object" && body !== null) {
+      const b = body as Record<string, unknown>;
+      const message = typeof b["error"] === "string" ? b["error"] : `HTTP ${statusCode}`;
+      const detail = typeof b["detail"] === "string" ? b["detail"] : undefined;
+      return new LabdApiError(statusCode, message, detail);
+    }
+    return new LabdApiError(statusCode, `HTTP ${statusCode}`);
+  }
+
+  static notConnected(url: string): LabdApiError {
+    return new LabdApiError(
+      0,
+      `Cannot connect to labd at ${url}`,
+      "Check that labd is running and the URL is correct.",
+    );
+  }
+
+  static timeout(timeoutMs: number): LabdApiError {
+    return new LabdApiError(
+      0,
+      `Request timed out after ${timeoutMs}ms`,
+      "The server may be overloaded. Try again later.",
+    );
+  }
+}
+
+export function isLabdApiError(err: unknown): err is LabdApiError {
+  return err instanceof LabdApiError;
+}
+
+function statusCodeToErrorCode(code: number): string {
+  switch (code) {
+    case 400: return "BAD_REQUEST";
+    case 401: return "UNAUTHORIZED";
+    case 403: return "FORBIDDEN";
+    case 404: return "NOT_FOUND";
+    case 409: return "CONFLICT";
+    case 429: return "RATE_LIMITED";
+    case 500: return "INTERNAL_ERROR";
+    case 503: return "UNAVAILABLE";
+    default:  return code === 0 ? "CONNECTION_ERROR" : "UNKNOWN";
+  }
+}
diff --git a/bastion/src/cli/src/api/index.ts b/bastion/src/cli/src/api/index.ts
new file mode 100644
index 0000000..a478014
--- /dev/null
+++ b/bastion/src/cli/src/api/index.ts
@@ -0,0 +1,18 @@
+// Public API for labd client.
+
+export { LabdClient, type LabdClientConfig } from "./client.js";
+export { LabdApiError, isLabdApiError } from "./errors.js";
+export { loadClientConfig, createLabdClient, getLabdClient, CONFIG_DIR, CONFIG_FILE, CERT_DIR } from "./config.js";
+export type {
+  Server,
+  ServerFilters,
+  Agent,
+  JoinToken,
+  CreateTokenOpts,
+  EnrollmentRequest,
+  EnrollmentResponse,
+  HealthStatus,
+  ApiErrorBody,
+  RequestOpts,
+} from "./types.js";
+export { createLabdWebSocket, streamExec, streamLogs, type StreamOptions } from "./websocket.js";
diff --git a/bastion/src/cli/src/api/types.ts b/bastion/src/cli/src/api/types.ts
new file mode 100644
index 0000000..e6d80c5
--- /dev/null
+++ b/bastion/src/cli/src/api/types.ts
@@ -0,0 +1,96 @@
+// Typed interfaces for labd API requests and responses.
+// Matches Prisma schema models and labd route contracts.
+
+// --- Server ---
+
+export interface Server {
+  id: string;
+  hostname: string;
+  mac: string | null;
+  cloud: string;
+  environment: string;
+  role: string;
+  labels: Record<string, string>;
+  ip: string | null;
+  agentVersion: string | null;
+  status: string;
+  lastHeartbeat: string | null;
+  createdAt: string;
+  updatedAt: string;
+  agent?: Agent | null;
+}
+
+export interface Agent {
+  id: string;
+  serverId: string;
+  certificatePem: string | null;
+  enrolledAt: string;
+  lastSeen: string | null;
+}
+
+export interface ServerFilters {
+  cloud?: string;
+  environment?: string;
+  status?: string;
+}
+
+// --- Join Tokens ---
+
+export interface JoinToken {
+  id: string;
+  token?: string; // Only present on creation
+  type: string;
+  label: string | null;
+  usedBy: string | null;
+  usedAt: string | null;
+  revokedAt: string | null;
+  createdAt: string;
+  expiresAt: string | null;
+}
+
+export interface CreateTokenOpts {
+  type?: "one-time" | "reusable";
+  label?: string;
+  expiresInHours?: number;
+}
+
+// --- Auth / Enrollment ---
+
+export interface EnrollmentRequest {
+  token: string;
+  hostname: string;
+  csr?: string;
+}
+
+export interface EnrollmentResponse {
+  status: string;
+  hostname: string;
+  message: string;
+  certificatePem: string | null;
+}
+
+// --- Health ---
+
+export interface HealthStatus {
+  status: "healthy" | "degraded";
+  uptime: number;
+  timestamp: string;
+  checks: {
+    database: "ok" | "error";
+  };
+}
+
+// --- API Error ---
+
+export interface ApiErrorBody {
+  error: string;
+  detail?: string;
+  code?: string;
+}
+
+// --- Request helpers ---
+
+export interface RequestOpts {
+  query?: Record<string, string | number | boolean | undefined>;
+  body?: unknown;
+}
diff --git a/bastion/src/cli/src/api/websocket.ts b/bastion/src/cli/src/api/websocket.ts
new file mode 100644
index 0000000..cb751ef
--- /dev/null
+++ b/bastion/src/cli/src/api/websocket.ts
@@ -0,0 +1,160 @@
+// WebSocket client for real-time streaming operations (exec, logs).
+
+import { WebSocket } from "ws";
+import { loadConfig } from "../config/index.js";
+import { readFileSync } from "node:fs";
+import { LabdApiError } from "./errors.js";
+
+export interface StreamOptions {
+  onData: (data: string) => void;
+  onError: (error: Error) => void;
+  onClose: () => void;
+}
+
+export async function createLabdWebSocket(path: string): Promise<WebSocket> {
+  const config = loadConfig();
+  const baseUrl = config.labdUrl.replace("https:", "wss:").replace("http:", "ws:");
+  const url = new URL(path, baseUrl);
+
+  const wsOptions: WebSocket.ClientOptions = {};
+  if (config.certPath && config.keyPath) {
+    wsOptions.cert = readFileSync(config.certPath);
+    wsOptions.key = readFileSync(config.keyPath);
+    if (config.caPath) wsOptions.ca = readFileSync(config.caPath);
+  }
+
+  return new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      ws.terminate();
+      reject(LabdApiError.timeout(10_000));
+    }, 10_000);
+
+    const ws = new WebSocket(url.toString(), wsOptions);
+
+    ws.on("open", () => {
+      clearTimeout(timeout);
+      resolve(ws);
+    });
+
+    ws.on("error", (err: Error) => {
+      clearTimeout(timeout);
+      reject(
+        LabdApiError.notConnected(config.labdUrl + " — " + err.message),
+      );
+    });
+  });
+}
+
+export async function streamExec(
+  serverName: string,
+  command: string[],
+  options: StreamOptions & { tty?: boolean; timeout?: number },
+): Promise<number> {
+  const ws = await createLabdWebSocket("/ws/exec");
+  const requestId = crypto.randomUUID();
+
+  return new Promise<number>((resolve, reject) => {
+    ws.on("message", (raw: Buffer) => {
+      try {
+        const msg = JSON.parse(raw.toString()) as {
+          type: string;
+          data?: string;
+          exitCode?: number;
+          message?: string;
+        };
+        switch (msg.type) {
+          case "exec-stdout":
+          case "exec-stderr":
+            if (msg.data) options.onData(msg.data);
+            break;
+          case "exec-exit":
+            ws.close();
+            resolve(msg.exitCode ?? 1);
+            break;
+          case "error":
+            ws.close();
+            reject(new Error(msg.message ?? "Remote execution error"));
+            break;
+        }
+      } catch (err) {
+        options.onError(err instanceof Error ? err : new Error(String(err)));
+      }
+    });
+
+    ws.on("close", () => {
+      options.onClose();
+    });
+
+    ws.on("error", (err: Error) => {
+      options.onError(err);
+    });
+
+    ws.send(
+      JSON.stringify({
+        type: "exec",
+        requestId,
+        server: serverName,
+        command,
+        tty: options.tty ?? false,
+        timeout: options.timeout ?? 30_000,
+      }),
+    );
+  });
+}
+
+export async function streamLogs(
+  serverName: string,
+  logOptions: {
+    follow?: boolean;
+    lines?: number;
+    unit?: string;
+    since?: string;
+    priority?: string;
+    kernel?: boolean;
+  },
+  options: StreamOptions,
+): Promise<void> {
+  const ws = await createLabdWebSocket("/ws/logs");
+  const requestId = crypto.randomUUID();
+
+  ws.on("message", (raw: Buffer) => {
+    try {
+      const msg = JSON.parse(raw.toString()) as {
+        type: string;
+        line?: string;
+        message?: string;
+      };
+      switch (msg.type) {
+        case "log-line":
+          if (msg.line) options.onData(msg.line);
+          break;
+        case "log-end":
+          ws.close();
+          break;
+        case "error":
+          ws.close();
+          options.onError(new Error(msg.message ?? "Log streaming error"));
+          break;
+      }
+    } catch (err) {
+      options.onError(err instanceof Error ? err : new Error(String(err)));
+    }
+  });
+
+  ws.on("close", () => {
+    options.onClose();
+  });
+
+  ws.on("error", (err) => {
+    options.onError(err);
+  });
+
+  ws.send(
+    JSON.stringify({
+      type: "log-subscribe",
+      requestId,
+      server: serverName,
+      options: logOptions,
+    }),
+  );
+}
diff --git a/bastion/src/cli/src/commands/app.ts b/bastion/src/cli/src/commands/app.ts
new file mode 100644
index 0000000..19a4a47
--- /dev/null
+++ b/bastion/src/cli/src/commands/app.ts
@@ -0,0 +1,403 @@
+// CLI command: labctl app k3s install/health <target>
+// Install or check k3s on a target machine via SSH.
+
+import { existsSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import type { Command } from "commander";
+import type { BastionState } from "@lab/shared";
+import { K3sModule, sshExec } from "@lab/modules";
+import { getLabdClient } from "../api/config.js";
+
+function resolveTarget(
+  target: string,
+  state: BastionState | null,
+): { ip: string; hostname: string; role: string } | null {
+  // Direct IP
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(target)) {
+    return { ip: target, hostname: target, role: "infra" };
+  }
+
+  if (!state) return null;
+
+  // Check by MAC
+  const mac = target.toLowerCase().replace(/-/g, ":");
+  const installed = state.installed[mac];
+  if (installed?.ip) {
+    return { ip: installed.ip, hostname: installed.hostname, role: installed.role };
+  }
+
+  // Check by hostname
+  for (const [, info] of Object.entries(state.installed)) {
+    if (info.hostname === target || info.hostname.startsWith(target + ".")) {
+      return { ip: info.ip, hostname: info.hostname, role: info.role };
+    }
+  }
+
+  return null;
+}
+
+function findSshKey(): string | undefined {
+  const sudoUser = process.env["SUDO_USER"];
+  const realHome = sudoUser ? join("/home", sudoUser) : homedir();
+  for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+    const keyPath = join(realHome, ".ssh", name);
+    if (existsSync(keyPath)) return keyPath;
+  }
+  return undefined;
+}
+
+async function fetchState(): Promise<BastionState | null> {
+  try {
+    return await getLabdClient().getMachines();
+  } catch {
+    return null;
+  }
+}
+
+import { registerLabcontrollerCommands } from "./labcontroller.js";
+
+export function registerAppCommand(program: Command): void {
+  const appCmd = program.command("app").description("Application management");
+
+  // labcontroller subcommands
+  registerLabcontrollerCommands(appCmd);
+
+  const k3sCmd = appCmd.command("k3s").description("k3s cluster management");
+
+  k3sCmd
+    .command("install <target>")
+    .description("Install k3s on a target machine (hostname, IP, or MAC)")
+    .option("--role <role>", "k3s role: infra (server) or worker (agent)", "infra")
+    .option("--user <user>", "SSH user", "michal")
+    .option("--k3s-server <url>", "k3s server URL (required for worker role)")
+    .option("--k3s-token <token>", "k3s join token (required for worker role)")
+    .action(async (target: string, opts: {
+      role: string;
+      user: string;
+      k3sServer?: string;
+      k3sToken?: string;
+    }) => {
+      const state = await fetchState();
+      const resolved = resolveTarget(target, state);
+
+      if (!resolved) {
+        console.error(`Cannot resolve target: ${target}`);
+        console.error("Provide an IP address, hostname, or MAC of an installed machine.");
+        process.exit(1);
+      }
+
+      const role = opts.role === "worker" ? "worker" : "infra";
+      const sshKey = findSshKey();
+
+      console.log(`Installing k3s on ${resolved.hostname} (${resolved.ip}) as ${role}...`);
+      console.log("");
+
+      const k3s = new K3sModule();
+      const moduleCtx = {
+        hostname: resolved.hostname,
+        ip: resolved.ip,
+        role,
+        os: "fedora-43" as const,
+        arch: "x86_64" as const,
+        sshUser: opts.user,
+        ...(sshKey ? { sshKeyPath: sshKey } : {}),
+        config: {
+          ...(opts.k3sServer ? { k3sServerUrl: opts.k3sServer } : {}),
+          ...(opts.k3sToken ? { k3sToken: opts.k3sToken } : {}),
+        },
+      };
+
+      const installResult = await k3s.install(moduleCtx);
+      for (const line of installResult.output) {
+        console.log(`  ${line}`);
+      }
+      if (!installResult.success) {
+        console.error(`\nk3s install failed: ${installResult.errors.join(", ")}`);
+        process.exit(1);
+      }
+
+      console.log("\nRunning post-install configuration...\n");
+      const configResult = await k3s.configure(moduleCtx);
+      for (const line of configResult.output) {
+        console.log(`  ${line}`);
+      }
+      if (!configResult.success) {
+        console.error(`\nk3s configure failed: ${configResult.errors.join(", ")}`);
+        process.exit(1);
+      }
+
+      console.log("\nk3s installed successfully.");
+
+      // Check if the machine's role requires additional app deployments
+      try {
+        const { ROLE_REGISTRY } = await import("@lab/shared");
+        const freshState = await fetchState();
+        if (freshState) {
+          for (const [, info] of Object.entries(freshState.installed)) {
+            if (info.ip === resolved.ip || info.hostname === resolved.hostname) {
+              const roleInfo = ROLE_REGISTRY.find((r: { name: string }) => r.name === info.role);
+              if (roleInfo && roleInfo.apps.length > 0) {
+                console.log(`\nRole ${info.role} requires: ${roleInfo.apps.join(", ")}`);
+                console.log(`Deploying automatically...`);
+                const { execFileSync } = await import("node:child_process");
+                try {
+                  execFileSync("node", [
+                    process.argv[1] ?? "",
+                    "app", "labcontroller", "deploy", resolved.hostname,
+                    "--user", opts.user,
+                  ], { stdio: "inherit" });
+                } catch {
+                  console.error(`\nAuto-deploy failed. Run manually: labctl app labcontroller deploy ${resolved.hostname}`);
+                }
+              }
+              break;
+            }
+          }
+        }
+      } catch { /* best-effort chain */ }
+
+      console.log(`\nTo get kubeconfig:  ssh ${opts.user}@${resolved.ip} sudo cat /etc/rancher/k3s/k3s.yaml`);
+    });
+
+  k3sCmd
+    .command("health [target]")
+    .description("Check k3s health (all hosts if no target given)")
+    .option("--user <user>", "SSH user", "michal")
+    .action(async (target: string | undefined, opts: { user: string }) => {
+      const sshKey = findSshKey();
+
+      if (!target) {
+        let state: BastionState;
+        try {
+          state = await getLabdClient().getMachines();
+        } catch (err) {
+          console.error(`Cannot reach labd: ${err instanceof Error ? err.message : String(err)}`);
+          process.exit(1);
+        }
+
+        const entries = Object.entries(state.installed);
+        if (entries.length === 0) {
+          console.log("No installed machines.");
+          return;
+        }
+
+        const BOLD = "\x1b[1m";
+        const GREEN = "\x1b[32m";
+        const RED = "\x1b[31m";
+        const DIM = "\x1b[2m";
+        const RESET = "\x1b[0m";
+        const pad = (s: string, w: number) => s.padEnd(w);
+
+        console.log(
+          `${BOLD}${pad("HOST", 22)}${pad("IP", 16)}${pad("ROLE", 8)}${pad("K3S", 14)}${pad("NODE", 10)}${pad("ENCRYPT", 10)}${pad("CNI", 14)}${pad("PODS", 6)}${RESET}`,
+        );
+
+        interface HealthRow {
+          host: string; ip: string; role: string;
+          k3s: string; node: string; encrypt: string; cni: string; pods: string;
+          k3sC: string; nodeC: string; encC: string; cniC: string;
+        }
+
+        const probes = entries.map(async ([_mac, info]): Promise<HealthRow> => {
+          const r: HealthRow = {
+            host: info.hostname, ip: info.ip, role: info.role,
+            k3s: "—", node: "—", encrypt: "—", cni: "—", pods: "—",
+            k3sC: DIM, nodeC: DIM, encC: DIM, cniC: DIM,
+          };
+
+          if (!info.ip || info.role === "vanilla") {
+            r.k3s = info.role === "vanilla" ? "n/a" : "no ip";
+            return r;
+          }
+
+          try {
+            const svc = await sshExec(info.ip, opts.user, "systemctl is-active k3s 2>/dev/null || systemctl is-active k3s-agent 2>/dev/null", {
+              ...(sshKey ? { keyPath: sshKey } : {}), timeoutMs: 8_000,
+            });
+
+            if (svc.stdout.trim() !== "active") {
+              r.k3s = svc.stdout.trim() === "inactive" ? "stopped" : "not installed";
+              r.k3sC = svc.stdout.trim() === "inactive" ? RED : DIM;
+              return r;
+            }
+
+            r.k3s = "running"; r.k3sC = GREEN;
+
+            const [nodeRes, encRes, cniRes, podRes] = await Promise.all([
+              sshExec(info.ip, opts.user,
+                "sudo k3s kubectl get nodes -o jsonpath='{.items[0].status.conditions[?(@.type==\"Ready\")].status}' 2>/dev/null",
+                { ...(sshKey ? { keyPath: sshKey } : {}), timeoutMs: 8_000 }),
+              sshExec(info.ip, opts.user,
+                "sudo k3s secrets-encrypt status 2>/dev/null | head -1",
+                { ...(sshKey ? { keyPath: sshKey } : {}), timeoutMs: 8_000 }),
+              sshExec(info.ip, opts.user,
+                "sudo k3s kubectl get pods -n kube-system -l k8s-app=cilium --no-headers 2>/dev/null | head -1",
+                { ...(sshKey ? { keyPath: sshKey } : {}), timeoutMs: 8_000 }),
+              sshExec(info.ip, opts.user,
+                "sudo k3s kubectl get pods -A --no-headers 2>/dev/null | wc -l",
+                { ...(sshKey ? { keyPath: sshKey } : {}), timeoutMs: 8_000 }),
+            ]);
+
+            r.node = nodeRes.stdout.includes("True") ? "Ready" : "NotReady";
+            r.nodeC = nodeRes.stdout.includes("True") ? GREEN : RED;
+
+            r.encrypt = encRes.stdout.includes("Enabled") ? "yes" : "no";
+            r.encC = encRes.stdout.includes("Enabled") ? GREEN : RED;
+
+            r.cni = cniRes.stdout.includes("Running") ? "cilium" : "flannel";
+            r.cniC = cniRes.stdout.includes("Running") ? GREEN : DIM;
+
+            r.pods = podRes.stdout.trim() || "?";
+          } catch {
+            r.k3s = "unreachable"; r.k3sC = RED;
+          }
+
+          return r;
+        });
+
+        const results = await Promise.all(probes);
+        for (const r of results) {
+          console.log(
+            `${pad(r.host, 22)}${pad(r.ip, 16)}${pad(r.role, 8)}${r.k3sC}${pad(r.k3s, 14)}${RESET}${r.nodeC}${pad(r.node, 10)}${RESET}${r.encC}${pad(r.encrypt, 10)}${RESET}${r.cniC}${pad(r.cni, 14)}${RESET}${pad(r.pods, 6)}`,
+          );
+        }
+        return;
+      }
+
+      // Single target: detailed health check
+      const state = await fetchState();
+      const resolved = resolveTarget(target, state);
+
+      if (!resolved) {
+        console.error(`Cannot resolve target: ${target}`);
+        process.exit(1);
+      }
+
+      console.log(`Checking k3s health on ${resolved.hostname} (${resolved.ip})...\n`);
+
+      const k3s = new K3sModule();
+      const healthResult = await k3s.health({
+        hostname: resolved.hostname,
+        ip: resolved.ip,
+        role: resolved.role,
+        os: "fedora-43" as const,
+        arch: "x86_64" as const,
+        sshUser: opts.user,
+        ...(sshKey ? { sshKeyPath: sshKey } : {}),
+        config: {},
+      });
+
+      for (const line of healthResult.output) {
+        console.log(`  ${line}`);
+      }
+      if (healthResult.errors.length > 0) {
+        for (const err of healthResult.errors) {
+          console.error(`  ERROR: ${err}`);
+        }
+      }
+
+      process.exit(healthResult.success ? 0 : 1);
+    });
+
+  k3sCmd
+    .command("list")
+    .description("List installed machines and their k3s status")
+    .option("--user <user>", "SSH user", "michal")
+    .action(async (opts: { user: string }) => {
+      let state: BastionState;
+      try {
+        state = await getLabdClient().getMachines();
+      } catch (err) {
+        console.error(`Cannot reach labd: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+
+      const entries = Object.entries(state.installed);
+      if (entries.length === 0) {
+        console.log("No installed machines.");
+        return;
+      }
+
+      const sshKey = findSshKey();
+      const BOLD = "\x1b[1m";
+      const GREEN = "\x1b[32m";
+      const RED = "\x1b[31m";
+      const DIM = "\x1b[2m";
+      const RESET = "\x1b[0m";
+
+      const hdr = (s: string, w: number) => s.padEnd(w);
+      console.log(
+        `${BOLD}${hdr("HOSTNAME", 28)}${hdr("IP", 18)}${hdr("ROLE", 10)}${hdr("K3S", 16)}${hdr("NODE", 12)}${hdr("PODS", 6)}${RESET}`,
+      );
+
+      const probes = entries.map(async ([_mac, info]) => {
+        const row = {
+          hostname: info.hostname,
+          ip: info.ip,
+          role: info.role,
+          k3s: "—",
+          node: "—",
+          pods: "—",
+          k3sColor: DIM,
+          nodeColor: DIM,
+        };
+
+        if (!info.ip || info.role === "vanilla") {
+          row.k3s = info.role === "vanilla" ? "n/a" : "no ip";
+          return row;
+        }
+
+        try {
+          const svcResult = await sshExec(info.ip, opts.user, "systemctl is-active k3s 2>/dev/null || systemctl is-active k3s-agent 2>/dev/null", {
+            ...(sshKey ? { keyPath: sshKey } : {}),
+            timeoutMs: 8_000,
+          });
+          const svcStatus = svcResult.stdout.trim();
+
+          if (svcStatus === "active") {
+            row.k3s = "running";
+            row.k3sColor = GREEN;
+
+            const nodeResult = await sshExec(info.ip, opts.user,
+              "sudo k3s kubectl get nodes -o jsonpath='{.items[0].status.conditions[?(@.type==\"Ready\")].status}' 2>/dev/null || echo unknown",
+              { ...(sshKey ? { keyPath: sshKey } : {}), timeoutMs: 8_000 },
+            );
+            const nodeReady = nodeResult.stdout.trim();
+            if (nodeReady.includes("True")) {
+              row.node = "Ready";
+              row.nodeColor = GREEN;
+            } else {
+              row.node = "NotReady";
+              row.nodeColor = RED;
+            }
+
+            const podResult = await sshExec(info.ip, opts.user,
+              "sudo k3s kubectl get pods -A --no-headers 2>/dev/null | wc -l",
+              { ...(sshKey ? { keyPath: sshKey } : {}), timeoutMs: 8_000 },
+            );
+            row.pods = podResult.stdout.trim() || "?";
+          } else if (svcStatus === "inactive" || svcStatus === "dead") {
+            row.k3s = "stopped";
+            row.k3sColor = RED;
+          } else {
+            row.k3s = "not installed";
+            row.k3sColor = DIM;
+          }
+        } catch {
+          row.k3s = "unreachable";
+          row.k3sColor = RED;
+        }
+
+        return row;
+      });
+
+      const results = await Promise.all(probes);
+
+      for (const r of results) {
+        console.log(
+          `${hdr(r.hostname, 28)}${hdr(r.ip, 18)}${hdr(r.role, 10)}${r.k3sColor}${hdr(r.k3s, 16)}${RESET}${r.nodeColor}${hdr(r.node, 12)}${RESET}${hdr(r.pods, 6)}`,
+        );
+      }
+    });
+}
diff --git a/bastion/src/cli/src/commands/config.ts b/bastion/src/cli/src/commands/config.ts
new file mode 100644
index 0000000..286e35d
--- /dev/null
+++ b/bastion/src/cli/src/commands/config.ts
@@ -0,0 +1,76 @@
+// labctl config — view and modify CLI configuration.
+
+import type { Command } from "commander";
+import {
+  loadConfig,
+  saveConfig,
+  getConfigValue,
+  setConfigValue,
+  isValidConfigKey,
+  CONFIG_FILE,
+} from "../config/index.js";
+
+export function registerConfigCommand(parent: Command): void {
+  const configCmd = parent
+    .command("config")
+    .description("View and modify CLI configuration");
+
+  // config list
+  configCmd
+    .command("list")
+    .description("Show all configuration values")
+    .action(() => {
+      const config = loadConfig();
+      console.log(`# Configuration (${CONFIG_FILE})\n`);
+      for (const [k, v] of Object.entries(config)) {
+        if (v !== undefined) {
+          console.log(`${k}: ${v}`);
+        }
+      }
+    });
+
+  // config get <key>
+  configCmd
+    .command("get <key>")
+    .description("Get a configuration value")
+    .action((key: string) => {
+      if (!isValidConfigKey(key)) {
+        console.error(`Unknown config key: ${key}`);
+        console.error(`Valid keys: labdUrl, certPath, keyPath, caPath, defaultEnvironment, defaultCloud, outputFormat`);
+        process.exit(1);
+      }
+      const config = loadConfig();
+      const value = getConfigValue(config, key);
+      if (value) {
+        console.log(value);
+      }
+    });
+
+  // config set <key> <value>
+  configCmd
+    .command("set <key> <value>")
+    .description("Set a configuration value")
+    .action((key: string, value: string) => {
+      if (!isValidConfigKey(key)) {
+        console.error(`Unknown config key: ${key}`);
+        console.error(`Valid keys: labdUrl, certPath, keyPath, caPath, defaultEnvironment, defaultCloud, outputFormat`);
+        process.exit(1);
+      }
+      if (key === "outputFormat" && !["table", "json", "yaml"].includes(value)) {
+        console.error(`Invalid output format: ${value}. Must be table, json, or yaml.`);
+        process.exit(1);
+      }
+      let config = loadConfig();
+      config = setConfigValue(config, key, value);
+      saveConfig(config);
+      console.log(`Set ${key} = ${value}`);
+    });
+
+  // config path
+  configCmd
+    .command("path")
+    .description("Show configuration file path")
+    .action(() => {
+      console.log(CONFIG_FILE);
+    });
+}
diff --git a/bastion/src/cli/src/commands/doctor.ts b/bastion/src/cli/src/commands/doctor.ts
new file mode 100644
index 0000000..53af4e2
--- /dev/null
+++ b/bastion/src/cli/src/commands/doctor.ts
@@ -0,0 +1,126 @@
+// labctl doctor — diagnose configuration and connectivity issues.
+
+import { existsSync, readFileSync } from "node:fs";
+import { X509Certificate } from "node:crypto";
+import type { Command } from "commander";
+import { loadConfig, CONFIG_FILE, CERT_DIR } from "../config/index.js";
+
+interface DiagnosticResult {
+  name: string;
+  status: "ok" | "warn" | "error";
+  message: string;
+}
+
+const GREEN = "\x1b[32m";
+const YELLOW = "\x1b[33m";
+const RED = "\x1b[31m";
+const RESET = "\x1b[0m";
+
+export function registerDoctorCommand(program: Command): void {
+  program
+    .command("doctor")
+    .description("Diagnose configuration and connectivity issues")
+    .option("--json", "Output results as JSON")
+    .action(async (opts: { json?: boolean }) => {
+      const results: DiagnosticResult[] = [];
+      const config = loadConfig();
+
+      // Check config file
+      results.push({
+        name: "Configuration file",
+        status: existsSync(CONFIG_FILE) ? "ok" : "warn",
+        message: existsSync(CONFIG_FILE) ? CONFIG_FILE : "Using defaults — run 'labctl config set labdUrl <url>'",
+      });
+
+      // Check labd URL
+      results.push({
+        name: "labd URL",
+        status: config.labdUrl ? "ok" : "error",
+        message: config.labdUrl || "Not configured",
+      });
+
+      // Check client certificate
+      if (config.certPath && existsSync(config.certPath)) {
+        try {
+          const certPem = readFileSync(config.certPath, "utf-8");
+          const cert = new X509Certificate(certPem);
+          const expiresIn = new Date(cert.validTo).getTime() - Date.now();
+          const daysLeft = Math.floor(expiresIn / (1000 * 60 * 60 * 24));
+
+          results.push({
+            name: "Client certificate",
+            status: daysLeft > 7 ? "ok" : daysLeft > 0 ? "warn" : "error",
+            message: daysLeft > 0 ? `Valid for ${daysLeft} days` : "Expired!",
+          });
+        } catch {
+          results.push({
+            name: "Client certificate",
+            status: "error",
+            message: "Failed to parse certificate",
+          });
+        }
+      } else {
+        results.push({
+          name: "Client certificate",
+          status: "warn",
+          message: `Not configured — run 'labctl login'`,
+        });
+      }
+
+      // Check cert directory
+      results.push({
+        name: "Certificate directory",
+        status: existsSync(CERT_DIR) ? "ok" : "warn",
+        message: existsSync(CERT_DIR) ? CERT_DIR : "Not created yet",
+      });
+
+      // Test labd connectivity
+      try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 5000);
+        const resp = await fetch(`${config.labdUrl}/healthz`, {
+          signal: controller.signal,
+        });
+        clearTimeout(timeout);
+
+        const body = (await resp.json()) as { status?: string };
+        results.push({
+          name: "labd connectivity",
+          status: resp.ok ? "ok" : "warn",
+          message: resp.ok
+            ? `Connected — ${body.status ?? "ok"}`
+            : `HTTP ${resp.status}: ${body.status ?? "unknown"}`,
+        });
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        results.push({
+          name: "labd connectivity",
+          status: "error",
+          message: msg.includes("abort")
+            ? "Connection timed out (5s)"
+            : msg.includes("ECONNREFUSED")
+              ? "Connection refused"
+              : msg,
+        });
+      }
+
+      // Output
+      if (opts.json) {
+        console.log(JSON.stringify(results, null, 2));
+      } else {
+        console.log("Running diagnostics...\n");
+        for (const r of results) {
+          const icon = r.status === "ok" ? "\u2713" : r.status === "warn" ? "!" : "\u2717";
+          const color = r.status === "ok" ? GREEN : r.status === "warn" ? YELLOW : RED;
+          console.log(`${color}${icon}${RESET} ${r.name}: ${r.message}`);
+        }
+
+        const errors = results.filter((r) => r.status === "error").length;
+        const warns = results.filter((r) => r.status === "warn").length;
+        const oks = results.filter((r) => r.status === "ok").length;
+        console.log(`\n${oks} passed, ${warns} warnings, ${errors} errors`);
+
+        if (errors > 0) process.exitCode = 1;
+      }
+    });
+}
diff --git a/bastion/src/cli/src/commands/forget.ts b/bastion/src/cli/src/commands/forget.ts
new file mode 100644
index 0000000..b9dfacd
--- /dev/null
+++ b/bastion/src/cli/src/commands/forget.ts
@@ -0,0 +1,22 @@
+// CLI command: provision forget
+// Remove a machine from all bastion state via labd.
+
+import type { Command } from "commander";
+import { getLabdClient } from "../api/config.js";
+
+export function registerForgetCommand(parent: Command): void {
+  parent
+    .command("forget <mac>")
+    .description("Remove a machine from bastion state")
+    .action(async (mac: string) => {
+      const normalizedMac = mac.toLowerCase().replace(/-/g, ":");
+
+      try {
+        const result = await getLabdClient().forgetMachine(normalizedMac);
+        console.log(JSON.stringify(result, null, 2));
+      } catch (err) {
+        console.error(`Failed: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+    });
+}
diff --git a/bastion/src/cli/src/commands/install.ts b/bastion/src/cli/src/commands/install.ts
new file mode 100644
index 0000000..6da3f11
--- /dev/null
+++ b/bastion/src/cli/src/commands/install.ts
@@ -0,0 +1,69 @@
+// CLI command: provision install
+// Queue a discovered machine for OS installation via labd.
+
+import { Command, Option } from "commander";
+import { isValidOsId, SUPPORTED_OS, SUPPORTED_ROLES, ROLE_REGISTRY } from "@lab/shared";
+import { getLabdClient } from "../api/config.js";
+
+function roleTable(): string {
+  const lines: string[] = ["", "Available roles:"];
+  for (const r of ROLE_REGISTRY) {
+    const parent = r.parent ? ` (extends ${r.parent})` : "";
+    const apps = r.apps.length > 0 ? ` [auto: ${r.apps.join(", ")}]` : "";
+    lines.push(`  ${r.name.padEnd(16)} ${r.description}${parent}${apps}`);
+  }
+  return lines.join("\n");
+}
+
+export function registerInstallCommand(parent: Command): void {
+  parent
+    .command("install <mac> <hostname>")
+    .description("Queue a discovered machine for OS installation")
+    .showHelpAfterError(true)
+    .addHelpText("after", roleTable())
+    .addOption(new Option("--role <role>", "Machine role (see below)").choices([...SUPPORTED_ROLES]).default("worker"))
+    .addOption(new Option("--os <os>", "Operating system").choices([...SUPPORTED_OS]).default("fedora-43"))
+    .option("--disk <device>", "Target disk device (auto-detect if omitted)")
+    .action(async (mac: string, hostname: string, opts: {
+      role: string;
+      os: string;
+      disk?: string;
+    }) => {
+      if (!isValidOsId(opts.os)) {
+        console.error(`Unknown OS: ${opts.os}. Supported: ${SUPPORTED_OS.join(", ")}`);
+        process.exit(1);
+      }
+      if (!(SUPPORTED_ROLES as readonly string[]).includes(opts.role)) {
+        console.error(`Unknown role: ${opts.role}`);
+        console.error(roleTable());
+        process.exit(1);
+      }
+
+      try {
+        const result = await getLabdClient().installMachine({
+          mac,
+          hostname,
+          role: opts.role,
+          os: opts.os,
+          ...(opts.disk ? { disk: opts.disk } : {}),
+        });
+
+        console.log(JSON.stringify(result, null, 2));
+        console.log("");
+        const osLabel = opts.os.startsWith("ubuntu") ? "Ubuntu" : "Fedora";
+        console.log(`Power on the machine to start ${osLabel} installation.`);
+
+        const roleInfo = ROLE_REGISTRY.find(r => r.name === opts.role);
+        if (roleInfo?.k3s) {
+          console.log(`After install completes, k3s will be installed automatically (role=${opts.role}).`);
+          if (roleInfo.apps.length > 0) {
+            console.log(`Then: ${roleInfo.apps.join(", ")} will be deployed.`);
+          }
+          console.log(`To install k3s manually later: labctl app k3s install ${hostname}`);
+        }
+      } catch (err) {
+        console.error(`Failed: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+    });
+}
diff --git a/bastion/src/cli/src/commands/labcontroller.ts b/bastion/src/cli/src/commands/labcontroller.ts
new file mode 100644
index 0000000..6262f12
--- /dev/null
+++ b/bastion/src/cli/src/commands/labcontroller.ts
@@ -0,0 +1,298 @@
+// CLI command: labctl app labcontroller deploy/status
+// Deploy bastion + labd + CockroachDB to a k3s labcontroller node.
+
+import { existsSync, writeFileSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import type { Command } from "commander";
+import type { BastionState } from "@lab/shared";
+import { sshExec } from "@lab/modules";
+import { getLabdClient } from "../api/config.js";
+
+function findSshKey(): string | undefined {
+  const sudoUser = process.env["SUDO_USER"];
+  const realHome = sudoUser ? join("/home", sudoUser) : homedir();
+  for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+    const p = join(realHome, ".ssh", name);
+    if (existsSync(p)) return p;
+  }
+  return undefined;
+}
+
+async function resolveIp(target: string): Promise<string> {
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(target)) return target;
+  try {
+    const state = await getLabdClient().getMachines();
+    for (const [, info] of Object.entries(state.installed)) {
+      if (info.hostname === target || info.hostname.startsWith(target + ".")) {
+        return info.ip;
+      }
+    }
+  } catch { /* use target as-is */ }
+  return target;
+}
+
+export function registerLabcontrollerCommands(appCmd: Command): void {
+  const lcCmd = appCmd.command("labcontroller").description("Labcontroller deployment (bastion + labd + CockroachDB)");
+
+  lcCmd
+    .command("deploy <target>")
+    .description("Deploy labcontroller stack to a k3s node")
+    .option("--user <user>", "SSH user", "michal")
+    .option("--crdb-replicas <n>", "CockroachDB replicas", "1")
+    .action(async (target: string, opts: {
+      user: string;
+      crdbReplicas: string;
+    }) => {
+      const ip = await resolveIp(target);
+      const sshKey = findSshKey();
+      const sshOpts = sshKey ? { keyPath: sshKey } : {};
+
+      console.log(`Deploying labcontroller stack to ${target} (${ip})...\n`);
+
+      // 1. Fetch kubeconfig from target
+      console.log("[1/4] Fetching kubeconfig...");
+      const kcResult = await sshExec(ip, opts.user, "sudo cat /etc/rancher/k3s/k3s.yaml", { ...sshOpts, timeoutMs: 10_000 });
+      if (kcResult.exitCode !== 0) {
+        console.error("  Failed to fetch kubeconfig. Is k3s running?");
+        process.exit(1);
+      }
+
+      const kubeconfigDir = join(homedir(), ".kube");
+      mkdirSync(kubeconfigDir, { recursive: true });
+
+      const contextName = `lab-${target}`;
+      const kubeconfig = kcResult.stdout
+        .replace(/server:\s*https:\/\/127\.0\.0\.1:6443/, `server: https://${ip}:6443`)
+        .replace(/name:\s*default/g, `name: ${contextName}`)
+        .replace(/cluster:\s*default/g, `cluster: ${contextName}`)
+        .replace(/user:\s*default/g, `user: ${contextName}`);
+
+      const tmpPath = join(kubeconfigDir, `.lab-${target}-tmp`);
+      writeFileSync(tmpPath, kubeconfig, { mode: 0o600 });
+
+      const mainConfig = join(kubeconfigDir, "config");
+      const { spawnSync } = await import("node:child_process");
+      const mergeResult = spawnSync("kubectl", ["config", "view", "--flatten"], {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"],
+        env: { ...process.env, KUBECONFIG: `${mainConfig}:${tmpPath}` },
+      });
+
+      if (mergeResult.status === 0 && mergeResult.stdout) {
+        writeFileSync(mainConfig, mergeResult.stdout, { mode: 0o600 });
+        spawnSync("kubectl", ["config", "use-context", contextName], {
+          stdio: "pipe",
+          env: { ...process.env, KUBECONFIG: mainConfig },
+        });
+        console.log(`  Merged into ~/.kube/config as context "${contextName}"`);
+        console.log(`  Active context set to "${contextName}"`);
+      } else {
+        writeFileSync(join(kubeconfigDir, `lab-${target}`), kubeconfig, { mode: 0o600 });
+        console.log(`  Saved to ~/.kube/lab-${target} (merge failed, use KUBECONFIG=~/.kube/lab-${target})`);
+      }
+
+      try { const { unlinkSync } = await import("node:fs"); unlinkSync(tmpPath); } catch { /* ignore */ }
+      console.log("");
+
+      // 2. Apply CockroachDB manifests
+      console.log("[2/4] Deploying CockroachDB...");
+      const { cockroachDbManifests } = await import("@lab/modules/dist/modules/labcontroller/src/cockroachdb.js");
+      const crdb = cockroachDbManifests({ replicas: parseInt(opts.crdbReplicas, 10) });
+
+      const manifests = [crdb.namespace, crdb.headlessService, crdb.clientService, crdb.statefulSet];
+
+      for (const manifest of manifests) {
+        const json = JSON.stringify(manifest);
+        const kind = (manifest as { kind?: string }).kind ?? "?";
+        const name = ((manifest as { metadata?: { name?: string } }).metadata)?.name ?? "?";
+        const result = await sshExec(ip, opts.user,
+          `echo '${json.replace(/'/g, "'\\''")}' | sudo k3s kubectl apply -f -`,
+          { ...sshOpts, timeoutMs: 15_000 },
+        );
+        if (result.exitCode === 0) {
+          console.log(`  applied ${kind}/${name}`);
+        } else {
+          console.error(`  FAILED ${kind}/${name}: ${result.stderr.trim()}`);
+        }
+      }
+
+      console.log("  Waiting for CockroachDB pod...");
+      const waitResult = await sshExec(ip, opts.user,
+        "sudo k3s kubectl wait --for=condition=Ready pod -l app=cockroachdb -n lab-system --timeout=120s 2>/dev/null || echo 'still starting'",
+        { ...sshOpts, timeoutMs: 130_000 },
+      );
+      console.log(`  ${waitResult.stdout.trim()}`);
+
+      console.log("  Initializing CockroachDB cluster...");
+      const initJson = JSON.stringify(crdb.initJob);
+      await sshExec(ip, opts.user,
+        `echo '${initJson.replace(/'/g, "'\\''")}' | sudo k3s kubectl apply -f - 2>/dev/null; sudo k3s kubectl wait --for=condition=Complete job/cockroachdb-init -n lab-system --timeout=60s 2>/dev/null || echo 'init may already be done'`,
+        { ...sshOpts, timeoutMs: 70_000 },
+      );
+
+      await sshExec(ip, opts.user,
+        "sudo k3s kubectl exec cockroachdb-0 -n lab-system -- /cockroach/cockroach sql --insecure -e 'CREATE DATABASE IF NOT EXISTS lab' 2>/dev/null || echo 'db may already exist'",
+        { ...sshOpts, timeoutMs: 15_000 },
+      );
+      console.log("  CockroachDB ready\n");
+
+      // 3. Deploy labd
+      console.log("[3/4] Deploying labd...");
+      const { labdManifests } = await import("@lab/modules/dist/modules/labcontroller/src/labd.js");
+      const labd = labdManifests({ databaseUrl: crdb.connectionString });
+
+      for (const manifest of [labd.service, labd.deployment]) {
+        const json = JSON.stringify(manifest);
+        const kind = (manifest as { kind?: string }).kind ?? "?";
+        const name = ((manifest as { metadata?: { name?: string } }).metadata)?.name ?? "?";
+        const result = await sshExec(ip, opts.user,
+          `echo '${json.replace(/'/g, "'\\''")}' | sudo k3s kubectl apply -f -`,
+          { ...sshOpts, timeoutMs: 15_000 },
+        );
+        console.log(`  ${result.exitCode === 0 ? "applied" : "FAILED"} ${kind}/${name}`);
+      }
+      console.log("");
+
+      // 4. Deploy bastion
+      console.log("[4/4] Deploying bastion (hostNetwork)...");
+      const { bastionManifests } = await import("@lab/modules/dist/modules/labcontroller/src/bastion.js");
+      const bastion = bastionManifests();
+
+      const bJson = JSON.stringify(bastion.daemonSet);
+      const bResult = await sshExec(ip, opts.user,
+        `echo '${bJson.replace(/'/g, "'\\''")}' | sudo k3s kubectl apply -f -`,
+        { ...sshOpts, timeoutMs: 15_000 },
+      );
+      console.log(`  ${bResult.exitCode === 0 ? "applied" : "FAILED"} DaemonSet/bastion`);
+
+      // 5. Promote host role to labcontroller via labd
+      console.log("Promoting host role to labcontroller...");
+      try {
+        const state = await getLabdClient().getMachines();
+        for (const [mac, info] of Object.entries(state.installed)) {
+          if (info.ip === ip || info.hostname === target) {
+            await getLabdClient().updateRole(mac, "labcontroller");
+            console.log(`  ${info.hostname}: infra -> labcontroller`);
+            break;
+          }
+        }
+      } catch {
+        console.log("  Could not update role (labd may not be running yet)");
+      }
+
+      console.log("\n=== Labcontroller deployed ===");
+      console.log(`  CockroachDB: cockroachdb-client.lab-system:26257`);
+      console.log(`  labd:        ${ip}:30100`);
+      console.log(`  bastion:     ${ip}:8080 (hostNetwork)`);
+      console.log(`  context:     lab-${target}`);
+      console.log(`\n  Switch context: kubectl ctx lab-${target}`);
+      console.log(`  View pods:     kubectl get pods -n lab-system`);
+    });
+
+  lcCmd
+    .command("status [target]")
+    .description("Check labcontroller deployment status (all hosts if no target)")
+    .option("--user <user>", "SSH user", "michal")
+    .action(async (target: string | undefined, opts: { user: string }) => {
+      const sshKey = findSshKey();
+      const sshOpts = sshKey ? { keyPath: sshKey } : {};
+
+      if (!target) {
+        let state: BastionState;
+        try {
+          state = await getLabdClient().getMachines();
+        } catch (err) {
+          console.error(`Cannot reach labd: ${err instanceof Error ? err.message : String(err)}`);
+          process.exit(1);
+        }
+
+        const entries = Object.entries(state.installed);
+        if (entries.length === 0) {
+          console.log("No installed machines.");
+          return;
+        }
+
+        const BOLD = "\x1b[1m";
+        const GREEN = "\x1b[32m";
+        const RED = "\x1b[31m";
+        const DIM = "\x1b[2m";
+        const RESET = "\x1b[0m";
+        const pad = (s: string, w: number) => s.padEnd(w);
+
+        console.log(
+          `${BOLD}${pad("HOST", 22)}${pad("IP", 16)}${pad("ROLE", 14)}${pad("CRDB", 12)}${pad("LABD", 12)}${pad("BASTION", 12)}${pad("NS", 8)}${RESET}`,
+        );
+
+        interface StatusRow {
+          host: string; ip: string; role: string;
+          crdb: string; labd: string; bastion: string; ns: string;
+          crdbC: string; labdC: string; bastionC: string;
+        }
+
+        const probes = entries.map(async ([_mac, info]): Promise<StatusRow> => {
+          const r: StatusRow = {
+            host: info.hostname, ip: info.ip, role: info.role ?? "?",
+            crdb: "—", labd: "—", bastion: "—", ns: "—",
+            crdbC: DIM, labdC: DIM, bastionC: DIM,
+          };
+
+          if (!info.ip) return r;
+
+          try {
+            const result = await sshExec(info.ip, opts.user,
+              "sudo k3s kubectl get pods -n lab-system --no-headers -o custom-columns='NAME:.metadata.name,STATUS:.status.phase' 2>/dev/null || echo 'NO_NS'",
+              { ...sshOpts, timeoutMs: 10_000 },
+            );
+
+            if (result.stdout.includes("NO_NS") || result.exitCode !== 0) {
+              r.ns = "none";
+              return r;
+            }
+
+            r.ns = "ok";
+            const lines = result.stdout.trim().split("\n").filter(Boolean);
+
+            for (const line of lines) {
+              const [name, status] = line.trim().split(/\s+/);
+              if (!name) continue;
+              const running = status === "Running" || status === "Succeeded";
+              const color = running ? GREEN : RED;
+              const label = running ? "running" : (status ?? "?").toLowerCase();
+
+              if (name.startsWith("cockroachdb-") && !name.includes("init")) {
+                r.crdb = label; r.crdbC = color;
+              } else if (name.startsWith("labd-")) {
+                r.labd = label; r.labdC = color;
+              } else if (name.startsWith("bastion-")) {
+                r.bastion = label; r.bastionC = color;
+              }
+            }
+          } catch {
+            r.crdb = "ssh err"; r.crdbC = RED;
+          }
+
+          return r;
+        });
+
+        const results = await Promise.all(probes);
+        for (const r of results) {
+          console.log(
+            `${pad(r.host, 22)}${pad(r.ip, 16)}${pad(r.role, 14)}${r.crdbC}${pad(r.crdb, 12)}${RESET}${r.labdC}${pad(r.labd, 12)}${RESET}${r.bastionC}${pad(r.bastion, 12)}${RESET}${pad(r.ns, 8)}`,
+          );
+        }
+        return;
+      }
+
+      // Specific target: show detailed pod list
+      const ip = await resolveIp(target);
+
+      console.log(`Labcontroller status on ${target} (${ip}):\n`);
+
+      const result = await sshExec(ip, opts.user,
+        "sudo k3s kubectl get pods -n lab-system -o wide 2>/dev/null || echo 'lab-system namespace not found'",
+        { ...sshOpts, timeoutMs: 10_000 },
+      );
+      console.log(result.stdout);
+    });
+}
diff --git a/bastion/src/cli/src/commands/list.ts b/bastion/src/cli/src/commands/list.ts
new file mode 100644
index 0000000..029ca9b
--- /dev/null
+++ b/bastion/src/cli/src/commands/list.ts
@@ -0,0 +1,98 @@
+// CLI command: provision list
+// Merged view of all known machines with hardware + install info.
+
+import type { Command } from "commander";
+import type { BastionState } from "@lab/shared";
+import { getLabdClient } from "../api/config.js";
+
+const BOLD = "\x1b[1m";
+const GREEN = "\x1b[0;32m";
+const YELLOW = "\x1b[1;33m";
+const CYAN = "\x1b[0;36m";
+const RESET = "\x1b[0m";
+
+function statusColor(status: string): string {
+  switch (status) {
+    case "installed": return GREEN;
+    case "queued":
+    case "installing": return YELLOW;
+    case "discovered": return CYAN;
+    default: return RESET;
+  }
+}
+
+export function registerListCommand(parent: Command): void {
+  parent
+    .command("list")
+    .description("List all known machines")
+    .action(async () => {
+      let state: BastionState;
+      try {
+        state = await getLabdClient().getMachines();
+      } catch (err) {
+        console.error(`Cannot reach labd: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+
+      // Collect all known MACs
+      const allMacs = new Set([
+        ...Object.keys(state.discovered),
+        ...Object.keys(state.install_queue),
+        ...Object.keys(state.installed),
+      ]);
+
+      console.log("");
+      if (allMacs.size === 0) {
+        console.log("  No machines known. PXE boot a machine to discover it.");
+        console.log("");
+        return;
+      }
+
+      console.log(
+        `${BOLD}  ${"MAC".padEnd(20)} ${"HOSTNAME".padEnd(24)} ${"STATUS".padEnd(12)} ${"ROLE".padEnd(8)} ${"IP".padEnd(16)} ${"CPU".padEnd(24)} ${"CORES".padEnd(6)} ${"RAM".padEnd(6)} PRODUCT${RESET}`,
+      );
+
+      for (const mac of allMacs) {
+        const hw = state.discovered[mac];
+        const queued = state.install_queue[mac];
+        const inst = state.installed[mac];
+
+        // Determine status
+        let status = "discovered";
+        if (queued !== undefined) {
+          status = queued.progress !== undefined && queued.progress !== "" && queued.progress !== "waiting"
+            ? "installing"
+            : "queued";
+        }
+        if (inst !== undefined) status = "installed";
+
+        const hostname = inst?.hostname ?? queued?.hostname ?? "-";
+        const role = inst?.role ?? queued?.role ?? "-";
+        const ip = inst?.ip ?? "-";
+        const cpu = hw?.cpu_model ?? "-";
+        const cores = hw?.cpu_cores != null ? String(hw.cpu_cores) : "-";
+        const ram = hw?.memory_gb != null ? `${hw.memory_gb}GB` : "-";
+        const product = hw?.product ?? "-";
+
+        const color = statusColor(status);
+
+        console.log(
+          `  ${mac.padEnd(20)} ${hostname.padEnd(24)} ${color}${status.padEnd(12)}${RESET} ${role.padEnd(8)} ${ip.padEnd(16)} ${cpu.substring(0, 23).padEnd(24)} ${cores.padEnd(6)} ${ram.padEnd(6)} ${product}`,
+        );
+      }
+
+      // Show install queue details if any
+      const queueEntries = Object.entries(state.install_queue);
+      if (queueEntries.length > 0) {
+        console.log("");
+        console.log(`${BOLD}PENDING${RESET}`);
+        for (const [mac, cfg] of queueEntries) {
+          const progress = cfg.progress ?? "waiting";
+          const detail = cfg.progress_detail ?? "";
+          console.log(`  ${mac}  ${progress}${detail ? ` - ${detail}` : ""}`);
+        }
+      }
+
+      console.log("");
+    });
+}
diff --git a/bastion/src/cli/src/commands/login.ts b/bastion/src/cli/src/commands/login.ts
new file mode 100644
index 0000000..8f67081
--- /dev/null
+++ b/bastion/src/cli/src/commands/login.ts
@@ -0,0 +1,120 @@
+// labctl login — authenticate with labd and obtain client certificate.
+
+import { generateKeyPairSync } from "node:crypto";
+import { writeFileSync, existsSync, mkdirSync, readFileSync } from "node:fs";
+import { createInterface } from "node:readline";
+import type { Command } from "commander";
+import { loadConfig, saveConfig, CERT_DIR } from "../config/index.js";
+import { join } from "node:path";
+
+export function registerLoginCommand(program: Command): void {
+  program
+    .command("login")
+    .description("Authenticate with labd and obtain client certificate")
+    .option("--server <url>", "labd server URL")
+    .action(async (options: { server?: string }) => {
+      if (!existsSync(CERT_DIR)) {
+        mkdirSync(CERT_DIR, { recursive: true, mode: 0o700 });
+      }
+
+      const config = loadConfig();
+      const serverUrl = options.server ?? config.labdUrl;
+
+      const keyPath = join(CERT_DIR, "client.key");
+      const certPath = join(CERT_DIR, "client.crt");
+      const caPath = join(CERT_DIR, "ca.crt");
+
+      // 1. Generate keypair if not exists
+      if (!existsSync(keyPath)) {
+        console.log("Generating client keypair...");
+        const { privateKey } = generateKeyPairSync("ec", {
+          namedCurve: "P-256",
+          privateKeyEncoding: { type: "pkcs8", format: "pem" },
+          publicKeyEncoding: { type: "spki", format: "pem" },
+        });
+        writeFileSync(keyPath, privateKey, { mode: 0o600 });
+        console.log(`Private key saved to ${keyPath}`);
+      } else {
+        console.log(`Using existing keypair at ${keyPath}`);
+      }
+
+      // 2. Read public key for CSR (simplified — send public key, labd signs)
+      const publicKey = readFileSync(keyPath, "utf-8");
+
+      // 3. Prompt for token
+      const token = await promptPassword("Enter join token: ");
+      if (!token) {
+        console.error("Token is required.");
+        process.exit(1);
+      }
+
+      // 4. Submit enrollment request
+      console.log(`Authenticating with ${serverUrl}...`);
+      try {
+        const resp = await fetch(`${serverUrl}/api/auth/user-enroll`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            token,
+            hostname: `cli-${process.env["USER"] ?? "unknown"}`,
+            csr: publicKey,
+          }),
+        });
+
+        if (!resp.ok) {
+          const body = (await resp.json().catch(() => ({}))) as Record<string, string>;
+          console.error(`Login failed: ${body["error"] ?? resp.statusText}`);
+          process.exit(1);
+        }
+
+        const result = (await resp.json()) as {
+          certificatePem?: string | null;
+          caPem?: string | null;
+          status: string;
+        };
+
+        if (result.certificatePem) {
+          writeFileSync(certPath, result.certificatePem, { mode: 0o600 });
+          console.log(`Client certificate saved to ${certPath}`);
+        }
+        if (result.caPem) {
+          writeFileSync(caPath, result.caPem, { mode: 0o644 });
+          console.log(`CA certificate saved to ${caPath}`);
+        }
+
+        // 5. Update config
+        saveConfig({
+          ...config,
+          labdUrl: serverUrl,
+          certPath,
+          keyPath,
+          ...(existsSync(caPath) ? { caPath } : {}),
+        });
+
+        console.log(`\nLogin successful! Configuration updated.`);
+        console.log(`Server: ${serverUrl}`);
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        if (message.includes("ECONNREFUSED") || message.includes("fetch")) {
+          console.error(`Cannot connect to labd at ${serverUrl}`);
+          console.error("Check that labd is running and the URL is correct.");
+        } else {
+          console.error(`Login failed: ${message}`);
+        }
+        process.exit(1);
+      }
+    });
+}
+
+function promptPassword(message: string): Promise<string> {
+  return new Promise((resolve) => {
+    const rl = createInterface({
+      input: process.stdin,
+      output: process.stdout,
+    });
+    rl.question(message, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
diff --git a/bastion/src/cli/src/commands/logs.ts b/bastion/src/cli/src/commands/logs.ts
new file mode 100644
index 0000000..85a59c1
--- /dev/null
+++ b/bastion/src/cli/src/commands/logs.ts
@@ -0,0 +1,85 @@
+// CLI command: provision logs
+// Show provisioning logs for a machine via labd.
+
+import type { Command } from "commander";
+import { getLabdClient } from "../api/config.js";
+
+/** Resolve a target (hostname, MAC, IP) to a MAC address. */
+async function resolveToMac(target: string): Promise<string> {
+  const normalized = target.toLowerCase().replace(/-/g, ":");
+
+  // Looks like a MAC already
+  if (/^([0-9a-f]{2}:){5}[0-9a-f]{2}$/.test(normalized)) {
+    return normalized;
+  }
+
+  // Resolve from labd aggregated state
+  try {
+    const state = await getLabdClient().getMachines();
+
+    for (const [mac, info] of Object.entries(state.installed)) {
+      if (info.hostname === target || info.hostname.startsWith(target + ".") || info.ip === target) {
+        return mac;
+      }
+    }
+    for (const [mac, info] of Object.entries(state.install_queue)) {
+      if (info.hostname === target || info.hostname.startsWith(target + ".")) {
+        return mac;
+      }
+    }
+    for (const mac of Object.keys(state.discovered)) {
+      if (mac === normalized) return mac;
+    }
+  } catch { /* can't reach labd */ }
+
+  return normalized;
+}
+
+export function registerLogsCommand(parent: Command): void {
+  parent
+    .command("logs <target>")
+    .description("Show provisioning logs for a machine (hostname, MAC, or IP)")
+    .action(async (target: string) => {
+      const mac = await resolveToMac(target);
+
+      try {
+        const data = await getLabdClient().getMachineLogs(mac);
+
+        const BOLD = "\x1b[1m";
+        const GREEN = "\x1b[32m";
+        const YELLOW = "\x1b[33m";
+        const RED = "\x1b[31m";
+        const DIM = "\x1b[2m";
+        const RESET = "\x1b[0m";
+
+        console.log(`${BOLD}${data["hostname"]}${RESET} (${mac})`);
+        console.log(`  Status:   ${data["status"] === "installed" ? GREEN : YELLOW}${data["status"]}${RESET}`);
+        console.log(`  Role:     ${data["role"]}`);
+        if (data["os"]) console.log(`  OS:       ${data["os"]}`);
+        if (data["ip"]) console.log(`  IP:       ${data["ip"]}`);
+        console.log("");
+
+        const log = data["log"] as Array<{ stage: string; detail: string; timestamp: string }> | undefined;
+        if (log && log.length > 0) {
+          console.log(`${BOLD}  Log:${RESET}`);
+          for (const entry of log) {
+            const time = entry.timestamp.slice(11, 19);
+            const color = entry.stage === "complete" ? GREEN : entry.stage === "error" ? RED : YELLOW;
+            const detail = entry.detail ? ` ${DIM}-- ${entry.detail}${RESET}` : "";
+            console.log(`  ${DIM}${time}${RESET}  ${color}${entry.stage}${RESET}${detail}`);
+          }
+        } else {
+          console.log(`  ${DIM}No progress events yet (queued, waiting for PXE boot)${RESET}`);
+        }
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (msg.includes("404") || msg.includes("not found")) {
+          console.error(`Machine not found: ${target}`);
+          console.error("Run 'labctl provision list' to see available machines.");
+        } else {
+          console.error(`Cannot reach labd: ${msg}`);
+        }
+        process.exit(1);
+      }
+    });
+}
diff --git a/bastion/src/cli/src/commands/makeiso.ts b/bastion/src/cli/src/commands/makeiso.ts
new file mode 100644
index 0000000..5af9398
--- /dev/null
+++ b/bastion/src/cli/src/commands/makeiso.ts
@@ -0,0 +1,114 @@
+// CLI command: provision makeiso
+// Generate/serve a UEFI-bootable iPXE ISO for machines that don't support PXE boot.
+// Queries labd for connected bastions and provides the download URL.
+
+import { readFileSync, writeFileSync, existsSync } from "node:fs";
+import { createInterface } from "node:readline";
+import { Command, Option } from "commander";
+import { getLabdClient } from "../api/config.js";
+import { buildBootIso } from "@lab/bastion/iso-builder";
+
+function prompt(question: string): Promise<string> {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+const IPXE_PATHS: Record<string, { src: string; dest: string }> = {
+  x86_64: { src: "/usr/share/ipxe/ipxe-snponly-x86_64.efi", dest: "EFI/BOOT/BOOTX64.EFI" },
+  aarch64: { src: "/usr/share/ipxe/arm64-efi/snponly.efi", dest: "EFI/BOOT/BOOTAA64.EFI" },
+};
+
+async function selectBastion(): Promise<{ hostname: string; serverIp: string; httpPort: number }> {
+  const bastions = await getLabdClient().getBastions();
+  const online = bastions.filter(b => b.status === "online");
+
+  if (online.length === 0) {
+    console.error("No bastions online. Start a bastion first.");
+    process.exit(1);
+  }
+
+  if (online.length === 1) {
+    const b = online[0]!;
+    console.log(`Using bastion: ${b.hostname} (${b.serverIp})`);
+    return { hostname: b.hostname, serverIp: b.serverIp, httpPort: 8080 };
+  }
+
+  console.log("Available bastions:\n");
+  for (let i = 0; i < online.length; i++) {
+    const b = online[i]!;
+    console.log(`  ${i + 1}) ${b.hostname}  ${b.serverIp}  (${b.network})`);
+  }
+  console.log("");
+
+  const answer = await prompt(`Select bastion [1-${online.length}]: `);
+  const idx = parseInt(answer, 10) - 1;
+  if (isNaN(idx) || idx < 0 || idx >= online.length) {
+    console.error("Invalid selection.");
+    process.exit(1);
+  }
+
+  const selected = online[idx]!;
+  return { hostname: selected.hostname, serverIp: selected.serverIp, httpPort: 8080 };
+}
+
+export function registerMakeIsoCommand(parent: Command): void {
+  parent
+    .command("makeiso")
+    .description("Generate a UEFI-bootable iPXE ISO for network provisioning")
+    .addOption(
+      new Option("--arch <arch...>", "Target architecture(s)")
+        .choices(["x86_64", "aarch64"])
+        .default(["x86_64", "aarch64"]),
+    )
+    .option("--local", "Build ISO locally instead of using bastion-hosted URL")
+    .option("--out <path>", "Output path for local ISO build", "ipxe-bastion.iso")
+    .action(async (opts: { arch: string[]; local?: boolean; out: string }) => {
+      const bastion = await selectBastion();
+      const bastionUrl = `http://${bastion.serverIp}:${bastion.httpPort}`;
+
+      if (opts.local) {
+        console.log(`\nGenerating iPXE boot ISO...`);
+        console.log(`  Architectures: ${opts.arch.join(", ")}`);
+        console.log(`  Bastion: ${bastionUrl}`);
+
+        const efiFiles: Array<{ path: string; data: Buffer }> = [];
+        for (const arch of opts.arch) {
+          const paths = IPXE_PATHS[arch];
+          if (!paths) {
+            console.error(`Unknown architecture: ${arch}`);
+            process.exit(1);
+          }
+          if (!existsSync(paths.src)) {
+            console.error(`iPXE binary not found: ${paths.src}`);
+            console.error(`Install: sudo dnf install ipxe-bootimgs-${arch === "aarch64" ? "aarch64" : "x86"}`);
+            process.exit(1);
+          }
+          efiFiles.push({ path: paths.dest, data: readFileSync(paths.src) });
+          console.log(`  ${arch}: ${paths.dest.split("/").pop()}`);
+        }
+
+        const script = [
+          "#!ipxe",
+          "",
+          "echo Booting from iPXE ISO -- connecting to bastion...",
+          "dhcp || ( echo DHCP failed, retrying... && sleep 3 && dhcp )",
+          `chain ${bastionUrl}/boot.ipxe || shell`,
+        ].join("\n");
+
+        const iso = buildBootIso(efiFiles, script);
+        writeFileSync(opts.out, iso);
+        console.log(`\nISO written to: ${opts.out} (${(iso.length / 1024 / 1024).toFixed(1)}MB)`);
+      } else {
+        console.log(`\nThe bastion serves a boot ISO with the correct URL embedded.`);
+        console.log(`Use this URL in JetKVM or any BMC virtual media:\n`);
+        console.log(`  ${bastionUrl}/boot.iso`);
+      }
+
+      console.log(`\nMount as virtual CD, boot from it. iPXE will chainload from bastion.`);
+    });
+}
diff --git a/bastion/src/cli/src/commands/reprovision.ts b/bastion/src/cli/src/commands/reprovision.ts
new file mode 100644
index 0000000..7e421fc
--- /dev/null
+++ b/bastion/src/cli/src/commands/reprovision.ts
@@ -0,0 +1,161 @@
+// CLI command: provision reprovision
+// Queue a machine for reinstall and attempt SSH reboot into PXE via labd.
+
+import { execFileSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { Command, Option } from "commander";
+import type { BastionState } from "@lab/shared";
+import { isValidOsId, SUPPORTED_OS, SUPPORTED_ROLES, ROLE_REGISTRY } from "@lab/shared";
+import { getLabdClient } from "../api/config.js";
+
+function roleTable(): string {
+  const lines: string[] = ["", "Available roles:"];
+  for (const r of ROLE_REGISTRY) {
+    const parent = r.parent ? ` (extends ${r.parent})` : "";
+    const apps = r.apps.length > 0 ? ` [auto: ${r.apps.join(", ")}]` : "";
+    lines.push(`  ${r.name.padEnd(16)} ${r.description}${parent}${apps}`);
+  }
+  return lines.join("\n");
+}
+
+/** Resolve a target (hostname, MAC, or IP) to {mac, hostname, ip} from state. */
+function resolveTarget(
+  target: string,
+  state: BastionState,
+): { mac: string; hostname: string; ip: string } | null {
+  const normalized = target.toLowerCase().replace(/-/g, ":");
+
+  if (state.installed[normalized]) {
+    const info = state.installed[normalized];
+    return { mac: normalized, hostname: info.hostname, ip: info.ip };
+  }
+
+  if (state.discovered[normalized]) {
+    return { mac: normalized, hostname: normalized, ip: "" };
+  }
+
+  for (const [mac, info] of Object.entries(state.installed)) {
+    if (info.hostname === target || info.hostname.startsWith(target + ".")) {
+      return { mac, hostname: info.hostname, ip: info.ip };
+    }
+  }
+
+  for (const [mac, info] of Object.entries(state.installed)) {
+    if (info.ip === target) {
+      return { mac, hostname: info.hostname, ip: info.ip };
+    }
+  }
+
+  return null;
+}
+
+export function registerReprovisionCommand(parent: Command): void {
+  parent
+    .command("reprovision <target> [hostname]")
+    .description("Queue install + SSH reboot into PXE (target: hostname, MAC, or IP)")
+    .showHelpAfterError(true)
+    .addHelpText("after", roleTable())
+    .addOption(new Option("--role <role>", "Machine role (see below)").choices([...SUPPORTED_ROLES]).default("worker"))
+    .addOption(new Option("--os <os>", "Operating system").choices([...SUPPORTED_OS]).default("fedora-43"))
+    .option("--disk <device>", "Target disk device (auto-detect if omitted)")
+    .action(async (target: string, hostnameOverride: string | undefined, opts: {
+      role: string;
+      os: string;
+      disk?: string;
+    }) => {
+      if (!isValidOsId(opts.os)) {
+        console.error(`Unknown OS: ${opts.os}. Supported: ${SUPPORTED_OS.join(", ")}`);
+        process.exit(1);
+      }
+      if (!(SUPPORTED_ROLES as readonly string[]).includes(opts.role)) {
+        console.error(`Unknown role: ${opts.role}`);
+        console.error(roleTable());
+        process.exit(1);
+      }
+
+      const client = getLabdClient();
+
+      // Resolve target from labd aggregated state
+      let state: BastionState;
+      try {
+        state = await client.getMachines();
+      } catch (err) {
+        console.error(`Cannot reach labd: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+
+      const resolved = resolveTarget(target, state);
+      if (!resolved) {
+        console.error(`Cannot find machine: ${target}`);
+        console.error("Provide a hostname, MAC, or IP of a known machine.");
+        console.error("Run 'labctl provision list' to see available machines.");
+        process.exit(1);
+      }
+
+      const mac = resolved.mac;
+      const hostname = hostnameOverride ?? resolved.hostname;
+      const ip = resolved.ip;
+
+      console.log(`Reprovisioning ${hostname} (${mac})${ip ? ` at ${ip}` : ""}...`);
+      console.log(`  Role: ${opts.role}  OS: ${opts.os}`);
+      console.log("");
+
+      // Queue the install via labd
+      try {
+        const result = await client.installMachine({
+          mac,
+          hostname,
+          role: opts.role,
+          os: opts.os,
+          ...(opts.disk ? { disk: opts.disk } : {}),
+        });
+        console.log(JSON.stringify(result, null, 2));
+      } catch (err) {
+        console.error(`Failed to queue install: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+
+      // Try SSH reboot into PXE
+      if (ip === "") {
+        console.log("\nNo IP known. Reboot the machine manually into PXE.");
+        return;
+      }
+
+      const adminUser = process.env["SUDO_USER"] ?? process.env["USER"] ?? "";
+      const effectiveUser = adminUser === "root" ? "" : adminUser;
+
+      if (effectiveUser === "") {
+        console.log("\nReboot the machine manually into PXE.");
+        return;
+      }
+
+      console.log(`\nAttempting SSH reboot into PXE (${effectiveUser}@${ip})...`);
+
+      const sudoUser = process.env["SUDO_USER"];
+      const realHome = sudoUser !== undefined ? join("/home", sudoUser) : homedir();
+      const keyPaths = [
+        join(realHome, ".ssh", "id_ed25519"),
+        join(realHome, ".ssh", "id_rsa"),
+        join(realHome, ".ssh", "id_ecdsa"),
+      ];
+      const sshKey = keyPaths.find(k => existsSync(k));
+
+      const sshArgs = [
+        "-o", "StrictHostKeyChecking=no",
+        "-o", "ConnectTimeout=10",
+        ...(sshKey !== undefined ? ["-i", sshKey] : []),
+        `${effectiveUser}@${ip}`,
+        'PXE_ENTRY=$(sudo efibootmgr | grep -iE "pxe|network|ipv4" | head -1 | grep -oP "Boot\\K[0-9A-F]+"); if [ -n "$PXE_ENTRY" ]; then sudo efibootmgr --bootnext "$PXE_ENTRY" && echo "PXE set as next boot" && sudo reboot; else echo "No PXE boot entry found, rebooting anyway..." && sudo reboot; fi',
+      ];
+
+      try {
+        execFileSync("ssh", sshArgs, { stdio: "inherit" });
+      } catch {
+        // SSH connection closing during reboot is expected
+      }
+      console.log("");
+      console.log("Machine is rebooting into PXE. Install will start automatically.");
+    });
+}
diff --git a/bastion/src/cli/src/commands/serve.ts b/bastion/src/cli/src/commands/serve.ts
new file mode 100644
index 0000000..a435c92
--- /dev/null
+++ b/bastion/src/cli/src/commands/serve.ts
@@ -0,0 +1,145 @@
+// CLI command: init bastion standalone start
+// Start the bastion server (HTTP + dnsmasq), daemonized by default.
+
+import { spawn, type ChildProcess } from "node:child_process";
+import { existsSync, readFileSync, openSync, mkdirSync } from "node:fs";
+import type { Command } from "commander";
+import { startBastion } from "@lab/bastion";
+
+export function registerStartCommand(parent: Command): void {
+  parent
+    .command("start")
+    .description("Start the bastion server (HTTP + dnsmasq PXE)")
+    .option("--port <port>", "HTTP port", "8080")
+    .option("--dir <dir>", "Bastion data directory", "/tmp/lab-bastion")
+    .option("--domain <domain>", "Internal domain for hostnames", "ad.itaz.eu")
+    .option("--dhcp-mode <mode>", "DHCP mode: proxy or full", "proxy")
+    .option("--fedora <version>", "Fedora version", "43")
+    .option("--arch <arch>", "Architecture", "x86_64")
+    .option("--timezone <tz>", "Timezone", "Europe/London")
+    .option("--locale <locale>", "Locale", "en_GB.UTF-8")
+    .option("--skip-dnsmasq", "Skip starting dnsmasq (for testing)")
+    .option("--skip-artifacts", "Skip downloading boot artifacts (for testing)")
+    .option("--foreground", "Run in foreground (default: daemonize)")
+    .action(async (opts: {
+      port: string;
+      dir: string;
+      domain: string;
+      dhcpMode: string;
+      fedora: string;
+      arch: string;
+      timezone: string;
+      locale: string;
+      skipDnsmasq?: boolean;
+      skipArtifacts?: boolean;
+      foreground?: boolean;
+    }) => {
+      // Check root early (before daemonize) so the error is visible
+      if (!opts.skipDnsmasq && process.getuid?.() !== 0) {
+        console.error("Must run as root (dnsmasq needs DHCP/TFTP ports).");
+        console.error("Usage: sudo labctl init bastion standalone start");
+        process.exit(1);
+      }
+
+      if (opts.foreground === true) {
+        // Run in foreground
+        await startBastion({
+          httpPort: parseInt(opts.port, 10),
+          bastionDir: opts.dir,
+          domain: opts.domain,
+          dhcpMode: opts.dhcpMode as "proxy" | "full",
+          fedoraVersion: opts.fedora,
+          arch: opts.arch,
+          timezone: opts.timezone,
+          locale: opts.locale,
+          skipDnsmasq: opts.skipDnsmasq,
+          skipArtifacts: opts.skipArtifacts,
+        });
+        return;
+      }
+
+      // Daemonize: re-run with --foreground, redirect output to log file
+      mkdirSync(opts.dir, { recursive: true });
+      const logFile = `${opts.dir}/bastion.log`;
+
+      // Build explicit argument list instead of re-using process.argv
+      // (which breaks with bun-compiled binaries)
+      const fgArgs = [
+        "init", "bastion", "standalone", "start", "--foreground",
+        "--port", opts.port,
+        "--dir", opts.dir,
+        "--domain", opts.domain,
+        "--dhcp-mode", opts.dhcpMode,
+        "--fedora", opts.fedora,
+        "--arch", opts.arch,
+        "--timezone", opts.timezone,
+        "--locale", opts.locale,
+      ];
+      if (opts.skipDnsmasq) fgArgs.push("--skip-dnsmasq");
+      if (opts.skipArtifacts) fgArgs.push("--skip-artifacts");
+
+      // Determine how to re-invoke ourselves
+      const execPath = process.argv[0] ?? "labctl";
+      let spawnCmd: string;
+      let spawnArgs: string[];
+
+      if (execPath.includes("node") || execPath.includes("tsx")) {
+        const scriptPath = process.argv[1];
+        spawnCmd = execPath;
+        spawnArgs = scriptPath ? [scriptPath, ...fgArgs] : fgArgs;
+      } else {
+        spawnCmd = execPath;
+        spawnArgs = fgArgs;
+      }
+
+      // Open log file for the child's stdout/stderr so it survives parent exit
+      const logFd = openSync(logFile, "a");
+
+      const child: ChildProcess = spawn(spawnCmd, spawnArgs, {
+        detached: true,
+        stdio: ["ignore", logFd, logFd],
+      });
+
+      // Wait briefly for the child to start, then check it's alive
+      await new Promise((resolve) => setTimeout(resolve, 3000));
+
+      // Check if child is still running
+      try {
+        process.kill(child.pid!, 0); // signal 0 = check existence
+      } catch {
+        // Child already died — show the log
+        console.error("Bastion failed to start. Log output:");
+        console.error("");
+        try {
+          const log = readFileSync(logFile, "utf-8");
+          const lines = log.trim().split("\n").slice(-20);
+          for (const line of lines) {
+            console.error("  " + line);
+          }
+        } catch {
+          console.error("  (no log output)");
+        }
+        process.exit(1);
+      }
+
+      child.unref();
+
+      // Print startup info from the log
+      try {
+        const log = readFileSync(logFile, "utf-8");
+        process.stdout.write(log);
+      } catch {
+        // No log yet
+      }
+
+      const pidFile = `${opts.dir}/bastion.pid`;
+      const pid = existsSync(pidFile)
+        ? readFileSync(pidFile, "utf-8").trim()
+        : String(child.pid);
+
+      console.log("");
+      console.log(`Bastion running in background (PID ${pid})`);
+      console.log(`Log: ${logFile}`);
+      process.exit(0);
+    });
+}
diff --git a/bastion/src/cli/src/commands/status.ts b/bastion/src/cli/src/commands/status.ts
new file mode 100644
index 0000000..12f88ae
--- /dev/null
+++ b/bastion/src/cli/src/commands/status.ts
@@ -0,0 +1,42 @@
+// CLI command: init bastion standalone status
+// Show connected bastions and their machine counts via labd.
+
+import type { Command } from "commander";
+import { getLabdClient } from "../api/config.js";
+
+const BOLD = "\x1b[1m";
+const GREEN = "\x1b[32m";
+const RED = "\x1b[31m";
+const DIM = "\x1b[2m";
+const RESET = "\x1b[0m";
+
+export function registerStatusCommand(parent: Command): void {
+  parent
+    .command("status")
+    .description("Show bastion server status")
+    .action(async () => {
+      try {
+        const bastions = await getLabdClient().getBastions();
+
+        if (bastions.length === 0) {
+          console.log("No bastions registered.");
+          return;
+        }
+
+        const pad = (s: string, w: number) => s.padEnd(w);
+        console.log(
+          `${BOLD}${pad("HOSTNAME", 24)}${pad("NETWORK", 18)}${pad("IP", 18)}${pad("STATUS", 10)}${pad("MACHINES", 10)}${RESET}`,
+        );
+
+        for (const b of bastions) {
+          const statusColor = b.status === "online" ? GREEN : RED;
+          console.log(
+            `${pad(b.hostname, 24)}${DIM}${pad(b.network, 18)}${RESET}${pad(b.serverIp, 18)}${statusColor}${pad(b.status, 10)}${RESET}${pad(String(b.machineCount), 10)}`,
+          );
+        }
+      } catch (err) {
+        console.error(`Cannot reach labd: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+      }
+    });
+}
diff --git a/bastion/src/cli/src/commands/stop.ts b/bastion/src/cli/src/commands/stop.ts
new file mode 100644
index 0000000..b1ed687
--- /dev/null
+++ b/bastion/src/cli/src/commands/stop.ts
@@ -0,0 +1,34 @@
+// CLI command: init bastion standalone stop
+// Read PID from bastion.pid and send SIGTERM.
+
+import { readFileSync, existsSync } from "node:fs";
+import type { Command } from "commander";
+
+export function registerStopCommand(parent: Command): void {
+  parent
+    .command("stop")
+    .description("Stop a running bastion server")
+    .option("--dir <dir>", "Bastion data directory", "/tmp/lab-bastion")
+    .action((opts: { dir: string }) => {
+      const pidFile = `${opts.dir}/bastion.pid`;
+
+      if (!existsSync(pidFile)) {
+        console.error("No bastion PID file found. Is the server running?");
+        process.exit(1);
+      }
+
+      const pid = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
+      if (isNaN(pid)) {
+        console.error(`Invalid PID in ${pidFile}`);
+        process.exit(1);
+      }
+
+      try {
+        process.kill(pid, "SIGTERM");
+        console.log(`Sent SIGTERM to bastion process (PID ${pid})`);
+      } catch {
+        console.error(`Cannot signal PID ${pid}. Process may have already exited.`);
+        process.exit(1);
+      }
+    });
+}
diff --git a/bastion/src/cli/src/config/index.ts b/bastion/src/cli/src/config/index.ts
new file mode 100644
index 0000000..4143334
--- /dev/null
+++ b/bastion/src/cli/src/config/index.ts
@@ -0,0 +1,111 @@
+// CLI configuration management.
+// Loads from: defaults -> ~/.labctl/config.yaml -> env vars -> CLI flags.
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+export interface CliConfig {
+  labdUrl: string;
+  certPath?: string;
+  keyPath?: string;
+  caPath?: string;
+  defaultEnvironment?: string;
+  defaultCloud?: string;
+  outputFormat?: "table" | "json" | "yaml";
+}
+
+export const CONFIG_DIR = join(homedir(), ".labctl");
+export const CONFIG_FILE = join(CONFIG_DIR, "config.yaml");
+export const CERT_DIR = join(CONFIG_DIR, "certs");
+
+const VALID_KEYS = new Set<keyof CliConfig>([
+  "labdUrl",
+  "certPath",
+  "keyPath",
+  "caPath",
+  "defaultEnvironment",
+  "defaultCloud",
+  "outputFormat",
+]);
+
+export function isValidConfigKey(key: string): key is keyof CliConfig {
+  return VALID_KEYS.has(key as keyof CliConfig);
+}
+
+export function loadConfig(): CliConfig {
+  // 1. Defaults
+  const config: CliConfig = {
+    labdUrl: "http://localhost:3100",
+  };
+
+  // 2. Config file overrides
+  if (existsSync(CONFIG_FILE)) {
+    try {
+      const raw = readFileSync(CONFIG_FILE, "utf-8");
+      const parsed = parseSimpleYaml(raw);
+      for (const [k, v] of Object.entries(parsed)) {
+        if (isValidConfigKey(k) && v !== "") {
+          (config as unknown as Record<string, string>)[k] = v;
+        }
+      }
+    } catch {
+      // Ignore malformed config
+    }
+  }
+
+  // 3. Environment variable overrides
+  if (process.env["LABD_URL"]) config.labdUrl = process.env["LABD_URL"];
+  if (process.env["LABCTL_ENV"]) config.defaultEnvironment = process.env["LABCTL_ENV"];
+  if (process.env["LABCTL_CLOUD"]) config.defaultCloud = process.env["LABCTL_CLOUD"];
+  if (process.env["LABCTL_OUTPUT"]) {
+    const fmt = process.env["LABCTL_OUTPUT"];
+    if (fmt === "table" || fmt === "json" || fmt === "yaml") {
+      config.outputFormat = fmt;
+    }
+  }
+
+  return config;
+}
+
+export function saveConfig(config: CliConfig): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+  const lines: string[] = [];
+  for (const [k, v] of Object.entries(config)) {
+    if (v !== undefined) {
+      lines.push(`${k}: ${v}`);
+    }
+  }
+  writeFileSync(CONFIG_FILE, lines.join("\n") + "\n", { mode: 0o600 });
+}
+
+export function getConfigValue(config: CliConfig, key: keyof CliConfig): string {
+  return String(config[key] ?? "");
+}
+
+export function setConfigValue(config: CliConfig, key: keyof CliConfig, value: string): CliConfig {
+  return { ...config, [key]: value };
+}
+
+/** Minimal YAML parser for flat key: value files (no nested structures). */
+function parseSimpleYaml(raw: string): Record<string, string> {
+  const result: Record<string, string> = {};
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const idx = trimmed.indexOf(":");
+    if (idx === -1) continue;
+    const key = trimmed.slice(0, idx).trim();
+    let value = trimmed.slice(idx + 1).trim();
+    if (
+      (value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'"))
+    ) {
+      value = value.slice(1, -1);
+    }
+    result[key] = value;
+  }
+  return result;
+}
diff --git a/bastion/src/cli/src/index.ts b/bastion/src/cli/src/index.ts
new file mode 100644
index 0000000..0584ec5
--- /dev/null
+++ b/bastion/src/cli/src/index.ts
@@ -0,0 +1,145 @@
+#!/usr/bin/env node
+// CLI entry point for lab-bastion.
+// Commands:
+//   init bastion standalone start/stop/status
+//   provision list/install/reprovision/forget
+
+import { fileURLToPath } from "node:url";
+import { Command, Option } from "commander";
+import { APP_VERSION } from "@lab/shared";
+import { loadConfig } from "./config/index.js";
+import { registerStartCommand } from "./commands/serve.js";
+import { registerStopCommand } from "./commands/stop.js";
+import { registerStatusCommand } from "./commands/status.js";
+import { registerInstallCommand } from "./commands/install.js";
+import { registerListCommand } from "./commands/list.js";
+import { registerReprovisionCommand } from "./commands/reprovision.js";
+import { registerForgetCommand } from "./commands/forget.js";
+import { registerLogsCommand } from "./commands/logs.js";
+import { registerMakeIsoCommand } from "./commands/makeiso.js";
+import { registerConfigCommand } from "./commands/config.js";
+import { registerLoginCommand } from "./commands/login.js";
+import { registerDoctorCommand } from "./commands/doctor.js";
+import { registerAppCommand } from "./commands/app.js";
+import { ROLE_REGISTRY } from "@lab/shared";
+
+export function createProgram(): Command {
+  const program = new Command();
+
+  program
+    .name("labctl")
+    .description("Lab infrastructure management CLI")
+    .version(APP_VERSION);
+
+  // Global options
+  program
+    .addOption(
+      new Option("-o, --output <format>", "output format")
+        .choices(["table", "json", "yaml"])
+        .default("table"),
+    )
+    .option("--server <url>", "override labd server URL")
+    .option("--env <name>", "override default environment")
+    .option("--cloud <name>", "override default cloud")
+    .option("--debug", "enable debug output")
+    .option("--no-color", "disable colored output");
+
+  // preAction hook: load config, apply CLI overrides, store merged config
+  program.hook("preAction", (thisCommand) => {
+    const config = loadConfig();
+    const opts = thisCommand.opts();
+
+    if (opts.output) config.outputFormat = opts.output;
+    if (opts.server) config.labdUrl = opts.server;
+    if (opts.env) config.defaultEnvironment = opts.env;
+    if (opts.cloud) config.defaultCloud = opts.cloud;
+
+    if (opts.debug) {
+      process.env["DEBUG"] = "1";
+    }
+    if (opts.color === false) {
+      process.env["NO_COLOR"] = "1";
+    }
+
+    thisCommand.setOptionValue("_config", config);
+  });
+
+  // version subcommand
+  program
+    .command("version")
+    .description("Show version information")
+    .action(() => {
+      console.log(`labctl  ${APP_VERSION}`);
+      console.log(`node    ${process.version}`);
+      console.log(`platform ${process.platform} ${process.arch}`);
+    });
+
+  // init bastion standalone start/stop/status
+  const initCmd = program.command("init");
+  initCmd.description("Initialise infrastructure components");
+
+  const bastionCmd = initCmd.command("bastion");
+  bastionCmd.description("Bastion PXE server management");
+
+  const standaloneCmd = bastionCmd.command("standalone");
+  standaloneCmd.description("Standalone bastion server lifecycle");
+
+  registerStartCommand(standaloneCmd);
+  registerStopCommand(standaloneCmd);
+  registerStatusCommand(standaloneCmd);
+
+  // provision list/install/reprovision/forget
+  const provisionCmd = program.command("provision");
+  provisionCmd.description("Machine provisioning operations");
+
+  registerListCommand(provisionCmd);
+  registerInstallCommand(provisionCmd);
+  registerReprovisionCommand(provisionCmd);
+  registerForgetCommand(provisionCmd);
+  registerLogsCommand(provisionCmd);
+  registerMakeIsoCommand(provisionCmd);
+
+  // config list/get/set/path
+  registerConfigCommand(program);
+
+  // login
+  registerLoginCommand(program);
+
+  // doctor
+  registerDoctorCommand(program);
+
+  // app k3s install/health + labcontroller
+  registerAppCommand(program);
+
+  // roles — quick reference
+  program
+    .command("roles")
+    .description("List available machine roles")
+    .action(() => {
+      const BOLD = "\x1b[1m";
+      const DIM = "\x1b[2m";
+      const RESET = "\x1b[0m";
+      const pad = (s: string, w: number) => s.padEnd(w);
+
+      console.log(`${BOLD}${pad("ROLE", 18)}${pad("EXTENDS", 12)}${pad("K3S", 6)}${pad("AUTO-DEPLOY", 30)}DESCRIPTION${RESET}`);
+      for (const r of ROLE_REGISTRY) {
+        const k3s = r.k3s ? "yes" : "no";
+        const apps = r.apps.length > 0 ? r.apps.join(", ") : "—";
+        const parent = r.parent ?? "—";
+        console.log(`${pad(r.name, 18)}${DIM}${pad(parent, 12)}${RESET}${pad(k3s, 6)}${pad(apps, 30)}${r.description}`);
+      }
+    });
+
+  return program;
+}
+
+// Run CLI when executed directly (not imported)
+const isDirectExecution =
+  process.argv[1] !== undefined &&
+  (process.argv[1].endsWith("/index.js") ||
+    process.argv[1].endsWith("/index.ts") ||
+    process.argv[1] === fileURLToPath(import.meta.url));
+
+if (isDirectExecution) {
+  createProgram().parse();
+}
diff --git a/bastion/src/cli/src/utils/index.ts b/bastion/src/cli/src/utils/index.ts
new file mode 100644
index 0000000..3190cf7
--- /dev/null
+++ b/bastion/src/cli/src/utils/index.ts
@@ -0,0 +1,27 @@
+// Public API for CLI utility functions.
+
+export {
+  parseResource,
+  formatResource,
+  validateServerName,
+  type ResourceType,
+  type ResourceIdentifier,
+} from "./resource.js";
+
+export {
+  printTable,
+  formatStatus,
+  formatRelativeTime,
+  formatOutput,
+  serverColumns,
+  roleColumns,
+  type TableColumn,
+  type Role,
+} from "./table.js";
+
+export {
+  isInteractive,
+  confirmAction,
+  promptInput,
+  promptPassword,
+} from "./prompts.js";
diff --git a/bastion/src/cli/src/utils/prompts.ts b/bastion/src/cli/src/utils/prompts.ts
new file mode 100644
index 0000000..a71eeeb
--- /dev/null
+++ b/bastion/src/cli/src/utils/prompts.ts
@@ -0,0 +1,48 @@
+// Interactive CLI prompts with non-interactive mode support.
+
+import { createInterface } from "node:readline";
+
+export function isInteractive(): boolean {
+  if (process.env["LABCTL_YES"] === "true") return false;
+  if (process.env["CI"] === "true") return false;
+  return Boolean(process.stdin.isTTY);
+}
+
+export async function confirmAction(
+  message: string,
+  defaultValue = false,
+): Promise<boolean> {
+  if (!isInteractive()) return true;
+
+  const hint = defaultValue ? "[Y/n]" : "[y/N]";
+  const answer = await prompt(`${message} ${hint} `);
+  if (answer === "") return defaultValue;
+  return answer.toLowerCase().startsWith("y");
+}
+
+export async function promptInput(
+  message: string,
+  defaultValue?: string,
+): Promise<string> {
+  if (!isInteractive() && defaultValue !== undefined) return defaultValue;
+  const suffix = defaultValue ? ` (${defaultValue})` : "";
+  const answer = await prompt(`${message}${suffix}: `);
+  return answer || defaultValue || "";
+}
+
+export async function promptPassword(message: string): Promise<string> {
+  return prompt(message);
+}
+
+function prompt(message: string): Promise<string> {
+  return new Promise((resolve) => {
+    const rl = createInterface({
+      input: process.stdin,
+      output: process.stdout,
+    });
+    rl.question(message, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
diff --git a/bastion/src/cli/src/utils/resource.ts b/bastion/src/cli/src/utils/resource.ts
new file mode 100644
index 0000000..b6351c6
--- /dev/null
+++ b/bastion/src/cli/src/utils/resource.ts
@@ -0,0 +1,129 @@
+// Resource name parsing and validation utilities.
+// Handles "type/name" and "type/namespace/name" resource identifiers
+// used throughout the CLI for addressing lab platform objects.
+
+/** All valid resource types in the lab platform. */
+export type ResourceType =
+  | "server"
+  | "app"
+  | "cluster"
+  | "role"
+  | "user"
+  | "pulumi"
+  | "bastion"
+  | "agent"
+  | "audit";
+
+const VALID_RESOURCE_TYPES: ReadonlySet<string> = new Set<ResourceType>([
+  "server",
+  "app",
+  "cluster",
+  "role",
+  "user",
+  "pulumi",
+  "bastion",
+  "agent",
+  "audit",
+]);
+
+/** A parsed resource identifier: type with name and optional namespace. */
+export interface ResourceIdentifier {
+  type: ResourceType;
+  name: string;
+  namespace?: string;
+}
+
+/**
+ * Parse a resource string into a structured identifier.
+ *
+ * Accepted formats:
+ *   "server/myhost"            -> { type: "server", name: "myhost" }
+ *   "app/production/frontend"  -> { type: "app", name: "frontend", namespace: "production" }
+ *
+ * @throws Error if the input does not match the expected format or the type is unknown.
+ */
+export function parseResource(input: string): ResourceIdentifier {
+  const match = /^([a-z-]+)\/(.+)$/.exec(input);
+  if (!match) {
+    throw new Error(
+      `Invalid resource format: "${input}". Expected "type/name" or "type/namespace/name".`,
+    );
+  }
+
+  const rawType = match[1]!;
+  const rest = match[2]!;
+
+  if (!VALID_RESOURCE_TYPES.has(rawType)) {
+    const valid = [...VALID_RESOURCE_TYPES].join(", ");
+    throw new Error(
+      `Unknown resource type "${rawType}". Valid types: ${valid}.`,
+    );
+  }
+
+  const type = rawType as ResourceType;
+
+  // If rest contains a slash, split into namespace/name
+  const slashIndex = rest.indexOf("/");
+  if (slashIndex !== -1) {
+    const namespace = rest.slice(0, slashIndex);
+    const name = rest.slice(slashIndex + 1);
+    if (!namespace || !name) {
+      throw new Error(
+        `Invalid resource format: "${input}". Namespace and name must not be empty.`,
+      );
+    }
+    return { type, name, namespace };
+  }
+
+  return { type, name: rest };
+}
+
+/**
+ * Format a resource identifier back into its string representation.
+ *
+ * Returns "type/name" or "type/namespace/name" depending on whether
+ * a namespace is present.
+ */
+export function formatResource(resource: ResourceIdentifier): string {
+  if (resource.namespace !== undefined) {
+    return `${resource.type}/${resource.namespace}/${resource.name}`;
+  }
+  return `${resource.type}/${resource.name}`;
+}
+
+/** Hostname validation pattern: lowercase alphanumeric with dots and hyphens. */
+const HOSTNAME_PATTERN = /^[a-z0-9][a-z0-9.-]*[a-z0-9]$/;
+
+/**
+ * Validate that a server name is a legal hostname.
+ *
+ * Rules:
+ *   - Must start and end with a lowercase letter or digit
+ *   - May contain lowercase letters, digits, dots, and hyphens
+ *   - Single-character names (one lowercase letter or digit) are allowed
+ *
+ * @throws Error if the name is not a valid hostname.
+ */
+export function validateServerName(name: string): void {
+  if (name.length === 0) {
+    throw new Error("Server name must not be empty.");
+  }
+
+  // Single character: just check it's alphanumeric
+  if (name.length === 1) {
+    if (!/^[a-z0-9]$/.test(name)) {
+      throw new Error(
+        `Invalid server name "${name}". Must contain only lowercase letters, digits, dots, and hyphens, ` +
+          "and must start and end with a letter or digit.",
+      );
+    }
+    return;
+  }
+
+  if (!HOSTNAME_PATTERN.test(name)) {
+    throw new Error(
+      `Invalid server name "${name}". Must contain only lowercase letters, digits, dots, and hyphens, ` +
+        "and must start and end with a letter or digit.",
+    );
+  }
+}
diff --git a/bastion/src/cli/src/utils/table.ts b/bastion/src/cli/src/utils/table.ts
new file mode 100644
index 0000000..6b93356
--- /dev/null
+++ b/bastion/src/cli/src/utils/table.ts
@@ -0,0 +1,267 @@
+// Table formatting utilities for CLI output.
+// Uses plain ANSI escape codes and string padding — no external dependencies.
+
+import type { Server } from "../api/types.js";
+
+// ---------------------------------------------------------------------------
+// ANSI escape codes
+// ---------------------------------------------------------------------------
+
+const BOLD = "\x1b[1m";
+const RESET = "\x1b[0m";
+const GREEN = "\x1b[32m";
+const RED = "\x1b[31m";
+const YELLOW = "\x1b[33m";
+const CYAN = "\x1b[36m";
+
+// ---------------------------------------------------------------------------
+// TableColumn interface
+// ---------------------------------------------------------------------------
+
+/** Describes a single column in a formatted table. */
+export interface TableColumn<T> {
+  /** Column header label. */
+  header: string;
+  /** Property key on T, or a function that extracts the cell value from a row. */
+  accessor: keyof T | ((row: T) => string);
+  /** Fixed column width (defaults to max of header width and widest cell). */
+  width?: number;
+  /** Text alignment within the cell. Defaults to 'left'. */
+  align?: "left" | "center" | "right";
+}
+
+// ---------------------------------------------------------------------------
+// printTable
+// ---------------------------------------------------------------------------
+
+/** Resolve a cell value from a row using a column's accessor. */
+function cellValue<T>(row: T, accessor: TableColumn<T>["accessor"]): string {
+  if (typeof accessor === "function") {
+    return accessor(row);
+  }
+  const raw = row[accessor];
+  if (raw === null || raw === undefined) return "-";
+  return String(raw);
+}
+
+/** Pad a string to a given width respecting the requested alignment. */
+function padCell(text: string, width: number, align: "left" | "center" | "right"): string {
+  if (text.length >= width) return text.slice(0, width);
+  switch (align) {
+    case "right":
+      return text.padStart(width);
+    case "center": {
+      const total = width - text.length;
+      const left = Math.floor(total / 2);
+      return " ".repeat(left) + text + " ".repeat(total - left);
+    }
+    case "left":
+    default:
+      return text.padEnd(width);
+  }
+}
+
+/**
+ * Format and print a table to stdout.
+ *
+ * Columns are separated by two spaces. The header row is bold. Column widths
+ * are auto-calculated from the data unless explicitly set via `width`.
+ */
+export function printTable<T>(data: T[], columns: TableColumn<T>[]): void {
+  // Compute effective widths: max(header, longest cell, explicit width).
+  const widths = columns.map((col) => {
+    const headerLen = col.header.length;
+    const maxCell = data.reduce((max, row) => {
+      const len = cellValue(row, col.accessor).length;
+      return len > max ? len : max;
+    }, 0);
+    const auto = Math.max(headerLen, maxCell);
+    return col.width !== undefined ? Math.max(col.width, headerLen) : auto;
+  });
+
+  const gap = "  ";
+
+  // Header
+  const headerLine = columns
+    .map((col, i) => padCell(col.header, widths[i]!, col.align ?? "left"))
+    .join(gap);
+  console.log(`${BOLD}${headerLine}${RESET}`);
+
+  // Rows
+  for (const row of data) {
+    const line = columns
+      .map((col, i) => padCell(cellValue(row, col.accessor), widths[i]!, col.align ?? "left"))
+      .join(gap);
+    console.log(line);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// formatStatus
+// ---------------------------------------------------------------------------
+
+/**
+ * Return a status string wrapped in the appropriate ANSI colour code.
+ *
+ * - green:  online, installed
+ * - red:    offline, error
+ * - yellow: queued, installing, provisioning
+ * - cyan:   discovered
+ */
+export function formatStatus(status: string): string {
+  const lower = status.toLowerCase();
+  switch (lower) {
+    case "online":
+    case "installed":
+      return `${GREEN}${status}${RESET}`;
+    case "offline":
+    case "error":
+      return `${RED}${status}${RESET}`;
+    case "queued":
+    case "installing":
+    case "provisioning":
+      return `${YELLOW}${status}${RESET}`;
+    case "discovered":
+      return `${CYAN}${status}${RESET}`;
+    default:
+      return status;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// formatRelativeTime
+// ---------------------------------------------------------------------------
+
+/**
+ * Convert a timestamp into a human-friendly relative string such as
+ * "2m ago", "3h ago", or "5d ago".  Returns "-" for null / undefined.
+ */
+export function formatRelativeTime(timestamp: Date | string | null): string {
+  if (timestamp === null || timestamp === undefined) return "-";
+
+  const date = typeof timestamp === "string" ? new Date(timestamp) : timestamp;
+  const now = Date.now();
+  const diffMs = now - date.getTime();
+
+  if (diffMs < 0) return "just now";
+
+  const seconds = Math.floor(diffMs / 1000);
+  if (seconds < 60) return `${seconds}s ago`;
+
+  const minutes = Math.floor(seconds / 60);
+  if (minutes < 60) return `${minutes}m ago`;
+
+  const hours = Math.floor(minutes / 60);
+  if (hours < 24) return `${hours}h ago`;
+
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}
+
+// ---------------------------------------------------------------------------
+// Predefined column sets
+// ---------------------------------------------------------------------------
+
+/** Role-like object used for predefined roleColumns. */
+export interface Role {
+  name: string;
+  description: string;
+  permissions: string[];
+}
+
+/** Predefined columns for listing Server objects. */
+export const serverColumns: TableColumn<Server>[] = [
+  { header: "NAME", accessor: "hostname" },
+  { header: "CLOUD", accessor: "cloud" },
+  { header: "ENV", accessor: "environment" },
+  { header: "ROLE", accessor: "role" },
+  { header: "STATUS", accessor: (s) => formatStatus(s.status) },
+  { header: "LAST SEEN", accessor: (s) => formatRelativeTime(s.lastHeartbeat) },
+];
+
+/** Predefined columns for listing Role objects. */
+export const roleColumns: TableColumn<Role>[] = [
+  { header: "NAME", accessor: "name" },
+  { header: "DESCRIPTION", accessor: "description" },
+  { header: "PERMISSIONS", accessor: (r) => String(r.permissions.length) },
+];
+
+// ---------------------------------------------------------------------------
+// formatOutput — multi-format output dispatcher
+// ---------------------------------------------------------------------------
+
+/**
+ * Render an array of objects in the requested output format.
+ *
+ * - `table`: delegates to {@link printTable}. Requires `columns`.
+ * - `json`:  pretty-prints with 2-space indent.
+ * - `yaml`:  simple key/value serialisation (no external dependency).
+ */
+export function formatOutput<T>(
+  data: T[],
+  format: "table" | "json" | "yaml",
+  columns?: TableColumn<T>[],
+): void {
+  switch (format) {
+    case "json":
+      console.log(JSON.stringify(data, null, 2));
+      break;
+
+    case "yaml":
+      for (const [idx, item] of data.entries()) {
+        if (idx > 0) console.log("---");
+        serializeYaml(item as Record<string, unknown>, 0);
+      }
+      break;
+
+    case "table":
+      if (!columns || columns.length === 0) {
+        // Fallback: dump as JSON when no columns provided.
+        console.log(JSON.stringify(data, null, 2));
+        return;
+      }
+      printTable(data, columns);
+      break;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Minimal YAML serialiser (no dependency)
+// ---------------------------------------------------------------------------
+
+function serializeYaml(obj: unknown, indent: number): void {
+  const prefix = "  ".repeat(indent);
+
+  if (obj === null || obj === undefined) {
+    console.log(`${prefix}null`);
+    return;
+  }
+
+  if (typeof obj !== "object") {
+    console.log(`${prefix}${String(obj)}`);
+    return;
+  }
+
+  if (Array.isArray(obj)) {
+    for (const item of obj) {
+      if (typeof item === "object" && item !== null) {
+        console.log(`${prefix}-`);
+        serializeYaml(item, indent + 1);
+      } else {
+        console.log(`${prefix}- ${String(item)}`);
+      }
+    }
+    return;
+  }
+
+  for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {
+    if (value === null || value === undefined) {
+      console.log(`${prefix}${key}: null`);
+    } else if (typeof value === "object") {
+      console.log(`${prefix}${key}:`);
+      serializeYaml(value, indent + 1);
+    } else {
+      console.log(`${prefix}${key}: ${String(value)}`);
+    }
+  }
+}
diff --git a/bastion/src/cli/tests/api-errors.test.ts b/bastion/src/cli/tests/api-errors.test.ts
new file mode 100644
index 0000000..7a9dfef
--- /dev/null
+++ b/bastion/src/cli/tests/api-errors.test.ts
@@ -0,0 +1,56 @@
+// Tests for LabdApiError.
+
+import { describe, it, expect } from "vitest";
+import { LabdApiError, isLabdApiError } from "../src/api/errors.js";
+
+describe("LabdApiError", () => {
+  it("constructs with status code and message", () => {
+    const err = new LabdApiError(404, "Not found");
+    expect(err.statusCode).toBe(404);
+    expect(err.message).toBe("Not found");
+    expect(err.errorCode).toBe("NOT_FOUND");
+  });
+
+  it("fromResponse parses error body", () => {
+    const err = LabdApiError.fromResponse(400, {
+      error: "Invalid input",
+      detail: "hostname required",
+    });
+    expect(err.statusCode).toBe(400);
+    expect(err.message).toBe("Invalid input");
+    expect(err.detail).toBe("hostname required");
+  });
+
+  it("fromResponse handles non-object body", () => {
+    const err = LabdApiError.fromResponse(500, "plain text");
+    expect(err.statusCode).toBe(500);
+    expect(err.message).toBe("HTTP 500");
+  });
+
+  it("notConnected creates connection error", () => {
+    const err = LabdApiError.notConnected("https://localhost:8443");
+    expect(err.statusCode).toBe(0);
+    expect(err.errorCode).toBe("CONNECTION_ERROR");
+    expect(err.message).toContain("localhost:8443");
+  });
+
+  it("timeout creates timeout error", () => {
+    const err = LabdApiError.timeout(30000);
+    expect(err.message).toContain("30000ms");
+  });
+});
+
+describe("isLabdApiError", () => {
+  it("returns true for LabdApiError", () => {
+    expect(isLabdApiError(new LabdApiError(500, "err"))).toBe(true);
+  });
+
+  it("returns false for regular Error", () => {
+    expect(isLabdApiError(new Error("nope"))).toBe(false);
+  });
+
+  it("returns false for non-errors", () => {
+    expect(isLabdApiError(null)).toBe(false);
+    expect(isLabdApiError("string")).toBe(false);
+  });
+});
diff --git a/bastion/src/cli/tests/config.test.ts b/bastion/src/cli/tests/config.test.ts
new file mode 100644
index 0000000..7610dfa
--- /dev/null
+++ b/bastion/src/cli/tests/config.test.ts
@@ -0,0 +1,53 @@
+// Tests for CLI configuration management.
+
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, writeFileSync, rmSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+// We can't easily test loadConfig() because it uses homedir() for paths.
+// Instead, test the parsing and validation logic directly.
+import { isValidConfigKey } from "../src/config/index.js";
+
+describe("isValidConfigKey", () => {
+  it("accepts valid keys", () => {
+    expect(isValidConfigKey("labdUrl")).toBe(true);
+    expect(isValidConfigKey("certPath")).toBe(true);
+    expect(isValidConfigKey("keyPath")).toBe(true);
+    expect(isValidConfigKey("caPath")).toBe(true);
+    expect(isValidConfigKey("defaultEnvironment")).toBe(true);
+    expect(isValidConfigKey("defaultCloud")).toBe(true);
+    expect(isValidConfigKey("outputFormat")).toBe(true);
+  });
+
+  it("rejects invalid keys", () => {
+    expect(isValidConfigKey("password")).toBe(false);
+    expect(isValidConfigKey("")).toBe(false);
+    expect(isValidConfigKey("LABD_URL")).toBe(false);
+  });
+});
+
+describe("CLI program creation", () => {
+  it("creates program with all commands", async () => {
+    const { createProgram } = await import("../src/index.js");
+    const program = createProgram();
+
+    // Check top-level commands exist
+    const commandNames = program.commands.map((c) => c.name());
+    expect(commandNames).toContain("version");
+    expect(commandNames).toContain("init");
+    expect(commandNames).toContain("provision");
+    expect(commandNames).toContain("config");
+    expect(commandNames).toContain("login");
+    expect(commandNames).toContain("doctor");
+  });
+
+  it("has global options", async () => {
+    const { createProgram } = await import("../src/index.js");
+    const program = createProgram();
+    const optionNames = program.options.map((o) => o.long);
+    expect(optionNames).toContain("--output");
+    expect(optionNames).toContain("--server");
+    expect(optionNames).toContain("--debug");
+  });
+});
diff --git a/bastion/src/cli/tests/resource.test.ts b/bastion/src/cli/tests/resource.test.ts
new file mode 100644
index 0000000..f4a2be7
--- /dev/null
+++ b/bastion/src/cli/tests/resource.test.ts
@@ -0,0 +1,71 @@
+// Tests for resource name parsing utilities.
+
+import { describe, it, expect } from "vitest";
+import {
+  parseResource,
+  formatResource,
+  validateServerName,
+} from "../src/utils/resource.js";
+
+describe("parseResource", () => {
+  it("parses server/name", () => {
+    const r = parseResource("server/labmaster");
+    expect(r.type).toBe("server");
+    expect(r.name).toBe("labmaster");
+    expect(r.namespace).toBeUndefined();
+  });
+
+  it("parses app/namespace/name", () => {
+    const r = parseResource("app/kube-system/nginx");
+    expect(r.type).toBe("app");
+    expect(r.namespace).toBe("kube-system");
+    expect(r.name).toBe("nginx");
+  });
+
+  it("parses all valid types", () => {
+    const types = ["server", "app", "cluster", "role", "user", "pulumi", "bastion", "agent", "audit"];
+    for (const t of types) {
+      expect(parseResource(`${t}/name`).type).toBe(t);
+    }
+  });
+
+  it("throws on invalid format", () => {
+    expect(() => parseResource("noslash")).toThrow("Invalid resource format");
+  });
+
+  it("throws on unknown type", () => {
+    expect(() => parseResource("unknown/name")).toThrow("Unknown resource type");
+  });
+});
+
+describe("formatResource", () => {
+  it("formats simple resource", () => {
+    expect(formatResource({ type: "server", name: "w1" })).toBe("server/w1");
+  });
+
+  it("formats namespaced resource", () => {
+    expect(
+      formatResource({ type: "app", namespace: "default", name: "nginx" }),
+    ).toBe("app/default/nginx");
+  });
+
+  it("roundtrips with parseResource", () => {
+    const input = "server/labmaster";
+    expect(formatResource(parseResource(input))).toBe(input);
+  });
+});
+
+describe("validateServerName", () => {
+  it("accepts valid hostnames", () => {
+    expect(() => validateServerName("worker-1")).not.toThrow();
+    expect(() => validateServerName("web.cluster.local")).not.toThrow();
+    expect(() => validateServerName("a")).not.toThrow();
+  });
+
+  it("rejects invalid hostnames", () => {
+    expect(() => validateServerName("-start")).toThrow();
+    expect(() => validateServerName("end-")).toThrow();
+    expect(() => validateServerName("")).toThrow();
+    expect(() => validateServerName("has space")).toThrow();
+  });
+});
diff --git a/bastion/src/cli/tests/smoke-bastion.test.ts b/bastion/src/cli/tests/smoke-bastion.test.ts
new file mode 100644
index 0000000..4d934ee
--- /dev/null
+++ b/bastion/src/cli/tests/smoke-bastion.test.ts
@@ -0,0 +1,197 @@
+// Smoke tests for bastion CLI commands.
+// These tests spawn real processes and verify they work end-to-end.
+
+import { describe, it, expect, afterEach } from "vitest";
+import { spawn, execSync, type ChildProcess } from "node:child_process";
+import { existsSync, readFileSync, mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+const CLI_PATH = join(import.meta.dirname, "..", "src", "index.ts");
+const TEST_DIR = join(tmpdir(), `lab-bastion-smoke-${process.pid}`);
+const PID_FILE = join(TEST_DIR, "bastion.pid");
+const LOG_FILE = join(TEST_DIR, "bastion.log");
+const TEST_PORT = 18932; // Unlikely to conflict
+
+function runCli(args: string[], timeoutMs = 10_000): Promise<{ code: number; stdout: string; stderr: string }> {
+  return new Promise((resolve, reject) => {
+    const child = spawn("node", ["--import", "tsx", CLI_PATH, ...args], {
+      timeout: timeoutMs,
+      env: { ...process.env, NODE_NO_WARNINGS: "1" },
+    });
+
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (d: Buffer) => { stdout += d.toString(); });
+    child.stderr.on("data", (d: Buffer) => { stderr += d.toString(); });
+
+    child.on("close", (code) => {
+      resolve({ code: code ?? 1, stdout, stderr });
+    });
+    child.on("error", reject);
+  });
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+function killPid(pid: number): void {
+  try { process.kill(pid, "SIGTERM"); } catch { /* already dead */ }
+}
+
+describe("bastion smoke tests", () => {
+  let daemonPid: number | undefined;
+
+  afterEach(() => {
+    // Kill any daemon we started
+    if (daemonPid) {
+      killPid(daemonPid);
+      daemonPid = undefined;
+    }
+    // Also try PID file
+    try {
+      const pid = parseInt(readFileSync(PID_FILE, "utf-8").trim(), 10);
+      if (!isNaN(pid)) killPid(pid);
+    } catch { /* no pid file */ }
+
+    // Clean up test directory
+    try { rmSync(TEST_DIR, { recursive: true, force: true }); } catch { /* ignore */ }
+  });
+
+  it("--help prints usage without error", async () => {
+    const result = await runCli(["--help"]);
+    expect(result.code).toBe(0);
+    expect(result.stdout).toContain("labctl");
+    expect(result.stdout).toContain("Commands:");
+  });
+
+  it("--version prints version", async () => {
+    const result = await runCli(["--version"]);
+    expect(result.code).toBe(0);
+    expect(result.stdout.trim()).toMatch(/^\d+\.\d+\.\d+$/);
+  });
+
+  it("version subcommand prints detailed info", async () => {
+    const result = await runCli(["version"]);
+    expect(result.code).toBe(0);
+    expect(result.stdout).toContain("labctl");
+    expect(result.stdout).toContain("node");
+    expect(result.stdout).toContain("platform");
+  });
+
+  it("config list works without config file", async () => {
+    const result = await runCli(["config", "list"]);
+    expect(result.code).toBe(0);
+    expect(result.stdout).toContain("labdUrl");
+  });
+
+  it("config path prints a path", async () => {
+    const result = await runCli(["config", "path"]);
+    expect(result.code).toBe(0);
+    expect(result.stdout.trim()).toContain(".labctl");
+  });
+
+  it("start without root prints helpful error", async () => {
+    // Only run if we're NOT root (CI may run as root)
+    if (process.getuid?.() === 0) return;
+
+    const result = await runCli([
+      "init", "bastion", "standalone", "start",
+      "--dir", TEST_DIR,
+      "--port", String(TEST_PORT),
+    ]);
+    expect(result.code).toBe(1);
+    expect(result.stderr).toContain("root");
+    expect(result.stderr).toContain("sudo");
+  });
+
+  it("foreground start with --skip-dnsmasq --skip-artifacts works and stays alive", async () => {
+    mkdirSync(TEST_DIR, { recursive: true });
+
+    // Start in foreground as a child process
+    const child = spawn(
+      "node",
+      [
+        "--import", "tsx",
+        CLI_PATH,
+        "init", "bastion", "standalone", "start", "--foreground",
+        "--skip-dnsmasq", "--skip-artifacts",
+        "--dir", TEST_DIR,
+        "--port", String(TEST_PORT),
+      ],
+      {
+        env: { ...process.env, NODE_NO_WARNINGS: "1" },
+        stdio: ["ignore", "pipe", "pipe"],
+      },
+    );
+
+    daemonPid = child.pid;
+
+    // Collect output
+    let stdout = "";
+    child.stdout.on("data", (d: Buffer) => { stdout += d.toString(); });
+
+    let stderr = "";
+    child.stderr.on("data", (d: Buffer) => { stderr += d.toString(); });
+
+    // Wait for the server to start (look for the banner)
+    const startedAt = Date.now();
+    const maxWait = 10_000;
+    while (Date.now() - startedAt < maxWait) {
+      if (stdout.includes("Waiting for PXE boot requests")) break;
+      await sleep(200);
+    }
+
+    expect(stdout).toContain("Waiting for PXE boot requests");
+    expect(stdout).toContain("HTTP server listening");
+
+    // Verify the process is still alive after startup
+    await sleep(1000);
+    let alive = false;
+    try {
+      process.kill(child.pid!, 0);
+      alive = true;
+    } catch { /* dead */ }
+    expect(alive).toBe(true);
+
+    // Verify PID file was created
+    expect(existsSync(PID_FILE)).toBe(true);
+    const pidFromFile = parseInt(readFileSync(PID_FILE, "utf-8").trim(), 10);
+    expect(pidFromFile).toBe(child.pid);
+
+    // Verify HTTP server responds
+    try {
+      const resp = await fetch(`http://127.0.0.1:${TEST_PORT}/api/machines`);
+      expect(resp.ok).toBe(true);
+    } catch (err) {
+      // If fetch fails, that's a real problem
+      throw new Error(`HTTP server not responding: ${err}`);
+    }
+
+    // Clean shutdown
+    child.kill("SIGTERM");
+    await new Promise<void>((resolve) => {
+      child.on("close", () => resolve());
+      setTimeout(resolve, 3000);
+    });
+
+    daemonPid = undefined;
+  }, 20_000);
+
+  it("status shows bastion info or reports labd unreachable", async () => {
+    const result = await runCli([
+      "init", "bastion", "standalone", "status",
+    ]);
+    // Status queries labd — may show bastions (if labd running) or error (if not)
+    const output = result.stdout + result.stderr;
+    expect(output).toMatch(/HOSTNAME|Cannot reach labd|No bastions/i);
+  });
+
+  it("doctor runs without crashing", async () => {
+    const result = await runCli(["doctor"]);
+    // Doctor may report errors (no labd running) but should not crash
+    expect(result.code).toBeLessThanOrEqual(1); // 0 = all ok, 1 = errors found
+    expect(result.stdout).toContain("diagnostics");
+  });
+});
diff --git a/bastion/src/cli/tsconfig.json b/bastion/src/cli/tsconfig.json
new file mode 100644
index 0000000..710a6df
--- /dev/null
+++ b/bastion/src/cli/tsconfig.json
@@ -0,0 +1,14 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*.ts"],
+  "references": [
+    { "path": "../shared" },
+    { "path": "../bastion" },
+    { "path": "../modules" }
+  ]
+}
diff --git a/bastion/src/cli/vitest.config.ts b/bastion/src/cli/vitest.config.ts
new file mode 100644
index 0000000..1cbc8c8
--- /dev/null
+++ b/bastion/src/cli/vitest.config.ts
@@ -0,0 +1,8 @@
+import { defineProject } from 'vitest/config';
+
+export default defineProject({
+  test: {
+    name: 'cli',
+    include: ['tests/**/*.test.ts'],
+  },
+});
diff --git a/bastion/src/lab-agent/package.json b/bastion/src/lab-agent/package.json
new file mode 100644
index 0000000..318792f
--- /dev/null
+++ b/bastion/src/lab-agent/package.json
@@ -0,0 +1,24 @@
+{
+  "name": "@lab/agent",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "./dist/main.js",
+  "types": "./dist/main.d.ts",
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rimraf dist"
+  },
+  "dependencies": {
+    "@lab/shared": "workspace:*",
+    "winston": "^3.17.0",
+    "winston-daily-rotate-file": "^5.0.0",
+    "ws": "^8.19.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.14.1",
+    "@types/ws": "^8.18.1",
+    "rimraf": "^6.1.3",
+    "typescript": "^5.9.3"
+  }
+}
diff --git a/bastion/src/lab-agent/src/main.ts b/bastion/src/lab-agent/src/main.ts
new file mode 100644
index 0000000..5ce234d
--- /dev/null
+++ b/bastion/src/lab-agent/src/main.ts
@@ -0,0 +1,10 @@
+/**
+ * @lab/agent — Lab agent daemon entry point.
+ *
+ * For now this module re-exports the command executor so it can be consumed
+ * by other packages in the monorepo.
+ */
+
+export { CommandExecutor } from "./services/executor.js";
+export type { ExecOptions, ExecResult } from "./services/executor.js";
+export { AgentConnection, type ConnectionConfig, type ConnectionState, DEFAULT_CONNECTION_CONFIG } from "./services/connection.js";
diff --git a/bastion/src/lab-agent/src/services/connection.ts b/bastion/src/lab-agent/src/services/connection.ts
new file mode 100644
index 0000000..4908b27
--- /dev/null
+++ b/bastion/src/lab-agent/src/services/connection.ts
@@ -0,0 +1,157 @@
+// Agent WebSocket connection to labd with heartbeat and reconnection.
+
+import { EventEmitter } from "node:events";
+import { hostname } from "node:os";
+import { readFileSync } from "node:fs";
+import WebSocket from "ws";
+import type { AgentMessage, ServerMessage } from "@lab/shared";
+import { parseServerMessage } from "@lab/shared";
+
+export type ConnectionState = "disconnected" | "connecting" | "connected" | "reconnecting";
+
+export interface ConnectionConfig {
+  labdUrl: string;
+  certPath: string;
+  keyPath: string;
+  caPath?: string;
+  heartbeatIntervalMs: number;
+  reconnectBaseDelayMs: number;
+  reconnectMaxDelayMs: number;
+}
+
+export const DEFAULT_CONNECTION_CONFIG: Partial<ConnectionConfig> = {
+  heartbeatIntervalMs: 10_000,
+  reconnectBaseDelayMs: 1_000,
+  reconnectMaxDelayMs: 30_000,
+};
+
+export class AgentConnection extends EventEmitter {
+  private ws: WebSocket | null = null;
+  private heartbeatTimer: NodeJS.Timeout | null = null;
+  private reconnectAttempts = 0;
+  private isClosing = false;
+  private _state: ConnectionState = "disconnected";
+
+  constructor(private config: ConnectionConfig) {
+    super();
+  }
+
+  get state(): ConnectionState {
+    return this._state;
+  }
+
+  isConnected(): boolean {
+    return this._state === "connected";
+  }
+
+  async connect(): Promise<void> {
+    if (this.isClosing) return;
+
+    this.setState(this.reconnectAttempts > 0 ? "reconnecting" : "connecting");
+
+    const wsUrl = this.config.labdUrl.replace("https:", "wss:").replace("http:", "ws:") + "/ws/agent";
+
+    try {
+      this.ws = new WebSocket(wsUrl, {
+        cert: readFileSync(this.config.certPath),
+        key: readFileSync(this.config.keyPath),
+        ca: this.config.caPath ? readFileSync(this.config.caPath) : undefined,
+        rejectUnauthorized: true,
+      });
+
+      this.ws.on("open", () => {
+        this.reconnectAttempts = 0;
+        this.setState("connected");
+        this.startHeartbeat();
+        this.emit("connected");
+      });
+
+      this.ws.on("message", (data: Buffer) => {
+        try {
+          const message = parseServerMessage(data.toString());
+          this.handleMessage(message);
+          this.emit("message", message);
+        } catch {
+          // Ignore unparseable messages
+        }
+      });
+
+      this.ws.on("close", (_code: number, _reason: Buffer) => {
+        this.stopHeartbeat();
+        this.setState("disconnected");
+        this.emit("disconnected");
+        this.scheduleReconnect();
+      });
+
+      this.ws.on("error", (_error: Error) => {
+        // Error is followed by close event, so reconnect happens there
+      });
+    } catch {
+      this.scheduleReconnect();
+    }
+  }
+
+  send(message: AgentMessage): void {
+    if (this.ws?.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(message));
+    }
+  }
+
+  close(): void {
+    this.isClosing = true;
+    this.stopHeartbeat();
+    this.ws?.close();
+    this.setState("disconnected");
+  }
+
+  private handleMessage(message: ServerMessage): void {
+    if (message.type === "server-shutdown") {
+      this.isClosing = true; // Don't reconnect
+      this.emit("shutdown", message.reconnectAfter);
+    }
+  }
+
+  private startHeartbeat(): void {
+    this.stopHeartbeat();
+    this.heartbeatTimer = setInterval(() => {
+      this.send({
+        type: "heartbeat",
+        hostname: hostname(),
+        uptime: process.uptime(),
+        version: process.env["npm_package_version"] ?? "0.0.0",
+        memUsage: process.memoryUsage().heapUsed,
+        cpuUsage: 0, // Simplified — os.loadavg() not available everywhere
+      });
+    }, this.config.heartbeatIntervalMs);
+  }
+
+  private stopHeartbeat(): void {
+    if (this.heartbeatTimer) {
+      clearInterval(this.heartbeatTimer);
+      this.heartbeatTimer = null;
+    }
+  }
+
+  private scheduleReconnect(): void {
+    if (this.isClosing) return;
+
+    const delay = Math.min(
+      this.config.reconnectBaseDelayMs * Math.pow(2, this.reconnectAttempts),
+      this.config.reconnectMaxDelayMs,
+    );
+
+    this.reconnectAttempts++;
+    this.setState("reconnecting");
+
+    setTimeout(() => {
+      void this.connect();
+    }, delay);
+  }
+
+  private setState(state: ConnectionState): void {
+    if (this._state !== state) {
+      this._state = state;
+      this.emit("stateChange", state);
+    }
+  }
+}
diff --git a/bastion/src/lab-agent/src/services/executor.ts b/bastion/src/lab-agent/src/services/executor.ts
new file mode 100644
index 0000000..5716470
--- /dev/null
+++ b/bastion/src/lab-agent/src/services/executor.ts
@@ -0,0 +1,161 @@
+import { EventEmitter } from "node:events";
+import { spawn, type ChildProcess } from "node:child_process";
+
+/** Options for executing a command. */
+export interface ExecOptions {
+  /** The command and its arguments, e.g. ["ls", "-la"]. */
+  command: string[];
+  /** Maximum execution time in milliseconds. */
+  timeout: number;
+  /** Whether to allocate a pseudo-TTY. */
+  tty: boolean;
+  /** Optional environment variables (merged with process.env). */
+  env?: Record<string, string>;
+  /** Optional working directory. */
+  cwd?: string;
+}
+
+/** Result returned after a command finishes. */
+export interface ExecResult {
+  exitCode: number;
+  stdout: string;
+  stderr: string;
+  timedOut: boolean;
+  signal?: string | undefined;
+}
+
+export interface CommandExecutorEvents {
+  stdout: [requestId: string, chunk: Buffer];
+  stderr: [requestId: string, chunk: Buffer];
+}
+
+/**
+ * Executes commands in a sandboxed child process with timeout handling
+ * and streaming output via events.
+ */
+export class CommandExecutor extends EventEmitter<CommandExecutorEvents> {
+  private readonly processes = new Map<string, ChildProcess>();
+
+  /** Grace period between SIGTERM and SIGKILL when a timeout fires (ms). */
+  private static readonly KILL_GRACE_MS = 5_000;
+
+  /**
+   * Execute a command and return its result once it exits.
+   *
+   * While the process is running, `stdout` and `stderr` events are emitted
+   * with `(requestId, chunk)` so callers can stream output in real time.
+   */
+  execute(requestId: string, options: ExecOptions): Promise<ExecResult> {
+    const { command, timeout, tty, env, cwd } = options;
+    const [cmd, ...args] = command;
+
+    if (cmd === undefined) {
+      return Promise.resolve({
+        exitCode: 1,
+        stdout: "",
+        stderr: "Empty command",
+        timedOut: false,
+      });
+    }
+
+    return new Promise<ExecResult>((resolve) => {
+      const child = spawn(cmd, args, {
+        cwd,
+        env: env ? { ...process.env, ...env } : undefined,
+        stdio: tty ? ["pipe", "pipe", "pipe"] : ["pipe", "pipe", "pipe"],
+        // When TTY support is needed the caller should use node-pty or
+        // similar; for now we always use pipe-based stdio.
+      });
+
+      this.processes.set(requestId, child);
+
+      let stdoutBuf = "";
+      let stderrBuf = "";
+      let timedOut = false;
+      let killTimer: ReturnType<typeof setTimeout> | undefined;
+
+      // -- Streaming output ------------------------------------------------
+
+      child.stdout?.on("data", (chunk: Buffer) => {
+        stdoutBuf += chunk.toString();
+        this.emit("stdout", requestId, chunk);
+      });
+
+      child.stderr?.on("data", (chunk: Buffer) => {
+        stderrBuf += chunk.toString();
+        this.emit("stderr", requestId, chunk);
+      });
+
+      // -- Timeout handling -------------------------------------------------
+
+      const timeoutTimer = setTimeout(() => {
+        timedOut = true;
+        // Graceful shutdown first.
+        child.kill("SIGTERM");
+        // If the process does not exit within the grace period, force-kill.
+        killTimer = setTimeout(() => {
+          child.kill("SIGKILL");
+        }, CommandExecutor.KILL_GRACE_MS);
+      }, timeout);
+
+      // -- Completion -------------------------------------------------------
+
+      child.on("close", (code, signal) => {
+        clearTimeout(timeoutTimer);
+        if (killTimer !== undefined) {
+          clearTimeout(killTimer);
+        }
+        this.processes.delete(requestId);
+
+        resolve({
+          exitCode: code ?? 1,
+          stdout: stdoutBuf,
+          stderr: stderrBuf,
+          timedOut,
+          signal: signal ?? undefined,
+        });
+      });
+
+      child.on("error", (err) => {
+        clearTimeout(timeoutTimer);
+        if (killTimer !== undefined) {
+          clearTimeout(killTimer);
+        }
+        this.processes.delete(requestId);
+
+        resolve({
+          exitCode: 1,
+          stdout: stdoutBuf,
+          stderr: err.message,
+          timedOut: false,
+        });
+      });
+    });
+  }
+
+  /**
+   * Send a signal to a running process.
+   *
+   * @returns `true` if the process was found and the signal was sent.
+   */
+  sendSignal(requestId: string, signal: NodeJS.Signals): boolean {
+    const child = this.processes.get(requestId);
+    if (!child) {
+      return false;
+    }
+    return child.kill(signal);
+  }
+
+  /**
+   * Write data to the stdin of a running process.
+   *
+   * @returns `true` if the process was found and stdin was writable.
+   */
+  writeStdin(requestId: string, data: string): boolean {
+    const child = this.processes.get(requestId);
+    if (!child?.stdin || child.stdin.destroyed) {
+      return false;
+    }
+    return child.stdin.write(data);
+  }
+}
diff --git a/bastion/src/lab-agent/src/services/logger.ts b/bastion/src/lab-agent/src/services/logger.ts
new file mode 100644
index 0000000..00e4058
--- /dev/null
+++ b/bastion/src/lab-agent/src/services/logger.ts
@@ -0,0 +1,38 @@
+import winston from "winston";
+import DailyRotateFile from "winston-daily-rotate-file";
+
+const LOG_DIR = process.env["LOG_DIR"] ?? "/var/log/lab-agent";
+
+const logger = winston.createLogger({
+  level: process.env["LOG_LEVEL"] ?? "info",
+  format: winston.format.combine(
+    winston.format.timestamp(),
+    winston.format.json(),
+  ),
+  transports: [
+    new winston.transports.Console({
+      format: winston.format.combine(
+        winston.format.colorize(),
+        winston.format.simple(),
+      ),
+    }),
+    new DailyRotateFile({
+      dirname: LOG_DIR,
+      filename: "agent-%DATE%.log",
+      maxSize: "20m",
+      maxFiles: "14d",
+    }),
+  ],
+});
+
+/**
+ * Create a child logger scoped to a specific component.
+ *
+ * The returned logger inherits all transports and configuration from the root
+ * logger but attaches a `component` metadata field to every log entry.
+ */
+export function createChildLogger(component: string): winston.Logger {
+  return logger.child({ component });
+}
+
+export { logger };
diff --git a/bastion/src/lab-agent/tests/executor.test.ts b/bastion/src/lab-agent/tests/executor.test.ts
new file mode 100644
index 0000000..74b4dd2
--- /dev/null
+++ b/bastion/src/lab-agent/tests/executor.test.ts
@@ -0,0 +1,111 @@
+// Tests for CommandExecutor.
+
+import { describe, it, expect } from "vitest";
+import { CommandExecutor } from "../src/services/executor.js";
+
+describe("CommandExecutor", () => {
+  it("executes a simple command", async () => {
+    const exec = new CommandExecutor();
+    const result = await exec.execute("req-1", {
+      command: ["echo", "hello"],
+      timeout: 5000,
+      tty: false,
+    });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe("hello");
+    expect(result.timedOut).toBe(false);
+  });
+
+  it("captures stderr", async () => {
+    const exec = new CommandExecutor();
+    const result = await exec.execute("req-2", {
+      command: ["sh", "-c", "echo err >&2"],
+      timeout: 5000,
+      tty: false,
+    });
+    expect(result.exitCode).toBe(0);
+    expect(result.stderr.trim()).toBe("err");
+  });
+
+  it("returns non-zero exit code", async () => {
+    const exec = new CommandExecutor();
+    const result = await exec.execute("req-3", {
+      command: ["sh", "-c", "exit 42"],
+      timeout: 5000,
+      tty: false,
+    });
+    expect(result.exitCode).toBe(42);
+  });
+
+  it("times out long-running commands", async () => {
+    const exec = new CommandExecutor();
+    const result = await exec.execute("req-4", {
+      command: ["sleep", "60"],
+      timeout: 200,
+      tty: false,
+    });
+    expect(result.timedOut).toBe(true);
+  }, 10_000);
+
+  it("emits stdout events for streaming", async () => {
+    const exec = new CommandExecutor();
+    const chunks: string[] = [];
+    exec.on("stdout", (_reqId: string, chunk: string) => {
+      chunks.push(chunk);
+    });
+
+    await exec.execute("req-5", {
+      command: ["echo", "streamed"],
+      timeout: 5000,
+      tty: false,
+    });
+    expect(chunks.join("").trim()).toBe("streamed");
+  });
+
+  it("sends signal to running process", async () => {
+    const exec = new CommandExecutor();
+
+    // Start a long process
+    const promise = exec.execute("req-6", {
+      command: ["sleep", "60"],
+      timeout: 30000,
+      tty: false,
+    });
+
+    // Give it time to start
+    await new Promise((r) => setTimeout(r, 100));
+
+    const sent = exec.sendSignal("req-6", "SIGTERM");
+    expect(sent).toBe(true);
+
+    const result = await promise;
+    expect(result.exitCode).not.toBe(0);
+  }, 10_000);
+
+  it("sendSignal returns false for unknown request", () => {
+    const exec = new CommandExecutor();
+    expect(exec.sendSignal("nonexistent", "SIGTERM")).toBe(false);
+  });
+
+  it("uses custom cwd", async () => {
+    const exec = new CommandExecutor();
+    const result = await exec.execute("req-7", {
+      command: ["pwd"],
+      timeout: 5000,
+      tty: false,
+      cwd: "/tmp",
+    });
+    expect(result.stdout.trim()).toBe("/tmp");
+  });
+
+  it("uses custom env", async () => {
+    const exec = new CommandExecutor();
+    const result = await exec.execute("req-8", {
+      command: ["sh", "-c", "echo $MY_VAR"],
+      timeout: 5000,
+      tty: false,
+      env: { MY_VAR: "test_value" },
+    });
+    expect(result.stdout.trim()).toBe("test_value");
+  });
+});
diff --git a/bastion/src/lab-agent/tsconfig.json b/bastion/src/lab-agent/tsconfig.json
new file mode 100644
index 0000000..fbc4a94
--- /dev/null
+++ b/bastion/src/lab-agent/tsconfig.json
@@ -0,0 +1,12 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "composite": true
+  },
+  "include": ["src/**/*.ts"],
+  "references": [
+    { "path": "../shared" }
+  ]
+}
diff --git a/bastion/src/labd/package.json b/bastion/src/labd/package.json
new file mode 100644
index 0000000..25f2f4c
--- /dev/null
+++ b/bastion/src/labd/package.json
@@ -0,0 +1,47 @@
+{
+  "name": "@lab/labd",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "./dist/main.js",
+  "types": "./dist/main.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/main.js",
+      "types": "./dist/main.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rimraf dist",
+    "dev": "tsx src/main.ts",
+    "db:push": "prisma db push",
+    "db:generate": "prisma generate",
+    "db:migrate:dev": "prisma migrate dev",
+    "db:migrate:deploy": "prisma migrate deploy",
+    "db:migrate:reset": "prisma migrate reset",
+    "db:seed": "tsx prisma/seed.ts",
+    "db:studio": "prisma studio"
+  },
+  "dependencies": {
+    "@fastify/rate-limit": "^10.3.0",
+    "@fastify/websocket": "^11.0.2",
+    "@lab/shared": "workspace:*",
+    "@prisma/client": "^6.9.0",
+    "fastify": "^5.3.3",
+    "winston": "^3.17.0",
+    "ws": "^8.19.0",
+    "zod": "^4.3.6"
+  },
+  "prisma": {
+    "seed": "tsx prisma/seed.ts"
+  },
+  "devDependencies": {
+    "@types/node": "^22.14.1",
+    "@types/ws": "^8.18.1",
+    "prisma": "^6.9.0",
+    "rimraf": "^6.1.3",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3"
+  }
+}
diff --git a/bastion/src/labd/prisma/schema.prisma b/bastion/src/labd/prisma/schema.prisma
new file mode 100644
index 0000000..31a32a2
--- /dev/null
+++ b/bastion/src/labd/prisma/schema.prisma
@@ -0,0 +1,156 @@
+generator client {
+  provider = "prisma-client-js"
+}
+
+datasource db {
+  provider = "cockroachdb"
+  url      = env("DATABASE_URL")
+}
+
+model Server {
+  id            String   @id @default(uuid())
+  hostname      String   @unique
+  mac           String?  @unique
+  cloud         String   @default("baremetal")
+  environment   String   @default("default")
+  role          String   @default("worker")
+  labels        Json     @default("{}")
+  ip            String?
+  agentVersion  String?
+  status        String   @default("unknown") // unknown, online, offline, provisioning
+  lastHeartbeat DateTime?
+  createdAt     DateTime @default(now())
+  updatedAt     DateTime @updatedAt
+
+  agent         Agent?
+  auditLogs     AuditLog[]
+}
+
+model Agent {
+  id             String   @id @default(uuid())
+  serverId       String   @unique
+  server         Server   @relation(fields: [serverId], references: [id], onDelete: Cascade)
+  certificatePem String?
+  enrolledAt     DateTime @default(now())
+  lastSeen       DateTime?
+
+  @@index([serverId])
+}
+
+model User {
+  id              String   @id @default(uuid())
+  username        String   @unique
+  displayName     String?
+  certFingerprint String?  @unique
+  createdAt       DateTime @default(now())
+  updatedAt       DateTime @updatedAt
+
+  roleBindings UserRole[]
+  auditLogs    AuditLog[]
+}
+
+model Role {
+  id          String   @id @default(uuid())
+  name        String   @unique
+  description String?
+  createdAt   DateTime @default(now())
+
+  permissions  Permission[]
+  userBindings UserRole[]
+}
+
+model Permission {
+  id          String @id @default(uuid())
+  roleId      String
+  role        Role   @relation(fields: [roleId], references: [id], onDelete: Cascade)
+  type        String @default("allow") // allow or deny
+  action      String // read, exec, apply, destroy, manage, admin, kubectl, *
+  cloud       String @default("*")
+  environment String @default("*")
+  server      String @default("*")
+
+  @@index([roleId])
+}
+
+model UserRole {
+  id     String @id @default(uuid())
+  userId String
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+  roleId String
+  role   Role   @relation(fields: [roleId], references: [id], onDelete: Cascade)
+
+  @@unique([userId, roleId])
+  @@index([userId])
+  @@index([roleId])
+}
+
+model JoinToken {
+  id        String    @id @default(uuid())
+  token     String    @unique
+  type      String    @default("one-time") // one-time or reusable
+  label     String?
+  usedBy    String? // server hostname that used it
+  usedAt    DateTime?
+  revokedAt DateTime?
+  createdAt DateTime  @default(now())
+  expiresAt DateTime?
+}
+
+model AuditLog {
+  id           String   @id @default(uuid())
+  userId       String?
+  user         User?    @relation(fields: [userId], references: [id])
+  serverId     String?
+  server       Server?  @relation(fields: [serverId], references: [id])
+  sessionId    String?
+  action       String // exec, kubectl, apply, login, rbac-denied, etc.
+  resourceType String?  // server, cluster, role, app, etc.
+  resourceName String?
+  args         String? // sanitized command args
+  result       String   @default("success") // success, denied, error
+  durationMs   Int?
+  sourceIp     String?
+  timestamp    DateTime @default(now())
+
+  @@index([userId])
+  @@index([serverId])
+  @@index([sessionId])
+  @@index([timestamp])
+  @@index([action])
+}
+
+model PulumiRun {
+  id          String    @id @default(uuid())
+  userId      String
+  stackName   String
+  action      String // up, preview, destroy
+  status      String    @default("pending") // pending, running, succeeded, failed
+  output      String?
+  startedAt   DateTime  @default(now())
+  completedAt DateTime?
+
+  @@index([userId])
+  @@index([stackName])
+}
+
+model Bastion {
+  id            String    @id @default(uuid())
+  hostname      String    @unique
+  network       String
+  serverIp      String
+  status        String    @default("offline") // online, offline
+  lastHeartbeat DateTime?
+  createdAt     DateTime  @default(now())
+  updatedAt     DateTime  @updatedAt
+}
+
+model Cluster {
+  id            String   @id @default(uuid())
+  name          String   @unique
+  cloud         String   @default("baremetal")
+  environment   String   @default("default")
+  kubeconfigEnc String? // encrypted kubeconfig
+  labels        Json     @default("{}")
+  createdAt     DateTime @default(now())
+  updatedAt     DateTime @updatedAt
+}
diff --git a/bastion/src/labd/prisma/seed.ts b/bastion/src/labd/prisma/seed.ts
new file mode 100644
index 0000000..e0b5562
--- /dev/null
+++ b/bastion/src/labd/prisma/seed.ts
@@ -0,0 +1,113 @@
+import { PrismaClient } from "@prisma/client";
+
+const db = new PrismaClient();
+
+async function main() {
+  console.log("Seeding database with default RBAC roles and permissions...");
+
+  // --- Admin role: full wildcard access ---
+  const admin = await db.role.upsert({
+    where: { name: "admin" },
+    update: {
+      description: "Full administrative access to all resources",
+    },
+    create: {
+      name: "admin",
+      description: "Full administrative access to all resources",
+      permissions: {
+        create: [
+          {
+            type: "allow",
+            action: "*",
+            cloud: "*",
+            environment: "*",
+            server: "*",
+          },
+        ],
+      },
+    },
+  });
+  console.log(`  Upserted role: ${admin.name} (${admin.id})`);
+
+  // --- Viewer role: read-only access ---
+  const viewer = await db.role.upsert({
+    where: { name: "viewer" },
+    update: {
+      description: "Read-only access to all resources",
+    },
+    create: {
+      name: "viewer",
+      description: "Read-only access to all resources",
+      permissions: {
+        create: [
+          {
+            type: "allow",
+            action: "read",
+            cloud: "*",
+            environment: "*",
+            server: "*",
+          },
+        ],
+      },
+    },
+  });
+  console.log(`  Upserted role: ${viewer.name} (${viewer.id})`);
+
+  // --- Operator role: read/exec/kubectl allowed, destroy denied ---
+  const operator = await db.role.upsert({
+    where: { name: "operator" },
+    update: {
+      description:
+        "Operational access: read, exec, and kubectl — destroy denied",
+    },
+    create: {
+      name: "operator",
+      description:
+        "Operational access: read, exec, and kubectl — destroy denied",
+      permissions: {
+        create: [
+          {
+            type: "allow",
+            action: "read",
+            cloud: "*",
+            environment: "*",
+            server: "*",
+          },
+          {
+            type: "allow",
+            action: "exec",
+            cloud: "*",
+            environment: "*",
+            server: "*",
+          },
+          {
+            type: "allow",
+            action: "kubectl",
+            cloud: "*",
+            environment: "*",
+            server: "*",
+          },
+          {
+            type: "deny",
+            action: "destroy",
+            cloud: "*",
+            environment: "*",
+            server: "*",
+          },
+        ],
+      },
+    },
+  });
+  console.log(`  Upserted role: ${operator.name} (${operator.id})`);
+
+  console.log("Seed complete.");
+}
+
+main()
+  .catch((error) => {
+    console.error("Seed failed:", error);
+    process.exit(1);
+  })
+  .finally(async () => {
+    await db.$disconnect();
+  });
diff --git a/bastion/src/labd/src/config.ts b/bastion/src/labd/src/config.ts
new file mode 100644
index 0000000..0414f9c
--- /dev/null
+++ b/bastion/src/labd/src/config.ts
@@ -0,0 +1,19 @@
+// Configuration from environment variables with sensible defaults.
+
+export interface LabdConfig {
+  port: number;
+  host: string;
+  databaseUrl: string;
+  caDir: string;
+  logLevel: string;
+}
+
+export function loadConfig(overrides: Partial<LabdConfig> = {}): LabdConfig {
+  return {
+    port: overrides.port ?? parseInt(process.env["LABD_PORT"] ?? "3100", 10),
+    host: overrides.host ?? process.env["LABD_HOST"] ?? "0.0.0.0",
+    databaseUrl: overrides.databaseUrl ?? process.env["DATABASE_URL"] ?? "",
+    caDir: overrides.caDir ?? process.env["CA_DIR"] ?? "/etc/labd/ca",
+    logLevel: overrides.logLevel ?? process.env["LABD_LOG_LEVEL"] ?? "info",
+  };
+}
diff --git a/bastion/src/labd/src/main.ts b/bastion/src/labd/src/main.ts
new file mode 100644
index 0000000..17110d9
--- /dev/null
+++ b/bastion/src/labd/src/main.ts
@@ -0,0 +1,75 @@
+// Entry point for the lab master daemon (labd).
+// Initializes Prisma, starts Fastify with WebSocket support, registers routes.
+
+import { loadConfig } from "./config.js";
+import { createApp } from "./server.js";
+import { logger } from "./services/logger.js";
+import { setupGracefulShutdown } from "./services/shutdown.js";
+
+async function main(): Promise<void> {
+  const config = loadConfig();
+
+  // Initialize Prisma client (wrapped in try/catch for when DB isn't available)
+  let db: import("./server.js").DbClient;
+  try {
+    const { PrismaClient } = await import("@prisma/client");
+    const prisma = config.databaseUrl
+      ? new PrismaClient({ datasources: { db: { url: config.databaseUrl } } })
+      : new PrismaClient();
+    await prisma.$connect();
+    logger.info("Database connected");
+    db = prisma as unknown as import("./server.js").DbClient;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    logger.warn(`Database not available: ${message}`);
+    logger.warn("Running without database -- some features will be unavailable");
+
+    // Create a stub db client that returns errors for all operations
+    const dbError = (): never => {
+      throw new Error("Database not connected");
+    };
+    db = {
+      $queryRaw: () => dbError(),
+      $disconnect: async () => {},
+      server: {
+        findMany: () => dbError(),
+        findUnique: () => dbError(),
+      },
+      joinToken: {
+        findUnique: () => dbError(),
+        findMany: () => dbError(),
+        create: () => dbError(),
+        update: () => dbError(),
+      },
+      bastion: {
+        upsert: () => dbError(),
+        findMany: () => dbError(),
+        findUnique: () => dbError(),
+        update: () => dbError(),
+      },
+    };
+  }
+
+  // Create Fastify app
+  const { app } = await createApp(config, db);
+
+  // Start server
+  try {
+    await app.listen({ port: config.port, host: config.host });
+    logger.info(`labd listening on ${config.host}:${config.port}`);
+  } catch (err) {
+    logger.error(`Failed to start server: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+  }
+
+  // Graceful shutdown
+  setupGracefulShutdown({ app, db });
+
+  // Keep process alive
+  await new Promise(() => {});
+}
+
+main().catch((err) => {
+  console.error("Failed to start labd:", err);
+  process.exit(1);
+});
diff --git a/bastion/src/labd/src/middleware/auth.ts b/bastion/src/labd/src/middleware/auth.ts
new file mode 100644
index 0000000..5da371c
--- /dev/null
+++ b/bastion/src/labd/src/middleware/auth.ts
@@ -0,0 +1,33 @@
+// Placeholder mTLS auth middleware.
+// Extracts client certificate info from the request and resolves user/agent identity.
+
+import type { FastifyRequest, FastifyReply } from "fastify";
+import { logger } from "../services/logger.js";
+
+declare module "fastify" {
+  interface FastifyRequest {
+    clientCertFingerprint?: string;
+    authenticatedUser?: string;
+    authenticatedAgent?: string;
+  }
+}
+
+export function createMtlsAuthMiddleware(): (
+  request: FastifyRequest,
+  reply: FastifyReply,
+) => Promise<void> {
+  return async function mtlsAuthMiddleware(
+    request: FastifyRequest,
+    _reply: FastifyReply,
+  ): Promise<void> {
+    // TODO: Extract client certificate from TLS connection
+    // const cert = (request.raw.socket as TLSSocket).getPeerCertificate();
+    // For now, this is a no-op placeholder
+
+    const certHeader = request.headers["x-client-cert-fingerprint"];
+    if (typeof certHeader === "string" && certHeader.length > 0) {
+      request.clientCertFingerprint = certHeader;
+      logger.info(`mTLS: client cert fingerprint=${certHeader.slice(0, 16)}...`);
+    }
+  };
+}
diff --git a/bastion/src/labd/src/middleware/rate-limit.ts b/bastion/src/labd/src/middleware/rate-limit.ts
new file mode 100644
index 0000000..6e16589
--- /dev/null
+++ b/bastion/src/labd/src/middleware/rate-limit.ts
@@ -0,0 +1,50 @@
+// Rate limiting middleware for labd API.
+// Applies global rate limits and stricter limits for sensitive routes.
+
+import type { FastifyInstance } from "fastify";
+import rateLimit from "@fastify/rate-limit";
+import { logger } from "../services/logger.js";
+
+/** Routes that require stricter rate limiting. */
+const SENSITIVE_ROUTE_LIMITS: Record<string, number> = {
+  "/api/auth/enroll": 10,
+  "/api/tokens": 20,
+};
+
+/**
+ * Register the @fastify/rate-limit plugin with global defaults
+ * and apply stricter limits to sensitive routes.
+ */
+export async function setupRateLimiting(
+  app: FastifyInstance,
+): Promise<void> {
+  await app.register(rateLimit, {
+    max: 100,
+    timeWindow: "1 minute",
+    keyGenerator: (request) => request.ip,
+    errorResponseBuilder: (_request, context) => ({
+      error: "Too many requests",
+      code: "RATE_LIMITED",
+      retryAfter: context.after,
+    }),
+  });
+
+  // Apply stricter per-route limits for sensitive endpoints.
+  app.addHook("onRoute", (routeOptions) => {
+    const url = routeOptions.url;
+
+    for (const [prefix, max] of Object.entries(SENSITIVE_ROUTE_LIMITS)) {
+      if (url.startsWith(prefix)) {
+        routeOptions.config = {
+          ...routeOptions.config,
+          rateLimit: {
+            max,
+            timeWindow: "1 minute",
+          },
+        };
+        logger.info(`Rate limit: ${url} -> ${max} req/min`);
+        break;
+      }
+    }
+  });
+}
diff --git a/bastion/src/labd/src/routes/agents.ts b/bastion/src/labd/src/routes/agents.ts
new file mode 100644
index 0000000..25a908e
--- /dev/null
+++ b/bastion/src/labd/src/routes/agents.ts
@@ -0,0 +1,20 @@
+// Agent connection routes.
+// GET /api/agents — list currently connected agents (excludes raw socket)
+
+import type { FastifyInstance } from "fastify";
+import { agentRegistry } from "../services/agent-registry.js";
+
+export function registerAgentRoutes(app: FastifyInstance): void {
+  app.get("/api/agents", async (_request, reply) => {
+    const agents = agentRegistry.getAllConnected().map((agent) => ({
+      serverId: agent.serverId,
+      hostname: agent.hostname,
+      connectedAt: agent.connectedAt,
+      lastHeartbeat: agent.lastHeartbeat,
+      version: agent.version,
+      certFingerprint: agent.certFingerprint,
+    }));
+
+    return reply.send(agents);
+  });
+}
diff --git a/bastion/src/labd/src/routes/auth.ts b/bastion/src/labd/src/routes/auth.ts
new file mode 100644
index 0000000..7c1c1eb
--- /dev/null
+++ b/bastion/src/labd/src/routes/auth.ts
@@ -0,0 +1,163 @@
+// Authentication and token management routes.
+// POST   /api/auth/enroll — agent enrollment (token + CSR -> signed cert)
+// POST   /api/tokens      — create join token
+// GET    /api/tokens      — list tokens
+// DELETE /api/tokens/:id  — revoke token
+
+import { randomBytes } from "node:crypto";
+import type { FastifyInstance } from "fastify";
+import type { DbClient } from "../server.js";
+import { logger } from "../services/logger.js";
+
+export function registerAuthRoutes(app: FastifyInstance, db: DbClient): void {
+  // Agent enrollment: validate join token, accept CSR, return signed cert
+  app.post<{
+    Body: {
+      token?: string;
+      hostname?: string;
+      csr?: string;
+    };
+  }>("/api/auth/enroll", async (request, reply) => {
+    const { token, hostname, csr } = request.body ?? {};
+
+    if (token === undefined || token === "") {
+      return reply.code(400).send({ error: "token is required" });
+    }
+    if (hostname === undefined || hostname === "") {
+      return reply.code(400).send({ error: "hostname is required" });
+    }
+
+    try {
+      // Validate token
+      const joinToken = await db.joinToken.findUnique({
+        where: { token },
+      }) as { id: string; type: string; usedBy: string | null; revokedAt: Date | null; expiresAt: Date | null } | null;
+
+      if (joinToken === null) {
+        return reply.code(401).send({ error: "Invalid join token" });
+      }
+      if (joinToken.revokedAt !== null) {
+        return reply.code(401).send({ error: "Token has been revoked" });
+      }
+      if (joinToken.expiresAt !== null && joinToken.expiresAt < new Date()) {
+        return reply.code(401).send({ error: "Token has expired" });
+      }
+      if (joinToken.type === "one-time" && joinToken.usedBy !== null) {
+        return reply.code(401).send({ error: "Token has already been used" });
+      }
+
+      // Mark token as used
+      await db.joinToken.update({
+        where: { id: joinToken.id },
+        data: {
+          usedBy: hostname,
+          usedAt: new Date(),
+        },
+      });
+
+      logger.info(`AGENT ENROLLED: ${hostname} (token=${joinToken.id.slice(0, 8)}...)`);
+
+      // TODO: Sign CSR with CA and return certificate
+      // For now, return a placeholder acknowledging enrollment
+      return reply.send({
+        status: "enrolled",
+        hostname,
+        message: "Agent enrolled successfully",
+        certificatePem: null, // TODO: implement CA signing
+        csr: csr !== undefined ? "received" : "not provided",
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return reply.code(500).send({ error: "Enrollment failed", detail: message });
+    }
+  });
+
+  // Create a new join token
+  app.post<{
+    Body: {
+      type?: string;
+      label?: string;
+      expiresInHours?: number;
+    };
+  }>("/api/tokens", async (request, reply) => {
+    const { type, label, expiresInHours } = request.body ?? {};
+
+    const tokenType = type ?? "one-time";
+    if (tokenType !== "one-time" && tokenType !== "reusable") {
+      return reply.code(400).send({ error: "type must be 'one-time' or 'reusable'" });
+    }
+
+    const tokenValue = randomBytes(32).toString("hex");
+    const expiresAt = expiresInHours !== undefined
+      ? new Date(Date.now() + expiresInHours * 60 * 60 * 1000)
+      : undefined;
+
+    try {
+      const created = await db.joinToken.create({
+        data: {
+          token: tokenValue,
+          type: tokenType,
+          label: label ?? null,
+          expiresAt: expiresAt ?? null,
+        },
+      });
+
+      logger.info(`TOKEN CREATED: ${(created as { id: string }).id} type=${tokenType} label=${label ?? "(none)"}`);
+
+      return reply.code(201).send({
+        id: (created as { id: string }).id,
+        token: tokenValue,
+        type: tokenType,
+        label: label ?? null,
+        expiresAt: expiresAt?.toISOString() ?? null,
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return reply.code(500).send({ error: "Failed to create token", detail: message });
+    }
+  });
+
+  // List tokens
+  app.get("/api/tokens", async (_request, reply) => {
+    try {
+      const tokens = await db.joinToken.findMany({
+        orderBy: { createdAt: "desc" },
+        select: {
+          id: true,
+          type: true,
+          label: true,
+          usedBy: true,
+          usedAt: true,
+          revokedAt: true,
+          createdAt: true,
+          expiresAt: true,
+          // Intentionally omit token value for security
+        },
+      });
+      return reply.send(tokens);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return reply.code(500).send({ error: "Failed to list tokens", detail: message });
+    }
+  });
+
+  // Revoke a token
+  app.delete<{
+    Params: { id: string };
+  }>("/api/tokens/:id", async (request, reply) => {
+    const { id } = request.params;
+
+    try {
+      await db.joinToken.update({
+        where: { id },
+        data: { revokedAt: new Date() },
+      });
+
+      logger.info(`TOKEN REVOKED: ${id}`);
+      return reply.send({ status: "revoked", id });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return reply.code(500).send({ error: "Failed to revoke token", detail: message });
+    }
+  });
+}
diff --git a/bastion/src/labd/src/routes/bastions.ts b/bastion/src/labd/src/routes/bastions.ts
new file mode 100644
index 0000000..8ed15ec
--- /dev/null
+++ b/bastion/src/labd/src/routes/bastions.ts
@@ -0,0 +1,207 @@
+// Bastion management routes.
+// GET  /api/bastions          — list connected bastions
+// GET  /api/machines          — aggregated machines from all bastions
+// POST /api/machines/install  — queue install on correct bastion
+// DELETE /api/machines/:mac   — forget machine on correct bastion
+// POST /api/machines/role     — update role on correct bastion
+// GET  /api/machines/:mac/logs — get provision logs from correct bastion
+
+import type { FastifyInstance } from "fastify";
+import type { DbClient } from "../server.js";
+import { bastionRegistry } from "../services/bastion-registry.js";
+import { generateRequestId } from "@lab/shared";
+
+const COMMAND_TIMEOUT_MS = 15_000;
+
+/** Send a command to a bastion and wait for the response. */
+function sendCommand(
+  bastionId: string,
+  msg: Record<string, unknown>,
+): Promise<{ status: string; data?: unknown; error?: string | undefined }> {
+  const bastion = bastionRegistry.getById(bastionId);
+  if (!bastion) {
+    return Promise.reject(new Error(`Bastion ${bastionId} not connected`));
+  }
+
+  const requestId = generateRequestId();
+  const fullMsg = { ...msg, requestId };
+
+  return new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      cleanup();
+      reject(new Error("Command timed out"));
+    }, COMMAND_TIMEOUT_MS);
+
+    const handler = (data: Buffer) => {
+      try {
+        const parsed = JSON.parse(data.toString()) as { type: string; requestId?: string; status?: string; data?: unknown; error?: string };
+        if (parsed.type === "command-response" && parsed.requestId === requestId) {
+          cleanup();
+          resolve({ status: parsed.status ?? "ok", data: parsed.data, error: parsed.error });
+        }
+      } catch { /* not our message */ }
+    };
+
+    const cleanup = () => {
+      clearTimeout(timeout);
+      bastion.socket.off("message", handler);
+    };
+
+    bastion.socket.on("message", handler);
+    bastion.socket.send(JSON.stringify(fullMsg));
+  });
+}
+
+export function registerBastionRoutes(app: FastifyInstance, db: DbClient): void {
+  // List all bastions (DB records enriched with online status from registry)
+  app.get("/api/bastions", async () => {
+    const dbBastions = await db.bastion.findMany() as Array<{
+      id: string; hostname: string; network: string; serverIp: string;
+      status: string; lastHeartbeat: Date | null; createdAt: Date;
+    }>;
+
+    return dbBastions.map((b) => {
+      const connected = bastionRegistry.getById(b.id);
+      return {
+        id: b.id,
+        hostname: b.hostname,
+        network: b.network,
+        serverIp: b.serverIp,
+        status: connected ? "online" : "offline",
+        lastHeartbeat: connected?.lastHeartbeat ?? b.lastHeartbeat,
+        connectedAt: connected?.connectedAt,
+        machineCount: connected
+          ? Object.keys(connected.state.discovered).length +
+            Object.keys(connected.state.install_queue).length +
+            Object.keys(connected.state.installed).length
+          : 0,
+        createdAt: b.createdAt,
+      };
+    });
+  });
+
+  // Aggregated machines from all connected bastions
+  app.get("/api/machines", async () => {
+    return bastionRegistry.getAggregatedState();
+  });
+
+  // Queue install — route to correct bastion by MAC
+  app.post<{
+    Body: { mac?: string; hostname?: string; disk?: string; role?: string; os?: string };
+  }>("/api/machines/install", async (request, reply) => {
+    const { mac, hostname, disk, role, os } = request.body ?? {};
+    if (!mac || !hostname) {
+      return reply.code(400).send({ error: "mac and hostname are required" });
+    }
+
+    // Find bastion that knows this MAC, or let caller specify
+    const bastion = bastionRegistry.findBastionByMac(mac);
+    if (!bastion) {
+      // If only one bastion is connected, use it
+      const all = bastionRegistry.getAll();
+      if (all.length === 0) {
+        return reply.code(503).send({ error: "No bastions connected" });
+      }
+      if (all.length === 1) {
+        try {
+          const result = await sendCommand(all[0]!.bastionId, {
+            type: "command-install",
+            mac, hostname, disk: disk ?? "/dev/sda", role: role ?? "infra", os: os ?? "fedora-43",
+          });
+          return reply.code(result.status === "ok" ? 200 : 500).send(result);
+        } catch (err) {
+          return reply.code(500).send({ error: err instanceof Error ? err.message : String(err) });
+        }
+      }
+      return reply.code(404).send({ error: `MAC ${mac} not found on any bastion` });
+    }
+
+    try {
+      const result = await sendCommand(bastion.bastionId, {
+        type: "command-install",
+        mac, hostname, disk: disk ?? "/dev/sda", role: role ?? "infra", os: os ?? "fedora-43",
+      });
+      return reply.code(result.status === "ok" ? 200 : 500).send(result);
+    } catch (err) {
+      return reply.code(500).send({ error: err instanceof Error ? err.message : String(err) });
+    }
+  });
+
+  // Forget machine
+  app.delete<{ Params: { mac: string } }>("/api/machines/:mac", async (request, reply) => {
+    const mac = request.params.mac.toLowerCase().replace(/-/g, ":");
+    const bastion = bastionRegistry.findBastionByMac(mac);
+    if (!bastion) {
+      return reply.code(404).send({ error: `MAC ${mac} not found on any bastion` });
+    }
+
+    try {
+      const result = await sendCommand(bastion.bastionId, { type: "command-forget", mac });
+      return reply.send(result);
+    } catch (err) {
+      return reply.code(500).send({ error: err instanceof Error ? err.message : String(err) });
+    }
+  });
+
+  // Update role
+  app.post<{
+    Body: { mac?: string; role?: string };
+  }>("/api/machines/role", async (request, reply) => {
+    const { mac, role } = request.body ?? {};
+    if (!mac || !role) {
+      return reply.code(400).send({ error: "mac and role are required" });
+    }
+
+    const normalized = mac.toLowerCase().replace(/-/g, ":");
+    const bastion = bastionRegistry.findBastionByMac(normalized);
+    if (!bastion) {
+      return reply.code(404).send({ error: `MAC ${normalized} not found on any bastion` });
+    }
+
+    try {
+      const result = await sendCommand(bastion.bastionId, { type: "command-role-update", mac: normalized, role });
+      return reply.send(result);
+    } catch (err) {
+      return reply.code(500).send({ error: err instanceof Error ? err.message : String(err) });
+    }
+  });
+
+  // Machine logs (snapshot from bastion's state)
+  app.get<{ Params: { mac: string } }>("/api/machines/:mac/logs", async (request, reply) => {
+    const mac = request.params.mac.toLowerCase().replace(/-/g, ":");
+    const bastion = bastionRegistry.findBastionByMac(mac);
+    if (!bastion) {
+      return reply.code(404).send({ error: `MAC ${mac} not found` });
+    }
+
+    const queued = bastion.state.install_queue[mac];
+    const installed = bastion.state.installed[mac];
+
+    if (installed) {
+      return {
+        mac,
+        hostname: installed.hostname,
+        status: "installed",
+        role: installed.role,
+        ip: installed.ip,
+        installed_at: installed.installed_at,
+      };
+    }
+
+    if (queued) {
+      return {
+        mac,
+        hostname: queued.hostname,
+        status: queued.progress ? "installing" : "queued",
+        progress: queued.progress,
+        progress_detail: queued.progress_detail,
+        progress_at: queued.progress_at,
+        role: queued.role,
+        os: queued.os,
+        log: queued.log,
+      };
+    }
+
+    return reply.code(404).send({ error: `MAC ${mac} not found in install queue or installed` });
+  });
+}
diff --git a/bastion/src/labd/src/routes/health.ts b/bastion/src/labd/src/routes/health.ts
new file mode 100644
index 0000000..6d61fe6
--- /dev/null
+++ b/bastion/src/labd/src/routes/health.ts
@@ -0,0 +1,144 @@
+// Health check routes.
+
+import type { FastifyInstance } from "fastify";
+import { performance } from "node:perf_hooks";
+import type { DbClient } from "../server.js";
+import { agentRegistry } from "../services/agent-registry.js";
+import { isShuttingDownNow } from "../services/shutdown.js";
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface ComponentStatus {
+  status: "up" | "down" | "degraded";
+  latency?: number;
+  message?: string;
+}
+
+export interface HealthStatus {
+  status: "healthy" | "degraded" | "unhealthy";
+  version: string;
+  uptime: number;
+  timestamp: string;
+  components: {
+    database: ComponentStatus;
+    agents: ComponentStatus;
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+async function checkDatabase(db: DbClient): Promise<ComponentStatus> {
+  const start = performance.now();
+  try {
+    await db.$queryRaw`SELECT 1`;
+    const latency = Math.round((performance.now() - start) * 100) / 100;
+    return { status: "up", latency };
+  } catch (err) {
+    const latency = Math.round((performance.now() - start) * 100) / 100;
+    const message = err instanceof Error ? err.message : "Unknown error";
+    return { status: "down", latency, message };
+  }
+}
+
+function checkAgents(): ComponentStatus {
+  const count = agentRegistry.getConnectedCount();
+  return {
+    status: count > 0 ? "up" : "degraded",
+    message: `${count} agent(s) connected`,
+  };
+}
+
+function aggregateStatus(
+  components: HealthStatus["components"],
+): { status: HealthStatus["status"]; statusCode: number } {
+  const statuses = Object.values(components);
+  if (statuses.some((c) => c.status === "down")) {
+    return { status: "unhealthy", statusCode: 503 };
+  }
+  if (statuses.some((c) => c.status === "degraded")) {
+    return { status: "degraded", statusCode: 200 };
+  }
+  return { status: "healthy", statusCode: 200 };
+}
+
+// ---------------------------------------------------------------------------
+// Route registration
+// ---------------------------------------------------------------------------
+
+export function registerHealthRoutes(app: FastifyInstance, db: DbClient): void {
+  // ---- existing /healthz (preserved for backward compat) ------------------
+  app.get("/healthz", async (_request, reply) => {
+    if (isShuttingDownNow()) {
+      return reply.code(503).send({
+        status: "shutting_down",
+        uptime: process.uptime(),
+        timestamp: new Date().toISOString(),
+      });
+    }
+
+    let dbOk = false;
+    try {
+      await db.$queryRaw`SELECT 1`;
+      dbOk = true;
+    } catch {
+      // DB not reachable
+    }
+
+    const status = dbOk ? "healthy" : "degraded";
+    const statusCode = dbOk ? 200 : 503;
+
+    return reply.code(statusCode).send({
+      status,
+      uptime: process.uptime(),
+      timestamp: new Date().toISOString(),
+      checks: {
+        database: dbOk ? "ok" : "error",
+      },
+    });
+  });
+
+  // ---- GET /health — simple probe for k8s --------------------------------
+  app.get("/health", async (_request, reply) => {
+    return reply.code(200).send({ status: "ok" });
+  });
+
+  // ---- GET /health/detailed — full component check -----------------------
+  app.get("/health/detailed", async (_request, reply) => {
+    const database = await checkDatabase(db);
+    const agents = checkAgents();
+
+    const components = { database, agents };
+    const { status, statusCode } = aggregateStatus(components);
+
+    const body: HealthStatus = {
+      status,
+      version: process.env["LABD_VERSION"] ?? "0.1.0",
+      uptime: process.uptime(),
+      timestamp: new Date().toISOString(),
+      components,
+    };
+
+    return reply.code(statusCode).send(body);
+  });
+
+  // ---- GET /health/live — liveness probe ---------------------------------
+  app.get("/health/live", async (_request, reply) => {
+    return reply.code(200).send({ status: "alive" });
+  });
+
+  // ---- GET /health/ready — readiness probe (needs DB) --------------------
+  app.get("/health/ready", async (_request, reply) => {
+    const database = await checkDatabase(db);
+    if (database.status === "down") {
+      return reply.code(503).send({
+        status: "not_ready",
+        reason: database.message,
+      });
+    }
+    return reply.code(200).send({ status: "ready" });
+  });
+}
diff --git a/bastion/src/labd/src/routes/servers.ts b/bastion/src/labd/src/routes/servers.ts
new file mode 100644
index 0000000..50ad4ed
--- /dev/null
+++ b/bastion/src/labd/src/routes/servers.ts
@@ -0,0 +1,64 @@
+// Server management routes.
+// GET /api/servers     — list servers with optional filters (cloud, environment, label)
+// GET /api/servers/:id — get server details
+
+import type { FastifyInstance } from "fastify";
+import type { DbClient } from "../server.js";
+
+export function registerServerRoutes(app: FastifyInstance, db: DbClient): void {
+  // List servers with optional filters
+  app.get<{
+    Querystring: {
+      cloud?: string;
+      environment?: string;
+      status?: string;
+    };
+  }>("/api/servers", async (request, reply) => {
+    const { cloud, environment, status } = request.query;
+
+    const where: Record<string, unknown> = {};
+    if (cloud !== undefined && cloud !== "") {
+      where["cloud"] = cloud;
+    }
+    if (environment !== undefined && environment !== "") {
+      where["environment"] = environment;
+    }
+    if (status !== undefined && status !== "") {
+      where["status"] = status;
+    }
+
+    try {
+      const servers = await db.server.findMany({
+        where: Object.keys(where).length > 0 ? where : undefined,
+        orderBy: { hostname: "asc" },
+      });
+      return reply.send(servers);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return reply.code(500).send({ error: "Failed to list servers", detail: message });
+    }
+  });
+
+  // Get server details by ID
+  app.get<{
+    Params: { id: string };
+  }>("/api/servers/:id", async (request, reply) => {
+    const { id } = request.params;
+
+    try {
+      const server = await db.server.findUnique({
+        where: { id },
+        include: { agent: true },
+      });
+
+      if (server === null) {
+        return reply.code(404).send({ error: "Server not found", id });
+      }
+
+      return reply.send(server);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return reply.code(500).send({ error: "Failed to get server", detail: message });
+    }
+  });
+}
diff --git a/bastion/src/labd/src/server.ts b/bastion/src/labd/src/server.ts
new file mode 100644
index 0000000..b1bd8f4
--- /dev/null
+++ b/bastion/src/labd/src/server.ts
@@ -0,0 +1,222 @@
+// Fastify application setup with all routes registered.
+
+import Fastify from "fastify";
+import websocket from "@fastify/websocket";
+import type { LabdConfig } from "./config.js";
+import { logger } from "./services/logger.js";
+import { registerHealthRoutes } from "./routes/health.js";
+import { registerServerRoutes } from "./routes/servers.js";
+import { registerAuthRoutes } from "./routes/auth.js";
+import { registerAgentRoutes } from "./routes/agents.js";
+import { registerBastionRoutes } from "./routes/bastions.js";
+import { setupRateLimiting } from "./middleware/rate-limit.js";
+import { bastionRegistry } from "./services/bastion-registry.js";
+import { isBastionMessage } from "@lab/shared";
+
+export interface DbClient {
+  $queryRaw: (...args: unknown[]) => Promise<unknown>;
+  $disconnect?: () => Promise<void>;
+  server: {
+    findMany: (...args: unknown[]) => Promise<unknown[]>;
+    findUnique: (...args: unknown[]) => Promise<unknown>;
+  };
+  joinToken: {
+    findUnique: (...args: unknown[]) => Promise<unknown>;
+    findMany: (...args: unknown[]) => Promise<unknown[]>;
+    create: (...args: unknown[]) => Promise<unknown>;
+    update: (...args: unknown[]) => Promise<unknown>;
+  };
+  bastion: {
+    upsert: (...args: unknown[]) => Promise<unknown>;
+    findMany: (...args: unknown[]) => Promise<unknown[]>;
+    findUnique: (...args: unknown[]) => Promise<unknown>;
+    update: (...args: unknown[]) => Promise<unknown>;
+  };
+}
+
+export async function createApp(_config: LabdConfig, db: DbClient): Promise<{
+  app: ReturnType<typeof Fastify>;
+}> {
+  const app = Fastify({
+    logger: false, // We use winston instead
+  });
+
+  // Register rate limiting before routes
+  await setupRateLimiting(app);
+
+  // Register WebSocket support
+  void app.register(websocket);
+
+  // Register route handlers
+  registerHealthRoutes(app, db);
+  registerServerRoutes(app, db);
+  registerAuthRoutes(app, db);
+  registerAgentRoutes(app);
+  registerBastionRoutes(app, db);
+
+  // WebSocket handler for agent connections
+  app.register(async (fastify) => {
+    fastify.get("/ws/agent", { websocket: true }, (socket, _request) => {
+      logger.info("Agent WebSocket connection established");
+
+      socket.on("message", (message: Buffer) => {
+        const data = message.toString();
+        logger.info(`Agent message: ${data}`);
+        // TODO: Handle agent heartbeat, command relay, etc.
+      });
+
+      socket.on("close", () => {
+        logger.info("Agent WebSocket connection closed");
+      });
+    });
+  });
+
+  // WebSocket handler for bastion connections
+  app.register(async (fastify) => {
+    fastify.get("/ws/bastion", { websocket: true }, (socket, _request) => {
+      let bastionId: string | null = null;
+
+      logger.info("Bastion WebSocket connection established");
+
+      socket.on("message", (data: Buffer) => {
+        try {
+          const raw = data.toString();
+          const msg: unknown = JSON.parse(raw);
+
+          if (!isBastionMessage(msg)) {
+            logger.warn(`Unknown bastion message: ${(msg as { type?: string }).type}`);
+            return;
+          }
+
+          switch (msg.type) {
+            case "bastion-enroll": {
+              // Validate the join token
+              void (async () => {
+                try {
+                  const joinToken = await db.joinToken.findUnique({ where: { token: msg.token } }) as {
+                    id: string; type: string; usedBy: string | null; revokedAt: Date | null; expiresAt: Date | null;
+                  } | null;
+
+                  if (!joinToken || joinToken.revokedAt !== null) {
+                    logger.warn(`Bastion enrollment rejected: invalid/revoked token from ${msg.hostname}`);
+                    socket.send(JSON.stringify({ type: "error", error: "Invalid or revoked token" }));
+                    socket.close();
+                    return;
+                  }
+                  if (joinToken.expiresAt !== null && joinToken.expiresAt < new Date()) {
+                    logger.warn(`Bastion enrollment rejected: expired token from ${msg.hostname}`);
+                    socket.send(JSON.stringify({ type: "error", error: "Token expired" }));
+                    socket.close();
+                    return;
+                  }
+                  if (joinToken.type === "one-time" && joinToken.usedBy !== null) {
+                    logger.warn(`Bastion enrollment rejected: already-used token from ${msg.hostname}`);
+                    socket.send(JSON.stringify({ type: "error", error: "Token already used" }));
+                    socket.close();
+                    return;
+                  }
+
+                  // Mark token as used
+                  await db.joinToken.update({
+                    where: { id: joinToken.id },
+                    data: { usedBy: `bastion:${msg.hostname}`, usedAt: new Date() },
+                  });
+
+                  // Upsert bastion record
+                  const record = await db.bastion.upsert({
+                    where: { hostname: msg.hostname },
+                    create: { hostname: msg.hostname, network: msg.network, serverIp: msg.serverIp, status: "online" },
+                    update: { network: msg.network, serverIp: msg.serverIp, status: "online", lastHeartbeat: new Date() },
+                  }) as { id: string };
+
+                  bastionId = record.id;
+
+                  bastionRegistry.register({
+                    bastionId: record.id,
+                    hostname: msg.hostname,
+                    network: msg.network,
+                    serverIp: msg.serverIp,
+                    socket,
+                    connectedAt: new Date(),
+                    lastHeartbeat: new Date(),
+                    state: { discovered: {}, install_queue: {}, installed: {} },
+                  });
+
+                  socket.send(JSON.stringify({ type: "bastion-enrolled", bastionId: record.id }));
+                  logger.info(`BASTION ENROLLED: ${msg.hostname} (${msg.network}) as ${record.id.slice(0, 8)}...`);
+                } catch (err) {
+                  logger.error(`Bastion enrollment error: ${err instanceof Error ? err.message : String(err)}`);
+                  socket.close();
+                }
+              })();
+              break;
+            }
+
+            case "bastion-state-sync": {
+              if (!bastionId && msg.bastionId) {
+                // Reconnection with known bastionId — re-register
+                bastionId = msg.bastionId;
+                const existing = bastionRegistry.getById(bastionId);
+                if (!existing) {
+                  bastionRegistry.register({
+                    bastionId,
+                    hostname: "reconnecting",
+                    network: "",
+                    serverIp: "",
+                    socket,
+                    connectedAt: new Date(),
+                    lastHeartbeat: new Date(),
+                    state: msg.state,
+                  });
+                  // Update DB status
+                  void db.bastion.update({ where: { id: bastionId }, data: { status: "online", lastHeartbeat: new Date() } });
+                }
+              }
+              if (bastionId) {
+                bastionRegistry.updateState(bastionId, msg.state);
+                logger.info(`Bastion ${bastionId.slice(0, 8)} state sync: ${Object.keys(msg.state.discovered).length} discovered, ${Object.keys(msg.state.installed).length} installed`);
+              }
+              break;
+            }
+
+            case "bastion-heartbeat": {
+              if (bastionId) {
+                bastionRegistry.updateHeartbeat(bastionId);
+                socket.send(JSON.stringify({ type: "bastion-heartbeat-ack", serverTime: new Date().toISOString() }));
+              }
+              break;
+            }
+
+            case "bastion-progress": {
+              // Forward to any SSE subscribers (future)
+              logger.info(`Bastion progress: ${msg.mac} -> ${msg.stage}: ${msg.detail}`);
+              break;
+            }
+
+            case "command-response": {
+              // Handled by the pending command listener in bastions.ts routes
+              break;
+            }
+          }
+        } catch (err) {
+          logger.error(`Failed to parse bastion message: ${err instanceof Error ? err.message : String(err)}`);
+        }
+      });
+
+      socket.on("close", () => {
+        if (bastionId) {
+          logger.info(`Bastion ${bastionId.slice(0, 8)} disconnected`);
+          bastionRegistry.unregister(bastionId);
+          void db.bastion.update({ where: { id: bastionId }, data: { status: "offline" } }).catch(() => {});
+        }
+      });
+    });
+  });
+
+  // Log all requests
+  app.addHook("onRequest", async (request) => {
+    logger.info(`HTTP: ${request.ip} ${request.method} ${request.url}`);
+  });
+
+  return { app };
+}
diff --git a/bastion/src/labd/src/services/agent-registry.ts b/bastion/src/labd/src/services/agent-registry.ts
new file mode 100644
index 0000000..61f66e5
--- /dev/null
+++ b/bastion/src/labd/src/services/agent-registry.ts
@@ -0,0 +1,65 @@
+// In-memory registry of connected lab-agent WebSocket connections.
+// Tracks agents by serverId and hostname, emits lifecycle events.
+
+import { EventEmitter } from "node:events";
+import type { WebSocket } from "ws";
+
+export interface ConnectedAgent {
+  serverId: string;
+  hostname: string;
+  socket: WebSocket;
+  connectedAt: Date;
+  lastHeartbeat: Date;
+  version: string;
+  certFingerprint: string;
+}
+
+export class AgentRegistry extends EventEmitter {
+  private agents: Map<string, ConnectedAgent> = new Map();
+  private byHostname: Map<string, string> = new Map();
+
+  register(agent: ConnectedAgent): void {
+    this.agents.set(agent.serverId, agent);
+    this.byHostname.set(agent.hostname, agent.serverId);
+    this.emit("agent:connected", agent);
+  }
+
+  unregister(serverId: string): void {
+    const agent = this.agents.get(serverId);
+    if (agent !== undefined) {
+      this.byHostname.delete(agent.hostname);
+      this.agents.delete(serverId);
+      this.emit("agent:disconnected", agent);
+    }
+  }
+
+  getByServerId(serverId: string): ConnectedAgent | undefined {
+    return this.agents.get(serverId);
+  }
+
+  getByHostname(hostname: string): ConnectedAgent | undefined {
+    const serverId = this.byHostname.get(hostname);
+    if (serverId === undefined) {
+      return undefined;
+    }
+    return this.agents.get(serverId);
+  }
+
+  updateHeartbeat(serverId: string): void {
+    const agent = this.agents.get(serverId);
+    if (agent !== undefined) {
+      agent.lastHeartbeat = new Date();
+      this.emit("agent:heartbeat", agent);
+    }
+  }
+
+  getConnectedCount(): number {
+    return this.agents.size;
+  }
+
+  getAllConnected(): ConnectedAgent[] {
+    return [...this.agents.values()];
+  }
+}
+
+export const agentRegistry = new AgentRegistry();
diff --git a/bastion/src/labd/src/services/bastion-registry.ts b/bastion/src/labd/src/services/bastion-registry.ts
new file mode 100644
index 0000000..15d0570
--- /dev/null
+++ b/bastion/src/labd/src/services/bastion-registry.ts
@@ -0,0 +1,107 @@
+// In-memory registry of connected bastion WebSocket connections.
+// Tracks bastions by ID, caches their BastionState, and provides aggregation.
+
+import { EventEmitter } from "node:events";
+import type { WebSocket } from "ws";
+import type { BastionState, HardwareInfo, InstallConfig, InstalledInfo } from "@lab/shared";
+
+export interface ConnectedBastion {
+  bastionId: string;
+  hostname: string;
+  network: string;
+  serverIp: string;
+  socket: WebSocket;
+  connectedAt: Date;
+  lastHeartbeat: Date;
+  state: BastionState;
+}
+
+export interface AggregatedState {
+  discovered: Record<string, HardwareInfo>;
+  install_queue: Record<string, InstallConfig>;
+  installed: Record<string, InstalledInfo>;
+}
+
+export class BastionRegistry extends EventEmitter {
+  private bastions = new Map<string, ConnectedBastion>();
+
+  register(bastion: ConnectedBastion): void {
+    this.bastions.set(bastion.bastionId, bastion);
+    this.emit("bastion:connected", bastion);
+  }
+
+  unregister(bastionId: string): void {
+    const bastion = this.bastions.get(bastionId);
+    if (bastion) {
+      this.bastions.delete(bastionId);
+      this.emit("bastion:disconnected", bastion);
+    }
+  }
+
+  getById(bastionId: string): ConnectedBastion | undefined {
+    return this.bastions.get(bastionId);
+  }
+
+  getAll(): ConnectedBastion[] {
+    return [...this.bastions.values()];
+  }
+
+  getConnectedCount(): number {
+    return this.bastions.size;
+  }
+
+  updateState(bastionId: string, state: BastionState): void {
+    const bastion = this.bastions.get(bastionId);
+    if (bastion) {
+      bastion.state = state;
+      this.emit("bastion:state-updated", bastion);
+    }
+  }
+
+  updateHeartbeat(bastionId: string): void {
+    const bastion = this.bastions.get(bastionId);
+    if (bastion) {
+      bastion.lastHeartbeat = new Date();
+    }
+  }
+
+  /** Find which bastion owns a given MAC address. */
+  findBastionByMac(mac: string): ConnectedBastion | undefined {
+    const normalized = mac.toLowerCase();
+    for (const bastion of this.bastions.values()) {
+      if (
+        normalized in bastion.state.discovered ||
+        normalized in bastion.state.install_queue ||
+        normalized in bastion.state.installed
+      ) {
+        return bastion;
+      }
+    }
+    return undefined;
+  }
+
+  /** Merge all bastion states into one, tagging each entry with bastionId. */
+  getAggregatedState(): AggregatedState {
+    const result: AggregatedState = {
+      discovered: {},
+      install_queue: {},
+      installed: {},
+    };
+
+    for (const bastion of this.bastions.values()) {
+      for (const [mac, hw] of Object.entries(bastion.state.discovered)) {
+        result.discovered[mac] = { ...hw, bastionId: bastion.bastionId };
+      }
+      for (const [mac, cfg] of Object.entries(bastion.state.install_queue)) {
+        result.install_queue[mac] = { ...cfg, bastionId: bastion.bastionId };
+      }
+      for (const [mac, info] of Object.entries(bastion.state.installed)) {
+        result.installed[mac] = { ...info, bastionId: bastion.bastionId };
+      }
+    }
+
+    return result;
+  }
+}
+
+export const bastionRegistry = new BastionRegistry();
diff --git a/bastion/src/labd/src/services/encryption.ts b/bastion/src/labd/src/services/encryption.ts
new file mode 100644
index 0000000..94b3559
--- /dev/null
+++ b/bastion/src/labd/src/services/encryption.ts
@@ -0,0 +1,73 @@
+// Encryption service for sensitive data (CA keys, kubeconfigs).
+// Uses AES-256-GCM with scrypt-derived keys.
+
+import {
+  createCipheriv,
+  createDecipheriv,
+  randomBytes,
+  scryptSync,
+} from "node:crypto";
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
+const SALT = "labctl-salt";
+
+export class EncryptionService {
+  private key: Buffer;
+
+  constructor(masterKey: string) {
+    this.key = scryptSync(masterKey, SALT, KEY_LENGTH);
+  }
+
+  encrypt(plaintext: string): string {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, this.key, iv);
+
+    let encrypted = cipher.update(plaintext, "utf8", "base64");
+    encrypted += cipher.final("base64");
+
+    const authTag = cipher.getAuthTag();
+
+    // Format: iv:authTag:encrypted (all base64)
+    return [
+      iv.toString("base64"),
+      authTag.toString("base64"),
+      encrypted,
+    ].join(":");
+  }
+
+  decrypt(ciphertext: string): string {
+    const parts = ciphertext.split(":");
+    if (parts.length !== 3) {
+      throw new Error("Invalid ciphertext format: expected iv:authTag:encrypted");
+    }
+
+    const [ivB64, tagB64, encrypted] = parts as [string, string, string];
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(tagB64, "base64");
+
+    const decipher = createDecipheriv(ALGORITHM, this.key, iv);
+    decipher.setAuthTag(authTag);
+
+    let decrypted = decipher.update(encrypted, "base64", "utf8");
+    decrypted += decipher.final("utf8");
+
+    return decrypted;
+  }
+}
+
+// --- Singleton ---
+
+let _instance: EncryptionService | undefined;
+
+export function getEncryptionService(): EncryptionService {
+  if (!_instance) {
+    const masterKey = process.env["CA_ENCRYPTION_KEY"];
+    if (!masterKey || masterKey.length < 32) {
+      throw new Error("CA_ENCRYPTION_KEY must be set and at least 32 characters");
+    }
+    _instance = new EncryptionService(masterKey);
+  }
+  return _instance;
+}
diff --git a/bastion/src/labd/src/services/logger.ts b/bastion/src/labd/src/services/logger.ts
new file mode 100644
index 0000000..b3178c7
--- /dev/null
+++ b/bastion/src/labd/src/services/logger.ts
@@ -0,0 +1,17 @@
+// Winston logger instance shared across the labd application.
+
+import winston from "winston";
+
+export const logger = winston.createLogger({
+  level: process.env["LABD_LOG_LEVEL"] ?? "info",
+  format: winston.format.combine(
+    winston.format.timestamp({ format: "HH:mm:ss" }),
+    winston.format.printf(({ timestamp, level, message }) => {
+      const prefix = level === "error" ? "\x1b[31m[labd]\x1b[0m"
+        : level === "warn" ? "\x1b[33m[labd]\x1b[0m"
+        : "\x1b[36m[labd]\x1b[0m";
+      return `${prefix} ${timestamp as string} ${message as string}`;
+    }),
+  ),
+  transports: [new winston.transports.Console()],
+});
diff --git a/bastion/src/labd/src/services/message-router.ts b/bastion/src/labd/src/services/message-router.ts
new file mode 100644
index 0000000..e38655b
--- /dev/null
+++ b/bastion/src/labd/src/services/message-router.ts
@@ -0,0 +1,192 @@
+// WebSocket message routing between labd and connected agents.
+// Dispatches incoming agent messages to handlers, manages pending requests.
+
+import type { AgentMessage, ServerMessage, JournalOptions } from "@lab/shared";
+import { generateRequestId } from "@lab/shared";
+import type { ConnectedAgent } from "./agent-registry.js";
+
+export type MessageHandler = (
+  agent: ConnectedAgent,
+  message: AgentMessage,
+) => Promise<void>;
+
+export interface PendingRequest {
+  requestId: string;
+  serverId: string;
+  type: "exec" | "log";
+  resolve: (result: unknown) => void;
+  reject: (error: Error) => void;
+  timeout: NodeJS.Timeout;
+  onData?: (chunk: string) => void;
+}
+
+export class MessageRouter {
+  private pendingRequests: Map<string, PendingRequest> = new Map();
+  private handlers: Map<string, MessageHandler> = new Map();
+
+  registerHandler(type: string, handler: MessageHandler): void {
+    this.handlers.set(type, handler);
+  }
+
+  async handleMessage(
+    agent: ConnectedAgent,
+    message: AgentMessage,
+  ): Promise<void> {
+    // Dispatch to registered handler
+    const handler = this.handlers.get(message.type);
+    if (handler) {
+      await handler(agent, message);
+    }
+
+    // Handle responses to pending requests
+    if ("requestId" in message) {
+      const pending = this.pendingRequests.get(message.requestId);
+      if (!pending) return;
+
+      switch (message.type) {
+        case "exec-exit":
+          clearTimeout(pending.timeout);
+          pending.resolve({ exitCode: message.exitCode });
+          this.pendingRequests.delete(message.requestId);
+          break;
+        case "exec-stdout":
+        case "exec-stderr":
+          pending.onData?.(message.data);
+          break;
+        case "log-line":
+          pending.onData?.(message.line);
+          break;
+        case "log-end":
+          clearTimeout(pending.timeout);
+          pending.resolve({ completed: true });
+          this.pendingRequests.delete(message.requestId);
+          break;
+      }
+    }
+  }
+
+  async sendRequest(
+    agent: ConnectedAgent,
+    message: ServerMessage,
+    timeoutMs: number = 30_000,
+  ): Promise<unknown> {
+    return new Promise((resolve, reject) => {
+      const requestId =
+        "requestId" in message ? message.requestId : generateRequestId();
+
+      const timeoutHandle = setTimeout(() => {
+        this.pendingRequests.delete(requestId);
+        reject(new Error(`Request ${requestId} timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+
+      this.pendingRequests.set(requestId, {
+        requestId,
+        serverId: agent.serverId,
+        type: message.type === "log-subscribe" ? "log" : "exec",
+        resolve,
+        reject,
+        timeout: timeoutHandle,
+      });
+
+      agent.socket.send(JSON.stringify(message));
+    });
+  }
+
+  async sendRequestWithStreaming(
+    agent: ConnectedAgent,
+    message: ServerMessage,
+    onData: (chunk: string) => void,
+    timeoutMs: number = 30_000,
+  ): Promise<unknown> {
+    return new Promise((resolve, reject) => {
+      const requestId =
+        "requestId" in message ? message.requestId : generateRequestId();
+
+      const timeoutHandle = setTimeout(() => {
+        this.pendingRequests.delete(requestId);
+        reject(new Error(`Request ${requestId} timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+
+      this.pendingRequests.set(requestId, {
+        requestId,
+        serverId: agent.serverId,
+        type: message.type === "log-subscribe" ? "log" : "exec",
+        resolve,
+        reject,
+        timeout: timeoutHandle,
+        onData,
+      });
+
+      agent.socket.send(JSON.stringify(message));
+    });
+  }
+
+  subscribeToLogs(
+    agent: ConnectedAgent,
+    options: JournalOptions,
+    onLine: (line: string) => void,
+  ): { requestId: string; unsubscribe: () => void } {
+    const requestId = generateRequestId();
+
+    const timeoutHandle = setTimeout(() => {
+      // Log subscriptions don't time out by default, but we set a long one
+    }, 24 * 60 * 60 * 1000); // 24h max
+
+    this.pendingRequests.set(requestId, {
+      requestId,
+      serverId: agent.serverId,
+      type: "log",
+      resolve: () => {},
+      reject: () => {},
+      timeout: timeoutHandle,
+      onData: onLine,
+    });
+
+    agent.socket.send(
+      JSON.stringify({
+        type: "log-subscribe",
+        requestId,
+        options,
+      } satisfies ServerMessage),
+    );
+
+    return {
+      requestId,
+      unsubscribe: () => {
+        clearTimeout(timeoutHandle);
+        this.pendingRequests.delete(requestId);
+        agent.socket.send(
+          JSON.stringify({
+            type: "log-unsubscribe",
+            requestId,
+          } satisfies ServerMessage),
+        );
+      },
+    };
+  }
+
+  cancelRequest(requestId: string): boolean {
+    const pending = this.pendingRequests.get(requestId);
+    if (!pending) return false;
+    clearTimeout(pending.timeout);
+    pending.reject(new Error("Request cancelled"));
+    this.pendingRequests.delete(requestId);
+    return true;
+  }
+
+  cleanupAgent(serverId: string): void {
+    for (const [id, pending] of this.pendingRequests) {
+      if (pending.serverId === serverId) {
+        clearTimeout(pending.timeout);
+        pending.reject(new Error("Agent disconnected"));
+        this.pendingRequests.delete(id);
+      }
+    }
+  }
+
+  getPendingCount(): number {
+    return this.pendingRequests.size;
+  }
+}
+
+export const messageRouter = new MessageRouter();
diff --git a/bastion/src/labd/src/services/shutdown.ts b/bastion/src/labd/src/services/shutdown.ts
new file mode 100644
index 0000000..71fde7e
--- /dev/null
+++ b/bastion/src/labd/src/services/shutdown.ts
@@ -0,0 +1,98 @@
+// Graceful shutdown handling for labd.
+// Registers SIGTERM/SIGINT handlers, drains connections, and exits cleanly.
+
+import type { FastifyInstance } from "fastify";
+import { logger } from "./logger.js";
+import { agentRegistry } from "./agent-registry.js";
+import { messageRouter } from "./message-router.js";
+
+const FORCE_EXIT_TIMEOUT_MS = 15_000;
+
+let isShuttingDown = false;
+
+/**
+ * Returns true if the server is in the process of shutting down.
+ */
+export function isShuttingDownNow(): boolean {
+  return isShuttingDown;
+}
+
+export interface ShutdownResources {
+  app: FastifyInstance;
+  db?: { $disconnect?: () => Promise<void> };
+}
+
+/**
+ * Registers SIGTERM and SIGINT handlers for graceful shutdown.
+ * Idempotent: a second signal while shutdown is in progress is ignored.
+ */
+export function setupGracefulShutdown(resources: ShutdownResources): void {
+  const { app, db } = resources;
+
+  const shutdown = async (signal: string): Promise<void> => {
+    if (isShuttingDown) {
+      logger.info(`Received ${signal} again — shutdown already in progress, ignoring`);
+      return;
+    }
+
+    isShuttingDown = true;
+    logger.info(`Received ${signal}, starting graceful shutdown...`);
+
+    // Safety net: force exit after timeout
+    const forceExitTimer = setTimeout(() => {
+      logger.error("Graceful shutdown timed out — forcing exit");
+      process.exit(1);
+    }, FORCE_EXIT_TIMEOUT_MS);
+    forceExitTimer.unref();
+
+    try {
+      // 1. Stop accepting new connections
+      await app.close();
+      logger.info("HTTP server closed");
+
+      // 2. Notify connected agents and close their sockets
+      const agents = agentRegistry.getAllConnected();
+      if (agents.length > 0) {
+        logger.info(`Notifying ${agents.length} connected agent(s) of shutdown`);
+        for (const agent of agents) {
+          try {
+            agent.socket.send(
+              JSON.stringify({
+                type: "server-shutdown",
+                reconnectAfter: 5000,
+              }),
+            );
+            agent.socket.close();
+          } catch {
+            // Agent may already be disconnected
+          }
+        }
+      }
+
+      // 3. Clean up pending message-router requests for each agent
+      const pendingCount = messageRouter.getPendingCount();
+      if (pendingCount > 0) {
+        logger.info(`Cleaning up ${pendingCount} pending request(s)`);
+        for (const agent of agents) {
+          messageRouter.cleanupAgent(agent.serverId);
+        }
+      }
+
+      // 4. Disconnect database
+      if (db?.$disconnect) {
+        await db.$disconnect();
+        logger.info("Database disconnected");
+      }
+
+      logger.info("Graceful shutdown complete — goodbye");
+      process.exit(0);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`Error during shutdown: ${message}`);
+      process.exit(1);
+    }
+  };
+
+  process.on("SIGTERM", () => void shutdown("SIGTERM"));
+  process.on("SIGINT", () => void shutdown("SIGINT"));
+}
diff --git a/bastion/src/labd/src/validation/index.ts b/bastion/src/labd/src/validation/index.ts
new file mode 100644
index 0000000..082ef0a
--- /dev/null
+++ b/bastion/src/labd/src/validation/index.ts
@@ -0,0 +1,13 @@
+export {
+  createTokenSchema,
+  enrollmentSchema,
+  serverFiltersSchema,
+  permissionPatternSchema,
+  createRoleSchema,
+  type CreateTokenInput,
+  type EnrollmentInput,
+  type ServerFiltersInput,
+  type CreateRoleInput,
+} from "./schemas.js";
+
+export { validateBody, validateQuery } from "./middleware.js";
diff --git a/bastion/src/labd/src/validation/middleware.ts b/bastion/src/labd/src/validation/middleware.ts
new file mode 100644
index 0000000..6a83466
--- /dev/null
+++ b/bastion/src/labd/src/validation/middleware.ts
@@ -0,0 +1,32 @@
+// Fastify validation middleware using Zod schemas.
+
+import type { FastifyRequest, FastifyReply } from "fastify";
+import type { ZodSchema } from "zod";
+
+export function validateBody<T>(schema: ZodSchema<T>) {
+  return async (request: FastifyRequest, reply: FastifyReply): Promise<void> => {
+    const result = schema.safeParse(request.body);
+    if (!result.success) {
+      void reply.status(400).send({
+        error: "Validation failed",
+        details: result.error.flatten(),
+      });
+      return;
+    }
+    (request as unknown as { body: T }).body = result.data;
+  };
+}
+
+export function validateQuery<T>(schema: ZodSchema<T>) {
+  return async (request: FastifyRequest, reply: FastifyReply): Promise<void> => {
+    const result = schema.safeParse(request.query);
+    if (!result.success) {
+      void reply.status(400).send({
+        error: "Validation failed",
+        details: result.error.flatten(),
+      });
+      return;
+    }
+    (request as unknown as { query: T }).query = result.data;
+  };
+}
diff --git a/bastion/src/labd/src/validation/schemas.ts b/bastion/src/labd/src/validation/schemas.ts
new file mode 100644
index 0000000..516ee09
--- /dev/null
+++ b/bastion/src/labd/src/validation/schemas.ts
@@ -0,0 +1,37 @@
+// Zod validation schemas for labd API requests.
+
+import { z } from "zod";
+
+export const createTokenSchema = z.object({
+  type: z.enum(["one-time", "reusable"]).default("one-time"),
+  label: z.string().max(255).optional(),
+  expiresInHours: z.number().positive().max(8760).optional(), // Max 1 year
+});
+export type CreateTokenInput = z.infer<typeof createTokenSchema>;
+
+export const enrollmentSchema = z.object({
+  token: z.string().min(1, "token is required"),
+  hostname: z.string().regex(/^[a-z0-9][a-z0-9.-]*$/i, "Invalid hostname format").max(253),
+  csr: z.string().optional(),
+});
+export type EnrollmentInput = z.infer<typeof enrollmentSchema>;
+
+export const serverFiltersSchema = z.object({
+  cloud: z.string().optional(),
+  environment: z.string().optional(),
+  status: z.enum(["online", "offline", "provisioning", "unknown"]).optional(),
+});
+export type ServerFiltersInput = z.infer<typeof serverFiltersSchema>;
+
+export const permissionPatternSchema = z.string().regex(
+  /^[a-z*]+:[a-z*]+:[a-z*]+:[a-z0-9.*-]+$/,
+  "Permission must match pattern action:cloud:environment:server",
+);
+
+export const createRoleSchema = z.object({
+  name: z.string().min(1).max(64).regex(/^[a-z][a-z0-9-]*$/, "Role name must be lowercase alphanumeric with hyphens"),
+  description: z.string().max(500).optional(),
+  allow: z.array(permissionPatternSchema).optional(),
+  deny: z.array(permissionPatternSchema).optional(),
+});
+export type CreateRoleInput = z.infer<typeof createRoleSchema>;
diff --git a/bastion/src/labd/tests/agent-registry.test.ts b/bastion/src/labd/tests/agent-registry.test.ts
new file mode 100644
index 0000000..a595e2c
--- /dev/null
+++ b/bastion/src/labd/tests/agent-registry.test.ts
@@ -0,0 +1,112 @@
+// Tests for AgentRegistry.
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { AgentRegistry, type ConnectedAgent } from "../src/services/agent-registry.js";
+
+function makeAgent(overrides: Partial<ConnectedAgent> = {}): ConnectedAgent {
+  return {
+    serverId: "srv-1",
+    hostname: "worker-1",
+    socket: { send: vi.fn(), close: vi.fn(), readyState: 1 } as unknown as ConnectedAgent["socket"],
+    connectedAt: new Date(),
+    lastHeartbeat: new Date(),
+    version: "0.1.0",
+    certFingerprint: "abc123",
+    ...overrides,
+  };
+}
+
+describe("AgentRegistry", () => {
+  let registry: AgentRegistry;
+
+  beforeEach(() => {
+    registry = new AgentRegistry();
+  });
+
+  it("starts empty", () => {
+    expect(registry.getConnectedCount()).toBe(0);
+    expect(registry.getAllConnected()).toEqual([]);
+  });
+
+  it("registers and retrieves by serverId", () => {
+    const agent = makeAgent();
+    registry.register(agent);
+    expect(registry.getByServerId("srv-1")).toBe(agent);
+    expect(registry.getConnectedCount()).toBe(1);
+  });
+
+  it("retrieves by hostname", () => {
+    const agent = makeAgent({ hostname: "web-1" });
+    registry.register(agent);
+    expect(registry.getByHostname("web-1")).toBe(agent);
+  });
+
+  it("returns undefined for unknown serverId", () => {
+    expect(registry.getByServerId("nope")).toBeUndefined();
+  });
+
+  it("returns undefined for unknown hostname", () => {
+    expect(registry.getByHostname("nope")).toBeUndefined();
+  });
+
+  it("unregisters agent", () => {
+    const agent = makeAgent();
+    registry.register(agent);
+    registry.unregister("srv-1");
+    expect(registry.getByServerId("srv-1")).toBeUndefined();
+    expect(registry.getByHostname("worker-1")).toBeUndefined();
+    expect(registry.getConnectedCount()).toBe(0);
+  });
+
+  it("unregister is no-op for unknown serverId", () => {
+    registry.unregister("nonexistent"); // should not throw
+    expect(registry.getConnectedCount()).toBe(0);
+  });
+
+  it("updates heartbeat", () => {
+    const agent = makeAgent();
+    const oldTime = new Date(2020, 0, 1);
+    agent.lastHeartbeat = oldTime;
+    registry.register(agent);
+    registry.updateHeartbeat("srv-1");
+    expect(agent.lastHeartbeat.getTime()).toBeGreaterThan(oldTime.getTime());
+  });
+
+  it("emits agent:connected on register", () => {
+    const handler = vi.fn();
+    registry.on("agent:connected", handler);
+    const agent = makeAgent();
+    registry.register(agent);
+    expect(handler).toHaveBeenCalledWith(agent);
+  });
+
+  it("emits agent:disconnected on unregister", () => {
+    const handler = vi.fn();
+    registry.on("agent:disconnected", handler);
+    const agent = makeAgent();
+    registry.register(agent);
+    registry.unregister("srv-1");
+    expect(handler).toHaveBeenCalledWith(agent);
+  });
+
+  it("emits agent:heartbeat on updateHeartbeat", () => {
+    const handler = vi.fn();
+    registry.on("agent:heartbeat", handler);
+    const agent = makeAgent();
+    registry.register(agent);
+    registry.updateHeartbeat("srv-1");
+    expect(handler).toHaveBeenCalledWith(agent);
+  });
+
+  it("handles multiple agents", () => {
+    const a1 = makeAgent({ serverId: "s1", hostname: "h1" });
+    const a2 = makeAgent({ serverId: "s2", hostname: "h2" });
+    registry.register(a1);
+    registry.register(a2);
+    expect(registry.getConnectedCount()).toBe(2);
+    expect(registry.getAllConnected()).toHaveLength(2);
+    registry.unregister("s1");
+    expect(registry.getConnectedCount()).toBe(1);
+    expect(registry.getByHostname("h2")).toBe(a2);
+  });
+});
diff --git a/bastion/src/labd/tests/auth-routes.test.ts b/bastion/src/labd/tests/auth-routes.test.ts
new file mode 100644
index 0000000..1845405
--- /dev/null
+++ b/bastion/src/labd/tests/auth-routes.test.ts
@@ -0,0 +1,208 @@
+// Tests for auth and token management routes.
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import Fastify from "fastify";
+import { registerAuthRoutes } from "../src/routes/auth.js";
+
+function createMockDb() {
+  const tokens: Map<string, Record<string, unknown>> = new Map();
+
+  return {
+    $queryRaw: vi.fn(),
+    server: { findMany: vi.fn(), findUnique: vi.fn() },
+    joinToken: {
+      findUnique: vi.fn(async (args: { where: { token?: string; id?: string } }) => {
+        const key = args.where.token ?? args.where.id;
+        return key ? tokens.get(key) ?? null : null;
+      }),
+      findMany: vi.fn(async () => [...tokens.values()]),
+      create: vi.fn(async (args: { data: Record<string, unknown> }) => {
+        const id = `tok-${tokens.size + 1}`;
+        const record = {
+          id,
+          ...args.data,
+          usedBy: null,
+          usedAt: null,
+          revokedAt: null,
+          createdAt: new Date(),
+        };
+        tokens.set(record.token as string, record);
+        tokens.set(id, record);
+        return record;
+      }),
+      update: vi.fn(async (args: { where: { id: string }; data: Record<string, unknown> }) => {
+        const existing = tokens.get(args.where.id);
+        if (existing) Object.assign(existing, args.data);
+        return existing;
+      }),
+    },
+    _tokens: tokens,
+  };
+}
+
+describe("auth routes", () => {
+  let app: ReturnType<typeof Fastify>;
+  let db: ReturnType<typeof createMockDb>;
+
+  beforeEach(async () => {
+    app = Fastify({ logger: false });
+    db = createMockDb();
+    registerAuthRoutes(app, db);
+    await app.ready();
+  });
+
+  describe("POST /api/tokens", () => {
+    it("creates a one-time token", async () => {
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/tokens",
+        payload: { label: "test-token" },
+      });
+      expect(resp.statusCode).toBe(201);
+      const body = resp.json();
+      expect(body.token).toBeDefined();
+      expect(body.type).toBe("one-time");
+      expect(body.label).toBe("test-token");
+    });
+
+    it("creates a reusable token", async () => {
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/tokens",
+        payload: { type: "reusable", label: "asg-token" },
+      });
+      expect(resp.statusCode).toBe(201);
+      expect(resp.json().type).toBe("reusable");
+    });
+
+    it("rejects invalid type", async () => {
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/tokens",
+        payload: { type: "invalid" },
+      });
+      expect(resp.statusCode).toBe(400);
+    });
+
+    it("creates token with expiry", async () => {
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/tokens",
+        payload: { expiresInHours: 24 },
+      });
+      expect(resp.statusCode).toBe(201);
+      expect(resp.json().expiresAt).toBeDefined();
+    });
+  });
+
+  describe("GET /api/tokens", () => {
+    it("lists tokens", async () => {
+      // Create a token first
+      await app.inject({
+        method: "POST",
+        url: "/api/tokens",
+        payload: { label: "t1" },
+      });
+
+      const resp = await app.inject({ method: "GET", url: "/api/tokens" });
+      expect(resp.statusCode).toBe(200);
+      expect(Array.isArray(resp.json())).toBe(true);
+    });
+  });
+
+  describe("POST /api/auth/enroll", () => {
+    it("rejects missing token", async () => {
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/auth/enroll",
+        payload: { hostname: "w1" },
+      });
+      expect(resp.statusCode).toBe(400);
+      expect(resp.json().error).toContain("token");
+    });
+
+    it("rejects missing hostname", async () => {
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/auth/enroll",
+        payload: { token: "some-token" },
+      });
+      expect(resp.statusCode).toBe(400);
+      expect(resp.json().error).toContain("hostname");
+    });
+
+    it("rejects invalid token", async () => {
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/auth/enroll",
+        payload: { token: "nonexistent", hostname: "w1" },
+      });
+      expect(resp.statusCode).toBe(401);
+    });
+
+    it("accepts valid token", async () => {
+      // Create a token
+      const createResp = await app.inject({
+        method: "POST",
+        url: "/api/tokens",
+        payload: { label: "test" },
+      });
+      const tokenValue = createResp.json().token;
+
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/auth/enroll",
+        payload: { token: tokenValue, hostname: "worker-1" },
+      });
+      expect(resp.statusCode).toBe(200);
+      expect(resp.json().status).toBe("enrolled");
+      expect(resp.json().hostname).toBe("worker-1");
+    });
+
+    it("rejects revoked token", async () => {
+      // Create and revoke a token
+      const createResp = await app.inject({
+        method: "POST",
+        url: "/api/tokens",
+        payload: { label: "revoked" },
+      });
+      const token = createResp.json();
+
+      // Manually set revokedAt
+      const record = db._tokens.get(token.token);
+      if (record) record.revokedAt = new Date();
+
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/auth/enroll",
+        payload: { token: token.token, hostname: "w1" },
+      });
+      expect(resp.statusCode).toBe(401);
+      expect(resp.json().error).toContain("revoked");
+    });
+
+    it("rejects expired token", async () => {
+      const createResp = await app.inject({
+        method: "POST",
+        url: "/api/tokens",
+        payload: { label: "expired" },
+      });
+      const token = createResp.json();
+
+      // Manually set past expiry (keep revokedAt null so it hits expiry check)
+      const record = db._tokens.get(token.token);
+      if (record) {
+        record.expiresAt = new Date(Date.now() - 60000);
+        record.revokedAt = null;
+      }
+
+      const resp = await app.inject({
+        method: "POST",
+        url: "/api/auth/enroll",
+        payload: { token: token.token, hostname: "w1" },
+      });
+      expect(resp.statusCode).toBe(401);
+      expect(resp.json().error).toContain("expired");
+    });
+  });
+});
diff --git a/bastion/src/labd/tests/encryption.test.ts b/bastion/src/labd/tests/encryption.test.ts
new file mode 100644
index 0000000..9e70224
--- /dev/null
+++ b/bastion/src/labd/tests/encryption.test.ts
@@ -0,0 +1,63 @@
+// Tests for EncryptionService.
+
+import { describe, it, expect } from "vitest";
+import { EncryptionService } from "../src/services/encryption.js";
+
+const MASTER_KEY = "a".repeat(32);
+
+describe("EncryptionService", () => {
+  it("encrypt/decrypt roundtrip", () => {
+    const svc = new EncryptionService(MASTER_KEY);
+    const plaintext = "hello world secret data";
+    const ciphertext = svc.encrypt(plaintext);
+    expect(ciphertext).not.toBe(plaintext);
+    expect(svc.decrypt(ciphertext)).toBe(plaintext);
+  });
+
+  it("encrypts empty string", () => {
+    const svc = new EncryptionService(MASTER_KEY);
+    expect(svc.decrypt(svc.encrypt(""))).toBe("");
+  });
+
+  it("encrypts unicode", () => {
+    const svc = new EncryptionService(MASTER_KEY);
+    const text = "Héllo 世界 🌍";
+    expect(svc.decrypt(svc.encrypt(text))).toBe(text);
+  });
+
+  it("encrypts large data", () => {
+    const svc = new EncryptionService(MASTER_KEY);
+    const text = "x".repeat(100_000);
+    expect(svc.decrypt(svc.encrypt(text))).toBe(text);
+  });
+
+  it("different IVs produce different ciphertext", () => {
+    const svc = new EncryptionService(MASTER_KEY);
+    const a = svc.encrypt("same");
+    const b = svc.encrypt("same");
+    expect(a).not.toBe(b); // Random IV each time
+    expect(svc.decrypt(a)).toBe("same");
+    expect(svc.decrypt(b)).toBe("same");
+  });
+
+  it("different keys produce different ciphertext", () => {
+    const svc1 = new EncryptionService("a".repeat(32));
+    const svc2 = new EncryptionService("b".repeat(32));
+    const ct1 = svc1.encrypt("secret");
+    expect(() => svc2.decrypt(ct1)).toThrow(); // Auth tag mismatch
+  });
+
+  it("rejects tampered ciphertext", () => {
+    const svc = new EncryptionService(MASTER_KEY);
+    const ct = svc.encrypt("data");
+    const parts = ct.split(":");
+    parts[2] = "AAAA" + parts[2]!.slice(4); // corrupt encrypted data
+    expect(() => svc.decrypt(parts.join(":"))).toThrow();
+  });
+
+  it("rejects invalid format", () => {
+    const svc = new EncryptionService(MASTER_KEY);
+    expect(() => svc.decrypt("not:enough")).toThrow("Invalid ciphertext format");
+    expect(() => svc.decrypt("")).toThrow("Invalid ciphertext format");
+  });
+});
diff --git a/bastion/src/labd/tests/health.test.ts b/bastion/src/labd/tests/health.test.ts
new file mode 100644
index 0000000..6d3bc80
--- /dev/null
+++ b/bastion/src/labd/tests/health.test.ts
@@ -0,0 +1,65 @@
+import { describe, it, expect, vi } from "vitest";
+import Fastify from "fastify";
+import { registerHealthRoutes } from "../src/routes/health.js";
+import type { DbClient } from "../src/server.js";
+
+function createMockDb(overrides: Partial<DbClient> = {}): DbClient {
+  return {
+    $queryRaw: vi.fn().mockResolvedValue([{ "?column?": 1 }]),
+    server: {
+      findMany: vi.fn().mockResolvedValue([]),
+      findUnique: vi.fn().mockResolvedValue(null),
+    },
+    joinToken: {
+      findUnique: vi.fn().mockResolvedValue(null),
+      findMany: vi.fn().mockResolvedValue([]),
+      create: vi.fn().mockResolvedValue({ id: "test-id" }),
+      update: vi.fn().mockResolvedValue({}),
+    },
+    ...overrides,
+  };
+}
+
+describe("Health endpoint", () => {
+  it("returns healthy when database is reachable", async () => {
+    const app = Fastify({ logger: false });
+    const db = createMockDb();
+
+    registerHealthRoutes(app, db);
+
+    const response = await app.inject({
+      method: "GET",
+      url: "/healthz",
+    });
+
+    expect(response.statusCode).toBe(200);
+    const body = JSON.parse(response.body);
+    expect(body.status).toBe("healthy");
+    expect(body.checks.database).toBe("ok");
+    expect(body.uptime).toBeTypeOf("number");
+    expect(body.timestamp).toBeTypeOf("string");
+
+    await app.close();
+  });
+
+  it("returns degraded when database is unreachable", async () => {
+    const app = Fastify({ logger: false });
+    const db = createMockDb({
+      $queryRaw: vi.fn().mockRejectedValue(new Error("Connection refused")),
+    });
+
+    registerHealthRoutes(app, db);
+
+    const response = await app.inject({
+      method: "GET",
+      url: "/healthz",
+    });
+
+    expect(response.statusCode).toBe(503);
+    const body = JSON.parse(response.body);
+    expect(body.status).toBe("degraded");
+    expect(body.checks.database).toBe("error");
+
+    await app.close();
+  });
+});
diff --git a/bastion/src/labd/tests/validation.test.ts b/bastion/src/labd/tests/validation.test.ts
new file mode 100644
index 0000000..281622c
--- /dev/null
+++ b/bastion/src/labd/tests/validation.test.ts
@@ -0,0 +1,123 @@
+// Tests for Zod validation schemas.
+
+import { describe, it, expect } from "vitest";
+import {
+  createTokenSchema,
+  enrollmentSchema,
+  serverFiltersSchema,
+  createRoleSchema,
+  permissionPatternSchema,
+} from "../src/validation/schemas.js";
+
+describe("createTokenSchema", () => {
+  it("accepts minimal input", () => {
+    const result = createTokenSchema.safeParse({});
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.type).toBe("one-time"); // default
+    }
+  });
+
+  it("accepts full input", () => {
+    const result = createTokenSchema.safeParse({
+      type: "reusable",
+      label: "asg-token",
+      expiresInHours: 24,
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it("rejects invalid type", () => {
+    const result = createTokenSchema.safeParse({ type: "invalid" });
+    expect(result.success).toBe(false);
+  });
+
+  it("rejects negative expiry", () => {
+    const result = createTokenSchema.safeParse({ expiresInHours: -1 });
+    expect(result.success).toBe(false);
+  });
+
+  it("rejects expiry over 1 year", () => {
+    const result = createTokenSchema.safeParse({ expiresInHours: 9000 });
+    expect(result.success).toBe(false);
+  });
+});
+
+describe("enrollmentSchema", () => {
+  it("accepts valid enrollment", () => {
+    const result = enrollmentSchema.safeParse({
+      token: "abc123",
+      hostname: "worker-1.ad.itaz.eu",
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it("rejects empty token", () => {
+    const result = enrollmentSchema.safeParse({
+      token: "",
+      hostname: "w1",
+    });
+    expect(result.success).toBe(false);
+  });
+
+  it("rejects invalid hostname", () => {
+    const result = enrollmentSchema.safeParse({
+      token: "abc",
+      hostname: "-invalid",
+    });
+    expect(result.success).toBe(false);
+  });
+});
+
+describe("serverFiltersSchema", () => {
+  it("accepts empty filters", () => {
+    const result = serverFiltersSchema.safeParse({});
+    expect(result.success).toBe(true);
+  });
+
+  it("accepts valid status", () => {
+    const result = serverFiltersSchema.safeParse({ status: "online" });
+    expect(result.success).toBe(true);
+  });
+
+  it("rejects invalid status", () => {
+    const result = serverFiltersSchema.safeParse({ status: "banana" });
+    expect(result.success).toBe(false);
+  });
+});
+
+describe("permissionPatternSchema", () => {
+  it("accepts valid patterns", () => {
+    expect(permissionPatternSchema.safeParse("read:*:*:*").success).toBe(true);
+    expect(permissionPatternSchema.safeParse("exec:baremetal:lab:*").success).toBe(true);
+    expect(permissionPatternSchema.safeParse("*:*:*:worker-1").success).toBe(true);
+  });
+
+  it("rejects invalid patterns", () => {
+    expect(permissionPatternSchema.safeParse("read").success).toBe(false);
+    expect(permissionPatternSchema.safeParse("read:*").success).toBe(false);
+    expect(permissionPatternSchema.safeParse("READ:*:*:*").success).toBe(false);
+  });
+});
+
+describe("createRoleSchema", () => {
+  it("accepts valid role", () => {
+    const result = createRoleSchema.safeParse({
+      name: "deployer",
+      description: "Can deploy apps",
+      allow: ["exec:*:*:*", "read:*:*:*"],
+      deny: ["destroy:*:*:*"],
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it("rejects uppercase role name", () => {
+    const result = createRoleSchema.safeParse({ name: "Admin" });
+    expect(result.success).toBe(false);
+  });
+
+  it("rejects empty role name", () => {
+    const result = createRoleSchema.safeParse({ name: "" });
+    expect(result.success).toBe(false);
+  });
+});
diff --git a/bastion/src/labd/tsconfig.json b/bastion/src/labd/tsconfig.json
new file mode 100644
index 0000000..4c4fbfc
--- /dev/null
+++ b/bastion/src/labd/tsconfig.json
@@ -0,0 +1,12 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*.ts"],
+  "references": [
+    { "path": "../shared" }
+  ]
+}
diff --git a/bastion/src/labd/vitest.config.ts b/bastion/src/labd/vitest.config.ts
new file mode 100644
index 0000000..fc23bdd
--- /dev/null
+++ b/bastion/src/labd/vitest.config.ts
@@ -0,0 +1,8 @@
+import { defineProject } from 'vitest/config';
+
+export default defineProject({
+  test: {
+    name: 'labd',
+    include: ['tests/**/*.test.ts'],
+  },
+});
diff --git a/bastion/src/modules/modules/k3s/module.yaml b/bastion/src/modules/modules/k3s/module.yaml
new file mode 100644
index 0000000..698ec7b
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/module.yaml
@@ -0,0 +1,6 @@
+name: k3s
+version: 0.1.0
+description: Install and configure k3s with CIS security hardening and Cilium CNI
+targets:
+  roles: [infra, worker]
+dependencies: []
diff --git a/bastion/src/modules/modules/k3s/src/configure.ts b/bastion/src/modules/modules/k3s/src/configure.ts
new file mode 100644
index 0000000..a39b748
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/configure.ts
@@ -0,0 +1,117 @@
+// k3s module — configure phase.
+// Post-install configuration: log rotation, network policies, cert rotation.
+
+export function generateConfigureScript(hostname: string): string {
+  return `#!/bin/bash
+set -euo pipefail
+
+echo "=== k3s configure: ${hostname} ==="
+
+# ── 0. Fix CoreDNS upstream resolver ──
+# systemd-resolved listens on 127.0.0.53, but that address is unreachable from
+# inside CoreDNS's pod network namespace. CoreDNS forwards to /etc/resolv.conf
+# which contains 127.0.0.53 on systemd-resolved hosts, causing all external DNS
+# lookups to time out. Fix: write a resolv.conf with the real upstream DNS server
+# that k3s will use instead of /etc/resolv.conf.
+echo "[0/4] Fixing CoreDNS upstream DNS..."
+UPSTREAM_DNS=$(resolvectl status 2>/dev/null | grep -A2 "Link.*$(ip -4 route show default | awk '{print $5}' | head -1)" | grep "Current DNS" | awk '{print $NF}' || echo "")
+if [ -z "$UPSTREAM_DNS" ]; then
+  # Fallback: parse resolv.conf from systemd-resolved's real config
+  UPSTREAM_DNS=$(cat /run/systemd/resolve/resolv.conf 2>/dev/null | grep "^nameserver" | head -1 | awk '{print $2}' || echo "")
+fi
+
+if [ -n "$UPSTREAM_DNS" ] && [ "$UPSTREAM_DNS" != "127.0.0.53" ]; then
+  echo "nameserver $UPSTREAM_DNS" > /etc/rancher/k3s/resolv.conf
+  echo "  Wrote /etc/rancher/k3s/resolv.conf with upstream DNS: $UPSTREAM_DNS"
+
+  # k3s reads this file automatically on next restart; restart now to apply
+  if systemctl is-active k3s >/dev/null 2>&1; then
+    systemctl restart k3s
+    echo "  Restarted k3s to pick up DNS fix"
+    # Wait for API to come back
+    for i in $(seq 1 30); do
+      if k3s kubectl get nodes >/dev/null 2>&1; then
+        break
+      fi
+      sleep 2
+    done
+  fi
+else
+  echo "  Upstream DNS already correct or could not detect — skipping"
+fi
+
+# ── 1. Log rotation for k3s ──
+echo "[1/4] Setting up log rotation..."
+cat > /etc/logrotate.d/k3s << 'LOGROTATE'
+/var/log/kubernetes/*.log {
+  daily
+  rotate 14
+  compress
+  delaycompress
+  missingok
+  notifempty
+  copytruncate
+  maxsize 100M
+}
+LOGROTATE
+
+# ── 2. Verify certificate rotation ──
+echo "[2/4] Checking certificate rotation..."
+if k3s certificate rotate --help > /dev/null 2>&1; then
+  echo "  Certificate rotation available"
+else
+  echo "  Warning: certificate rotation not available in this k3s version"
+fi
+
+# Check cert expiry
+CERT_DIR="/var/lib/rancher/k3s/server/tls"
+if [ -d "$CERT_DIR" ]; then
+  for cert in "$CERT_DIR"/*.crt; do
+    [ -f "$cert" ] || continue
+    EXPIRY=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2)
+    echo "  $(basename "$cert"): expires $EXPIRY"
+  done
+fi
+
+# ── 3. Default network policy (deny all ingress by default) ──
+echo "[3/4] Applying default network policies..."
+k3s kubectl apply -f - << 'NETPOL'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+NETPOL
+
+# Allow DNS
+k3s kubectl apply -f - << 'DNSPOL'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to: []
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+DNSPOL
+
+# ── 4. Verify cluster state ──
+echo "[4/4] Verifying cluster state..."
+k3s kubectl get nodes
+k3s kubectl get pods -A
+
+echo "=== k3s configure complete ==="
+`;
+}
diff --git a/bastion/src/modules/modules/k3s/src/groups/hardening.ts b/bastion/src/modules/modules/k3s/src/groups/hardening.ts
new file mode 100644
index 0000000..f2b92fc
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/groups/hardening.ts
@@ -0,0 +1,22 @@
+// Hardening: Pod Security Standards, certificate check, log rotation.
+
+import type { OperationContext, OperationResult, OperationGroup } from "../types.js";
+import { runSequential } from "../utils.js";
+import { applyPodSecurityStandards } from "../operations/pod-security.js";
+import { checkCertExpiry } from "../operations/cert-check.js";
+import { configureLogRotation } from "../operations/log-rotation.js";
+
+export const hardeningGroup: OperationGroup = {
+  name: "hardening",
+  description: "Pod security, certificate check, log rotation",
+  operations: [
+    { name: "Apply Pod Security Standards", fn: applyPodSecurityStandards },
+    { name: "Check certificate expiry", fn: checkCertExpiry },
+    { name: "Configure log rotation", fn: configureLogRotation },
+  ],
+};
+
+export async function runHardening(ctx: OperationContext): Promise<OperationResult[]> {
+  ctx.log("Cluster hardening...");
+  return runSequential(ctx, hardeningGroup.operations);
+}
diff --git a/bastion/src/modules/modules/k3s/src/groups/host-prep.ts b/bastion/src/modules/modules/k3s/src/groups/host-prep.ts
new file mode 100644
index 0000000..f8acf27
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/groups/host-prep.ts
@@ -0,0 +1,26 @@
+// Host preparation: kernel modules, sysctl, swap, firewall, SELinux.
+
+import type { OperationContext, OperationResult, OperationGroup } from "../types.js";
+import { runSequential } from "../utils.js";
+import { loadKernelModules } from "../operations/kernel-modules.js";
+import { applyCisHardening } from "../operations/sysctl.js";
+import { disableSwap } from "../operations/swap.js";
+import { disableFirewall } from "../operations/firewall.js";
+import { setSelinuxPermissive } from "../operations/selinux.js";
+
+export const hostPrepGroup: OperationGroup = {
+  name: "host-prep",
+  description: "Prepare host for k3s: kernel modules, sysctl, swap, firewall, SELinux",
+  operations: [
+    { name: "Load kernel modules", fn: loadKernelModules },
+    { name: "Apply CIS sysctl", fn: applyCisHardening },
+    { name: "Disable swap", fn: disableSwap },
+    { name: "Disable firewall", fn: disableFirewall },
+    { name: "Set SELinux permissive", fn: setSelinuxPermissive },
+  ],
+};
+
+export async function runHostPrep(ctx: OperationContext): Promise<OperationResult[]> {
+  ctx.log("Host preparation...");
+  return runSequential(ctx, hostPrepGroup.operations);
+}
diff --git a/bastion/src/modules/modules/k3s/src/groups/index.ts b/bastion/src/modules/modules/k3s/src/groups/index.ts
new file mode 100644
index 0000000..32b4f6a
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/groups/index.ts
@@ -0,0 +1,5 @@
+export { hostPrepGroup, runHostPrep } from "./host-prep.js";
+export { k3sServerGroup, runK3sServer } from "./k3s-server.js";
+export { k3sAgentGroup, runK3sAgent } from "./k3s-agent.js";
+export { networkingGroup, runNetworking } from "./networking.js";
+export { hardeningGroup, runHardening } from "./hardening.js";
diff --git a/bastion/src/modules/modules/k3s/src/groups/k3s-agent.ts b/bastion/src/modules/modules/k3s/src/groups/k3s-agent.ts
new file mode 100644
index 0000000..ba6c0e0
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/groups/k3s-agent.ts
@@ -0,0 +1,20 @@
+// K3s agent installation: config + binary in agent mode.
+
+import type { OperationContext, OperationResult, OperationGroup } from "../types.js";
+import { runSequential } from "../utils.js";
+import { writeK3sConfig } from "../operations/k3s-config.js";
+import { installK3sBinary } from "../operations/k3s-install.js";
+
+export const k3sAgentGroup: OperationGroup = {
+  name: "k3s-agent",
+  description: "Install k3s agent and join cluster",
+  operations: [
+    { name: "Write k3s config", fn: writeK3sConfig },
+    { name: "Install k3s agent", fn: installK3sBinary },
+  ],
+};
+
+export async function runK3sAgent(ctx: OperationContext): Promise<OperationResult[]> {
+  ctx.log("K3s agent installation...");
+  return runSequential(ctx, k3sAgentGroup.operations);
+}
diff --git a/bastion/src/modules/modules/k3s/src/groups/k3s-server.ts b/bastion/src/modules/modules/k3s/src/groups/k3s-server.ts
new file mode 100644
index 0000000..a7279ad
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/groups/k3s-server.ts
@@ -0,0 +1,24 @@
+// K3s server installation: config, audit policy, CNI cleanup, binary install.
+
+import type { OperationContext, OperationResult, OperationGroup } from "../types.js";
+import { runSequential } from "../utils.js";
+import { writeK3sConfig } from "../operations/k3s-config.js";
+import { writeAuditPolicy } from "../operations/audit-policy.js";
+import { cleanupStaleCni } from "../operations/cni-cleanup.js";
+import { installK3sBinary } from "../operations/k3s-install.js";
+
+export const k3sServerGroup: OperationGroup = {
+  name: "k3s-server",
+  description: "Install k3s server with CIS-hardened config",
+  operations: [
+    { name: "Write k3s config", fn: writeK3sConfig },
+    { name: "Write audit policy", fn: writeAuditPolicy },
+    { name: "Clean stale CNI", fn: cleanupStaleCni },
+    { name: "Install k3s binary", fn: installK3sBinary },
+  ],
+};
+
+export async function runK3sServer(ctx: OperationContext): Promise<OperationResult[]> {
+  ctx.log("K3s server installation...");
+  return runSequential(ctx, k3sServerGroup.operations);
+}
diff --git a/bastion/src/modules/modules/k3s/src/groups/networking.ts b/bastion/src/modules/modules/k3s/src/groups/networking.ts
new file mode 100644
index 0000000..fa786db
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/groups/networking.ts
@@ -0,0 +1,22 @@
+// Networking: Cilium CNI, CoreDNS fix, network policies.
+
+import type { OperationContext, OperationResult, OperationGroup } from "../types.js";
+import { runSequential } from "../utils.js";
+import { installCilium } from "../operations/cilium.js";
+import { fixCoreDnsUpstream } from "../operations/dns-fix.js";
+import { applyDefaultNetworkPolicies } from "../operations/network-policy.js";
+
+export const networkingGroup: OperationGroup = {
+  name: "networking",
+  description: "Install Cilium CNI, fix DNS, apply network policies",
+  operations: [
+    { name: "Install Cilium CNI", fn: installCilium },
+    { name: "Fix CoreDNS upstream", fn: fixCoreDnsUpstream },
+    { name: "Apply network policies", fn: applyDefaultNetworkPolicies },
+  ],
+};
+
+export async function runNetworking(ctx: OperationContext): Promise<OperationResult[]> {
+  ctx.log("Networking setup...");
+  return runSequential(ctx, networkingGroup.operations);
+}
diff --git a/bastion/src/modules/modules/k3s/src/health.ts b/bastion/src/modules/modules/k3s/src/health.ts
new file mode 100644
index 0000000..c58f9e9
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/health.ts
@@ -0,0 +1,56 @@
+// k3s module — health check phase.
+// Verifies k3s is running, nodes ready, API accessible, Cilium healthy, encryption active.
+
+export interface HealthCheck {
+  name: string;
+  command: string;
+  /** Function to check if the command output indicates success */
+  check: (stdout: string, exitCode: number) => boolean;
+}
+
+export const K3S_HEALTH_CHECKS: HealthCheck[] = [
+  {
+    name: "k3s service active",
+    command: "systemctl is-active k3s",
+    check: (stdout, code) => code === 0 && stdout.trim() === "active",
+  },
+  {
+    name: "node Ready",
+    command: "k3s kubectl get nodes -o jsonpath='{.items[0].status.conditions[?(@.type==\"Ready\")].status}'",
+    check: (stdout) => stdout.includes("True"),
+  },
+  {
+    name: "API server healthy",
+    command: "k3s kubectl get --raw /healthz",
+    check: (stdout, code) => code === 0 && stdout.trim() === "ok",
+  },
+  {
+    name: "secrets encryption enabled",
+    command: "k3s secrets-encrypt status 2>/dev/null || echo 'not available'",
+    check: (stdout) => stdout.includes("Enabled") || stdout.includes("enabled"),
+  },
+  {
+    name: "Cilium status",
+    command: "cilium status --brief 2>/dev/null || echo 'cilium not installed'",
+    check: (stdout, code) => code === 0 && !stdout.includes("not installed"),
+  },
+  {
+    name: "kube-system pods running",
+    command: "k3s kubectl get pods -n kube-system --no-headers | grep -v Running | grep -v Completed | wc -l",
+    check: (stdout) => parseInt(stdout.trim(), 10) === 0,
+  },
+];
+
+export function generateHealthScript(): string {
+  const checks = K3S_HEALTH_CHECKS.map((check, i) => `
+echo "[${i + 1}/${K3S_HEALTH_CHECKS.length}] ${check.name}..."
+OUTPUT=$(${check.command} 2>&1) || true
+echo "  result: $OUTPUT"
+`).join("\n");
+
+  return `#!/bin/bash
+echo "=== k3s health check ==="
+${checks}
+echo "=== health check complete ==="
+`;
+}
diff --git a/bastion/src/modules/modules/k3s/src/health/api-health.ts b/bastion/src/modules/modules/k3s/src/health/api-health.ts
new file mode 100644
index 0000000..66ecb3e
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/health/api-health.ts
@@ -0,0 +1,8 @@
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const checkApiHealth: Operation = async (ctx): Promise<OperationResult> => {
+  const result = await ctx.ssh.exec("k3s kubectl get --raw /healthz 2>/dev/null", sshOpts(ctx));
+  const healthy = result.exitCode === 0 && result.stdout.trim() === "ok";
+  return { success: healthy, changed: false, message: healthy ? "API server healthy" : "API server unhealthy" };
+};
diff --git a/bastion/src/modules/modules/k3s/src/health/cilium-status.ts b/bastion/src/modules/modules/k3s/src/health/cilium-status.ts
new file mode 100644
index 0000000..7c55dea
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/health/cilium-status.ts
@@ -0,0 +1,16 @@
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const checkCiliumStatus: Operation = async (ctx): Promise<OperationResult> => {
+  const result = await ctx.ssh.exec(
+    "KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium status --brief 2>/dev/null",
+    sshOpts(ctx),
+  );
+  const ok = result.exitCode === 0;
+  return {
+    success: ok,
+    changed: false,
+    message: ok ? "Cilium OK" : "Cilium unhealthy",
+    details: ok ? [result.stdout.trim()] : [result.stderr.trim()],
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/health/index.ts b/bastion/src/modules/modules/k3s/src/health/index.ts
new file mode 100644
index 0000000..d85f09c
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/health/index.ts
@@ -0,0 +1,6 @@
+export { checkK3sService } from "./k3s-service.js";
+export { checkNodeReady } from "./node-ready.js";
+export { checkApiHealth } from "./api-health.js";
+export { checkSecretsEncryption } from "./secrets-encryption.js";
+export { checkCiliumStatus } from "./cilium-status.js";
+export { checkPodStatus } from "./pod-status.js";
diff --git a/bastion/src/modules/modules/k3s/src/health/k3s-service.ts b/bastion/src/modules/modules/k3s/src/health/k3s-service.ts
new file mode 100644
index 0000000..be62fdb
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/health/k3s-service.ts
@@ -0,0 +1,9 @@
+import type { Operation, OperationResult } from "../types.js";
+import { isServiceActive } from "../utils.js";
+
+export const checkK3sService: Operation = async (ctx): Promise<OperationResult> => {
+  const isServer = ctx.config.role === "infra" || ctx.config.role === "labcontroller";
+  const service = isServer ? "k3s" : "k3s-agent";
+  const active = await isServiceActive(ctx, service);
+  return { success: active, changed: false, message: active ? `${service} is active` : `${service} is not active` };
+};
diff --git a/bastion/src/modules/modules/k3s/src/health/node-ready.ts b/bastion/src/modules/modules/k3s/src/health/node-ready.ts
new file mode 100644
index 0000000..1865034
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/health/node-ready.ts
@@ -0,0 +1,11 @@
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const checkNodeReady: Operation = async (ctx): Promise<OperationResult> => {
+  const result = await ctx.ssh.exec(
+    "k3s kubectl get nodes -o jsonpath='{.items[0].status.conditions[?(@.type==\"Ready\")].status}' 2>/dev/null",
+    sshOpts(ctx),
+  );
+  const ready = result.stdout.includes("True");
+  return { success: ready, changed: false, message: ready ? "Node is Ready" : "Node is NotReady" };
+};
diff --git a/bastion/src/modules/modules/k3s/src/health/pod-status.ts b/bastion/src/modules/modules/k3s/src/health/pod-status.ts
new file mode 100644
index 0000000..88b9066
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/health/pod-status.ts
@@ -0,0 +1,20 @@
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const checkPodStatus: Operation = async (ctx): Promise<OperationResult> => {
+  const result = await ctx.ssh.exec(
+    "k3s kubectl get pods -n kube-system --no-headers 2>/dev/null",
+    sshOpts(ctx),
+  );
+  const lines = result.stdout.trim().split("\n").filter(Boolean);
+  const notReady = lines.filter((l) => !l.includes("Running") && !l.includes("Completed"));
+
+  return {
+    success: notReady.length === 0,
+    changed: false,
+    message: notReady.length === 0
+      ? `All ${lines.length} kube-system pods healthy`
+      : `${notReady.length} unhealthy pod(s)`,
+    ...(notReady.length > 0 ? { details: notReady } : {}),
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/health/secrets-encryption.ts b/bastion/src/modules/modules/k3s/src/health/secrets-encryption.ts
new file mode 100644
index 0000000..2000c5a
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/health/secrets-encryption.ts
@@ -0,0 +1,8 @@
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const checkSecretsEncryption: Operation = async (ctx): Promise<OperationResult> => {
+  const result = await ctx.ssh.exec("k3s secrets-encrypt status 2>/dev/null", sshOpts(ctx));
+  const enabled = result.stdout.includes("Enabled");
+  return { success: enabled, changed: false, message: enabled ? "Secrets encryption enabled" : "Secrets encryption not enabled" };
+};
diff --git a/bastion/src/modules/modules/k3s/src/index.ts b/bastion/src/modules/modules/k3s/src/index.ts
new file mode 100644
index 0000000..eec0cef
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/index.ts
@@ -0,0 +1,32 @@
+// k3s module entry point.
+
+// New operation-based module
+export { K3sModule } from "./k3s-module.js";
+
+// Types
+export type {
+  K3sConfig,
+  OperationContext,
+  OperationResult,
+  Operation,
+  NamedOperation,
+  OperationGroup,
+  SshClient,
+} from "./types.js";
+
+// Utilities
+export { runSequential, aggregateResults, writeRemoteFile, isServiceActive, checkCommand } from "./utils.js";
+
+// Individual operations
+export * from "./operations/index.js";
+
+// Operation groups
+export * from "./groups/index.js";
+
+// Health checks
+export * from "./health/index.js";
+
+// DEPRECATED: Legacy bash script generators — remove after CLI migration
+export { generateInstallScript, type K3sInstallContext } from "./install.js";
+export { generateConfigureScript } from "./configure.js";
+export { generateHealthScript, K3S_HEALTH_CHECKS, type HealthCheck } from "./health.js";
diff --git a/bastion/src/modules/modules/k3s/src/install.ts b/bastion/src/modules/modules/k3s/src/install.ts
new file mode 100644
index 0000000..feb605e
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/install.ts
@@ -0,0 +1,275 @@
+// k3s module — install phase.
+// Installs k3s with CIS-hardened configuration and Cilium CNI.
+
+export interface K3sInstallContext {
+  hostname: string;
+  ip: string;
+  role: string;   // "infra" = server, "worker" = agent
+  k3sServerUrl?: string;  // Required for agent role
+  k3sToken?: string;       // Required for agent role
+}
+
+/** Generate the shell script that installs k3s on a target machine. */
+export function generateInstallScript(ctx: K3sInstallContext): string {
+  const isServer = ctx.role === "infra";
+
+  return `#!/bin/bash
+set -euo pipefail
+
+echo "=== k3s install: ${ctx.hostname} (${ctx.role}) ==="
+
+# ── 1. Verify kernel prerequisites ──
+echo "[1/10] Checking kernel modules..."
+modprobe br_netfilter
+modprobe overlay
+modprobe ip_conntrack 2>/dev/null || true
+
+cat > /etc/modules-load.d/k3s.conf << 'MODULES'
+br_netfilter
+overlay
+ip_conntrack
+MODULES
+
+# ── 2. CIS-compliant sysctl ──
+echo "[2/10] Setting kernel parameters..."
+cat > /etc/sysctl.d/90-k3s-cis.conf << 'SYSCTL'
+# k3s CIS hardening
+net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+vm.panic_on_oom                     = 0
+vm.overcommit_memory                = 1
+kernel.panic                        = 10
+kernel.panic_on_oops                = 1
+# inotify limits for large clusters
+fs.inotify.max_user_instances       = 524288
+fs.inotify.max_user_watches         = 524288
+SYSCTL
+sysctl --system > /dev/null
+
+# ── 3. Disable swap (CIS requirement) ──
+echo "[3/10] Disabling swap..."
+swapoff -a || true
+sed -i '/\\sswap\\s/d' /etc/fstab
+
+# ── 4. Disable firewall permanently (k3s/Cilium manage iptables directly) ──
+# CRITICAL: firewalld's nftables rules block pod-to-gateway traffic.
+# Must survive reboot — use both disable and mask.
+echo "[4/10] Disabling firewall..."
+systemctl disable --now firewalld 2>/dev/null || true
+systemctl mask firewalld 2>/dev/null || true
+systemctl disable --now ufw 2>/dev/null || true
+systemctl mask ufw 2>/dev/null || true
+
+${isServer ? generateServerInstall(ctx) : generateAgentInstall(ctx)}
+
+echo "=== k3s install complete ==="
+`;
+}
+
+function generateServerInstall(ctx: K3sInstallContext): string {
+  return `# ── 5. Set SELinux permissive (Fedora: k3s-selinux RPM has GPG issues with dnf5) ──
+echo "[5/10] Configuring SELinux..."
+setenforce 0 2>/dev/null || true
+sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config 2>/dev/null || true
+
+# ── 5b. Create k3s config directory ──
+echo "[5/10] Writing k3s server configuration..."
+mkdir -p /etc/rancher/k3s
+mkdir -p /var/log/kubernetes
+
+cat > /etc/rancher/k3s/config.yaml << 'K3S_CONFIG'
+# k3s server configuration — CIS hardened
+protect-kernel-defaults: true
+secrets-encryption: true
+write-kubeconfig-mode: "0640"
+
+# Disable default components (we use Cilium)
+flannel-backend: none
+disable-network-policy: true
+disable:
+  - servicelb
+  - traefik
+
+# API server hardening
+kube-apiserver-arg:
+  - "anonymous-auth=false"
+  - "audit-log-path=/var/log/kubernetes/audit.log"
+  - "audit-log-maxage=30"
+  - "audit-log-maxbackup=10"
+  - "audit-log-maxsize=100"
+  - "audit-policy-file=/etc/rancher/k3s/audit-policy.yaml"
+  - "enable-admission-plugins=NodeRestriction,PodSecurity"
+  - "request-timeout=300s"
+
+# Kubelet hardening
+kubelet-arg:
+  - "protect-kernel-defaults=true"
+  - "streaming-connection-idle-timeout=5m"
+  - "make-iptables-util-chains=true"
+
+# TLS SANs for remote access
+tls-san:
+  - "${ctx.hostname}"
+  - "${ctx.ip}"
+K3S_CONFIG
+
+# ── 6. Write audit policy ──
+echo "[6/10] Writing audit policy..."
+cat > /etc/rancher/k3s/audit-policy.yaml << 'AUDIT_POLICY'
+apiVersion: audit.k8s.io/v1
+kind: Policy
+rules:
+  # Log secret/configmap access at metadata level
+  - level: Metadata
+    resources:
+    - group: ""
+      resources: ["secrets", "configmaps"]
+  # Log pod/service mutations at request level
+  - level: RequestResponse
+    verbs: ["create", "update", "patch", "delete"]
+    resources:
+    - group: ""
+      resources: ["pods", "services", "deployments"]
+  # Skip noisy endpoints
+  - level: None
+    resources:
+    - group: ""
+      resources: ["endpoints", "events"]
+    users: ["system:kube-proxy", "system:apiserver"]
+  # Default: log everything else at metadata level
+  - level: Metadata
+    omitStages:
+    - "RequestReceived"
+AUDIT_POLICY
+
+# ── 6b. Pre-install cleanup: stop existing k3s and remove stale CNI state ──
+# CRITICAL: flannel.1 vxlan uses port 8472 which conflicts with Cilium's vxlan.
+# If we don't clean this up BEFORE starting k3s with flannel-backend=none + Cilium,
+# Cilium will fail with "address already in use" and ALL pod creation will hang.
+echo "[6b/10] Cleaning up previous CNI state..."
+if systemctl is-active k3s >/dev/null 2>&1; then
+  echo "  Stopping k3s before reconfiguration..."
+  systemctl stop k3s
+  sleep 3
+fi
+
+# Remove stale flannel interface (uses same vxlan port 8472 as Cilium)
+if ip link show flannel.1 >/dev/null 2>&1; then
+  echo "  Removing stale flannel.1 vxlan interface..."
+  ip link delete flannel.1 2>/dev/null || true
+fi
+
+# Remove stale Cilium interfaces from any previous install
+for iface in cilium_vxlan cilium_host cilium_net; do
+  if ip link show "\$iface" >/dev/null 2>&1; then
+    echo "  Removing stale \$iface interface..."
+    ip link delete "\$iface" 2>/dev/null || true
+  fi
+done
+
+# Remove any other vxlan on port 8472 (Cilium's port)
+for iface in \$(ip -o link show type vxlan 2>/dev/null | awk -F': ' '{print \$2}'); do
+  if ip -d link show "\$iface" 2>/dev/null | grep -q 'dstport 8472'; then
+    echo "  Removing conflicting vxlan interface: \$iface"
+    ip link delete "\$iface" 2>/dev/null || true
+  fi
+done
+
+# Clean old CNI config and state
+rm -rf /etc/cni/net.d/* 2>/dev/null || true
+rm -rf /var/lib/cni/ 2>/dev/null || true
+echo "  CNI state cleaned"
+
+# ── 7. Install k3s server ──
+echo "[7/10] Installing k3s server..."
+curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" INSTALL_K3S_SKIP_SELINUX_RPM=true sh -
+
+# Force restart to pick up new config (installer may skip if binary unchanged)
+echo "  Restarting k3s to apply configuration..."
+systemctl restart k3s
+
+# ── 8. Wait for k3s API to be available (node will be NotReady until Cilium is installed) ──
+echo "[8/10] Waiting for k3s API..."
+for i in $(seq 1 60); do
+  if k3s kubectl get nodes 2>/dev/null; then
+    echo "  API available after \${i}s"
+    break
+  fi
+  sleep 2
+done
+
+# ── 9. Install Cilium CNI (node becomes Ready after Cilium provides networking) ──
+echo "[9/10] Installing Cilium CNI..."
+CILIUM_CLI_VERSION=\$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
+ARCH=\$(uname -m)
+case "\$ARCH" in
+  x86_64) CLI_ARCH="amd64" ;;
+  aarch64) CLI_ARCH="arm64" ;;
+  *) CLI_ARCH="\$ARCH" ;;
+esac
+
+curl -L --fail --silent \\
+  "https://github.com/cilium/cilium-cli/releases/download/\${CILIUM_CLI_VERSION}/cilium-linux-\${CLI_ARCH}.tar.gz" \\
+  | tar xz -C /usr/local/bin
+
+# Detect the default route device (avoid picking up tailscale/wireguard interfaces)
+DEFAULT_DEV=\$(ip -4 route show default | awk '{print \$5}' | head -1)
+echo "  Using network device: \$DEFAULT_DEV"
+
+KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium install \\
+  --set kubeProxyReplacement=true \\
+  --set ipam.mode=kubernetes \\
+  --set devices="\$DEFAULT_DEV" \\
+  --set nodePort.directRoutingDevice="\$DEFAULT_DEV"
+
+echo "  Waiting for Cilium to become ready..."
+KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium status --wait --wait-duration 300s || echo "  Cilium wait timed out (may still be pulling images)"
+
+# Wait for node to become Ready (now that Cilium provides CNI)
+echo "  Waiting for node Ready..."
+k3s kubectl wait --for=condition=Ready node --all --timeout=120s || echo "  Node not ready yet (Cilium may still be initializing)"
+
+# ── 10. Apply Pod Security Standards ──
+echo "[10/10] Applying Pod Security Standards..."
+k3s kubectl label namespace default pod-security.kubernetes.io/enforce=restricted --overwrite
+k3s kubectl label namespace default pod-security.kubernetes.io/warn=restricted --overwrite
+k3s kubectl label namespace default pod-security.kubernetes.io/audit=restricted --overwrite
+`;
+}
+
+function generateAgentInstall(ctx: K3sInstallContext): string {
+  if (!ctx.k3sServerUrl || !ctx.k3sToken) {
+    return `echo "ERROR: k3s agent requires --k3s-server-url and --k3s-token"
+exit 1`;
+  }
+
+  return `# ── 5-10. Install k3s agent ──
+echo "[5/10] Installing k3s agent..."
+mkdir -p /etc/rancher/k3s
+
+cat > /etc/rancher/k3s/config.yaml << 'K3S_CONFIG'
+protect-kernel-defaults: true
+kubelet-arg:
+  - "protect-kernel-defaults=true"
+  - "streaming-connection-idle-timeout=5m"
+  - "make-iptables-util-chains=true"
+K3S_CONFIG
+
+echo "[6/10] Joining cluster at ${ctx.k3sServerUrl}..."
+curl -sfL https://get.k3s.io | \\
+  INSTALL_K3S_EXEC="agent" \\
+  K3S_URL="${ctx.k3sServerUrl}" \\
+  K3S_TOKEN="${ctx.k3sToken}" \\
+  sh -
+
+echo "[7/10] Waiting for agent to connect..."
+sleep 10
+
+echo "[8/10] Verifying agent service..."
+systemctl is-active k3s-agent
+
+echo "[9/10] Agent joined successfully"
+echo "[10/10] Done"
+`;
+}
diff --git a/bastion/src/modules/modules/k3s/src/k3s-module.ts b/bastion/src/modules/modules/k3s/src/k3s-module.ts
new file mode 100644
index 0000000..ae2f5b4
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/k3s-module.ts
@@ -0,0 +1,112 @@
+// K3sModule: implements the Module interface using typed operations.
+// Orchestrates install/configure/health phases via operation groups.
+
+import type { Module, ModuleMetadata, ModuleContext, ModuleResult } from "../../../src/types.js";
+import type { OperationContext, K3sConfig, OperationResult } from "./types.js";
+import { sshExec } from "../../../src/ssh.js";
+import { aggregateResults } from "./utils.js";
+import { runHostPrep } from "./groups/host-prep.js";
+import { runK3sServer } from "./groups/k3s-server.js";
+import { runK3sAgent } from "./groups/k3s-agent.js";
+import { runNetworking } from "./groups/networking.js";
+import { runHardening } from "./groups/hardening.js";
+import { runSequential } from "./utils.js";
+import * as health from "./health/index.js";
+
+function toOpContext(ctx: ModuleContext): OperationContext {
+  const config: K3sConfig = {
+    hostname: ctx.hostname,
+    ip: ctx.ip,
+    role: ctx.role as K3sConfig["role"],
+    k3sServerUrl: ctx.config["k3sServerUrl"] as string | undefined,
+    k3sToken: ctx.config["k3sToken"] as string | undefined,
+    tlsSans: ctx.config["tlsSans"] as string[] | undefined,
+  };
+  return {
+    config,
+    ssh: {
+      exec: (cmd, opts) => sshExec(ctx.ip, ctx.sshUser, cmd, {
+        ...opts,
+        ...(ctx.sshKeyPath ? { keyPath: ctx.sshKeyPath } : {}),
+      }),
+      user: ctx.sshUser,
+      ip: ctx.ip,
+      keyPath: ctx.sshKeyPath,
+    },
+    os: ctx.os,
+    arch: ctx.arch,
+    log: (_msg) => { /* collected via results */ },
+  };
+}
+
+function toModuleResult(phase: ModuleResult["phase"], results: OperationResult[], startMs: number): ModuleResult {
+  const agg = aggregateResults(results);
+  return {
+    success: agg.success,
+    phase,
+    duration: Math.round(performance.now() - startMs),
+    output: agg.details ?? [agg.message],
+    errors: agg.error ? [agg.error] : [],
+  };
+}
+
+export class K3sModule implements Module {
+  readonly metadata: ModuleMetadata = {
+    name: "k3s",
+    version: "1.0.0",
+    description: "CIS-hardened k3s with Cilium CNI",
+    targets: { roles: ["infra", "worker", "labcontroller"] },
+    dependencies: [],
+  };
+
+  async install(ctx: ModuleContext): Promise<ModuleResult> {
+    const start = performance.now();
+    const opCtx = toOpContext(ctx);
+    const isServer = ctx.role === "infra" || ctx.role === "labcontroller";
+
+    // Phase 1: Host preparation
+    const prepResults = await runHostPrep(opCtx);
+    if (prepResults.some((r) => !r.success)) {
+      return toModuleResult("install", prepResults, start);
+    }
+
+    // Phase 2: K3s install (server or agent)
+    const k3sResults = isServer
+      ? await runK3sServer(opCtx)
+      : await runK3sAgent(opCtx);
+    if (k3sResults.some((r) => !r.success)) {
+      return toModuleResult("install", [...prepResults, ...k3sResults], start);
+    }
+
+    // Phase 3: Networking (server only — agents don't install Cilium)
+    let netResults: OperationResult[] = [];
+    if (isServer) {
+      netResults = await runNetworking(opCtx);
+    }
+
+    return toModuleResult("install", [...prepResults, ...k3sResults, ...netResults], start);
+  }
+
+  async configure(ctx: ModuleContext): Promise<ModuleResult> {
+    const start = performance.now();
+    const opCtx = toOpContext(ctx);
+    const results = await runHardening(opCtx);
+    return toModuleResult("configure", results, start);
+  }
+
+  async health(ctx: ModuleContext): Promise<ModuleResult> {
+    const start = performance.now();
+    const opCtx = toOpContext(ctx);
+
+    const checks = await runSequential(opCtx, [
+      { name: "K3s service", fn: health.checkK3sService },
+      { name: "Node ready", fn: health.checkNodeReady },
+      { name: "API health", fn: health.checkApiHealth },
+      { name: "Secrets encryption", fn: health.checkSecretsEncryption },
+      { name: "Cilium status", fn: health.checkCiliumStatus },
+      { name: "Pod status", fn: health.checkPodStatus },
+    ]);
+
+    return toModuleResult("health", checks, start);
+  }
+}
diff --git a/bastion/src/modules/modules/k3s/src/operations/audit-policy.ts b/bastion/src/modules/modules/k3s/src/operations/audit-policy.ts
new file mode 100644
index 0000000..b3253a6
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/audit-policy.ts
@@ -0,0 +1,43 @@
+// Write Kubernetes audit policy for k3s API server.
+
+import type { Operation, OperationResult } from "../types.js";
+import { writeRemoteFile } from "../utils.js";
+
+const AUDIT_POLICY = `apiVersion: audit.k8s.io/v1
+kind: Policy
+rules:
+  # Log secret/configmap access at metadata level
+  - level: Metadata
+    resources:
+    - group: ""
+      resources: ["secrets", "configmaps"]
+  # Log pod/service mutations at request level
+  - level: RequestResponse
+    verbs: ["create", "update", "patch", "delete"]
+    resources:
+    - group: ""
+      resources: ["pods", "services", "deployments"]
+  # Skip noisy endpoints
+  - level: None
+    resources:
+    - group: ""
+      resources: ["endpoints", "events"]
+    users: ["system:kube-proxy", "system:apiserver"]
+  # Default: log everything else at metadata level
+  - level: Metadata
+    omitStages:
+    - "RequestReceived"`;
+
+export const writeAuditPolicy: Operation = async (ctx): Promise<OperationResult> => {
+  const changed = await writeRemoteFile(
+    ctx,
+    "/etc/rancher/k3s/audit-policy.yaml",
+    AUDIT_POLICY,
+  );
+
+  return {
+    success: true,
+    changed,
+    message: changed ? "Audit policy written" : "Audit policy unchanged",
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/cert-check.ts b/bastion/src/modules/modules/k3s/src/operations/cert-check.ts
new file mode 100644
index 0000000..9894c4f
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/cert-check.ts
@@ -0,0 +1,30 @@
+// Check k3s TLS certificate expiry.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const checkCertExpiry: Operation = async (ctx): Promise<OperationResult> => {
+  const details: string[] = [];
+
+  // Check if cert rotation is supported
+  const rotateCheck = await ctx.ssh.exec("k3s certificate rotate --help 2>/dev/null", sshOpts(ctx));
+  details.push(
+    rotateCheck.exitCode === 0
+      ? "Certificate rotation available"
+      : "Certificate rotation not available in this k3s version",
+  );
+
+  // List certificate expiry dates
+  const certsResult = await ctx.ssh.exec(
+    'for cert in /var/lib/rancher/k3s/server/tls/*.crt; do [ -f "$cert" ] && echo "$(basename "$cert"): $(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2)"; done',
+    sshOpts(ctx),
+  );
+
+  if (certsResult.stdout.trim()) {
+    for (const line of certsResult.stdout.trim().split("\n")) {
+      details.push(line.trim());
+    }
+  }
+
+  return { success: true, changed: false, message: "Certificate check complete", details };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/cilium.ts b/bastion/src/modules/modules/k3s/src/operations/cilium.ts
new file mode 100644
index 0000000..621c146
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/cilium.ts
@@ -0,0 +1,78 @@
+// Install Cilium CNI with kube-proxy replacement.
+// Detects architecture and network interface automatically.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const installCilium: Operation = async (ctx): Promise<OperationResult> => {
+  const details: string[] = [];
+
+  // Check if Cilium is already installed and running
+  const ciliumCheck = await ctx.ssh.exec(
+    "KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium status --brief 2>/dev/null",
+    sshOpts(ctx),
+  );
+  if (ciliumCheck.exitCode === 0 && ciliumCheck.stdout.includes("OK")) {
+    return { success: true, changed: false, message: "Cilium already installed" };
+  }
+
+  // Install cilium CLI
+  const cliVersion = await ctx.ssh.exec(
+    "curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt",
+    sshOpts(ctx),
+  );
+  const version = cliVersion.stdout.trim();
+
+  const archMap: Record<string, string> = { x86_64: "amd64", aarch64: "arm64" };
+  const cliArch = archMap[ctx.arch] ?? ctx.arch;
+
+  const dlResult = await ctx.ssh.exec(
+    `curl -L --fail --silent "https://github.com/cilium/cilium-cli/releases/download/${version}/cilium-linux-${cliArch}.tar.gz" | tar xz -C /usr/local/bin`,
+    { timeoutMs: 120_000 },
+  );
+  if (dlResult.exitCode !== 0) {
+    return { success: false, changed: false, message: "Failed to download Cilium CLI", error: dlResult.stderr };
+  }
+  details.push(`Installed cilium CLI ${version} (${cliArch})`);
+
+  // Detect default network device (avoid tailscale/wireguard)
+  const devResult = await ctx.ssh.exec(
+    "ip -4 route show default | awk '{print $5}' | head -1",
+    sshOpts(ctx),
+  );
+  const defaultDev = devResult.stdout.trim();
+  details.push(`Network device: ${defaultDev}`);
+
+  // Install Cilium
+  const installResult = await ctx.ssh.exec(
+    `KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium install \
+      --set kubeProxyReplacement=true \
+      --set ipam.mode=kubernetes \
+      --set devices="${defaultDev}" \
+      --set nodePort.directRoutingDevice="${defaultDev}"`,
+    { timeoutMs: 300_000 },
+  );
+  if (installResult.exitCode !== 0) {
+    return { success: false, changed: true, message: "Cilium install failed", error: installResult.stderr };
+  }
+  details.push("Cilium installed");
+
+  // Wait for Cilium ready
+  await ctx.ssh.exec(
+    "KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium status --wait --wait-duration 300s 2>/dev/null || true",
+    { timeoutMs: 310_000 },
+  );
+
+  // Wait for node Ready
+  await ctx.ssh.exec(
+    "k3s kubectl wait --for=condition=Ready node --all --timeout=120s 2>/dev/null || true",
+    { timeoutMs: 130_000 },
+  );
+
+  return {
+    success: true,
+    changed: true,
+    message: "Cilium CNI installed",
+    details,
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/cni-cleanup.ts b/bastion/src/modules/modules/k3s/src/operations/cni-cleanup.ts
new file mode 100644
index 0000000..15bfa41
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/cni-cleanup.ts
@@ -0,0 +1,57 @@
+// Clean up stale CNI state before k3s install.
+// CRITICAL: flannel.1 vxlan uses port 8472 which conflicts with Cilium.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts, isServiceActive } from "../utils.js";
+
+const STALE_INTERFACES = ["flannel.1", "cilium_vxlan", "cilium_host", "cilium_net"];
+
+export const cleanupStaleCni: Operation = async (ctx): Promise<OperationResult> => {
+  const details: string[] = [];
+  let changed = false;
+
+  // Stop k3s if running (must stop before interface cleanup)
+  if (await isServiceActive(ctx, "k3s")) {
+    await ctx.ssh.exec("systemctl stop k3s", sshOpts(ctx));
+    details.push("Stopped k3s service");
+    changed = true;
+    await new Promise((r) => setTimeout(r, 3000));
+  }
+
+  // Remove known stale interfaces
+  for (const iface of STALE_INTERFACES) {
+    const check = await ctx.ssh.exec(`ip link show ${iface} 2>/dev/null`, sshOpts(ctx));
+    if (check.exitCode === 0) {
+      await ctx.ssh.exec(`ip link delete ${iface} 2>/dev/null || true`, sshOpts(ctx));
+      details.push(`Removed interface: ${iface}`);
+      changed = true;
+    }
+  }
+
+  // Remove any vxlan on port 8472 (Cilium's port)
+  const vxlans = await ctx.ssh.exec(
+    "ip -o link show type vxlan 2>/dev/null | awk -F': ' '{print $2}'",
+    sshOpts(ctx),
+  );
+  for (const iface of vxlans.stdout.trim().split("\n").filter(Boolean)) {
+    const portCheck = await ctx.ssh.exec(
+      `ip -d link show "${iface}" 2>/dev/null | grep -q 'dstport 8472'`,
+      sshOpts(ctx),
+    );
+    if (portCheck.exitCode === 0) {
+      await ctx.ssh.exec(`ip link delete "${iface}" 2>/dev/null || true`, sshOpts(ctx));
+      details.push(`Removed conflicting vxlan: ${iface}`);
+      changed = true;
+    }
+  }
+
+  // Clean CNI config and state directories
+  await ctx.ssh.exec("rm -rf /etc/cni/net.d/* /var/lib/cni/ 2>/dev/null || true", sshOpts(ctx));
+
+  return {
+    success: true,
+    changed,
+    message: changed ? "CNI state cleaned" : "No CNI cleanup needed",
+    details,
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/dns-fix.ts b/bastion/src/modules/modules/k3s/src/operations/dns-fix.ts
new file mode 100644
index 0000000..3f8f02d
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/dns-fix.ts
@@ -0,0 +1,50 @@
+// Fix CoreDNS upstream DNS resolution.
+// systemd-resolved listens on 127.0.0.53 which is unreachable from pod netns.
+// Solution: write /etc/rancher/k3s/resolv.conf with the real upstream DNS.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts, writeRemoteFile, isServiceActive } from "../utils.js";
+
+export const fixCoreDnsUpstream: Operation = async (ctx): Promise<OperationResult> => {
+  // Detect upstream DNS from systemd-resolved
+  const dnsResult = await ctx.ssh.exec(
+    "resolvectl status 2>/dev/null | grep -A2 \"Link.*$(ip -4 route show default | awk '{print $5}' | head -1)\" | grep 'Current DNS' | awk '{print $NF}'",
+    sshOpts(ctx),
+  );
+  let upstream = dnsResult.stdout.trim();
+
+  // Fallback: read systemd-resolved's real config
+  if (!upstream || upstream === "127.0.0.53") {
+    const fallback = await ctx.ssh.exec(
+      "cat /run/systemd/resolve/resolv.conf 2>/dev/null | grep '^nameserver' | head -1 | awk '{print $2}'",
+      sshOpts(ctx),
+    );
+    upstream = fallback.stdout.trim();
+  }
+
+  if (!upstream || upstream === "127.0.0.53") {
+    return { success: true, changed: false, message: "Could not detect upstream DNS, skipping" };
+  }
+
+  const changed = await writeRemoteFile(
+    ctx,
+    "/etc/rancher/k3s/resolv.conf",
+    `nameserver ${upstream}`,
+  );
+
+  if (changed && await isServiceActive(ctx, "k3s")) {
+    await ctx.ssh.exec("systemctl restart k3s", sshOpts(ctx));
+    // Wait for API
+    for (let i = 0; i < 30; i++) {
+      const check = await ctx.ssh.exec("k3s kubectl get nodes 2>/dev/null", sshOpts(ctx));
+      if (check.exitCode === 0) break;
+      await new Promise((r) => setTimeout(r, 2000));
+    }
+  }
+
+  return {
+    success: true,
+    changed,
+    message: changed ? `DNS upstream set to ${upstream}` : "DNS already configured",
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/firewall.ts b/bastion/src/modules/modules/k3s/src/operations/firewall.ts
new file mode 100644
index 0000000..a15e755
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/firewall.ts
@@ -0,0 +1,38 @@
+// Disable and mask firewall services.
+// CRITICAL: firewalld's nftables rules block pod-to-gateway traffic.
+// Both disable and mask to survive reboots.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts, isServiceActive } from "../utils.js";
+
+const FIREWALL_SERVICES = ["firewalld", "ufw"];
+
+export const disableFirewall: Operation = async (ctx): Promise<OperationResult> => {
+  const details: string[] = [];
+  let changed = false;
+
+  for (const svc of FIREWALL_SERVICES) {
+    const active = await isServiceActive(ctx, svc);
+    if (active) {
+      await ctx.ssh.exec(`systemctl disable --now ${svc} 2>/dev/null || true`, sshOpts(ctx));
+      await ctx.ssh.exec(`systemctl mask ${svc} 2>/dev/null || true`, sshOpts(ctx));
+      details.push(`Disabled and masked: ${svc}`);
+      changed = true;
+    } else {
+      // Still mask even if not active (might be enabled but stopped)
+      const masked = await ctx.ssh.exec(`systemctl is-enabled ${svc} 2>/dev/null`, sshOpts(ctx));
+      if (masked.stdout.trim() !== "masked" && masked.exitCode === 0) {
+        await ctx.ssh.exec(`systemctl mask ${svc} 2>/dev/null || true`, sshOpts(ctx));
+        details.push(`Masked: ${svc}`);
+        changed = true;
+      }
+    }
+  }
+
+  return {
+    success: true,
+    changed,
+    message: changed ? "Firewall disabled" : "Firewall already disabled",
+    details,
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/index.ts b/bastion/src/modules/modules/k3s/src/operations/index.ts
new file mode 100644
index 0000000..55d8c80
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/index.ts
@@ -0,0 +1,15 @@
+export { loadKernelModules } from "./kernel-modules.js";
+export { applyCisHardening } from "./sysctl.js";
+export { disableSwap } from "./swap.js";
+export { disableFirewall } from "./firewall.js";
+export { setSelinuxPermissive } from "./selinux.js";
+export { writeK3sConfig } from "./k3s-config.js";
+export { writeAuditPolicy } from "./audit-policy.js";
+export { cleanupStaleCni } from "./cni-cleanup.js";
+export { installK3sBinary } from "./k3s-install.js";
+export { installCilium } from "./cilium.js";
+export { fixCoreDnsUpstream } from "./dns-fix.js";
+export { configureLogRotation } from "./log-rotation.js";
+export { applyDefaultNetworkPolicies } from "./network-policy.js";
+export { applyPodSecurityStandards } from "./pod-security.js";
+export { checkCertExpiry } from "./cert-check.js";
diff --git a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
new file mode 100644
index 0000000..542dd7e
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
@@ -0,0 +1,66 @@
+// Write k3s server or agent configuration YAML.
+
+import type { Operation, OperationResult, K3sConfig } from "../types.js";
+import { sshOpts, writeRemoteFile } from "../utils.js";
+
+function isServerRole(role: string): boolean {
+  return role === "infra" || role === "labcontroller";
+}
+
+function generateServerConfig(config: K3sConfig): string {
+  const tlsSans = [config.hostname, config.ip, ...(config.tlsSans ?? [])];
+  return `# k3s server configuration — CIS hardened
+protect-kernel-defaults: true
+secrets-encryption: true
+write-kubeconfig-mode: "0640"
+
+flannel-backend: none
+disable-network-policy: true
+disable:
+  - servicelb
+  - traefik
+
+kube-apiserver-arg:
+  - "anonymous-auth=false"
+  - "audit-log-path=/var/log/kubernetes/audit.log"
+  - "audit-log-maxage=30"
+  - "audit-log-maxbackup=10"
+  - "audit-log-maxsize=100"
+  - "audit-policy-file=/etc/rancher/k3s/audit-policy.yaml"
+  - "enable-admission-plugins=NodeRestriction,PodSecurity"
+  - "request-timeout=300s"
+
+kubelet-arg:
+  - "protect-kernel-defaults=true"
+  - "streaming-connection-idle-timeout=5m"
+  - "make-iptables-util-chains=true"
+
+tls-san:
+${tlsSans.map((s) => `  - "${s}"`).join("\n")}
+`;
+}
+
+function generateAgentConfig(): string {
+  return `protect-kernel-defaults: true
+kubelet-arg:
+  - "protect-kernel-defaults=true"
+  - "streaming-connection-idle-timeout=5m"
+  - "make-iptables-util-chains=true"
+`;
+}
+
+export const writeK3sConfig: Operation = async (ctx): Promise<OperationResult> => {
+  await ctx.ssh.exec("mkdir -p /etc/rancher/k3s /var/log/kubernetes", sshOpts(ctx));
+
+  const content = isServerRole(ctx.config.role)
+    ? generateServerConfig(ctx.config)
+    : generateAgentConfig();
+
+  const changed = await writeRemoteFile(ctx, "/etc/rancher/k3s/config.yaml", content);
+
+  return {
+    success: true,
+    changed,
+    message: changed ? "K3s config written" : "K3s config unchanged",
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/k3s-install.ts b/bastion/src/modules/modules/k3s/src/operations/k3s-install.ts
new file mode 100644
index 0000000..1f74da5
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-install.ts
@@ -0,0 +1,71 @@
+// Install k3s binary (server or agent mode).
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+function isServerRole(role: string): boolean {
+  return role === "infra" || role === "labcontroller";
+}
+
+export const installK3sBinary: Operation = async (ctx): Promise<OperationResult> => {
+  const isServer = isServerRole(ctx.config.role);
+
+  // Check if already installed
+  const version = await ctx.ssh.exec("k3s --version 2>/dev/null", sshOpts(ctx));
+  const alreadyInstalled = version.exitCode === 0;
+
+  if (isServer) {
+    const result = await ctx.ssh.exec(
+      'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" INSTALL_K3S_SKIP_SELINUX_RPM=true sh -',
+      { timeoutMs: 300_000 },
+    );
+    if (result.exitCode !== 0) {
+      return {
+        success: false,
+        changed: false,
+        message: "K3s server install failed",
+        error: result.stderr.trim(),
+      };
+    }
+  } else {
+    if (!ctx.config.k3sServerUrl || !ctx.config.k3sToken) {
+      return {
+        success: false,
+        changed: false,
+        message: "Agent requires k3sServerUrl and k3sToken",
+        error: "Missing agent join configuration",
+      };
+    }
+    const result = await ctx.ssh.exec(
+      `curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_URL="${ctx.config.k3sServerUrl}" K3S_TOKEN="${ctx.config.k3sToken}" sh -`,
+      { timeoutMs: 300_000 },
+    );
+    if (result.exitCode !== 0) {
+      return {
+        success: false,
+        changed: false,
+        message: "K3s agent install failed",
+        error: result.stderr.trim(),
+      };
+    }
+  }
+
+  // Restart to ensure config is applied
+  const service = isServer ? "k3s" : "k3s-agent";
+  await ctx.ssh.exec(`systemctl restart ${service}`, sshOpts(ctx));
+
+  // Wait for API (server only)
+  if (isServer) {
+    for (let i = 0; i < 60; i++) {
+      const check = await ctx.ssh.exec("k3s kubectl get nodes 2>/dev/null", sshOpts(ctx));
+      if (check.exitCode === 0) break;
+      await new Promise((r) => setTimeout(r, 2000));
+    }
+  }
+
+  return {
+    success: true,
+    changed: !alreadyInstalled,
+    message: alreadyInstalled ? "K3s restarted with updated config" : "K3s installed",
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/kernel-modules.ts b/bastion/src/modules/modules/k3s/src/operations/kernel-modules.ts
new file mode 100644
index 0000000..0dc60df
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/kernel-modules.ts
@@ -0,0 +1,39 @@
+// Load required kernel modules for k3s container networking.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts, writeRemoteFile } from "../utils.js";
+
+const REQUIRED_MODULES = ["br_netfilter", "overlay", "ip_conntrack"];
+
+export const loadKernelModules: Operation = async (ctx): Promise<OperationResult> => {
+  const details: string[] = [];
+  let changed = false;
+
+  for (const mod of REQUIRED_MODULES) {
+    const check = await ctx.ssh.exec(`lsmod | grep -q "^${mod}"`, sshOpts(ctx));
+    if (check.exitCode !== 0) {
+      await ctx.ssh.exec(`modprobe ${mod} 2>/dev/null || true`, sshOpts(ctx));
+      details.push(`Loaded: ${mod}`);
+      changed = true;
+    } else {
+      details.push(`Already loaded: ${mod}`);
+    }
+  }
+
+  const fileChanged = await writeRemoteFile(
+    ctx,
+    "/etc/modules-load.d/k3s.conf",
+    REQUIRED_MODULES.join("\n"),
+  );
+  if (fileChanged) {
+    details.push("Wrote /etc/modules-load.d/k3s.conf");
+    changed = true;
+  }
+
+  return {
+    success: true,
+    changed,
+    message: changed ? "Kernel modules configured" : "Kernel modules already configured",
+    details,
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/log-rotation.ts b/bastion/src/modules/modules/k3s/src/operations/log-rotation.ts
new file mode 100644
index 0000000..9a501fd
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/log-rotation.ts
@@ -0,0 +1,25 @@
+// Configure log rotation for k3s.
+
+import type { Operation, OperationResult } from "../types.js";
+import { writeRemoteFile } from "../utils.js";
+
+const LOGROTATE_CONFIG = `/var/log/kubernetes/*.log {
+  daily
+  rotate 14
+  compress
+  delaycompress
+  missingok
+  notifempty
+  copytruncate
+  maxsize 100M
+}`;
+
+export const configureLogRotation: Operation = async (ctx): Promise<OperationResult> => {
+  const changed = await writeRemoteFile(ctx, "/etc/logrotate.d/k3s", LOGROTATE_CONFIG);
+
+  return {
+    success: true,
+    changed,
+    message: changed ? "Log rotation configured" : "Log rotation already configured",
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/network-policy.ts b/bastion/src/modules/modules/k3s/src/operations/network-policy.ts
new file mode 100644
index 0000000..0d7434d
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/network-policy.ts
@@ -0,0 +1,50 @@
+// Apply default network policies: deny all ingress, allow DNS egress.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+const DENY_INGRESS = `apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress`;
+
+const ALLOW_DNS = `apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to: []
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP`;
+
+export const applyDefaultNetworkPolicies: Operation = async (ctx): Promise<OperationResult> => {
+  const details: string[] = [];
+
+  for (const [name, yaml] of [["default-deny-ingress", DENY_INGRESS], ["allow-dns", ALLOW_DNS]] as const) {
+    const escaped = yaml.replace(/'/g, "'\\''");
+    const result = await ctx.ssh.exec(
+      `echo '${escaped}' | k3s kubectl apply -f -`,
+      sshOpts(ctx),
+    );
+    if (result.exitCode === 0) {
+      details.push(`Applied: ${name}`);
+    } else {
+      return { success: false, changed: true, message: `Failed to apply ${name}`, error: result.stderr };
+    }
+  }
+
+  return { success: true, changed: true, message: "Network policies applied", details };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/pod-security.ts b/bastion/src/modules/modules/k3s/src/operations/pod-security.ts
new file mode 100644
index 0000000..d886038
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/pod-security.ts
@@ -0,0 +1,21 @@
+// Apply Pod Security Standards (restricted) to default namespace.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+const PSS_LABELS = [
+  "pod-security.kubernetes.io/enforce=restricted",
+  "pod-security.kubernetes.io/warn=restricted",
+  "pod-security.kubernetes.io/audit=restricted",
+];
+
+export const applyPodSecurityStandards: Operation = async (ctx): Promise<OperationResult> => {
+  for (const label of PSS_LABELS) {
+    await ctx.ssh.exec(
+      `k3s kubectl label namespace default ${label} --overwrite`,
+      sshOpts(ctx),
+    );
+  }
+
+  return { success: true, changed: true, message: "Pod Security Standards applied" };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/selinux.ts b/bastion/src/modules/modules/k3s/src/operations/selinux.ts
new file mode 100644
index 0000000..fc01853
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/selinux.ts
@@ -0,0 +1,22 @@
+// Set SELinux to permissive mode.
+// Fedora: k3s-selinux RPM has GPG issues with dnf5, so we use permissive.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const setSelinuxPermissive: Operation = async (ctx): Promise<OperationResult> => {
+  const check = await ctx.ssh.exec("getenforce 2>/dev/null || echo Disabled", sshOpts(ctx));
+  const current = check.stdout.trim();
+
+  if (current === "Permissive" || current === "Disabled") {
+    return { success: true, changed: false, message: `SELinux already ${current.toLowerCase()}` };
+  }
+
+  await ctx.ssh.exec("setenforce 0 2>/dev/null || true", sshOpts(ctx));
+  await ctx.ssh.exec(
+    "sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config 2>/dev/null || true",
+    sshOpts(ctx),
+  );
+
+  return { success: true, changed: true, message: "SELinux set to permissive" };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/swap.ts b/bastion/src/modules/modules/k3s/src/operations/swap.ts
new file mode 100644
index 0000000..cdc2b17
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/swap.ts
@@ -0,0 +1,22 @@
+// Disable swap (CIS requirement for k3s).
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts } from "../utils.js";
+
+export const disableSwap: Operation = async (ctx): Promise<OperationResult> => {
+  const check = await ctx.ssh.exec("swapon --show --noheadings", sshOpts(ctx));
+  const active = check.stdout.trim().length > 0;
+
+  if (active) {
+    await ctx.ssh.exec("swapoff -a", sshOpts(ctx));
+  }
+
+  // Remove swap entries from fstab permanently
+  await ctx.ssh.exec("sed -i '/\\sswap\\s/d' /etc/fstab", sshOpts(ctx));
+
+  return {
+    success: true,
+    changed: active,
+    message: active ? "Swap disabled" : "Swap already disabled",
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/operations/sysctl.ts b/bastion/src/modules/modules/k3s/src/operations/sysctl.ts
new file mode 100644
index 0000000..c3d1285
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/operations/sysctl.ts
@@ -0,0 +1,30 @@
+// Apply CIS-compliant sysctl kernel parameters for k3s.
+
+import type { Operation, OperationResult } from "../types.js";
+import { sshOpts, writeRemoteFile } from "../utils.js";
+
+const CIS_SYSCTL = `# k3s CIS hardening
+net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+vm.panic_on_oom                     = 0
+vm.overcommit_memory                = 1
+kernel.panic                        = 10
+kernel.panic_on_oops                = 1
+# inotify limits for large clusters
+fs.inotify.max_user_instances       = 524288
+fs.inotify.max_user_watches         = 524288`;
+
+export const applyCisHardening: Operation = async (ctx): Promise<OperationResult> => {
+  const changed = await writeRemoteFile(ctx, "/etc/sysctl.d/90-k3s-cis.conf", CIS_SYSCTL);
+
+  if (changed) {
+    await ctx.ssh.exec("sysctl --system > /dev/null", sshOpts(ctx));
+  }
+
+  return {
+    success: true,
+    changed,
+    message: changed ? "Sysctl hardening applied" : "Sysctl already configured",
+  };
+};
diff --git a/bastion/src/modules/modules/k3s/src/types.ts b/bastion/src/modules/modules/k3s/src/types.ts
new file mode 100644
index 0000000..4304334
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/types.ts
@@ -0,0 +1,61 @@
+// Core types for the operation-based k3s module.
+// Every operation follows: OperationContext → OperationResult.
+
+import type { SshExecResult } from "../../../src/ssh.js";
+import type { OsId, Arch, Role } from "@lab/shared";
+
+/** Typed k3s cluster configuration. */
+export interface K3sConfig {
+  hostname: string;
+  ip: string;
+  role: Role; // "infra"/"labcontroller" = server, "worker" = agent
+
+  // Agent-only (required when role is "worker")
+  k3sServerUrl?: string | undefined;
+  k3sToken?: string | undefined;
+
+  // Additional TLS SANs for API server certificate
+  tlsSans?: string[] | undefined;
+}
+
+/** SSH execution interface injected into operations. */
+export interface SshClient {
+  exec: (command: string, opts?: { timeoutMs?: number }) => Promise<SshExecResult>;
+  user: string;
+  ip: string;
+  keyPath?: string | undefined;
+}
+
+/** Context passed to every operation. */
+export interface OperationContext {
+  config: K3sConfig;
+  ssh: SshClient;
+  os: OsId;
+  arch: Arch;
+  log: (msg: string) => void;
+}
+
+/** Result returned by every operation. */
+export interface OperationResult {
+  success: boolean;
+  changed: boolean; // idempotency: did this operation modify the target?
+  message: string;
+  details?: string[] | undefined;
+  error?: string | undefined;
+}
+
+/** An atomic operation function. */
+export type Operation = (ctx: OperationContext) => Promise<OperationResult>;
+
+/** A named group of operations executed sequentially. */
+export interface NamedOperation {
+  name: string;
+  fn: Operation;
+}
+
+/** A logical grouping of related operations. */
+export interface OperationGroup {
+  name: string;
+  description: string;
+  operations: NamedOperation[];
+}
diff --git a/bastion/src/modules/modules/k3s/src/utils.ts b/bastion/src/modules/modules/k3s/src/utils.ts
new file mode 100644
index 0000000..4b4927c
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/src/utils.ts
@@ -0,0 +1,102 @@
+// Utility helpers for k3s operations.
+// Common patterns: check-before-act, file writing, sequential execution.
+
+import type { OperationContext, OperationResult, NamedOperation } from "./types.js";
+
+/** Default SSH options with 30s timeout. */
+export function sshOpts(_ctx: OperationContext): { timeoutMs: number } {
+  return { timeoutMs: 30_000 };
+}
+
+/** Check if a remote command's stdout matches expected value. */
+export async function checkCommand(
+  ctx: OperationContext,
+  command: string,
+  expected: string | RegExp,
+): Promise<boolean> {
+  const result = await ctx.ssh.exec(command, sshOpts(ctx));
+  if (typeof expected === "string") {
+    return result.stdout.trim() === expected;
+  }
+  return expected.test(result.stdout);
+}
+
+/** Write a file via SSH only if content differs. Returns whether it changed. */
+export async function writeRemoteFile(
+  ctx: OperationContext,
+  path: string,
+  content: string,
+  mode?: string,
+): Promise<boolean> {
+  // Check existing content
+  const existing = await ctx.ssh.exec(
+    `cat ${path} 2>/dev/null || echo '__LABCTL_NOT_FOUND__'`,
+    sshOpts(ctx),
+  );
+  if (existing.stdout.trim() === content.trim()) {
+    return false; // no change
+  }
+
+  // Write via heredoc
+  const escaped = content.replace(/\\/g, "\\\\");
+  await ctx.ssh.exec(
+    `mkdir -p "$(dirname "${path}")" && cat > "${path}" << 'LABCTL_EOF'\n${escaped}\nLABCTL_EOF`,
+    sshOpts(ctx),
+  );
+
+  if (mode) {
+    await ctx.ssh.exec(`chmod ${mode} "${path}"`, sshOpts(ctx));
+  }
+
+  return true; // changed
+}
+
+/** Check if a systemd service is active. */
+export async function isServiceActive(
+  ctx: OperationContext,
+  service: string,
+): Promise<boolean> {
+  const result = await ctx.ssh.exec(
+    `systemctl is-active ${service} 2>/dev/null`,
+    sshOpts(ctx),
+  );
+  return result.exitCode === 0 && result.stdout.trim() === "active";
+}
+
+/** Run named operations sequentially, stopping on first failure. */
+export async function runSequential(
+  ctx: OperationContext,
+  operations: NamedOperation[],
+): Promise<OperationResult[]> {
+  const results: OperationResult[] = [];
+  for (const op of operations) {
+    ctx.log(`  ${op.name}...`);
+    const result = await op.fn(ctx);
+    results.push(result);
+    if (result.success) {
+      ctx.log(`  ${op.name}: ${result.changed ? "changed" : "ok"}`);
+    } else {
+      ctx.log(`  ${op.name}: FAILED — ${result.error ?? result.message}`);
+      break;
+    }
+  }
+  return results;
+}
+
+/** Aggregate multiple OperationResults into one summary. */
+export function aggregateResults(results: OperationResult[]): OperationResult {
+  const allSuccess = results.every((r) => r.success);
+  const anyChanged = results.some((r) => r.changed);
+  const details = results.flatMap((r) => r.details ?? [r.message]);
+  const errors = results.filter((r) => !r.success).map((r) => r.error ?? r.message);
+
+  return {
+    success: allSuccess,
+    changed: anyChanged,
+    message: allSuccess
+      ? anyChanged ? "Applied changes" : "Already configured"
+      : `Failed: ${errors[0]}`,
+    details,
+    ...(errors.length > 0 ? { error: errors.join("; ") } : {}),
+  };
+}
diff --git a/bastion/src/modules/modules/k3s/tests/helpers.ts b/bastion/src/modules/modules/k3s/tests/helpers.ts
new file mode 100644
index 0000000..2ec401e
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/tests/helpers.ts
@@ -0,0 +1,63 @@
+// Test helpers: mock SSH client and operation context factory.
+
+import { vi } from "vitest";
+import type { OperationContext, K3sConfig, SshClient } from "../src/types.js";
+import type { SshExecResult } from "../../../src/ssh.js";
+
+/** Default mock SSH result (success, empty output). */
+export const OK: SshExecResult = { exitCode: 0, stdout: "", stderr: "" };
+export const FAIL: SshExecResult = { exitCode: 1, stdout: "", stderr: "" };
+
+/** Create a mock SSH result with stdout. */
+export function stdout(out: string): SshExecResult {
+  return { exitCode: 0, stdout: out, stderr: "" };
+}
+
+/** Create a mock SSH client with a vi.fn() exec. */
+export function mockSsh(): SshClient & { exec: ReturnType<typeof vi.fn> } {
+  return {
+    exec: vi.fn<[string, { timeoutMs?: number }?], Promise<SshExecResult>>().mockResolvedValue(OK),
+    user: "root",
+    ip: "10.0.0.1",
+    keyPath: "/root/.ssh/id_ed25519",
+  };
+}
+
+/** Create a full OperationContext with mock SSH. */
+export function mockCtx(configOverrides?: Partial<K3sConfig>): OperationContext & { ssh: ReturnType<typeof mockSsh> } {
+  const config: K3sConfig = {
+    hostname: "test.local",
+    ip: "10.0.0.1",
+    role: "infra",
+    ...configOverrides,
+  };
+  return {
+    config,
+    ssh: mockSsh(),
+    os: "fedora-43",
+    arch: "x86_64",
+    log: vi.fn(),
+  };
+}
+
+/** Assert that ssh.exec was called with a command matching the pattern. */
+export function expectCommand(ssh: ReturnType<typeof mockSsh>, pattern: string | RegExp): void {
+  const calls = ssh.exec.mock.calls.map((c: [string, unknown?]) => c[0]);
+  const match = typeof pattern === "string"
+    ? calls.some((c: string) => c.includes(pattern))
+    : calls.some((c: string) => pattern.test(c));
+  if (!match) {
+    throw new Error(`Expected SSH command matching ${pattern}, got:\n${calls.map((c: string) => `  - ${c}`).join("\n")}`);
+  }
+}
+
+/** Assert that ssh.exec was NOT called with a command matching the pattern. */
+export function expectNoCommand(ssh: ReturnType<typeof mockSsh>, pattern: string | RegExp): void {
+  const calls = ssh.exec.mock.calls.map((c: [string, unknown?]) => c[0]);
+  const match = typeof pattern === "string"
+    ? calls.some((c: string) => c.includes(pattern))
+    : calls.some((c: string) => pattern.test(c));
+  if (match) {
+    throw new Error(`Expected NO SSH command matching ${pattern}, but found one`);
+  }
+}
diff --git a/bastion/src/modules/modules/k3s/tests/install.test.ts b/bastion/src/modules/modules/k3s/tests/install.test.ts
new file mode 100644
index 0000000..8060c09
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/tests/install.test.ts
@@ -0,0 +1,134 @@
+// Tests for k3s install script generation.
+
+import { describe, it, expect } from "vitest";
+import { generateInstallScript } from "../src/install.js";
+
+describe("k3s install script — server role", () => {
+  const script = generateInstallScript({
+    hostname: "labmaster.ad.itaz.eu",
+    ip: "10.0.0.210",
+    role: "infra",
+  });
+
+  it("includes CIS sysctl settings", () => {
+    expect(script).toContain("vm.panic_on_oom");
+    expect(script).toContain("vm.overcommit_memory");
+    expect(script).toContain("kernel.panic");
+    expect(script).toContain("kernel.panic_on_oops");
+  });
+
+  it("loads required kernel modules", () => {
+    expect(script).toContain("modprobe br_netfilter");
+    expect(script).toContain("modprobe overlay");
+  });
+
+  it("disables swap", () => {
+    expect(script).toContain("swapoff -a");
+  });
+
+  it("writes k3s server config with security flags", () => {
+    expect(script).toContain("protect-kernel-defaults: true");
+    expect(script).toContain("secrets-encryption: true");
+    expect(script).toContain("anonymous-auth=false");
+    expect(script).toContain("write-kubeconfig-mode");
+  });
+
+  it("disables flannel for Cilium", () => {
+    expect(script).toContain("flannel-backend: none");
+    expect(script).toContain("disable-network-policy: true");
+  });
+
+  it("disables default servicelb and traefik", () => {
+    expect(script).toContain("servicelb");
+    expect(script).toContain("traefik");
+  });
+
+  it("writes audit policy", () => {
+    expect(script).toContain("audit-policy.yaml");
+    expect(script).toContain("apiVersion: audit.k8s.io/v1");
+    expect(script).toContain("kind: Policy");
+  });
+
+  it("includes TLS SANs for hostname and IP", () => {
+    expect(script).toContain("labmaster.ad.itaz.eu");
+    expect(script).toContain("10.0.0.210");
+  });
+
+  it("installs k3s as server", () => {
+    expect(script).toContain('INSTALL_K3S_EXEC="server"');
+  });
+
+  it("installs Cilium", () => {
+    expect(script).toContain("cilium install");
+    expect(script).toContain("kubeProxyReplacement=true");
+  });
+
+  it("applies Pod Security Standards", () => {
+    expect(script).toContain("pod-security.kubernetes.io/enforce=restricted");
+  });
+
+  it("includes PodSecurity admission plugin", () => {
+    expect(script).toContain("enable-admission-plugins=NodeRestriction,PodSecurity");
+  });
+
+  it("configures audit logging", () => {
+    expect(script).toContain("audit-log-path=/var/log/kubernetes/audit.log");
+    expect(script).toContain("audit-log-maxage=30");
+  });
+
+  it("cleans stale flannel vxlan before Cilium install", () => {
+    expect(script).toContain("flannel.1");
+    expect(script).toContain("ip link delete flannel.1");
+  });
+
+  it("cleans stale Cilium interfaces before install", () => {
+    expect(script).toContain("ip link delete");
+    expect(script).toContain("cilium_vxlan");
+    expect(script).toContain("cilium_host");
+  });
+
+  it("cleans old CNI config directory", () => {
+    expect(script).toContain("/etc/cni/net.d");
+    expect(script).toContain("/var/lib/cni");
+  });
+
+  it("stops k3s before reconfiguration", () => {
+    expect(script).toContain("systemctl stop k3s");
+    // Stop must come before interface cleanup
+    const stopIdx = script.indexOf("systemctl stop k3s");
+    const cleanIdx = script.indexOf("ip link delete flannel.1");
+    expect(stopIdx).toBeLessThan(cleanIdx);
+  });
+
+  it("force restarts k3s after install to apply config", () => {
+    expect(script).toContain("systemctl restart k3s");
+  });
+});
+
+describe("k3s install script — agent role", () => {
+  it("installs as agent with server URL and token", () => {
+    const script = generateInstallScript({
+      hostname: "worker-1",
+      ip: "10.0.0.50",
+      role: "worker",
+      k3sServerUrl: "https://10.0.0.210:6443",
+      k3sToken: "K10abc123::server:xyz",
+    });
+
+    expect(script).toContain('INSTALL_K3S_EXEC="agent"');
+    expect(script).toContain("K3S_URL=");
+    expect(script).toContain("K3S_TOKEN=");
+    expect(script).not.toContain("cilium install");
+  });
+
+  it("errors without server URL", () => {
+    const script = generateInstallScript({
+      hostname: "worker-1",
+      ip: "10.0.0.50",
+      role: "worker",
+    });
+
+    expect(script).toContain("ERROR");
+    expect(script).toContain("exit 1");
+  });
+});
diff --git a/bastion/src/modules/modules/k3s/tests/operations.test.ts b/bastion/src/modules/modules/k3s/tests/operations.test.ts
new file mode 100644
index 0000000..a211e52
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/tests/operations.test.ts
@@ -0,0 +1,350 @@
+// Unit tests for k3s operations.
+// Each operation is tested for: correctness, idempotency, and error handling.
+
+import { describe, it, expect, beforeEach } from "vitest";
+import { mockCtx, OK, FAIL, stdout, expectCommand, expectNoCommand } from "./helpers.js";
+
+// --- Kernel Modules ---
+
+import { loadKernelModules } from "../src/operations/kernel-modules.js";
+
+describe("loadKernelModules", () => {
+  it("loads missing modules and writes config", async () => {
+    const ctx = mockCtx();
+    // lsmod checks: br_netfilter missing, overlay loaded, ip_conntrack missing
+    ctx.ssh.exec
+      .mockResolvedValueOnce(FAIL)   // br_netfilter not loaded
+      .mockResolvedValueOnce(OK)     // modprobe br_netfilter
+      .mockResolvedValueOnce(OK)     // overlay loaded
+      .mockResolvedValueOnce(FAIL)   // ip_conntrack not loaded
+      .mockResolvedValueOnce(OK)     // modprobe ip_conntrack
+      .mockResolvedValueOnce(stdout("__LABCTL_NOT_FOUND__")) // cat config file
+      .mockResolvedValueOnce(OK);    // write config
+
+    const result = await loadKernelModules(ctx);
+    expect(result.success).toBe(true);
+    expect(result.changed).toBe(true);
+    expect(result.details).toContain("Loaded: br_netfilter");
+    expect(result.details).toContain("Already loaded: overlay");
+  });
+
+  it("is idempotent when all modules loaded and config exists", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(OK) // br_netfilter loaded
+      .mockResolvedValueOnce(OK) // overlay loaded
+      .mockResolvedValueOnce(OK) // ip_conntrack loaded
+      .mockResolvedValueOnce(stdout("br_netfilter\noverlay\nip_conntrack")); // config exists with correct content
+
+    const result = await loadKernelModules(ctx);
+    expect(result.success).toBe(true);
+    expect(result.changed).toBe(false);
+  });
+});
+
+// --- Sysctl ---
+
+import { applyCisHardening } from "../src/operations/sysctl.js";
+
+describe("applyCisHardening", () => {
+  it("writes config and applies sysctl", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout("__LABCTL_NOT_FOUND__")) // file not found
+      .mockResolvedValueOnce(OK)  // write file
+      .mockResolvedValueOnce(OK); // sysctl --system
+
+    const result = await applyCisHardening(ctx);
+    expect(result.success).toBe(true);
+    expect(result.changed).toBe(true);
+    expectCommand(ctx.ssh, "sysctl --system");
+  });
+
+  it("skips sysctl when config unchanged", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec.mockResolvedValueOnce(stdout("# k3s CIS hardening\nnet.bridge.bridge-nf-call-iptables  = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.ipv4.ip_forward                 = 1\nvm.panic_on_oom                     = 0\nvm.overcommit_memory                = 1\nkernel.panic                        = 10\nkernel.panic_on_oops                = 1\n# inotify limits for large clusters\nfs.inotify.max_user_instances       = 524288\nfs.inotify.max_user_watches         = 524288"));
+
+    const result = await applyCisHardening(ctx);
+    expect(result.changed).toBe(false);
+    expectNoCommand(ctx.ssh, "sysctl --system");
+  });
+});
+
+// --- Swap ---
+
+import { disableSwap } from "../src/operations/swap.js";
+
+describe("disableSwap", () => {
+  it("disables active swap", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout("/dev/sda2 partition 2G"))  // swap active
+      .mockResolvedValueOnce(OK)   // swapoff
+      .mockResolvedValueOnce(OK);  // sed fstab
+
+    const result = await disableSwap(ctx);
+    expect(result.success).toBe(true);
+    expect(result.changed).toBe(true);
+    expectCommand(ctx.ssh, "swapoff -a");
+  });
+
+  it("is idempotent when swap already off", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout(""))  // no swap
+      .mockResolvedValueOnce(OK);          // sed fstab (always runs)
+
+    const result = await disableSwap(ctx);
+    expect(result.changed).toBe(false);
+    expectNoCommand(ctx.ssh, "swapoff");
+  });
+});
+
+// --- Firewall ---
+
+import { disableFirewall } from "../src/operations/firewall.js";
+
+describe("disableFirewall", () => {
+  it("disables active firewalld", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout("active"))  // firewalld active
+      .mockResolvedValueOnce(OK)   // disable
+      .mockResolvedValueOnce(OK)   // mask
+      .mockResolvedValueOnce(FAIL);  // ufw not active
+
+    const result = await disableFirewall(ctx);
+    expect(result.success).toBe(true);
+    expect(result.changed).toBe(true);
+    expect(result.details).toContain("Disabled and masked: firewalld");
+  });
+
+  it("is idempotent when nothing active", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(FAIL)  // firewalld not active
+      .mockResolvedValueOnce(stdout("masked")) // already masked
+      .mockResolvedValueOnce(FAIL)  // ufw not active
+      .mockResolvedValueOnce(FAIL); // ufw not enabled
+
+    const result = await disableFirewall(ctx);
+    expect(result.changed).toBe(false);
+  });
+});
+
+// --- SELinux ---
+
+import { setSelinuxPermissive } from "../src/operations/selinux.js";
+
+describe("setSelinuxPermissive", () => {
+  it("sets enforcing to permissive", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout("Enforcing"))  // current mode
+      .mockResolvedValueOnce(OK)   // setenforce 0
+      .mockResolvedValueOnce(OK);  // sed config
+
+    const result = await setSelinuxPermissive(ctx);
+    expect(result.changed).toBe(true);
+  });
+
+  it("skips when already permissive", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec.mockResolvedValueOnce(stdout("Permissive"));
+
+    const result = await setSelinuxPermissive(ctx);
+    expect(result.changed).toBe(false);
+  });
+
+  it("skips when disabled", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec.mockResolvedValueOnce(stdout("Disabled"));
+
+    const result = await setSelinuxPermissive(ctx);
+    expect(result.changed).toBe(false);
+  });
+});
+
+// --- K3s Config ---
+
+import { writeK3sConfig } from "../src/operations/k3s-config.js";
+
+describe("writeK3sConfig", () => {
+  it("writes server config with TLS SANs", async () => {
+    const ctx = mockCtx({ hostname: "node1.lab", ip: "10.0.1.1", role: "infra" });
+    ctx.ssh.exec
+      .mockResolvedValueOnce(OK)   // mkdir
+      .mockResolvedValueOnce(stdout("__LABCTL_NOT_FOUND__")) // cat existing
+      .mockResolvedValueOnce(OK);  // write
+
+    const result = await writeK3sConfig(ctx);
+    expect(result.changed).toBe(true);
+
+    // Verify the written content includes TLS SANs
+    const writeCall = ctx.ssh.exec.mock.calls[2]![0] as string;
+    expect(writeCall).toContain("node1.lab");
+    expect(writeCall).toContain("10.0.1.1");
+    expect(writeCall).toContain("secrets-encryption: true");
+    expect(writeCall).toContain("flannel-backend: none");
+  });
+
+  it("writes minimal agent config", async () => {
+    const ctx = mockCtx({ role: "worker" });
+    ctx.ssh.exec
+      .mockResolvedValueOnce(OK)   // mkdir
+      .mockResolvedValueOnce(stdout("__LABCTL_NOT_FOUND__"))
+      .mockResolvedValueOnce(OK);
+
+    const result = await writeK3sConfig(ctx);
+    expect(result.changed).toBe(true);
+
+    const writeCall = ctx.ssh.exec.mock.calls[2]![0] as string;
+    expect(writeCall).toContain("protect-kernel-defaults: true");
+    expect(writeCall).not.toContain("secrets-encryption");
+  });
+});
+
+// --- CNI Cleanup ---
+
+import { cleanupStaleCni } from "../src/operations/cni-cleanup.js";
+
+describe("cleanupStaleCni", () => {
+  it("stops k3s and removes stale interfaces", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout("active"))  // k3s is active
+      .mockResolvedValueOnce(OK)    // systemctl stop k3s
+      .mockResolvedValueOnce(OK)    // flannel.1 exists
+      .mockResolvedValueOnce(OK)    // delete flannel.1
+      .mockResolvedValueOnce(FAIL)  // cilium_vxlan not found
+      .mockResolvedValueOnce(FAIL)  // cilium_host not found
+      .mockResolvedValueOnce(FAIL)  // cilium_net not found
+      .mockResolvedValueOnce(stdout(""))  // no vxlans
+      .mockResolvedValueOnce(OK);   // rm -rf cni
+
+    const result = await cleanupStaleCni(ctx);
+    expect(result.success).toBe(true);
+    expect(result.changed).toBe(true);
+    expect(result.details).toContain("Stopped k3s service");
+    expect(result.details).toContain("Removed interface: flannel.1");
+  });
+
+  it("is idempotent when nothing to clean", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(FAIL)  // k3s not active
+      .mockResolvedValueOnce(FAIL)  // flannel.1 not found
+      .mockResolvedValueOnce(FAIL)  // cilium_vxlan
+      .mockResolvedValueOnce(FAIL)  // cilium_host
+      .mockResolvedValueOnce(FAIL)  // cilium_net
+      .mockResolvedValueOnce(stdout(""))  // no vxlans
+      .mockResolvedValueOnce(OK);   // rm -rf (always runs)
+
+    const result = await cleanupStaleCni(ctx);
+    expect(result.changed).toBe(false);
+  });
+});
+
+// --- K3s Install ---
+
+import { installK3sBinary } from "../src/operations/k3s-install.js";
+
+describe("installK3sBinary", () => {
+  it("installs k3s server", async () => {
+    const ctx = mockCtx({ role: "infra" });
+    ctx.ssh.exec
+      .mockResolvedValueOnce(FAIL)  // k3s not installed
+      .mockResolvedValueOnce(OK)    // curl install
+      .mockResolvedValueOnce(OK)    // restart
+      .mockResolvedValueOnce(OK);   // kubectl get nodes
+
+    const result = await installK3sBinary(ctx);
+    expect(result.success).toBe(true);
+    expect(result.changed).toBe(true);
+  });
+
+  it("fails agent without server URL", async () => {
+    const ctx = mockCtx({ role: "worker" });
+    ctx.ssh.exec.mockResolvedValueOnce(FAIL);  // not installed
+
+    const result = await installK3sBinary(ctx);
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("Missing agent");
+  });
+
+  it("installs k3s agent with URL and token", async () => {
+    const ctx = mockCtx({ role: "worker", k3sServerUrl: "https://10.0.0.1:6443", k3sToken: "secret" });
+    ctx.ssh.exec
+      .mockResolvedValueOnce(FAIL)  // not installed
+      .mockResolvedValueOnce(OK)    // curl install
+      .mockResolvedValueOnce(OK);   // restart
+
+    const result = await installK3sBinary(ctx);
+    expect(result.success).toBe(true);
+    expectCommand(ctx.ssh, "K3S_URL=");
+    expectCommand(ctx.ssh, "K3S_TOKEN=");
+  });
+});
+
+// --- DNS Fix ---
+
+import { fixCoreDnsUpstream } from "../src/operations/dns-fix.js";
+
+describe("fixCoreDnsUpstream", () => {
+  it("detects upstream DNS and writes resolv.conf", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout("192.168.8.1"))  // resolvectl
+      .mockResolvedValueOnce(stdout("__LABCTL_NOT_FOUND__"))  // cat existing
+      .mockResolvedValueOnce(OK)    // write resolv.conf
+      .mockResolvedValueOnce(stdout("active"))  // k3s active
+      .mockResolvedValueOnce(OK)    // restart
+      .mockResolvedValueOnce(OK);   // kubectl get nodes
+
+    const result = await fixCoreDnsUpstream(ctx);
+    expect(result.success).toBe(true);
+    expect(result.changed).toBe(true);
+    expect(result.message).toContain("192.168.8.1");
+  });
+
+  it("falls back to /run/systemd/resolve/resolv.conf", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout(""))  // resolvectl empty
+      .mockResolvedValueOnce(stdout("10.0.0.1"))  // fallback resolv.conf
+      .mockResolvedValueOnce(stdout("__LABCTL_NOT_FOUND__"))
+      .mockResolvedValueOnce(OK)
+      .mockResolvedValueOnce(stdout("active"))
+      .mockResolvedValueOnce(OK)
+      .mockResolvedValueOnce(OK);
+
+    const result = await fixCoreDnsUpstream(ctx);
+    expect(result.changed).toBe(true);
+  });
+
+  it("skips when upstream cannot be detected", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec
+      .mockResolvedValueOnce(stdout(""))       // resolvectl empty
+      .mockResolvedValueOnce(stdout("127.0.0.53")); // fallback is still stub
+
+    const result = await fixCoreDnsUpstream(ctx);
+    expect(result.changed).toBe(false);
+  });
+});
+
+// --- Pod Security ---
+
+import { applyPodSecurityStandards } from "../src/operations/pod-security.js";
+
+describe("applyPodSecurityStandards", () => {
+  it("applies all three labels", async () => {
+    const ctx = mockCtx();
+    const result = await applyPodSecurityStandards(ctx);
+    expect(result.success).toBe(true);
+    expect(ctx.ssh.exec).toHaveBeenCalledTimes(3);
+    expectCommand(ctx.ssh, "pod-security.kubernetes.io/enforce=restricted");
+    expectCommand(ctx.ssh, "pod-security.kubernetes.io/warn=restricted");
+    expectCommand(ctx.ssh, "pod-security.kubernetes.io/audit=restricted");
+  });
+});
diff --git a/bastion/src/modules/modules/k3s/tests/smoke.test.ts b/bastion/src/modules/modules/k3s/tests/smoke.test.ts
new file mode 100644
index 0000000..e3234f8
--- /dev/null
+++ b/bastion/src/modules/modules/k3s/tests/smoke.test.ts
@@ -0,0 +1,125 @@
+// Smoke tests: verify the full operation pipeline composes and runs end-to-end
+// with mocked SSH. These test the integration between operations, not individual logic.
+
+import { describe, it, expect } from "vitest";
+import { mockCtx, OK, stdout } from "./helpers.js";
+import * as ops from "../src/operations/index.js";
+import { runSequential } from "../src/utils.js";
+import type { NamedOperation } from "../src/types.js";
+
+describe("smoke: full server install pipeline", () => {
+  it("runs all install operations in sequence without errors", async () => {
+    const ctx = mockCtx({ hostname: "smoke.local", ip: "10.0.0.99", role: "infra" });
+    // Default mock returns OK for everything
+    ctx.ssh.exec.mockResolvedValue(OK);
+
+    const pipeline: NamedOperation[] = [
+      { name: "Kernel modules", fn: ops.loadKernelModules },
+      { name: "Sysctl hardening", fn: ops.applyCisHardening },
+      { name: "Disable swap", fn: ops.disableSwap },
+      { name: "Disable firewall", fn: ops.disableFirewall },
+      { name: "SELinux permissive", fn: ops.setSelinuxPermissive },
+      { name: "Write k3s config", fn: ops.writeK3sConfig },
+      { name: "Write audit policy", fn: ops.writeAuditPolicy },
+      { name: "CNI cleanup", fn: ops.cleanupStaleCni },
+    ];
+
+    const results = await runSequential(ctx, pipeline);
+
+    expect(results).toHaveLength(pipeline.length);
+    for (const r of results) {
+      expect(r.success).toBe(true);
+    }
+    // Verify log was called for each operation
+    expect(ctx.log).toHaveBeenCalledTimes(pipeline.length * 2); // start + end per op
+  });
+});
+
+describe("smoke: full configure pipeline", () => {
+  it("runs all configure operations", async () => {
+    const ctx = mockCtx({ role: "infra" });
+    ctx.ssh.exec.mockResolvedValue(OK);
+
+    const pipeline: NamedOperation[] = [
+      { name: "Fix CoreDNS", fn: ops.fixCoreDnsUpstream },
+      { name: "Log rotation", fn: ops.configureLogRotation },
+      { name: "Cert check", fn: ops.checkCertExpiry },
+      { name: "Network policies", fn: ops.applyDefaultNetworkPolicies },
+      { name: "Pod security", fn: ops.applyPodSecurityStandards },
+    ];
+
+    const results = await runSequential(ctx, pipeline);
+
+    expect(results).toHaveLength(pipeline.length);
+    for (const r of results) {
+      expect(r.success).toBe(true);
+    }
+  });
+});
+
+describe("smoke: pipeline stops on failure", () => {
+  it("stops at first failing operation", async () => {
+    const ctx = mockCtx();
+    ctx.ssh.exec.mockResolvedValue(OK);
+
+    let callCount = 0;
+    const failingOp = async () => {
+      callCount++;
+      return { success: false, changed: false, message: "Boom", error: "test failure" };
+    };
+    const neverCalled = async () => {
+      callCount++;
+      return { success: true, changed: false, message: "Should not run" };
+    };
+
+    const results = await runSequential(ctx, [
+      { name: "OK op", fn: ops.disableSwap },
+      { name: "Failing op", fn: failingOp },
+      { name: "Never called", fn: neverCalled },
+    ]);
+
+    expect(results).toHaveLength(2); // stopped after failure
+    expect(results[0]!.success).toBe(true);
+    expect(results[1]!.success).toBe(false);
+  });
+});
+
+describe("smoke: agent install rejects missing config", () => {
+  it("fails gracefully without server URL", async () => {
+    const ctx = mockCtx({ role: "worker" });
+    ctx.ssh.exec.mockResolvedValue(OK);
+    // Override the version check to say not installed
+    ctx.ssh.exec.mockResolvedValueOnce({ exitCode: 1, stdout: "", stderr: "" });
+
+    const result = await ops.installK3sBinary(ctx);
+    expect(result.success).toBe(false);
+    expect(result.error).toBeDefined();
+  });
+});
+
+describe("smoke: all operations are exported", () => {
+  it("exports all 15 operations", () => {
+    const exported = [
+      ops.loadKernelModules,
+      ops.applyCisHardening,
+      ops.disableSwap,
+      ops.disableFirewall,
+      ops.setSelinuxPermissive,
+      ops.writeK3sConfig,
+      ops.writeAuditPolicy,
+      ops.cleanupStaleCni,
+      ops.installK3sBinary,
+      ops.installCilium,
+      ops.fixCoreDnsUpstream,
+      ops.configureLogRotation,
+      ops.applyDefaultNetworkPolicies,
+      ops.applyPodSecurityStandards,
+      ops.checkCertExpiry,
+    ];
+
+    expect(exported).toHaveLength(15);
+    for (const op of exported) {
+      expect(typeof op).toBe("function");
+    }
+  });
+});
diff --git a/bastion/src/modules/modules/labcontroller/module.yaml b/bastion/src/modules/modules/labcontroller/module.yaml
new file mode 100644
index 0000000..4ef7a37
--- /dev/null
+++ b/bastion/src/modules/modules/labcontroller/module.yaml
@@ -0,0 +1,6 @@
+name: labcontroller
+version: 0.1.0
+description: Deploy bastion + labd + CockroachDB on k3s via Pulumi. Multi-node auto-clustering.
+targets:
+  roles: [labcontroller]
+dependencies: [k3s]
diff --git a/bastion/src/modules/modules/labcontroller/src/bastion.ts b/bastion/src/modules/modules/labcontroller/src/bastion.ts
new file mode 100644
index 0000000..a1b728b
--- /dev/null
+++ b/bastion/src/modules/modules/labcontroller/src/bastion.ts
@@ -0,0 +1,90 @@
+// Bastion PXE server k8s deployment manifests.
+// Uses hostNetwork for DHCP (UDP 67), TFTP (UDP 69), and HTTP.
+
+export interface BastionK8sConfig {
+  namespace: string;
+  image: string;
+  httpPort: number;
+  dataPath: string;  // Host path for state persistence
+}
+
+export const BASTION_DEFAULTS: BastionK8sConfig = {
+  namespace: "lab-system",
+  image: "gitea.mysources.co.uk/michal/lab-bastion:latest",
+  httpPort: 8080,
+  dataPath: "/srv/lab-bastion",
+};
+
+export function bastionManifests(opts?: Partial<BastionK8sConfig>) {
+  const o = { ...BASTION_DEFAULTS, ...opts };
+  const labels = { app: "bastion", "app.kubernetes.io/part-of": "lab" };
+
+  return {
+    // DaemonSet with hostNetwork — runs on every labcontroller node
+    // Gives direct access to DHCP port 67, TFTP port 69, HTTP
+    daemonSet: {
+      apiVersion: "apps/v1",
+      kind: "DaemonSet",
+      metadata: {
+        name: "bastion",
+        namespace: o.namespace,
+      },
+      spec: {
+        selector: { matchLabels: labels },
+        template: {
+          metadata: { labels },
+          spec: {
+            hostNetwork: true,
+            dnsPolicy: "ClusterFirstWithHostNet",
+            nodeSelector: {
+              "node-role.kubernetes.io/control-plane": "true",
+            },
+            tolerations: [{
+              key: "node-role.kubernetes.io/control-plane",
+              operator: "Exists",
+              effect: "NoSchedule",
+            }],
+            containers: [{
+              name: "bastion",
+              image: o.image,
+              env: [
+                { name: "HTTP_PORT", value: String(o.httpPort) },
+                { name: "BASTION_DIR", value: "/data" },
+                { name: "DHCP_MODE", value: "proxy" },
+              ],
+              ports: [
+                { containerPort: o.httpPort, hostPort: o.httpPort, protocol: "TCP" },
+                { containerPort: 67, hostPort: 67, protocol: "UDP" },
+                { containerPort: 69, hostPort: 69, protocol: "UDP" },
+                { containerPort: 4011, hostPort: 4011, protocol: "UDP" },
+              ],
+              volumeMounts: [
+                { name: "data", mountPath: "/data" },
+                { name: "tftpboot", mountPath: "/usr/share/ipxe", readOnly: true },
+              ],
+              securityContext: {
+                capabilities: {
+                  add: ["NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"],
+                },
+              },
+              resources: {
+                requests: { cpu: "50m", memory: "64Mi" },
+                limits: { cpu: "500m", memory: "256Mi" },
+              },
+            }],
+            volumes: [
+              {
+                name: "data",
+                hostPath: { path: o.dataPath, type: "DirectoryOrCreate" },
+              },
+              {
+                name: "tftpboot",
+                hostPath: { path: "/usr/share/ipxe", type: "Directory" },
+              },
+            ],
+          },
+        },
+      },
+    },
+  };
+}
diff --git a/bastion/src/modules/modules/labcontroller/src/cockroachdb.ts b/bastion/src/modules/modules/labcontroller/src/cockroachdb.ts
new file mode 100644
index 0000000..14f9080
--- /dev/null
+++ b/bastion/src/modules/modules/labcontroller/src/cockroachdb.ts
@@ -0,0 +1,172 @@
+// CockroachDB deployment for labcontroller.
+// Uses @kubernetes/client-node to apply resources directly to k3s.
+// StatefulSet with headless Service for multi-node auto-clustering.
+// Data stored on /srv/cockroachdb/ (preserved across reprovision).
+
+export interface CockroachDbConfig {
+  namespace: string;
+  replicas: number;
+  hostDataPath: string;
+  version: string;
+}
+
+export const COCKROACHDB_DEFAULTS: CockroachDbConfig = {
+  namespace: "lab-system",
+  replicas: 1,
+  hostDataPath: "/srv/cockroachdb",
+  version: "v24.3.5",
+};
+
+/** Generate all k8s manifests for CockroachDB deployment. */
+export function cockroachDbManifests(opts?: Partial<CockroachDbConfig>) {
+  const o = { ...COCKROACHDB_DEFAULTS, ...opts };
+  const labels = { app: "cockroachdb", "app.kubernetes.io/part-of": "lab" };
+
+  const joinHosts = Array.from({ length: o.replicas }, (_, i) =>
+    `cockroachdb-${i}.cockroachdb.${o.namespace}.svc.cluster.local:26257`
+  ).join(",");
+
+  return {
+    namespace: {
+      apiVersion: "v1",
+      kind: "Namespace",
+      metadata: { name: o.namespace },
+    },
+
+    headlessService: {
+      apiVersion: "v1",
+      kind: "Service",
+      metadata: {
+        name: "cockroachdb",
+        namespace: o.namespace,
+        labels,
+      },
+      spec: {
+        clusterIP: "None",
+        selector: labels,
+        ports: [
+          { name: "grpc", port: 26257, targetPort: 26257 },
+          { name: "http", port: 8080, targetPort: 8080 },
+        ],
+      },
+    },
+
+    clientService: {
+      apiVersion: "v1",
+      kind: "Service",
+      metadata: {
+        name: "cockroachdb-client",
+        namespace: o.namespace,
+        labels,
+      },
+      spec: {
+        selector: labels,
+        ports: [
+          { name: "sql", port: 26257, targetPort: 26257 },
+        ],
+      },
+    },
+
+    statefulSet: {
+      apiVersion: "apps/v1",
+      kind: "StatefulSet",
+      metadata: {
+        name: "cockroachdb",
+        namespace: o.namespace,
+      },
+      spec: {
+        serviceName: "cockroachdb",
+        replicas: o.replicas,
+        selector: { matchLabels: labels },
+        template: {
+          metadata: { labels },
+          spec: {
+            containers: [{
+              name: "cockroachdb",
+              image: `cockroachdb/cockroach:${o.version}`,
+              ports: [
+                { containerPort: 26257, name: "grpc" },
+                { containerPort: 8080, name: "http" },
+              ],
+              command: ["/cockroach/cockroach"],
+              args: [
+                "start",
+                "--logtostderr",
+                "--insecure",
+                "$(POD_ADVERTISE)",
+                `--join=${joinHosts}`,
+                "--store=path=/cockroach/cockroach-data",
+                "--cache=.25",
+                "--max-sql-memory=.25",
+              ],
+              env: [
+                {
+                  name: "POD_NAME",
+                  valueFrom: { fieldRef: { fieldPath: "metadata.name" } },
+                },
+                {
+                  name: "POD_ADVERTISE",
+                  value: `--advertise-host=$(POD_NAME).cockroachdb.${o.namespace}.svc.cluster.local`,
+                },
+              ],
+              volumeMounts: [{
+                name: "datadir",
+                mountPath: "/cockroach/cockroach-data",
+              }],
+              readinessProbe: {
+                httpGet: { path: "/health?ready=1", port: 8080, scheme: "HTTP" },
+                initialDelaySeconds: 10,
+                periodSeconds: 5,
+              },
+              livenessProbe: {
+                httpGet: { path: "/health", port: 8080, scheme: "HTTP" },
+                initialDelaySeconds: 30,
+                periodSeconds: 10,
+              },
+              resources: {
+                requests: { cpu: "100m", memory: "256Mi" },
+                limits: { cpu: "2", memory: "2Gi" },
+              },
+            }],
+            volumes: [{
+              name: "datadir",
+              hostPath: {
+                path: o.hostDataPath,
+                type: "DirectoryOrCreate",
+              },
+            }],
+            terminationGracePeriodSeconds: 60,
+          },
+        },
+      },
+    },
+
+    initJob: {
+      apiVersion: "batch/v1",
+      kind: "Job",
+      metadata: {
+        name: "cockroachdb-init",
+        namespace: o.namespace,
+      },
+      spec: {
+        template: {
+          spec: {
+            restartPolicy: "OnFailure",
+            containers: [{
+              name: "init",
+              image: `cockroachdb/cockroach:${o.version}`,
+              command: ["/cockroach/cockroach"],
+              args: [
+                "init",
+                "--insecure",
+                `--host=cockroachdb-0.cockroachdb.${o.namespace}.svc.cluster.local:26257`,
+              ],
+            }],
+          },
+        },
+      },
+    },
+
+    connectionString: `postgresql://root@cockroachdb-client.${o.namespace}.svc.cluster.local:26257/lab?sslmode=disable`,
+  };
+}
diff --git a/bastion/src/modules/modules/labcontroller/src/deploy.ts b/bastion/src/modules/modules/labcontroller/src/deploy.ts
new file mode 100644
index 0000000..0912dec
--- /dev/null
+++ b/bastion/src/modules/modules/labcontroller/src/deploy.ts
@@ -0,0 +1,18 @@
+// Labcontroller deploy helpers.
+// The actual deployment uses kubectl apply via SSH (see labcontroller CLI command).
+
+/** Serialize a manifest to JSON for piping to kubectl apply. */
+export function toKubectlJson(manifest: Record<string, unknown>): string {
+  return JSON.stringify(manifest);
+}
+
+/** Escape single quotes for embedding in a bash string. */
+export function shellEscape(s: string): string {
+  return s.replace(/'/g, "'\\''");
+}
+
+/** Generate a kubectl apply command for a manifest. */
+export function kubectlApplyCmd(manifest: Record<string, unknown>): string {
+  const json = shellEscape(toKubectlJson(manifest));
+  return `echo '${json}' | sudo k3s kubectl apply -f -`;
+}
diff --git a/bastion/src/modules/modules/labcontroller/src/index.ts b/bastion/src/modules/modules/labcontroller/src/index.ts
new file mode 100644
index 0000000..d0ad719
--- /dev/null
+++ b/bastion/src/modules/modules/labcontroller/src/index.ts
@@ -0,0 +1,39 @@
+// Labcontroller module — deploys bastion + labd + CockroachDB to k3s.
+// Multi-node: CockroachDB auto-clusters via headless Service DNS.
+
+export { cockroachDbManifests, type CockroachDbConfig, COCKROACHDB_DEFAULTS } from "./cockroachdb.js";
+export { labdManifests, type LabdConfig, LABD_DEFAULTS } from "./labd.js";
+export { bastionManifests, type BastionK8sConfig, BASTION_DEFAULTS } from "./bastion.js";
+export { toKubectlJson, shellEscape, kubectlApplyCmd } from "./deploy.js";
+
+import { cockroachDbManifests, type CockroachDbConfig } from "./cockroachdb.js";
+import { labdManifests, type LabdConfig } from "./labd.js";
+import { bastionManifests, type BastionK8sConfig } from "./bastion.js";
+
+export interface LabcontrollerConfig {
+  cockroachdb?: Partial<CockroachDbConfig>;
+  labd?: Partial<LabdConfig>;
+  bastion?: Partial<BastionK8sConfig>;
+}
+
+/** Generate all k8s manifests for a full labcontroller deployment. */
+export function labcontrollerManifests(config?: LabcontrollerConfig): Record<string, unknown>[] {
+  const crdb = cockroachDbManifests(config?.cockroachdb);
+  const labd = labdManifests({
+    ...config?.labd,
+    databaseUrl: crdb.connectionString,
+  });
+  const bastion = bastionManifests(config?.bastion);
+
+  // Order matters: namespace first, then services, then workloads
+  return [
+    crdb.namespace,
+    crdb.headlessService,
+    crdb.clientService,
+    crdb.statefulSet,
+    crdb.initJob,
+    labd.service,
+    labd.deployment,
+    bastion.daemonSet,
+  ];
+}
diff --git a/bastion/src/modules/modules/labcontroller/src/labd.ts b/bastion/src/modules/modules/labcontroller/src/labd.ts
new file mode 100644
index 0000000..ac1270b
--- /dev/null
+++ b/bastion/src/modules/modules/labcontroller/src/labd.ts
@@ -0,0 +1,81 @@
+// labd (master daemon) k8s deployment manifests.
+
+export interface LabdConfig {
+  namespace: string;
+  image: string;
+  replicas: number;
+  databaseUrl: string;
+}
+
+export const LABD_DEFAULTS: LabdConfig = {
+  namespace: "lab-system",
+  image: "gitea.mysources.co.uk/michal/lab-labd:latest",
+  replicas: 1,
+  databaseUrl: "postgresql://root@cockroachdb-client.lab-system.svc.cluster.local:26257/lab?sslmode=disable",
+};
+
+export function labdManifests(opts?: Partial<LabdConfig>) {
+  const o = { ...LABD_DEFAULTS, ...opts };
+  const labels = { app: "labd", "app.kubernetes.io/part-of": "lab" };
+
+  return {
+    deployment: {
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: {
+        name: "labd",
+        namespace: o.namespace,
+      },
+      spec: {
+        replicas: o.replicas,
+        selector: { matchLabels: labels },
+        template: {
+          metadata: { labels },
+          spec: {
+            containers: [{
+              name: "labd",
+              image: o.image,
+              ports: [{ containerPort: 3100, name: "http" }],
+              env: [
+                { name: "DATABASE_URL", value: o.databaseUrl },
+                { name: "LABD_PORT", value: "3100" },
+                { name: "LABD_HOST", value: "0.0.0.0" },
+              ],
+              readinessProbe: {
+                httpGet: { path: "/healthz", port: 3100 },
+                initialDelaySeconds: 5,
+                periodSeconds: 5,
+              },
+              livenessProbe: {
+                httpGet: { path: "/healthz", port: 3100 },
+                initialDelaySeconds: 10,
+                periodSeconds: 10,
+              },
+              resources: {
+                requests: { cpu: "50m", memory: "128Mi" },
+                limits: { cpu: "500m", memory: "512Mi" },
+              },
+            }],
+          },
+        },
+      },
+    },
+
+    service: {
+      apiVersion: "v1",
+      kind: "Service",
+      metadata: {
+        name: "labd",
+        namespace: o.namespace,
+        labels,
+      },
+      spec: {
+        type: "NodePort",
+        selector: labels,
+        ports: [
+          { name: "http", port: 3100, targetPort: 3100, nodePort: 30100 },
+        ],
+      },
+    },
+  };
+}
diff --git a/bastion/src/modules/package.json b/bastion/src/modules/package.json
new file mode 100644
index 0000000..fe89fcf
--- /dev/null
+++ b/bastion/src/modules/package.json
@@ -0,0 +1,21 @@
+{
+  "name": "@lab/modules",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "./dist/src/index.js",
+  "types": "./dist/src/index.d.ts",
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rimraf dist"
+  },
+  "dependencies": {
+    "@kubernetes/client-node": "^1.4.0",
+    "@lab/shared": "workspace:*"
+  },
+  "devDependencies": {
+    "@types/node": "^22.14.1",
+    "rimraf": "^6.1.3",
+    "typescript": "^5.9.3"
+  }
+}
diff --git a/bastion/src/modules/src/index.ts b/bastion/src/modules/src/index.ts
new file mode 100644
index 0000000..f3d318f
--- /dev/null
+++ b/bastion/src/modules/src/index.ts
@@ -0,0 +1,23 @@
+export type {
+  ModuleMetadata,
+  ModuleContext,
+  ModuleResult,
+  Module,
+} from "./types.js";
+
+export { sshExec, sshExecStreaming } from "./ssh.js";
+export type { SshExecOptions, SshExecResult } from "./ssh.js";
+
+export { ModuleRunner } from "./runner.js";
+export type { Phase, RunOptions } from "./runner.js";
+
+export { ModuleRegistry } from "./registry.js";
+
+// k3s module — operation-based
+export { K3sModule } from "../modules/k3s/src/k3s-module.js";
+export type { K3sConfig, OperationContext, OperationResult, Operation } from "../modules/k3s/src/types.js";
+
+// DEPRECATED: legacy bash script generators (still used by labcontroller deploy)
+export { generateInstallScript, type K3sInstallContext } from "../modules/k3s/src/install.js";
+export { generateConfigureScript } from "../modules/k3s/src/configure.js";
+export { generateHealthScript, K3S_HEALTH_CHECKS } from "../modules/k3s/src/health.js";
diff --git a/bastion/src/modules/src/registry.ts b/bastion/src/modules/src/registry.ts
new file mode 100644
index 0000000..2472dda
--- /dev/null
+++ b/bastion/src/modules/src/registry.ts
@@ -0,0 +1,30 @@
+import type { Module, ModuleMetadata } from "./types.js";
+
+export class ModuleRegistry {
+  private readonly modules = new Map<string, Module>();
+
+  /**
+   * Register a module. Throws if a module with the same name is already registered.
+   */
+  registerModule(module: Module): void {
+    const { name } = module.metadata;
+    if (this.modules.has(name)) {
+      throw new Error(`Module "${name}" is already registered`);
+    }
+    this.modules.set(name, module);
+  }
+
+  /**
+   * Get a module by name. Returns undefined if not found.
+   */
+  getModule(name: string): Module | undefined {
+    return this.modules.get(name);
+  }
+
+  /**
+   * List metadata for all registered modules.
+   */
+  listModules(): ModuleMetadata[] {
+    return [...this.modules.values()].map((m) => m.metadata);
+  }
+}
diff --git a/bastion/src/modules/src/runner.ts b/bastion/src/modules/src/runner.ts
new file mode 100644
index 0000000..d9a5796
--- /dev/null
+++ b/bastion/src/modules/src/runner.ts
@@ -0,0 +1,61 @@
+import type { Module, ModuleContext, ModuleResult } from "./types.js";
+
+export type Phase = "install" | "configure" | "health";
+
+export interface RunOptions {
+  phases?: Phase[];
+  onProgress?: (phase: string, line: string) => void;
+}
+
+const DEFAULT_PHASES: Phase[] = ["install", "configure", "health"];
+
+export class ModuleRunner {
+  /**
+   * Run module phases in order. Stops on first failure.
+   * Returns results for each phase that was executed.
+   */
+  async run(
+    module: Module,
+    ctx: ModuleContext,
+    options?: RunOptions,
+  ): Promise<ModuleResult[]> {
+    const phases = options?.phases ?? DEFAULT_PHASES;
+    const onProgress = options?.onProgress ?? ((_phase: string, line: string) => {
+      console.log(line);
+    });
+
+    const results: ModuleResult[] = [];
+
+    for (const phase of phases) {
+      onProgress(phase, `[${module.metadata.name}] starting phase: ${phase}`);
+
+      const start = performance.now();
+      let result: ModuleResult;
+
+      try {
+        result = await module[phase](ctx);
+      } catch (err) {
+        const duration = Math.round(performance.now() - start);
+        const errorMessage = err instanceof Error ? err.message : String(err);
+        result = {
+          success: false,
+          phase,
+          duration,
+          output: [],
+          errors: [errorMessage],
+        };
+      }
+
+      results.push(result);
+
+      if (result.success) {
+        onProgress(phase, `[${module.metadata.name}] ${phase} completed in ${result.duration}ms`);
+      } else {
+        onProgress(phase, `[${module.metadata.name}] ${phase} failed: ${result.errors.join(", ")}`);
+        break;
+      }
+    }
+
+    return results;
+  }
+}
diff --git a/bastion/src/modules/src/ssh.d.ts b/bastion/src/modules/src/ssh.d.ts
new file mode 100644
index 0000000..8fd810d
--- /dev/null
+++ b/bastion/src/modules/src/ssh.d.ts
@@ -0,0 +1,18 @@
+export interface SshExecOptions {
+    keyPath?: string;
+    timeoutMs?: number;
+}
+export interface SshExecResult {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+}
+/**
+ * Execute a command over SSH and return the result when complete.
+ */
+export declare function sshExec(ip: string, user: string, command: string, options?: SshExecOptions): Promise<SshExecResult>;
+/**
+ * Execute a command over SSH, calling onLine for each line of combined output.
+ */
+export declare function sshExecStreaming(ip: string, user: string, command: string, onLine: (line: string) => void, options?: SshExecOptions): Promise<SshExecResult>;
+//# sourceMappingURL=ssh.d.ts.map
\ No newline at end of file
diff --git a/bastion/src/modules/src/ssh.d.ts.map b/bastion/src/modules/src/ssh.d.ts.map
new file mode 100644
index 0000000..db4350e
--- /dev/null
+++ b/bastion/src/modules/src/ssh.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"ssh.d.ts","sourceRoot":"","sources":["ssh.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAsBD;;GAEG;AACH,wBAAgB,OAAO,CACrB,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAuCxB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,EAC9B,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAgExB"}
\ No newline at end of file
diff --git a/bastion/src/modules/src/ssh.js b/bastion/src/modules/src/ssh.js
new file mode 100644
index 0000000..0983b85
--- /dev/null
+++ b/bastion/src/modules/src/ssh.js
@@ -0,0 +1,111 @@
+import { spawn } from "node:child_process";
+function buildSshArgs(ip, user, command, options) {
+    const args = [
+        "-o", "StrictHostKeyChecking=no",
+        "-o", "UserKnownHostsFile=/dev/null",
+        "-o", "LogLevel=ERROR",
+    ];
+    if (options?.keyPath) {
+        args.push("-i", options.keyPath);
+    }
+    args.push(`${user}@${ip}`, command);
+    return args;
+}
+/**
+ * Execute a command over SSH and return the result when complete.
+ */
+export function sshExec(ip, user, command, options) {
+    return new Promise((resolve, reject) => {
+        const args = buildSshArgs(ip, user, command, options);
+        const proc = spawn("ssh", args, { stdio: ["ignore", "pipe", "pipe"] });
+        const stdoutChunks = [];
+        const stderrChunks = [];
+        proc.stdout.on("data", (chunk) => stdoutChunks.push(chunk));
+        proc.stderr.on("data", (chunk) => stderrChunks.push(chunk));
+        let timedOut = false;
+        let timer;
+        if (options?.timeoutMs) {
+            timer = setTimeout(() => {
+                timedOut = true;
+                proc.kill("SIGTERM");
+            }, options.timeoutMs);
+        }
+        proc.on("error", (err) => {
+            if (timer)
+                clearTimeout(timer);
+            reject(err);
+        });
+        proc.on("close", (code) => {
+            if (timer)
+                clearTimeout(timer);
+            const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
+            const stderr = Buffer.concat(stderrChunks).toString("utf-8");
+            if (timedOut) {
+                resolve({ exitCode: 124, stdout, stderr: stderr + "\nSSH command timed out" });
+                return;
+            }
+            resolve({ exitCode: code ?? 1, stdout, stderr });
+        });
+    });
+}
+/**
+ * Execute a command over SSH, calling onLine for each line of combined output.
+ */
+export function sshExecStreaming(ip, user, command, onLine, options) {
+    return new Promise((resolve, reject) => {
+        const args = buildSshArgs(ip, user, command, options);
+        const proc = spawn("ssh", args, { stdio: ["ignore", "pipe", "pipe"] });
+        const stdoutChunks = [];
+        const stderrChunks = [];
+        let stdoutBuffer = "";
+        let stderrBuffer = "";
+        proc.stdout.on("data", (chunk) => {
+            stdoutChunks.push(chunk);
+            stdoutBuffer += chunk.toString("utf-8");
+            const lines = stdoutBuffer.split("\n");
+            stdoutBuffer = lines.pop() ?? "";
+            for (const line of lines) {
+                onLine(line);
+            }
+        });
+        proc.stderr.on("data", (chunk) => {
+            stderrChunks.push(chunk);
+            stderrBuffer += chunk.toString("utf-8");
+            const lines = stderrBuffer.split("\n");
+            stderrBuffer = lines.pop() ?? "";
+            for (const line of lines) {
+                onLine(line);
+            }
+        });
+        let timedOut = false;
+        let timer;
+        if (options?.timeoutMs) {
+            timer = setTimeout(() => {
+                timedOut = true;
+                proc.kill("SIGTERM");
+            }, options.timeoutMs);
+        }
+        proc.on("error", (err) => {
+            if (timer)
+                clearTimeout(timer);
+            reject(err);
+        });
+        proc.on("close", (code) => {
+            if (timer)
+                clearTimeout(timer);
+            // Flush remaining buffered content
+            if (stdoutBuffer)
+                onLine(stdoutBuffer);
+            if (stderrBuffer)
+                onLine(stderrBuffer);
+            const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
+            const stderr = Buffer.concat(stderrChunks).toString("utf-8");
+            if (timedOut) {
+                resolve({ exitCode: 124, stdout, stderr: stderr + "\nSSH command timed out" });
+                return;
+            }
+            resolve({ exitCode: code ?? 1, stdout, stderr });
+        });
+    });
+}
+//# sourceMappingURL=ssh.js.map
\ No newline at end of file
diff --git a/bastion/src/modules/src/ssh.js.map b/bastion/src/modules/src/ssh.js.map
new file mode 100644
index 0000000..d42a999
--- /dev/null
+++ b/bastion/src/modules/src/ssh.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["ssh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAa3C,SAAS,YAAY,CACnB,EAAU,EACV,IAAY,EACZ,OAAe,EACf,OAAwB;IAExB,MAAM,IAAI,GAAa;QACrB,IAAI,EAAE,0BAA0B;QAChC,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,gBAAgB;KACvB,CAAC;IAEF,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;IACpC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CACrB,EAAU,EACV,IAAY,EACZ,OAAe,EACf,OAAwB;IAExB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,YAAY,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QACtD,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAEvE,MAAM,YAAY,GAAa,EAAE,CAAC;QAClC,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACpE,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAEpE,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,KAAgD,CAAC;QAErD,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;YACvB,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBACtB,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,IAAI,KAAK;gBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,KAAK;gBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC7D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAE7D,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,yBAAyB,EAAE,CAAC,CAAC;gBAC/E,OAAO;YACT,CAAC;YAED,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,EAAU,EACV,IAAY,EACZ,OAAe,EACf,MAA8B,EAC9B,OAAwB;IAExB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,YAAY,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QACtD,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAEvE,MAAM,YAAY,GAAa,EAAE,CAAC;QAClC,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,IAAI,YAAY,GAAG,EAAE,CAAC;QACtB,IAAI,YAAY,GAAG,EAAE,CAAC;QAEtB,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACvC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,YAAY,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACxC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACvC,YAAY,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,CAAC,IAAI,CAAC,CAAC;YACf,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACvC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,YAAY,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACxC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACvC,YAAY,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,CAAC,IAAI,CAAC,CAAC;YACf,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,KAAgD,CAAC;QAErD,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;YACvB,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBACtB,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,IAAI,KAAK;gBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,KAAK;gBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;YAE/B,mCAAmC;YACnC,IAAI,YAAY;gBAAE,MAAM,CAAC,YAAY,CAAC,CAAC;YACvC,IAAI,YAAY;gBAAE,MAAM,CAAC,YAAY,CAAC,CAAC;YAEvC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC7D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAE7D,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,yBAAyB,EAAE,CAAC,CAAC;gBAC/E,OAAO;YACT,CAAC;YAED,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
\ No newline at end of file
diff --git a/bastion/src/modules/src/ssh.ts b/bastion/src/modules/src/ssh.ts
new file mode 100644
index 0000000..1bdc021
--- /dev/null
+++ b/bastion/src/modules/src/ssh.ts
@@ -0,0 +1,156 @@
+import { spawn } from "node:child_process";
+
+export interface SshExecOptions {
+  keyPath?: string;
+  timeoutMs?: number;
+}
+
+export interface SshExecResult {
+  exitCode: number;
+  stdout: string;
+  stderr: string;
+}
+
+function buildSshArgs(
+  ip: string,
+  user: string,
+  command: string,
+  options?: SshExecOptions,
+): string[] {
+  const args: string[] = [
+    "-o", "StrictHostKeyChecking=no",
+    "-o", "UserKnownHostsFile=/dev/null",
+    "-o", "LogLevel=ERROR",
+  ];
+
+  if (options?.keyPath) {
+    args.push("-i", options.keyPath);
+  }
+
+  args.push(`${user}@${ip}`, command);
+  return args;
+}
+
+/**
+ * Execute a command over SSH and return the result when complete.
+ */
+export function sshExec(
+  ip: string,
+  user: string,
+  command: string,
+  options?: SshExecOptions,
+): Promise<SshExecResult> {
+  return new Promise((resolve, reject) => {
+    const args = buildSshArgs(ip, user, command, options);
+    const proc = spawn("ssh", args, { stdio: ["ignore", "pipe", "pipe"] });
+
+    const stdoutChunks: Buffer[] = [];
+    const stderrChunks: Buffer[] = [];
+
+    proc.stdout.on("data", (chunk: Buffer) => stdoutChunks.push(chunk));
+    proc.stderr.on("data", (chunk: Buffer) => stderrChunks.push(chunk));
+
+    let timedOut = false;
+    let timer: ReturnType<typeof setTimeout> | undefined;
+
+    if (options?.timeoutMs) {
+      timer = setTimeout(() => {
+        timedOut = true;
+        proc.kill("SIGTERM");
+      }, options.timeoutMs);
+    }
+
+    proc.on("error", (err) => {
+      if (timer) clearTimeout(timer);
+      reject(err);
+    });
+
+    proc.on("close", (code) => {
+      if (timer) clearTimeout(timer);
+      const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
+      const stderr = Buffer.concat(stderrChunks).toString("utf-8");
+
+      if (timedOut) {
+        resolve({ exitCode: 124, stdout, stderr: stderr + "\nSSH command timed out" });
+        return;
+      }
+
+      resolve({ exitCode: code ?? 1, stdout, stderr });
+    });
+  });
+}
+
+/**
+ * Execute a command over SSH, calling onLine for each line of combined output.
+ */
+export function sshExecStreaming(
+  ip: string,
+  user: string,
+  command: string,
+  onLine: (line: string) => void,
+  options?: SshExecOptions,
+): Promise<SshExecResult> {
+  return new Promise((resolve, reject) => {
+    const args = buildSshArgs(ip, user, command, options);
+    const proc = spawn("ssh", args, { stdio: ["ignore", "pipe", "pipe"] });
+
+    const stdoutChunks: Buffer[] = [];
+    const stderrChunks: Buffer[] = [];
+
+    let stdoutBuffer = "";
+    let stderrBuffer = "";
+
+    proc.stdout.on("data", (chunk: Buffer) => {
+      stdoutChunks.push(chunk);
+      stdoutBuffer += chunk.toString("utf-8");
+      const lines = stdoutBuffer.split("\n");
+      stdoutBuffer = lines.pop() ?? "";
+      for (const line of lines) {
+        onLine(line);
+      }
+    });
+
+    proc.stderr.on("data", (chunk: Buffer) => {
+      stderrChunks.push(chunk);
+      stderrBuffer += chunk.toString("utf-8");
+      const lines = stderrBuffer.split("\n");
+      stderrBuffer = lines.pop() ?? "";
+      for (const line of lines) {
+        onLine(line);
+      }
+    });
+
+    let timedOut = false;
+    let timer: ReturnType<typeof setTimeout> | undefined;
+
+    if (options?.timeoutMs) {
+      timer = setTimeout(() => {
+        timedOut = true;
+        proc.kill("SIGTERM");
+      }, options.timeoutMs);
+    }
+
+    proc.on("error", (err) => {
+      if (timer) clearTimeout(timer);
+      reject(err);
+    });
+
+    proc.on("close", (code) => {
+      if (timer) clearTimeout(timer);
+
+      // Flush remaining buffered content
+      if (stdoutBuffer) onLine(stdoutBuffer);
+      if (stderrBuffer) onLine(stderrBuffer);
+
+      const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
+      const stderr = Buffer.concat(stderrChunks).toString("utf-8");
+
+      if (timedOut) {
+        resolve({ exitCode: 124, stdout, stderr: stderr + "\nSSH command timed out" });
+        return;
+      }
+
+      resolve({ exitCode: code ?? 1, stdout, stderr });
+    });
+  });
+}
diff --git a/bastion/src/modules/src/types.ts b/bastion/src/modules/src/types.ts
new file mode 100644
index 0000000..3baf7b2
--- /dev/null
+++ b/bastion/src/modules/src/types.ts
@@ -0,0 +1,38 @@
+import type { OsId, Arch } from "@lab/shared";
+
+export interface ModuleMetadata {
+  name: string;
+  version: string;
+  description: string;
+  targets: {
+    roles?: string[];
+    labels?: Record<string, string>;
+  };
+  dependencies?: string[];
+}
+
+export interface ModuleContext {
+  hostname: string;
+  ip: string;
+  role: string;
+  os: OsId;
+  arch: Arch;
+  sshUser: string;
+  sshKeyPath?: string;
+  config: Record<string, unknown>;
+}
+
+export interface ModuleResult {
+  success: boolean;
+  phase: "install" | "configure" | "health";
+  duration: number;
+  output: string[];
+  errors: string[];
+}
+
+export interface Module {
+  readonly metadata: ModuleMetadata;
+  install(ctx: ModuleContext): Promise<ModuleResult>;
+  configure(ctx: ModuleContext): Promise<ModuleResult>;
+  health(ctx: ModuleContext): Promise<ModuleResult>;
+}
diff --git a/bastion/src/modules/tsconfig.json b/bastion/src/modules/tsconfig.json
new file mode 100644
index 0000000..ed14a8c
--- /dev/null
+++ b/bastion/src/modules/tsconfig.json
@@ -0,0 +1,13 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": ".",
+    "outDir": "dist",
+    "composite": true
+  },
+  "include": ["src/**/*.ts", "modules/**/*.ts"],
+  "exclude": ["modules/**/tests/**"],
+  "references": [
+    { "path": "../shared" }
+  ]
+}
diff --git a/bastion/src/shared/package.json b/bastion/src/shared/package.json
new file mode 100644
index 0000000..55aee71
--- /dev/null
+++ b/bastion/src/shared/package.json
@@ -0,0 +1,20 @@
+{
+  "name": "@lab/shared",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rimraf dist",
+    "test": "vitest",
+    "test:run": "vitest run"
+  }
+}
diff --git a/bastion/src/shared/src/constants/index.ts b/bastion/src/shared/src/constants/index.ts
new file mode 100644
index 0000000..73496b8
--- /dev/null
+++ b/bastion/src/shared/src/constants/index.ts
@@ -0,0 +1,4 @@
+// Application-wide constants.
+
+export const APP_NAME = "labctl";
+export const APP_VERSION = "0.1.0";
diff --git a/bastion/src/shared/src/errors/index.ts b/bastion/src/shared/src/errors/index.ts
new file mode 100644
index 0000000..c93216a
--- /dev/null
+++ b/bastion/src/shared/src/errors/index.ts
@@ -0,0 +1,86 @@
+// Error handling and reporting utilities for the lab platform.
+
+// --- Base error class ---
+
+export class LabError extends Error {
+  readonly code: string;
+  readonly statusCode: number;
+  readonly details: Record<string, unknown> | undefined;
+
+  constructor(
+    message: string,
+    code: string,
+    statusCode: number = 500,
+    details?: Record<string, unknown>,
+  ) {
+    super(message);
+    this.name = this.constructor.name;
+    this.code = code;
+    this.statusCode = statusCode;
+    this.details = details;
+  }
+
+  toJSON(): { error: string; code: string; statusCode: number; details: Record<string, unknown> | undefined } {
+    return {
+      error: this.message,
+      code: this.code,
+      statusCode: this.statusCode,
+      details: this.details,
+    };
+  }
+}
+
+// --- Subclasses ---
+
+export class NotFoundError extends LabError {
+  constructor(resourceType: string, identifier: string) {
+    super(
+      `${resourceType} '${identifier}' not found`,
+      "NOT_FOUND",
+      404,
+      { resourceType, identifier },
+    );
+  }
+}
+
+export class PermissionDeniedError extends LabError {
+  constructor(action: string, resource: string, reason?: string) {
+    const message = reason
+      ? `Permission denied: cannot ${action} on ${resource} — ${reason}`
+      : `Permission denied: cannot ${action} on ${resource}`;
+    super(
+      message,
+      "PERMISSION_DENIED",
+      403,
+      { action, resource, ...(reason !== undefined ? { reason } : {}) },
+    );
+  }
+}
+
+export class ValidationError extends LabError {
+  constructor(message: string, field?: string) {
+    super(
+      message,
+      "VALIDATION_ERROR",
+      400,
+      field !== undefined ? { field } : undefined,
+    );
+  }
+}
+
+export class AgentNotConnectedError extends LabError {
+  constructor(serverName: string) {
+    super(
+      `Agent on server '${serverName}' is not connected`,
+      "AGENT_NOT_CONNECTED",
+      503,
+      { serverName },
+    );
+  }
+}
+
+// --- Type guard ---
+
+export function isLabError(err: unknown): err is LabError {
+  return err instanceof LabError;
+}
diff --git a/bastion/src/shared/src/index.ts b/bastion/src/shared/src/index.ts
new file mode 100644
index 0000000..7179a6d
--- /dev/null
+++ b/bastion/src/shared/src/index.ts
@@ -0,0 +1,45 @@
+export type {
+  OsId,
+  Arch,
+  Role,
+  HardwareInfo,
+  InstallConfig,
+  InstalledInfo,
+  BastionState,
+  BastionConfig,
+} from "./types/index.js";
+
+export { SUPPORTED_OS, SUPPORTED_ROLES, ROLE_REGISTRY, isValidOsId } from "./types/index.js";
+export type { RoleInfo } from "./types/index.js";
+
+export { APP_NAME, APP_VERSION } from "./constants/index.js";
+
+export {
+  type AgentMessage,
+  type ServerMessage,
+  type BastionMessage,
+  type LabdBastionMessage,
+  type JournalOptions,
+  type AgentMessageType,
+  type ServerMessageType,
+  type BastionMessageType,
+  type LabdBastionMessageType,
+  isAgentMessage,
+  isServerMessage,
+  isBastionMessage,
+  isLabdBastionMessage,
+  parseAgentMessage,
+  parseServerMessage,
+  parseBastionMessage,
+  parseLabdBastionMessage,
+  generateRequestId,
+} from "./protocol/index.js";
+
+export {
+  LabError,
+  NotFoundError,
+  PermissionDeniedError,
+  ValidationError,
+  AgentNotConnectedError,
+  isLabError,
+} from "./errors/index.js";
diff --git a/bastion/src/shared/src/protocol/index.ts b/bastion/src/shared/src/protocol/index.ts
new file mode 100644
index 0000000..6670c54
--- /dev/null
+++ b/bastion/src/shared/src/protocol/index.ts
@@ -0,0 +1,171 @@
+// Protocol types for agent-labd WebSocket communication.
+
+import { randomUUID } from "node:crypto";
+
+// --- Agent -> labd messages ---
+
+export type AgentMessage =
+  | { type: "heartbeat"; hostname: string; uptime: number; version: string; memUsage: number; cpuUsage: number }
+  | { type: "exec-stdout"; requestId: string; data: string }
+  | { type: "exec-stderr"; requestId: string; data: string }
+  | { type: "exec-exit"; requestId: string; exitCode: number }
+  | { type: "log-line"; requestId: string; line: string }
+  | { type: "log-end"; requestId: string }
+  | { type: "enrollment-request"; joinToken: string; hostname: string; csr: string }
+  | { type: "rotation-request"; currentFingerprint: string; newCsr: string };
+
+// --- labd -> Agent messages ---
+
+export type ServerMessage =
+  | { type: "exec"; requestId: string; command: string; args: string[]; timeout: number; tty: boolean }
+  | { type: "exec-stdin"; requestId: string; data: string }
+  | { type: "exec-signal"; requestId: string; signal: "SIGTERM" | "SIGKILL" | "SIGINT" }
+  | { type: "log-subscribe"; requestId: string; options: JournalOptions }
+  | { type: "log-unsubscribe"; requestId: string }
+  | { type: "enrollment-response"; status: "success" | "error"; certificatePem?: string; error?: string }
+  | { type: "heartbeat-ack"; serverTime: string }
+  | { type: "server-shutdown"; reconnectAfter: number };
+
+// --- Supporting types ---
+
+export interface JournalOptions {
+  follow?: boolean;
+  lines?: number;
+  unit?: string;
+  since?: string;
+  priority?: string;
+  kernel?: boolean;
+  file?: string;
+}
+
+// --- Message types for discriminated union access ---
+
+export type AgentMessageType = AgentMessage["type"];
+export type ServerMessageType = ServerMessage["type"];
+
+// --- Type guards ---
+
+const AGENT_MESSAGE_TYPES = new Set<string>([
+  "heartbeat", "exec-stdout", "exec-stderr", "exec-exit",
+  "log-line", "log-end", "enrollment-request", "rotation-request",
+]);
+
+const SERVER_MESSAGE_TYPES = new Set<string>([
+  "exec", "exec-stdin", "exec-signal", "log-subscribe",
+  "log-unsubscribe", "enrollment-response", "heartbeat-ack", "server-shutdown",
+]);
+
+export function isAgentMessage(msg: unknown): msg is AgentMessage {
+  return (
+    typeof msg === "object" &&
+    msg !== null &&
+    "type" in msg &&
+    typeof (msg as { type: unknown }).type === "string" &&
+    AGENT_MESSAGE_TYPES.has((msg as { type: string }).type)
+  );
+}
+
+export function isServerMessage(msg: unknown): msg is ServerMessage {
+  return (
+    typeof msg === "object" &&
+    msg !== null &&
+    "type" in msg &&
+    typeof (msg as { type: unknown }).type === "string" &&
+    SERVER_MESSAGE_TYPES.has((msg as { type: string }).type)
+  );
+}
+
+// --- Parsing utilities ---
+
+export function parseAgentMessage(data: string): AgentMessage {
+  const msg: unknown = JSON.parse(data);
+  if (!isAgentMessage(msg)) {
+    throw new Error(`Invalid agent message: ${(msg as { type?: string }).type ?? "unknown"}`);
+  }
+  return msg;
+}
+
+export function parseServerMessage(data: string): ServerMessage {
+  const msg: unknown = JSON.parse(data);
+  if (!isServerMessage(msg)) {
+    throw new Error(`Invalid server message: ${(msg as { type?: string }).type ?? "unknown"}`);
+  }
+  return msg;
+}
+
+// --- Bastion -> labd messages ---
+
+export type BastionMessage =
+  | { type: "bastion-enroll"; token: string; hostname: string; network: string; serverIp: string }
+  | { type: "bastion-heartbeat"; bastionId: string; uptime: number; machineCount: number }
+  | { type: "bastion-state-sync"; bastionId: string; state: import("../types/state.js").BastionState }
+  | { type: "bastion-progress"; bastionId: string; mac: string; stage: string; detail: string; timestamp: string }
+  | { type: "bastion-install-log"; bastionId: string; mac: string; hostname: string; provisionerType: import("../types/state.js").ProvisionStackType; sessionId: string; lines: string[]; timestamp: string }
+  | { type: "command-response"; requestId: string; status: "ok" | "error"; data?: unknown; error?: string };
+
+// --- labd -> Bastion messages ---
+
+export type LabdBastionMessage =
+  | { type: "bastion-enrolled"; bastionId: string }
+  | { type: "bastion-heartbeat-ack"; serverTime: string }
+  | { type: "command-install"; requestId: string; mac: string; hostname: string; disk?: string; role: string; os: string }
+  | { type: "command-forget"; requestId: string; mac: string }
+  | { type: "command-role-update"; requestId: string; mac: string; role: string }
+  | { type: "server-shutdown"; reconnectAfter: number };
+
+export type BastionMessageType = BastionMessage["type"];
+export type LabdBastionMessageType = LabdBastionMessage["type"];
+
+// --- Bastion type guards ---
+
+const BASTION_MESSAGE_TYPES = new Set<string>([
+  "bastion-enroll", "bastion-heartbeat", "bastion-state-sync",
+  "bastion-progress", "bastion-install-log", "command-response",
+]);
+
+const LABD_BASTION_MESSAGE_TYPES = new Set<string>([
+  "bastion-enrolled", "bastion-heartbeat-ack", "command-install",
+  "command-forget", "command-role-update", "server-shutdown",
+]);
+
+export function isBastionMessage(msg: unknown): msg is BastionMessage {
+  return (
+    typeof msg === "object" &&
+    msg !== null &&
+    "type" in msg &&
+    typeof (msg as { type: unknown }).type === "string" &&
+    BASTION_MESSAGE_TYPES.has((msg as { type: string }).type)
+  );
+}
+
+export function isLabdBastionMessage(msg: unknown): msg is LabdBastionMessage {
+  return (
+    typeof msg === "object" &&
+    msg !== null &&
+    "type" in msg &&
+    typeof (msg as { type: unknown }).type === "string" &&
+    LABD_BASTION_MESSAGE_TYPES.has((msg as { type: string }).type)
+  );
+}
+
+export function parseBastionMessage(data: string): BastionMessage {
+  const msg: unknown = JSON.parse(data);
+  if (!isBastionMessage(msg)) {
+    throw new Error(`Invalid bastion message: ${(msg as { type?: string }).type ?? "unknown"}`);
+  }
+  return msg;
+}
+
+export function parseLabdBastionMessage(data: string): LabdBastionMessage {
+  const msg: unknown = JSON.parse(data);
+  if (!isLabdBastionMessage(msg)) {
+    throw new Error(`Invalid labd-bastion message: ${(msg as { type?: string }).type ?? "unknown"}`);
+  }
+  return msg;
+}
+
+// --- Request ID utility ---
+
+export function generateRequestId(): string {
+  return randomUUID();
+}
diff --git a/bastion/src/shared/src/types/config.ts b/bastion/src/shared/src/types/config.ts
new file mode 100644
index 0000000..7c1d72f
--- /dev/null
+++ b/bastion/src/shared/src/types/config.ts
@@ -0,0 +1,36 @@
+// Configuration types for the bastion server.
+
+export interface BastionConfig {
+  fedoraVersion: string;
+  arch: string;
+  httpPort: number;
+  timezone: string;
+  locale: string;
+  bastionDir: string;
+  domain: string;
+  dhcpMode: "proxy" | "full";
+  dhcpRangeStart: string;
+  dhcpRangeEnd: string;
+  // Ubuntu support
+  ubuntuVersion: string;
+  ubuntuMirror: string;
+  // Syslog listener for install logs (Anaconda logging --host)
+  syslogPort: number;
+  // Flags
+  skipDnsmasq?: boolean | undefined;
+  skipArtifacts?: boolean | undefined;
+  // Labd registration (optional — if unset, bastion runs standalone)
+  labdUrl?: string | undefined;
+  bastionJoinToken?: string | undefined;
+  // Derived at runtime
+  iface: string;
+  serverIp: string;
+  network: string;
+  gateway: string;
+  sshKeys: string[];
+  adminUser: string;
+  fedoraMirror: string;
+  tftpDir: string;
+  httpDir: string;
+  stateFile: string;
+}
diff --git a/bastion/src/shared/src/types/index.ts b/bastion/src/shared/src/types/index.ts
new file mode 100644
index 0000000..8ff20ed
--- /dev/null
+++ b/bastion/src/shared/src/types/index.ts
@@ -0,0 +1,14 @@
+export type {
+  OsId,
+  Arch,
+  Role,
+  HardwareInfo,
+  InstallConfig,
+  InstalledInfo,
+  BastionState,
+} from "./state.js";
+
+export { SUPPORTED_OS, SUPPORTED_ROLES, ROLE_REGISTRY, isValidOsId } from "./state.js";
+export type { RoleInfo } from "./state.js";
+
+export type { BastionConfig } from "./config.js";
diff --git a/bastion/src/shared/src/types/state.ts b/bastion/src/shared/src/types/state.ts
new file mode 100644
index 0000000..9be3d21
--- /dev/null
+++ b/bastion/src/shared/src/types/state.ts
@@ -0,0 +1,105 @@
+// State types for discovered machines, install queue, and installed machines.
+
+export type ProvisionStackType = "dhcpproxy" | "iso" | "cloud-init";
+
+export type OsId = "fedora-43" | "ubuntu-26.04";
+export type Arch = "x86_64" | "aarch64";
+
+export const SUPPORTED_OS: readonly OsId[] = ["fedora-43", "ubuntu-26.04"] as const;
+
+export function isValidOsId(value: string): value is OsId {
+  return (SUPPORTED_OS as readonly string[]).includes(value);
+}
+
+export interface HardwareInfo {
+  mac: string;
+  product: string;
+  board: string;
+  serial: string;
+  manufacturer: string;
+  cpu_model: string;
+  cpu_cores: number;
+  memory_gb: number;
+  arch: string;
+  disks: Array<{ name: string; size_gb: number; model: string }>;
+  nics: Array<{ name: string; mac: string; state: string }>;
+  first_seen: string;
+  last_seen: string;
+  bastionId?: string;  // set when aggregated through labd
+}
+
+export type Role = "vanilla" | "worker" | "infra" | "labcontroller";
+export const SUPPORTED_ROLES: readonly Role[] = ["vanilla", "worker", "infra", "labcontroller"] as const;
+
+export interface RoleInfo {
+  name: Role;
+  description: string;
+  parent?: Role;       // inherits from this role
+  k3s: boolean;        // installs k3s
+  apps: string[];      // apps auto-deployed after k3s
+}
+
+export const ROLE_REGISTRY: readonly RoleInfo[] = [
+  {
+    name: "vanilla",
+    description: "OS only — no k3s, no cluster services",
+    k3s: false,
+    apps: [],
+  },
+  {
+    name: "worker",
+    description: "k3s agent + Longhorn storage — joins existing cluster",
+    parent: "vanilla",
+    k3s: true,
+    apps: [],
+  },
+  {
+    name: "infra",
+    description: "k3s server + etcd — control plane node",
+    parent: "vanilla",
+    k3s: true,
+    apps: [],
+  },
+  {
+    name: "labcontroller",
+    description: "infra + bastion + labd + CockroachDB — self-sufficient provisioning node",
+    parent: "infra",
+    k3s: true,
+    apps: ["cockroachdb", "labd", "bastion"],
+  },
+] as const;
+
+export interface ProgressLogEntry {
+  stage: string;
+  detail: string;
+  timestamp: string;
+}
+
+export interface InstallConfig {
+  hostname: string;
+  disk: string;
+  role: Role;
+  os?: OsId;          // defaults to "fedora-43" for backward compat
+  arch?: Arch;         // detected from HardwareInfo or overridden
+  queued_at: string;
+  progress?: string;
+  progress_at?: string;
+  progress_detail?: string;
+  log?: ProgressLogEntry[];   // full progress history
+  bastionId?: string;  // set when aggregated through labd
+}
+
+export interface InstalledInfo {
+  hostname: string;
+  role: string;
+  os?: OsId;
+  ip: string;
+  installed_at: string;
+  bastionId?: string;  // set when aggregated through labd
+}
+
+export interface BastionState {
+  discovered: Record<string, HardwareInfo>;
+  install_queue: Record<string, InstallConfig>;
+  installed: Record<string, InstalledInfo>;
+}
diff --git a/bastion/src/shared/tests/errors.test.ts b/bastion/src/shared/tests/errors.test.ts
new file mode 100644
index 0000000..0fc3086
--- /dev/null
+++ b/bastion/src/shared/tests/errors.test.ts
@@ -0,0 +1,85 @@
+// Tests for error hierarchy.
+
+import { describe, it, expect } from "vitest";
+import {
+  LabError,
+  NotFoundError,
+  PermissionDeniedError,
+  ValidationError,
+  AgentNotConnectedError,
+  isLabError,
+} from "../src/errors/index.js";
+
+describe("LabError", () => {
+  it("preserves stack trace", () => {
+    const err = new LabError("test", "TEST", 500);
+    expect(err.stack).toContain("errors.test");
+  });
+
+  it("sets name to constructor name", () => {
+    expect(new LabError("x", "X", 500).name).toBe("LabError");
+    expect(new NotFoundError("Server", "w1").name).toBe("NotFoundError");
+  });
+
+  it("toJSON returns structured error", () => {
+    const err = new LabError("msg", "CODE", 418, { key: "val" });
+    const json = err.toJSON();
+    expect(json).toEqual({
+      error: "msg",
+      code: "CODE",
+      statusCode: 418,
+      details: { key: "val" },
+    });
+  });
+});
+
+describe("NotFoundError", () => {
+  it("has 404 status", () => {
+    const err = new NotFoundError("Server", "worker-1");
+    expect(err.statusCode).toBe(404);
+    expect(err.code).toBe("NOT_FOUND");
+    expect(err.message).toContain("Server");
+    expect(err.message).toContain("worker-1");
+  });
+});
+
+describe("PermissionDeniedError", () => {
+  it("has 403 status", () => {
+    const err = new PermissionDeniedError("exec", "server/w1", "no permission");
+    expect(err.statusCode).toBe(403);
+    expect(err.code).toBe("PERMISSION_DENIED");
+    expect(err.message).toContain("exec");
+  });
+});
+
+describe("ValidationError", () => {
+  it("has 400 status", () => {
+    const err = new ValidationError("bad input", "hostname");
+    expect(err.statusCode).toBe(400);
+    expect(err.code).toBe("VALIDATION_ERROR");
+  });
+});
+
+describe("AgentNotConnectedError", () => {
+  it("has 503 status", () => {
+    const err = new AgentNotConnectedError("worker-1");
+    expect(err.statusCode).toBe(503);
+    expect(err.message).toContain("worker-1");
+  });
+});
+
+describe("isLabError", () => {
+  it("returns true for LabError subclasses", () => {
+    expect(isLabError(new NotFoundError("x", "y"))).toBe(true);
+    expect(isLabError(new PermissionDeniedError("a", "b"))).toBe(true);
+  });
+
+  it("returns false for plain Error", () => {
+    expect(isLabError(new Error("nope"))).toBe(false);
+  });
+
+  it("returns false for non-errors", () => {
+    expect(isLabError("string")).toBe(false);
+    expect(isLabError(null)).toBe(false);
+  });
+});
diff --git a/bastion/src/shared/tests/protocol.test.ts b/bastion/src/shared/tests/protocol.test.ts
new file mode 100644
index 0000000..58142a2
--- /dev/null
+++ b/bastion/src/shared/tests/protocol.test.ts
@@ -0,0 +1,109 @@
+// Tests for WebSocket protocol types, type guards, and parsing.
+
+import { describe, it, expect } from "vitest";
+import {
+  isAgentMessage,
+  isServerMessage,
+  parseAgentMessage,
+  parseServerMessage,
+  generateRequestId,
+} from "../src/protocol/index.js";
+
+describe("protocol type guards", () => {
+  it("isAgentMessage accepts valid heartbeat", () => {
+    expect(
+      isAgentMessage({
+        type: "heartbeat",
+        hostname: "worker-1",
+        uptime: 100,
+        version: "0.1.0",
+        memUsage: 1024,
+        cpuUsage: 0.5,
+      }),
+    ).toBe(true);
+  });
+
+  it("isAgentMessage accepts valid exec-exit", () => {
+    expect(
+      isAgentMessage({ type: "exec-exit", requestId: "abc", exitCode: 0 }),
+    ).toBe(true);
+  });
+
+  it("isAgentMessage rejects unknown type", () => {
+    expect(isAgentMessage({ type: "unknown-type" })).toBe(false);
+  });
+
+  it("isAgentMessage rejects non-object", () => {
+    expect(isAgentMessage("heartbeat")).toBe(false);
+    expect(isAgentMessage(null)).toBe(false);
+    expect(isAgentMessage(42)).toBe(false);
+  });
+
+  it("isServerMessage accepts valid exec", () => {
+    expect(
+      isServerMessage({
+        type: "exec",
+        requestId: "abc",
+        command: "ls",
+        args: ["-la"],
+        timeout: 30000,
+        tty: false,
+      }),
+    ).toBe(true);
+  });
+
+  it("isServerMessage accepts server-shutdown", () => {
+    expect(
+      isServerMessage({ type: "server-shutdown", reconnectAfter: 5000 }),
+    ).toBe(true);
+  });
+
+  it("isServerMessage rejects agent message types", () => {
+    expect(isServerMessage({ type: "heartbeat" })).toBe(false);
+  });
+});
+
+describe("parseAgentMessage", () => {
+  it("parses valid JSON", () => {
+    const msg = parseAgentMessage(
+      JSON.stringify({ type: "heartbeat", hostname: "w1", uptime: 1, version: "0.1.0", memUsage: 0, cpuUsage: 0 }),
+    );
+    expect(msg.type).toBe("heartbeat");
+  });
+
+  it("throws on invalid JSON", () => {
+    expect(() => parseAgentMessage("not json")).toThrow();
+  });
+
+  it("throws on invalid message type", () => {
+    expect(() => parseAgentMessage(JSON.stringify({ type: "bogus" }))).toThrow(
+      "Invalid agent message",
+    );
+  });
+});
+
+describe("parseServerMessage", () => {
+  it("parses valid JSON", () => {
+    const msg = parseServerMessage(
+      JSON.stringify({ type: "heartbeat-ack", serverTime: "2026-01-01T00:00:00Z" }),
+    );
+    expect(msg.type).toBe("heartbeat-ack");
+  });
+
+  it("throws on agent message type", () => {
+    expect(() =>
+      parseServerMessage(JSON.stringify({ type: "heartbeat" })),
+    ).toThrow("Invalid server message");
+  });
+});
+
+describe("generateRequestId", () => {
+  it("returns a string", () => {
+    expect(typeof generateRequestId()).toBe("string");
+  });
+
+  it("returns unique IDs", () => {
+    const ids = new Set(Array.from({ length: 100 }, () => generateRequestId()));
+    expect(ids.size).toBe(100);
+  });
+});
diff --git a/bastion/src/shared/tsconfig.json b/bastion/src/shared/tsconfig.json
new file mode 100644
index 0000000..df59da5
--- /dev/null
+++ b/bastion/src/shared/tsconfig.json
@@ -0,0 +1,8 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "include": ["src/**/*.ts"]
+}
diff --git a/bastion/src/shared/vitest.config.ts b/bastion/src/shared/vitest.config.ts
new file mode 100644
index 0000000..28c192f
--- /dev/null
+++ b/bastion/src/shared/vitest.config.ts
@@ -0,0 +1,8 @@
+import { defineProject } from 'vitest/config';
+
+export default defineProject({
+  test: {
+    name: 'shared',
+    include: ['tests/**/*.test.ts'],
+  },
+});
diff --git a/bastion/stack/.env.example b/bastion/stack/.env.example
new file mode 100644
index 0000000..6f27615
--- /dev/null
+++ b/bastion/stack/.env.example
@@ -0,0 +1,36 @@
+# Lab PXE Bastion -- Environment Configuration
+#
+# Copy this file to .env and adjust as needed.
+
+# Fedora version to install
+FEDORA_VERSION=43
+
+# Target architecture
+ARCH=x86_64
+
+# HTTP server port
+HTTP_PORT=8080
+
+# System locale and timezone for installed machines
+TIMEZONE=Europe/London
+LOCALE=en_GB.UTF-8
+
+# Data directory (inside container)
+BASTION_DIR=/data
+
+# Internal domain for hostnames (e.g., node1.ad.itaz.eu)
+DOMAIN=ad.itaz.eu
+
+# DHCP mode: "proxy" works alongside existing DHCP (e.g., UniFi)
+#             "full" means bastion is the only DHCP server
+DHCP_MODE=proxy
+
+# Only used in full DHCP mode -- auto-derived from network if empty
+DHCP_RANGE_START=
+DHCP_RANGE_END=
+
+# Path to SSH keys directory on host (mounted read-only)
+SSH_KEY_PATH=~/.ssh
+
+# CockroachDB connection (used by labd)
+DATABASE_URL=postgresql://root@localhost:26257/labctl?sslmode=disable
diff --git a/bastion/stack/Dockerfile b/bastion/stack/Dockerfile
new file mode 100644
index 0000000..b421eca
--- /dev/null
+++ b/bastion/stack/Dockerfile
@@ -0,0 +1,70 @@
+# Stage 1: Build TypeScript
+FROM node:22-alpine AS builder
+
+RUN corepack enable && corepack prepare pnpm@9.15.0 --activate
+
+WORKDIR /app
+
+# Copy workspace config and package manifests
+COPY pnpm-workspace.yaml pnpm-lock.yaml package.json tsconfig.base.json tsconfig.json ./
+COPY src/shared/package.json src/shared/tsconfig.json src/shared/
+COPY src/bastion/package.json src/bastion/tsconfig.json src/bastion/
+COPY src/cli/package.json src/cli/tsconfig.json src/cli/
+
+# Install all dependencies
+RUN pnpm install --frozen-lockfile
+
+# Copy source code
+COPY src/shared/src/ src/shared/src/
+COPY src/bastion/src/ src/bastion/src/
+COPY src/cli/src/ src/cli/src/
+
+# Build TypeScript
+RUN pnpm build
+
+# Stage 2: Production runtime
+FROM fedora:43
+
+# Install system dependencies
+RUN dnf install -y \
+    dnsmasq \
+    ipxe-bootimgs-x86 \
+    ipxe-bootimgs-aarch64 \
+    curl \
+    openssh-clients \
+    nodejs \
+    npm \
+    && dnf clean all
+
+# Install pnpm
+RUN npm install -g pnpm@9
+
+# Create app directory
+WORKDIR /app
+
+# Copy workspace config, manifests, and lockfile
+COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
+COPY src/shared/package.json src/shared/
+COPY src/bastion/package.json src/bastion/
+COPY src/cli/package.json src/cli/
+
+# Install production dependencies
+RUN pnpm install --frozen-lockfile --prod 2>/dev/null || pnpm install --prod
+
+# Copy built output from builder
+COPY --from=builder /app/src/shared/dist/ src/shared/dist/
+COPY --from=builder /app/src/bastion/dist/ src/bastion/dist/
+COPY --from=builder /app/src/cli/dist/ src/cli/dist/
+
+# Create data directories
+RUN mkdir -p /data/state /data/tftp /data/http
+
+ENV BASTION_DIR=/data
+ENV HTTP_PORT=8080
+
+EXPOSE 8080/tcp
+EXPOSE 67/udp
+EXPOSE 69/udp
+EXPOSE 4011/udp
+
+ENTRYPOINT ["node", "src/cli/dist/index.js", "init", "bastion", "standalone", "start"]
diff --git a/bastion/stack/docker-compose.yml b/bastion/stack/docker-compose.yml
new file mode 100644
index 0000000..e148b68
--- /dev/null
+++ b/bastion/stack/docker-compose.yml
@@ -0,0 +1,33 @@
+services:
+  bastion:
+    build:
+      context: ..
+      dockerfile: stack/Dockerfile
+    network_mode: host
+    restart: unless-stopped
+    env_file: .env
+    volumes:
+      - bastion-state:/data/state
+      - bastion-tftp:/data/tftp
+      - bastion-http:/data/http
+      - ${SSH_KEY_PATH:-~/.ssh}:/root/.ssh:ro
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+
+  cockroachdb:
+    image: cockroachdb/cockroach:latest-v24.3
+    command: start-single-node --insecure --store=type=mem,size=256MiB
+    ports:
+      - "26257:26257"
+      - "8081:8080"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+volumes:
+  bastion-state:
+  bastion-tftp:
+  bastion-http:
diff --git a/bastion/tests/integration/arm-iso-provision.test.ts b/bastion/tests/integration/arm-iso-provision.test.ts
new file mode 100644
index 0000000..6521aeb
--- /dev/null
+++ b/bastion/tests/integration/arm-iso-provision.test.ts
@@ -0,0 +1,339 @@
+// Integration test: ARM (aarch64) boot ISO provisioning.
+//
+// Simulates the MinisForum R1 scenario: ARM machine without PXE support,
+// booting from the bastion-generated ISO via QEMU aarch64 emulation.
+//
+// IMPORTANT: This runs under emulation (not KVM), so it's SLOW (~30-60 min).
+// The ISO contains an embedded aarch64 kernel+initrd for the fallback path.
+//
+// Prerequisites:
+//   - qemu-system-aarch64 installed (sudo dnf install qemu-system-aarch64)
+//   - edk2-aarch64 installed (sudo dnf install edk2-aarch64)
+//   - xorriso, mtools for ISO generation
+//   - sudo access, libvirtd running
+//
+// Run: sudo pnpm run test:integration:arm-iso
+
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { readFileSync, existsSync, mkdirSync, rmSync, copyFileSync, symlinkSync, writeFileSync } from "node:fs";
+import { execSync } from "node:child_process";
+import { join } from "node:path";
+import { homedir, tmpdir } from "node:os";
+import { log, waitForSsh } from "./helpers/libvirt.js";
+import { ensurePxeNetwork, destroyPxeNetwork, PXE_NETWORK_NAME, PXE_GATEWAY, PXE_SUBNET } from "./helpers/pxe-network.js";
+import { createIsoVm, destroyPxeVm, getVmMac, rebootPxeVm } from "./helpers/pxe-vm.js";
+import { sshExec } from "./helpers/ssh.js";
+
+const VM_NAME = "lab-arm-iso-test";
+const VM_MEMORY = 4096;
+const VM_VCPUS = 2;
+const VM_DISK_GB = 250;       // LVM layout needs ~204GB, QCOW2 is sparse
+const HTTP_PORT = 8097;       // different from x86 tests
+const SSH_USER = "michal";
+const BASTION_IP = PXE_GATEWAY;
+const DHCP_RANGE_START = `${PXE_SUBNET}.100`;
+const DHCP_RANGE_END = `${PXE_SUBNET}.200`;
+
+// ARM emulation is SLOW — generous timeouts
+const DISCOVERY_TIMEOUT_MS = 15 * 60_000;   // 15 min for emulated boot + discovery
+const INSTALL_TIMEOUT_MS = 60 * 60_000;     // 60 min for emulated Fedora install
+const SSH_TIMEOUT_MS = 15 * 60_000;         // 15 min for emulated reboot + SSH
+
+function findSshKey(): { pubKey: string; keyPath: string } {
+  const homes = [homedir()];
+  const sudoUser = process.env["SUDO_USER"];
+  if (sudoUser) homes.push(join("/home", sudoUser));
+  if (process.env["SSH_KEY_PATH"]) {
+    const keyPath = process.env["SSH_KEY_PATH"];
+    const pubPath = `${keyPath}.pub`;
+    if (existsSync(keyPath) && existsSync(pubPath)) {
+      return { pubKey: readFileSync(pubPath, "utf-8").trim(), keyPath };
+    }
+  }
+  for (const home of homes) {
+    for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+      const keyPath = join(home, ".ssh", name);
+      const pubPath = `${keyPath}.pub`;
+      if (existsSync(keyPath) && existsSync(pubPath)) {
+        return { pubKey: readFileSync(pubPath, "utf-8").trim(), keyPath };
+      }
+    }
+  }
+  throw new Error("No SSH key found");
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+async function pollApi<T>(
+  url: string,
+  check: (data: T) => boolean,
+  timeoutMs: number,
+  intervalMs = 10000,
+): Promise<T> {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const res = await fetch(url);
+      if (res.ok) {
+        const data = (await res.json()) as T;
+        if (check(data)) return data;
+      }
+    } catch { /* bastion not ready */ }
+    await sleep(intervalMs);
+  }
+  throw new Error(`Timeout after ${timeoutMs}ms polling ${url}`);
+}
+
+describe("ARM ISO boot provisioning", () => {
+  let bastionApp: { close: () => Promise<void> };
+  let testDir: string;
+  let vmMac: string;
+  let vmIp: string;
+  let sshKeyPath: string;
+
+  beforeAll(async () => {
+    // Check ARM prerequisites
+    if (!existsSync("/usr/bin/qemu-system-aarch64")) {
+      throw new Error("qemu-system-aarch64 not installed. Run: sudo dnf install qemu-system-aarch64");
+    }
+    if (!existsSync("/usr/share/edk2/aarch64/QEMU_EFI.fd")) {
+      throw new Error("AAVMF not installed. Run: sudo dnf install edk2-aarch64");
+    }
+
+    const { pubKey, keyPath } = findSshKey();
+    sshKeyPath = keyPath;
+
+    // 1. Network
+    log("Setting up PXE test network (for ARM ISO test)...");
+    ensurePxeNetwork();
+
+    // 2. Bastion dirs
+    testDir = join(tmpdir(), `lab-arm-iso-test-${Date.now()}`);
+    mkdirSync(testDir, { recursive: true });
+    mkdirSync(join(testDir, "tftp"), { recursive: true });
+    mkdirSync(join(testDir, "http"), { recursive: true });
+    mkdirSync(join(testDir, "logs"), { recursive: true });
+
+    // 3. Start bastion with ISO generation (needs both x86_64 and aarch64 artifacts)
+    log("Starting bastion with ARM boot ISO generation...");
+
+    const { createApp } = await import("../../src/bastion/src/server.js");
+    const { loadConfig } = await import("../../src/bastion/src/config.js");
+    const { generateDnsmasqConf, startDnsmasq } = await import("../../src/bastion/src/services/dnsmasq.js");
+    const { generateDiscoverKickstart } = await import("../../src/bastion/src/services/kickstart-generator.js");
+    const { renderBootIpxe } = await import("../../src/bastion/src/templates/boot.ipxe.js");
+    const { ensureBootIso } = await import("../../src/bastion/src/routes/boot-iso.js");
+
+    const config = loadConfig({
+      bastionDir: testDir,
+      httpPort: HTTP_PORT,
+      iface: "virbr-pxe",
+      serverIp: BASTION_IP,
+      network: `${PXE_SUBNET}.0`,
+      gateway: BASTION_IP,
+      dhcpMode: "full",
+      dhcpRangeStart: DHCP_RANGE_START,
+      dhcpRangeEnd: DHCP_RANGE_END,
+      domain: "arm-test.local",
+      sshKeys: [pubKey],
+      adminUser: SSH_USER,
+    });
+
+    // iPXE for TFTP (x86_64 — still needed for dnsmasq config)
+    const ipxeSrc = "/usr/share/ipxe/ipxe-snponly-x86_64.efi";
+    if (existsSync(ipxeSrc)) {
+      copyFileSync(ipxeSrc, join(config.tftpDir, "ipxe.efi"));
+    }
+
+    // Fedora kernel + initrd for BOTH architectures
+    const cacheDir = "/var/lib/libvirt/images/lab-pxe-cache";
+    execSync(`mkdir -p "${cacheDir}"`, { stdio: "pipe" });
+
+    // x86_64 (for the bastion HTTP serving)
+    for (const [arch, prefix] of [["x86_64", ""], ["aarch64", "aarch64-"]] as const) {
+      const mirror = `https://download.fedoraproject.org/pub/fedora/linux/releases/${config.fedoraVersion}/Everything/${arch}/os`;
+      const kernel = join(cacheDir, `vmlinuz-${arch}`);
+      const initrd = join(cacheDir, `initrd-${arch}.img`);
+
+      if (!existsSync(kernel)) {
+        log(`Downloading Fedora ${config.fedoraVersion} ${arch} kernel...`);
+        execSync(`curl -# -L -f -o "${kernel}" "${mirror}/images/pxeboot/vmlinuz"`, { stdio: "inherit", timeout: 300_000 });
+      } else {
+        log(`Fedora ${arch} kernel cached`);
+      }
+      if (!existsSync(initrd)) {
+        log(`Downloading Fedora ${config.fedoraVersion} ${arch} initrd...`);
+        execSync(`curl -# -L -f -o "${initrd}" "${mirror}/images/pxeboot/initrd.img"`, { stdio: "inherit", timeout: 300_000 });
+      } else {
+        log(`Fedora ${arch} initrd cached`);
+      }
+
+      // x86_64 artifacts go to httpDir for normal PXE serving
+      if (arch === "x86_64") {
+        copyFileSync(kernel, join(config.httpDir, "vmlinuz"));
+        copyFileSync(initrd, join(config.httpDir, "initrd.img"));
+      }
+    }
+
+    try { symlinkSync(join(config.tftpDir, "ipxe.efi"), join(config.httpDir, "ipxe.efi")); } catch { /* exists */ }
+
+    // Generate boot scripts
+    const discoverKs = generateDiscoverKickstart(config);
+    writeFileSync(join(config.httpDir, "discover.ks"), discoverKs);
+    const bootIpxe = renderBootIpxe({ serverIp: config.serverIp, httpPort: config.httpPort });
+    writeFileSync(join(config.httpDir, "boot.ipxe"), bootIpxe);
+
+    // Generate the boot ISO — includes both x86_64 and aarch64 payloads
+    log("Generating boot ISO with ARM support...");
+    ensureBootIso(config);
+
+    const isoPath = join(config.httpDir, "boot.iso");
+    if (!existsSync(isoPath)) {
+      throw new Error("Boot ISO was not generated");
+    }
+    const { statSync } = await import("node:fs");
+    const isoSize = statSync(isoPath).size;
+    log(`Boot ISO generated: ${(isoSize / 1024 / 1024).toFixed(1)}MB`);
+
+    // dnsmasq + HTTP server
+    generateDnsmasqConf(config);
+    const { app } = createApp(config);
+    bastionApp = app;
+    await app.listen({ port: config.httpPort, host: "0.0.0.0" });
+    log(`Bastion HTTP listening on :${HTTP_PORT}`);
+
+    void startDnsmasq(config);
+    await sleep(1000);
+
+    // 4. Create ARM VM booting from ISO
+    log("Creating ARM ISO boot VM (aarch64 emulation — this will be SLOW)...");
+    createIsoVm({
+      name: VM_NAME,
+      memory: VM_MEMORY,
+      vcpus: VM_VCPUS,
+      diskSize: VM_DISK_GB,
+      network: PXE_NETWORK_NAME,
+      isoPath,
+      arch: "aarch64",
+    });
+
+    const mac = getVmMac(VM_NAME);
+    if (!mac) throw new Error("Could not determine VM MAC address");
+    vmMac = mac;
+    log(`ARM VM MAC: ${vmMac}`);
+
+    // 5. Wait for discovery (ARM emulation is slow)
+    log("Waiting for ARM VM to boot ISO -> iPXE -> DHCP -> bastion -> discover...");
+    log("(ARM emulation is ~10x slower than native — be patient)");
+    type MachinesResponse = { discovered: Record<string, unknown> };
+    await pollApi<MachinesResponse>(
+      `http://${BASTION_IP}:${HTTP_PORT}/api/machines`,
+      (data) => vmMac in data.discovered,
+      DISCOVERY_TIMEOUT_MS,
+      15_000,
+    );
+    log("ARM VM discovered via ISO boot!");
+
+    // 6. Queue install
+    log("Queueing ARM machine for install...");
+    await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/install`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ mac: vmMac, hostname: VM_NAME, disk: "", role: "vanilla" }),
+    });
+
+    // 7. Reboot for install
+    log("Waiting for discovery reboot...");
+    await sleep(30_000); // ARM is slow
+    rebootPxeVm(VM_NAME);
+
+    // 8. Wait for install (ARM emulation makes this very slow)
+    log("Waiting for ARM install (emulated — expect 30-60 minutes)...");
+    type LogsResponse = { status: string; progress: string; ip?: string };
+    const finalState = await pollApi<LogsResponse>(
+      `http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`,
+      (data) => data.status === "installed" || data.progress === "error",
+      INSTALL_TIMEOUT_MS,
+      30_000,
+    );
+
+    if (finalState.progress === "error") {
+      const logsRes = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`);
+      const logs = await logsRes.json();
+      log(`ARM INSTALL FAILED. State: ${JSON.stringify(logs, null, 2)}`);
+      throw new Error("ARM install failed — check logs above");
+    }
+
+    vmIp = finalState.ip ?? "";
+    log(`ARM install complete! VM IP: ${vmIp}`);
+
+    // 9. Ensure VM is running after kickstart reboot/poweroff
+    log("Waiting for kickstart reboot/poweroff...");
+    await sleep(30_000); // ARM is slow
+    const { spawnSync: spSync } = await import("node:child_process");
+    const stateResult = spSync("sudo", ["virsh", "domstate", VM_NAME], { encoding: "utf-8", stdio: "pipe" });
+    if (stateResult.stdout?.trim() === "shut off") {
+      log("ARM VM shut off after install. Restarting...");
+      rebootPxeVm(VM_NAME);
+    }
+
+    // 10. Wait for SSH (ARM reboot is slow)
+    log("Waiting for SSH on ARM VM...");
+    await waitForSsh(vmIp, SSH_USER, SSH_TIMEOUT_MS, sshKeyPath);
+    log("ARM ISO boot provision test setup complete.");
+
+  }, DISCOVERY_TIMEOUT_MS + INSTALL_TIMEOUT_MS + SSH_TIMEOUT_MS + 300_000);
+
+  afterAll(async () => {
+    log("Cleaning up ARM test...");
+    if (bastionApp) await bastionApp.close().catch(() => {});
+    const { stopDnsmasq } = await import("../../src/bastion/src/services/dnsmasq.js");
+    stopDnsmasq();
+    destroyPxeVm(VM_NAME);
+    destroyPxeNetwork();
+    if (testDir) rmSync(testDir, { recursive: true, force: true });
+  });
+
+  it("ARM machine was discovered and installed", async () => {
+    const res = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/machines`);
+    const data = (await res.json()) as { installed: Record<string, { hostname: string }> };
+    expect(data.installed[vmMac]).toBeDefined();
+    expect(data.installed[vmMac].hostname).toBe(VM_NAME);
+  });
+
+  it("architecture is aarch64", async () => {
+    const result = sshExec(vmIp, SSH_USER, "uname -m", { keyPath: sshKeyPath, timeout: 30_000 });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe("aarch64");
+  });
+
+  it("SSH works", () => {
+    const result = sshExec(vmIp, SSH_USER, "whoami", { keyPath: sshKeyPath, timeout: 30_000 });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe(SSH_USER);
+  });
+
+  it("hostname is correct", () => {
+    const result = sshExec(vmIp, SSH_USER, "hostname -f", { keyPath: sshKeyPath, timeout: 30_000 });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toContain(VM_NAME);
+  });
+
+  it("provisioning metadata exists", () => {
+    const result = sshExec(vmIp, SSH_USER, "cat /etc/lab-provisioned", { keyPath: sshKeyPath, timeout: 30_000 });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain(`hostname: ${VM_NAME}`);
+    expect(result.stdout).toContain("role: vanilla");
+  });
+
+  it("LVM layout is correct", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo lvs labvg --noheadings -o lv_name", { keyPath: sshKeyPath, timeout: 30_000 });
+    expect(result.exitCode).toBe(0);
+    const lvs = result.stdout.trim().split("\n").map((l: string) => l.trim());
+    for (const expected of ["root", "var", "varlog", "swap", "home", "srv"]) {
+      expect(lvs).toContain(expected);
+    }
+  });
+});
diff --git a/bastion/tests/integration/helpers/libvirt.ts b/bastion/tests/integration/helpers/libvirt.ts
new file mode 100644
index 0000000..ca4d51b
--- /dev/null
+++ b/bastion/tests/integration/helpers/libvirt.ts
@@ -0,0 +1,219 @@
+// Libvirt VM lifecycle management for integration tests.
+
+import { execSync, spawnSync, type SpawnSyncReturns } from "node:child_process";
+import { existsSync, mkdirSync, writeFileSync, unlinkSync } from "node:fs";
+import { join } from "node:path";
+
+const IMAGE_DIR = "/var/lib/libvirt/images";
+// Cloud-init ISOs must be in a path accessible to the host's libvirtd,
+// so we use the shared images directory (not /tmp which may be container-only).
+const CLOUD_INIT_DIR = "/var/lib/libvirt/images/lab-cloud-init";
+
+// When running as root (inside container or via sudo), don't prefix with sudo.
+const IS_ROOT = process.getuid?.() === 0;
+
+/** Run a shell command, prefixing with sudo if not root. */
+function run(cmd: string, opts?: { timeout?: number }): string {
+  const full = IS_ROOT ? cmd : `sudo ${cmd}`;
+  return execSync(full, { encoding: "utf-8", stdio: "pipe", timeout: opts?.timeout ?? 60_000 });
+}
+
+/** Spawn a command, prefixing args with sudo if not root. */
+function virsh(...args: string[]): SpawnSyncReturns<string> {
+  const cmd = IS_ROOT ? "virsh" : "sudo";
+  const finalArgs = IS_ROOT ? args : ["virsh", ...args];
+  return spawnSync(cmd, finalArgs, { encoding: "utf-8", stdio: "pipe", timeout: 30_000 });
+}
+
+export interface VmConfig {
+  name: string;
+  memory: number;       // MB
+  vcpus: number;
+  diskSize: number;     // GB
+  network: string;      // libvirt network name
+  cloudImageUrl: string;
+  sshPubKey: string;    // content of authorized key
+  userData?: string;     // custom cloud-init user-data
+}
+
+export function log(msg: string): void {
+  const ts = new Date().toISOString().slice(11, 19);
+  console.log(`  [${ts}] ${msg}`);
+}
+
+/** Download a cloud image if not already cached. */
+export function ensureCloudImage(url: string, name: string): string {
+  const dest = join(IMAGE_DIR, `${name}.qcow2`);
+  if (existsSync(dest)) {
+    log(`Cloud image cached: ${dest}`);
+    return dest;
+  }
+  log(`Downloading cloud image: ${url}`);
+  run(`curl -L -f -o "${dest}" "${url}"`, { timeout: 300_000 });
+  return dest;
+}
+
+/** Create a cloud-init ISO for a VM. */
+export function createCloudInitIso(vmName: string, config: VmConfig): string {
+  mkdirSync(CLOUD_INIT_DIR, { recursive: true });
+  const dir = join(CLOUD_INIT_DIR, vmName);
+  mkdirSync(dir, { recursive: true });
+
+  const userData = config.userData ?? `#cloud-config
+hostname: ${vmName}
+manage_etc_hosts: true
+users:
+  - default
+  - name: fedora
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - ${config.sshPubKey}
+ssh_pwauth: false
+package_update: false
+packages:
+  - curl
+  - socat
+  - conntrack-tools
+  - ethtool
+  - iptables-nft
+runcmd:
+  - modprobe br_netfilter
+  - modprobe overlay
+  - |
+    cat > /etc/sysctl.d/90-k3s.conf << 'EOF'
+    net.bridge.bridge-nf-call-iptables = 1
+    net.bridge.bridge-nf-call-ip6tables = 1
+    net.ipv4.ip_forward = 1
+    vm.panic_on_oom = 0
+    vm.overcommit_memory = 1
+    kernel.panic = 10
+    kernel.panic_on_oops = 1
+    EOF
+  - sysctl --system
+  - swapoff -a
+  - systemctl disable --now firewalld 2>/dev/null || true
+  - systemctl disable --now ufw 2>/dev/null || true
+`;
+
+  const metaData = `instance-id: ${vmName}\nlocal-hostname: ${vmName}\n`;
+
+  writeFileSync(join(dir, "user-data"), userData);
+  writeFileSync(join(dir, "meta-data"), metaData);
+
+  const isoPath = join(CLOUD_INIT_DIR, `${vmName}-cloud-init.iso`);
+  execSync(
+    `genisoimage -output "${isoPath}" -volid cidata -joliet -rock "${dir}/user-data" "${dir}/meta-data" 2>/dev/null || ` +
+    `mkisofs -output "${isoPath}" -volid cidata -joliet -rock "${dir}/user-data" "${dir}/meta-data" 2>/dev/null || ` +
+    `xorrisofs -output "${isoPath}" -volid cidata -joliet -rock "${dir}/user-data" "${dir}/meta-data"`,
+    { stdio: "pipe" },
+  );
+
+  return isoPath;
+}
+
+/** Create and start a VM from a cloud image with cloud-init. */
+export function createVm(config: VmConfig): void {
+  destroyVm(config.name);
+
+  log(`Creating VM: ${config.name} (${config.memory}MB RAM, ${config.vcpus} vCPU, ${config.diskSize}GB disk)`);
+
+  const baseImage = ensureCloudImage(config.cloudImageUrl, `${config.name}-base`);
+  const diskPath = join(IMAGE_DIR, `${config.name}.qcow2`);
+
+  run(`cp "${baseImage}" "${diskPath}"`);
+  run(`qemu-img resize "${diskPath}" ${config.diskSize}G`);
+
+  const cloudInitIso = createCloudInitIso(config.name, config);
+
+  const virtInstallArgs = [
+    "virt-install",
+    `--name=${config.name}`,
+    `--memory=${config.memory}`,
+    `--vcpus=${config.vcpus}`,
+    `--disk=path=${diskPath},format=qcow2`,
+    `--disk=path=${cloudInitIso},device=cdrom`,
+    `--network=network=${config.network},model=virtio`,
+    "--os-variant=generic",
+    "--import",
+    "--noautoconsole",
+    "--wait=0",
+  ];
+
+  log(`Running: virt-install --name=${config.name} ...`);
+  run(virtInstallArgs.join(" "));
+  log(`VM ${config.name} created and starting`);
+}
+
+/** Destroy a VM and remove its storage. */
+export function destroyVm(name: string): void {
+  const result = virsh("dominfo", name);
+  if (result.status !== 0) return;
+
+  log(`Destroying VM: ${name}`);
+  virsh("destroy", name);
+  virsh("undefine", name, "--remove-all-storage");
+
+  const isoPath = join(CLOUD_INIT_DIR, `${name}-cloud-init.iso`);
+  try { unlinkSync(isoPath); } catch { /* ignore */ }
+}
+
+/** Get the IP address of a running VM. */
+export function getVmIp(name: string): string | null {
+  try {
+    // Try with agent first, then without
+    let output = virsh("domifaddr", name, "--source", "agent").stdout;
+    if (!output || !output.includes(".")) {
+      output = virsh("domifaddr", name).stdout;
+    }
+    const match = output.match(/(\d+\.\d+\.\d+\.\d+)/);
+    return match ? match[1] : null;
+  } catch {
+    return null;
+  }
+}
+
+/** Wait for a VM to get an IP address. */
+export async function waitForVmIp(name: string, timeoutMs: number): Promise<string> {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    const ip = getVmIp(name);
+    if (ip) {
+      log(`VM ${name} got IP: ${ip}`);
+      return ip;
+    }
+    await sleep(2000);
+  }
+  throw new Error(`VM ${name} did not get an IP within ${timeoutMs}ms`);
+}
+
+/** Wait for SSH to become available on a host. */
+export async function waitForSsh(
+  ip: string,
+  user: string,
+  timeoutMs: number,
+  keyPath?: string,
+): Promise<void> {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    const result = spawnSync("ssh", [
+      "-o", "StrictHostKeyChecking=no",
+      "-o", "ConnectTimeout=3",
+      "-o", "BatchMode=yes",
+      ...(keyPath ? ["-i", keyPath] : []),
+      `${user}@${ip}`,
+      "echo ok",
+    ], { encoding: "utf-8", stdio: "pipe", timeout: 10_000 });
+
+    if (result.status === 0 && result.stdout.includes("ok")) {
+      log(`SSH ready on ${ip}`);
+      return;
+    }
+    await sleep(3000);
+  }
+  throw new Error(`SSH not available on ${ip} within ${timeoutMs}ms`);
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((r) => setTimeout(r, ms));
+}
diff --git a/bastion/tests/integration/helpers/network.ts b/bastion/tests/integration/helpers/network.ts
new file mode 100644
index 0000000..9842a19
--- /dev/null
+++ b/bastion/tests/integration/helpers/network.ts
@@ -0,0 +1,68 @@
+// Libvirt network management for integration tests.
+
+import { execSync, spawnSync } from "node:child_process";
+import { writeFileSync, unlinkSync } from "node:fs";
+import { log } from "./libvirt.js";
+
+export const TEST_NETWORK_NAME = "lab-test";
+export const TEST_NETWORK_BRIDGE = "virbr-lab";
+export const TEST_NETWORK_SUBNET = "192.168.250";
+export const TEST_NETWORK_GATEWAY = `${TEST_NETWORK_SUBNET}.1`;
+
+const IS_ROOT = process.getuid?.() === 0;
+
+function run(cmd: string): string {
+  const full = IS_ROOT ? cmd : `sudo ${cmd}`;
+  return execSync(full, { encoding: "utf-8", stdio: "pipe" });
+}
+
+function virsh(...args: string[]): { status: number; stdout: string } {
+  const cmd = IS_ROOT ? "virsh" : "sudo";
+  const finalArgs = IS_ROOT ? args : ["virsh", ...args];
+  const result = spawnSync(cmd, finalArgs, { encoding: "utf-8", stdio: "pipe" });
+  return { status: result.status ?? 1, stdout: result.stdout ?? "" };
+}
+
+const NETWORK_XML = `<network>
+  <name>${TEST_NETWORK_NAME}</name>
+  <forward mode='nat'/>
+  <bridge name='${TEST_NETWORK_BRIDGE}' stp='on' delay='0'/>
+  <ip address='${TEST_NETWORK_GATEWAY}' netmask='255.255.255.0'>
+    <dhcp>
+      <range start='${TEST_NETWORK_SUBNET}.100' end='${TEST_NETWORK_SUBNET}.200'/>
+    </dhcp>
+  </ip>
+</network>`;
+
+/** Ensure the test libvirt network exists and is active. */
+export function ensureTestNetwork(): void {
+  const result = virsh("net-info", TEST_NETWORK_NAME);
+
+  if (result.status === 0 && result.stdout.includes("Active:         yes")) {
+    log(`Network ${TEST_NETWORK_NAME} already active`);
+    return;
+  }
+
+  // Destroy existing if present but inactive
+  if (result.status === 0) {
+    virsh("net-destroy", TEST_NETWORK_NAME);
+    virsh("net-undefine", TEST_NETWORK_NAME);
+  }
+
+  const xmlPath = `/tmp/lab-test-network.xml`;
+  writeFileSync(xmlPath, NETWORK_XML);
+
+  log(`Creating libvirt network: ${TEST_NETWORK_NAME} (${TEST_NETWORK_SUBNET}.0/24)`);
+  run(`virsh net-define "${xmlPath}"`);
+  run(`virsh net-start "${TEST_NETWORK_NAME}"`);
+
+  try { unlinkSync(xmlPath); } catch { /* ignore */ }
+  log(`Network ${TEST_NETWORK_NAME} created and active`);
+}
+
+/** Destroy the test network. */
+export function destroyTestNetwork(): void {
+  log(`Destroying network: ${TEST_NETWORK_NAME}`);
+  virsh("net-destroy", TEST_NETWORK_NAME);
+  virsh("net-undefine", TEST_NETWORK_NAME);
+}
diff --git a/bastion/tests/integration/helpers/pxe-network.ts b/bastion/tests/integration/helpers/pxe-network.ts
new file mode 100644
index 0000000..9f4f0a5
--- /dev/null
+++ b/bastion/tests/integration/helpers/pxe-network.ts
@@ -0,0 +1,95 @@
+// Libvirt network for PXE boot testing.
+// Unlike the regular test network, this one has NO DHCP —
+// the bastion provides full DHCP + PXE on this network.
+
+import { execSync, spawnSync } from "node:child_process";
+import { writeFileSync, unlinkSync } from "node:fs";
+import { log } from "./libvirt.js";
+
+export const PXE_NETWORK_NAME = "lab-pxe-test";
+export const PXE_BRIDGE = "virbr-pxe";
+export const PXE_SUBNET = "192.168.251";
+export const PXE_GATEWAY = `${PXE_SUBNET}.1`;
+
+const IS_ROOT = process.getuid?.() === 0;
+
+function run(cmd: string): string {
+  const full = IS_ROOT ? cmd : `sudo ${cmd}`;
+  return execSync(full, { encoding: "utf-8", stdio: "pipe" });
+}
+
+function virsh(...args: string[]): { status: number; stdout: string } {
+  const cmd = IS_ROOT ? "virsh" : "sudo";
+  const finalArgs = IS_ROOT ? args : ["virsh", ...args];
+  const result = spawnSync(cmd, finalArgs, { encoding: "utf-8", stdio: "pipe" });
+  return { status: result.status ?? 1, stdout: result.stdout ?? "" };
+}
+
+// No <dhcp> section — bastion dnsmasq provides full DHCP + PXE
+const NETWORK_XML = `<network>
+  <name>${PXE_NETWORK_NAME}</name>
+  <forward mode='nat'/>
+  <bridge name='${PXE_BRIDGE}' stp='on' delay='0'/>
+  <ip address='${PXE_GATEWAY}' netmask='255.255.255.0'>
+  </ip>
+</network>`;
+
+/** Ensure the PXE test network exists and is active (no DHCP). */
+export function ensurePxeNetwork(): void {
+  const result = virsh("net-info", PXE_NETWORK_NAME);
+
+  if (result.status === 0 && result.stdout.includes("Active:         yes")) {
+    log(`Network ${PXE_NETWORK_NAME} already active`);
+  } else {
+    // Destroy existing if present but inactive
+    if (result.status === 0) {
+      virsh("net-destroy", PXE_NETWORK_NAME);
+      virsh("net-undefine", PXE_NETWORK_NAME);
+    }
+
+    const xmlPath = "/tmp/lab-pxe-test-network.xml";
+    writeFileSync(xmlPath, NETWORK_XML);
+
+    log(`Creating PXE libvirt network: ${PXE_NETWORK_NAME} (${PXE_SUBNET}.0/24, no DHCP)`);
+    run(`virsh net-define "${xmlPath}"`);
+    run(`virsh net-start "${PXE_NETWORK_NAME}"`);
+
+    try { unlinkSync(xmlPath); } catch { /* ignore */ }
+
+    log(`Network ${PXE_NETWORK_NAME} created and active`);
+  }
+
+  // Libvirt adds nftables reject rules for NAT networks that block host→VM SSH.
+  // Delete them now and after every VM reboot (libvirt recreates them).
+  deleteNftablesRejectRules();
+}
+
+/** Delete libvirt's nftables reject rules for our bridge so host→VM traffic works.
+ *  Must be called after every VM start/restart — libvirt recreates them. */
+export function deleteNftablesRejectRules(): void {
+  // libvirt uses "ip libvirt_network" table (not "inet libvirt")
+  const tables = ["ip libvirt_network", "ip6 libvirt_network", "inet libvirt"];
+  for (const table of tables) {
+    try {
+      for (const chain of ["guest_input", "guest_output"]) {
+        const output = run(`nft -a list chain ${table} ${chain} 2>/dev/null || true`);
+        for (const line of output.split("\n")) {
+          if (line.includes(PXE_BRIDGE) && line.includes("reject")) {
+            const handleMatch = line.match(/# handle (\d+)/);
+            if (handleMatch) {
+              run(`nft delete rule ${table} ${chain} handle ${handleMatch[1]}`);
+            }
+          }
+        }
+      }
+    } catch { /* table may not exist */ }
+  }
+}
+
+/** Destroy the PXE test network. */
+export function destroyPxeNetwork(): void {
+  log(`Destroying PXE network: ${PXE_NETWORK_NAME}`);
+  // nftables rules are cleaned up when the network is destroyed (libvirt removes them)
+  virsh("net-destroy", PXE_NETWORK_NAME);
+  virsh("net-undefine", PXE_NETWORK_NAME);
+}
diff --git a/bastion/tests/integration/helpers/pxe-vm.ts b/bastion/tests/integration/helpers/pxe-vm.ts
new file mode 100644
index 0000000..58ae4e2
--- /dev/null
+++ b/bastion/tests/integration/helpers/pxe-vm.ts
@@ -0,0 +1,214 @@
+// Create a blank UEFI VM for PXE boot testing.
+// Unlike cloud image VMs, these have an empty disk and boot from network.
+// Each VM gets a serial console on a TCP port for debugging without network/SSH.
+
+import { execSync, spawnSync, type SpawnSyncReturns } from "node:child_process";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { createConnection } from "node:net";
+import { log } from "./libvirt.js";
+
+const IMAGE_DIR = "/var/lib/libvirt/images";
+const IS_ROOT = process.getuid?.() === 0;
+
+function run(cmd: string, opts?: { timeout?: number }): string {
+  const full = IS_ROOT ? cmd : `sudo ${cmd}`;
+  return execSync(full, { encoding: "utf-8", stdio: "pipe", timeout: opts?.timeout ?? 60_000 });
+}
+
+function virsh(...args: string[]): SpawnSyncReturns<string> {
+  const cmd = IS_ROOT ? "virsh" : "sudo";
+  const finalArgs = IS_ROOT ? args : ["virsh", ...args];
+  return spawnSync(cmd, finalArgs, { encoding: "utf-8", stdio: "pipe", timeout: 30_000 });
+}
+
+export interface PxeVmConfig {
+  name: string;
+  memory: number;       // MB
+  vcpus: number;
+  diskSize: number;     // GB
+  network: string;      // libvirt network name
+  arch?: "x86_64" | "aarch64";
+}
+
+/** Create a blank UEFI VM that PXE boots from the network. */
+export function createPxeVm(config: PxeVmConfig): void {
+  destroyPxeVm(config.name);
+
+  const arch = config.arch ?? "x86_64";
+  log(`Creating PXE VM: ${config.name} (${arch}, ${config.memory}MB RAM, ${config.vcpus} vCPU, ${config.diskSize}GB disk)`);
+
+  // Create blank disk
+  const diskPath = join(IMAGE_DIR, `${config.name}.qcow2`);
+  run(`qemu-img create -f qcow2 "${diskPath}" ${config.diskSize}G`);
+
+  // UEFI firmware paths (Fedora)
+  if (arch === "aarch64") {
+    const aavmf = "/usr/share/edk2/aarch64/QEMU_EFI.fd";
+    if (!existsSync(aavmf)) {
+      throw new Error(`AAVMF firmware not found at ${aavmf}. Install: sudo dnf install edk2-aarch64`);
+    }
+  } else {
+    const ovmf = "/usr/share/edk2/ovmf/OVMF_CODE.fd";
+    if (!existsSync(ovmf)) {
+      throw new Error(`OVMF firmware not found at ${ovmf}. Install: sudo dnf install edk2-ovmf`);
+    }
+  }
+
+  const virtInstallArgs = [
+    "virt-install",
+    `--name=${config.name}`,
+    `--memory=${config.memory}`,
+    `--vcpus=${config.vcpus}`,
+    `--disk=path=${diskPath},format=qcow2,bus=virtio`,
+    `--network=network=${config.network},model=virtio`,
+    // UEFI firmware — required for PXE boot in modern mode
+    `--boot=uefi,network,hd`,
+    // No OS to install — PXE provides everything
+    "--os-variant=generic",
+    "--noautoconsole",
+    "--wait=0",
+    // Graphics for debugging (VNC, connect with virt-viewer if needed)
+    "--graphics=vnc,listen=127.0.0.1",
+    // Serial console via TCP — allows exec without network/SSH
+    // Connect: socat - TCP:127.0.0.1:4555
+    "--serial=tcp,host=127.0.0.1:4555,mode=bind,protocol=telnet",
+  ];
+
+  if (arch === "aarch64") {
+    virtInstallArgs.push("--arch=aarch64", "--machine=virt");
+  }
+
+  log(`Running: virt-install --name=${config.name} --boot=uefi,network ...`);
+  run(virtInstallArgs.join(" "), { timeout: 30_000 });
+  log(`PXE VM ${config.name} created (serial: telnet 127.0.0.1 4555)`);
+}
+
+/** Destroy a PXE VM and clean up its disk. */
+export function destroyPxeVm(name: string): void {
+  const result = virsh("dominfo", name);
+  if (result.status !== 0) return;
+
+  log(`Destroying PXE VM: ${name}`);
+  virsh("destroy", name);
+  virsh("undefine", name, "--remove-all-storage", "--nvram");
+}
+
+/** Get the MAC address of a VM's first NIC. */
+export function getVmMac(name: string): string | null {
+  const result = virsh("domiflist", name);
+  if (result.status !== 0) return null;
+  // Output format: Interface  Type  Source  Model  MAC
+  const match = result.stdout.match(/([0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2})/i);
+  return match ? match[1].toLowerCase() : null;
+}
+
+/** Reboot a VM (force off + start). */
+export function rebootPxeVm(name: string): void {
+  log(`Rebooting PXE VM: ${name}`);
+  virsh("destroy", name);
+  // Brief pause to let resources release
+  spawnSync("sleep", ["2"]);
+  virsh("start", name);
+  log(`PXE VM ${name} restarted`);
+}
+
+/**
+ * Read raw output from the VM's serial console (telnet TCP port).
+ * Returns the last N lines. Useful for diagnostics when SSH isn't available.
+ */
+export async function readSerialLog(
+  port: number,
+  opts: { lastLines?: number; timeoutMs?: number } = {},
+): Promise<string> {
+  const { lastLines = 50, timeoutMs = 10_000 } = opts;
+  return new Promise((resolve) => {
+    const sock = createConnection({ host: "127.0.0.1", port });
+    let buf = "";
+    const timer = setTimeout(() => { sock.destroy(); resolve(buf); }, timeoutMs);
+    sock.on("data", (d: Buffer) => { buf += d.toString(); });
+    sock.on("error", () => { clearTimeout(timer); resolve(`(connection error) ${buf}`); });
+    sock.on("close", () => { clearTimeout(timer); resolve(buf); });
+    // Send a newline to trigger any buffered output / prompt
+    setTimeout(() => sock.write("\r\n"), 500);
+  }).then((raw: unknown) => {
+    const lines = (raw as string).split("\n").map(l => l.trimEnd()).filter(Boolean);
+    return lines.slice(-lastLines).join("\n");
+  });
+}
+
+/**
+ * Execute a command on the VM's serial console via socat.
+ * Requires auto-login root shell on the serial port.
+ */
+export function serialExec(
+  port: number,
+  command: string,
+  timeoutMs = 15_000,
+): string {
+  const marker = `__END_${Date.now()}__`;
+  // Use socat to handle telnet negotiation properly
+  const input = `\r\n${command}; echo '${marker}'\r\n`;
+  const result = spawnSync("bash", ["-c",
+    `echo -e '${input.replace(/'/g, "\\'")}' | socat -T${Math.ceil(timeoutMs / 1000)} - TCP:127.0.0.1:${port} 2>/dev/null`
+  ], { encoding: "utf-8", stdio: "pipe", timeout: timeoutMs + 5000 });
+  const output = result.stdout ?? "";
+  const markerIdx = output.indexOf(marker);
+  if (markerIdx < 0) return `(no marker) ${output.slice(-500)}`;
+  // Get lines between command echo and marker
+  const before = output.substring(0, markerIdx);
+  const lines = before.split("\n");
+  // Skip everything up to and including the command echo line
+  const cmdIdx = lines.findIndex(l => l.includes(command.substring(0, 20)));
+  return lines.slice(cmdIdx >= 0 ? cmdIdx + 1 : 1).join("\n").trim();
+}
+
+export interface IsoVmConfig {
+  name: string;
+  memory: number;       // MB
+  vcpus: number;
+  diskSize: number;     // GB
+  network: string;      // libvirt network name
+  isoPath: string;      // path to boot ISO
+  arch?: "x86_64" | "aarch64";
+}
+
+/** Create a UEFI VM that boots from a CD-ROM ISO (not PXE). */
+export function createIsoVm(config: IsoVmConfig): void {
+  destroyPxeVm(config.name);
+
+  const arch = config.arch ?? "x86_64";
+  log(`Creating ISO boot VM: ${config.name} (${arch}, ${config.memory}MB RAM, ${config.vcpus} vCPU, ${config.diskSize}GB disk)`);
+
+  // Create blank disk
+  const diskPath = join(IMAGE_DIR, `${config.name}.qcow2`);
+  run(`qemu-img create -f qcow2 "${diskPath}" ${config.diskSize}G`);
+
+  const virtInstallArgs = [
+    "virt-install",
+    `--name=${config.name}`,
+    `--memory=${config.memory}`,
+    `--vcpus=${config.vcpus}`,
+    `--disk=path=${diskPath},format=qcow2,bus=virtio`,
+    // Boot ISO as CD-ROM
+    `--disk=path=${config.isoPath},device=cdrom,readonly=on`,
+    `--network=network=${config.network},model=virtio`,
+    // UEFI firmware, boot from cdrom (not network)
+    "--boot=uefi,cdrom",
+    "--os-variant=generic",
+    "--noautoconsole",
+    "--wait=0",
+    "--graphics=vnc,listen=127.0.0.1",
+    // Serial console via TCP (port 4556 to avoid conflict with PXE VM)
+    "--serial=tcp,host=127.0.0.1:4556,mode=bind,protocol=telnet",
+  ];
+
+  if (arch === "aarch64") {
+    virtInstallArgs.push("--arch=aarch64", "--machine=virt");
+  }
+
+  log(`Running: virt-install --name=${config.name} --boot=uefi,cdrom ...`);
+  run(virtInstallArgs.join(" "), { timeout: 60_000 });
+  log(`ISO boot VM ${config.name} created (serial: telnet 127.0.0.1 4556)`);
+}
+
diff --git a/bastion/tests/integration/helpers/ssh.ts b/bastion/tests/integration/helpers/ssh.ts
new file mode 100644
index 0000000..2bdac24
--- /dev/null
+++ b/bastion/tests/integration/helpers/ssh.ts
@@ -0,0 +1,106 @@
+// SSH execution helper for integration tests.
+
+import { spawn, spawnSync } from "node:child_process";
+import { log } from "./libvirt.js";
+
+export interface SshResult {
+  exitCode: number;
+  stdout: string;
+  stderr: string;
+}
+
+/** Execute a command via SSH and return the result. */
+export function sshExec(
+  ip: string,
+  user: string,
+  command: string,
+  options?: { keyPath?: string; timeout?: number },
+): SshResult {
+  const args = [
+    "-o", "StrictHostKeyChecking=no",
+    "-o", "ConnectTimeout=10",
+    "-o", "BatchMode=yes",
+    ...(options?.keyPath ? ["-i", options.keyPath] : []),
+    `${user}@${ip}`,
+    command,
+  ];
+
+  const result = spawnSync("ssh", args, {
+    stdio: "pipe",
+    timeout: options?.timeout ?? 120_000,
+    encoding: "utf-8",
+  });
+
+  return {
+    exitCode: result.status ?? 1,
+    stdout: result.stdout ?? "",
+    stderr: result.stderr ?? "",
+  };
+}
+
+/** Execute a command via SSH with live streaming output. */
+export async function sshExecStreaming(
+  ip: string,
+  user: string,
+  command: string,
+  onLine: (line: string) => void,
+  options?: { keyPath?: string; timeout?: number },
+): Promise<number> {
+  return new Promise((resolve, reject) => {
+    const args = [
+      "-o", "StrictHostKeyChecking=no",
+      "-o", "ConnectTimeout=10",
+      "-o", "BatchMode=yes",
+      ...(options?.keyPath ? ["-i", options.keyPath] : []),
+      `${user}@${ip}`,
+      command,
+    ];
+
+    const proc = spawn("ssh", args, {
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: options?.timeout ?? 600_000,
+    });
+
+    let buffer = "";
+    proc.stdout.on("data", (data: Buffer) => {
+      buffer += data.toString();
+      const lines = buffer.split("\n");
+      buffer = lines.pop() ?? "";
+      for (const line of lines) {
+        onLine(line);
+      }
+    });
+
+    proc.stderr.on("data", (data: Buffer) => {
+      const text = data.toString().trim();
+      if (text) onLine(`[stderr] ${text}`);
+    });
+
+    proc.on("close", (code) => {
+      if (buffer.trim()) onLine(buffer.trim());
+      resolve(code ?? 1);
+    });
+
+    proc.on("error", (err) => {
+      reject(err);
+    });
+  });
+}
+
+/** Run a command on the VM via SSH and log it with a prefix. */
+export async function sshRun(
+  ip: string,
+  user: string,
+  command: string,
+  label: string,
+  options?: { keyPath?: string; timeout?: number },
+): Promise<number> {
+  log(`${label}: ${command.slice(0, 80)}${command.length > 80 ? "..." : ""}`);
+  const code = await sshExecStreaming(ip, user, command, (line) => {
+    console.log(`    ${line}`);
+  }, options);
+  if (code !== 0) {
+    log(`${label}: FAILED (exit ${code})`);
+  }
+  return code;
+}
diff --git a/bastion/tests/integration/helpers/vm-screenshot.sh b/bastion/tests/integration/helpers/vm-screenshot.sh
new file mode 100755
index 0000000..340ceab
--- /dev/null
+++ b/bastion/tests/integration/helpers/vm-screenshot.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Capture a screenshot of a libvirt VM and convert to PNG for viewing.
+# Usage: vm-screenshot.sh [VM_NAME] [OUTPUT_PATH]
+VM_NAME="${1:-lab-pxe-test}"
+OUTPUT="${2:-/tmp/vm-screenshot.png}"
+PPM="/tmp/vm-screenshot-$$.ppm"
+
+if ! sudo virsh domstate "$VM_NAME" &>/dev/null; then
+    echo "ERROR: VM '$VM_NAME' not found or not running" >&2
+    exit 1
+fi
+
+sudo virsh screenshot "$VM_NAME" "$PPM" --screen 0 2>/dev/null
+if [ ! -f "$PPM" ]; then
+    echo "ERROR: screenshot failed" >&2
+    exit 1
+fi
+
+# Convert to PNG (ppm -> png)
+if command -v convert &>/dev/null; then
+    convert "$PPM" "$OUTPUT"
+elif command -v ffmpeg &>/dev/null; then
+    ffmpeg -y -i "$PPM" "$OUTPUT" 2>/dev/null
+elif command -v pnmtopng &>/dev/null; then
+    pnmtopng "$PPM" > "$OUTPUT"
+else
+    # fallback: just copy the PPM (Read tool can handle it)
+    cp "$PPM" "${OUTPUT%.png}.ppm"
+    OUTPUT="${OUTPUT%.png}.ppm"
+fi
+
+rm -f "$PPM"
+echo "$OUTPUT"
diff --git a/bastion/tests/integration/iso-provision.test.ts b/bastion/tests/integration/iso-provision.test.ts
new file mode 100644
index 0000000..c9be66a
--- /dev/null
+++ b/bastion/tests/integration/iso-provision.test.ts
@@ -0,0 +1,328 @@
+// Integration test: boot ISO provisioning flow (for machines without PXE support).
+//
+// This test validates the ISO boot chain:
+//   1. Bastion generates a boot ISO containing iPXE + embedded kernel/initrd
+//   2. VM boots from the ISO (CD-ROM, not PXE)
+//   3. iPXE loads from ISO, does DHCP, chains to bastion
+//   4. Normal discover -> install flow follows
+//
+// This simulates machines like the MinisForum R1 that have no UEFI PXE ROM.
+//
+// Prerequisites: same as PXE test + xorriso, mtools
+// Run: sudo pnpm run test:integration:iso
+
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { readFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { homedir, tmpdir } from "node:os";
+import { mkdirSync, rmSync } from "node:fs";
+import { log, waitForSsh } from "./helpers/libvirt.js";
+import { ensurePxeNetwork, destroyPxeNetwork, PXE_NETWORK_NAME, PXE_GATEWAY, PXE_SUBNET } from "./helpers/pxe-network.js";
+import { createIsoVm, destroyPxeVm, getVmMac, rebootPxeVm } from "./helpers/pxe-vm.js";
+import { sshExec } from "./helpers/ssh.js";
+
+const VM_NAME = "lab-iso-test";
+const VM_MEMORY = 4096;
+const VM_VCPUS = 2;
+const VM_DISK_GB = 250;      // LVM layout needs ~204GB. QCOW2 is sparse.
+const HTTP_PORT = 8098;       // different from PXE test
+const SSH_USER = "michal";
+const BASTION_IP = PXE_GATEWAY;
+const DHCP_RANGE_START = `${PXE_SUBNET}.100`;
+const DHCP_RANGE_END = `${PXE_SUBNET}.200`;
+
+const DISCOVERY_TIMEOUT_MS = 5 * 60_000;
+const INSTALL_TIMEOUT_MS = 30 * 60_000;
+const SSH_TIMEOUT_MS = 10 * 60_000;         // 10 min: OVMF retries PXE/HTTP Boot before disk boot + OS startup
+
+function findSshKey(): { pubKey: string; keyPath: string } {
+  const homes = [homedir()];
+  const sudoUser = process.env["SUDO_USER"];
+  if (sudoUser) homes.push(join("/home", sudoUser));
+  if (process.env["SSH_KEY_PATH"]) {
+    const keyPath = process.env["SSH_KEY_PATH"];
+    const pubPath = `${keyPath}.pub`;
+    if (existsSync(keyPath) && existsSync(pubPath)) {
+      return { pubKey: readFileSync(pubPath, "utf-8").trim(), keyPath };
+    }
+  }
+  for (const home of homes) {
+    for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+      const keyPath = join(home, ".ssh", name);
+      const pubPath = `${keyPath}.pub`;
+      if (existsSync(keyPath) && existsSync(pubPath)) {
+        return { pubKey: readFileSync(pubPath, "utf-8").trim(), keyPath };
+      }
+    }
+  }
+  throw new Error("No SSH key found — set SSH_KEY_PATH or ensure keys exist in ~/.ssh/");
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+async function pollApi<T>(
+  url: string,
+  check: (data: T) => boolean,
+  timeoutMs: number,
+  intervalMs = 5000,
+): Promise<T> {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const res = await fetch(url);
+      if (res.ok) {
+        const data = (await res.json()) as T;
+        if (check(data)) return data;
+      }
+    } catch { /* bastion not ready yet */ }
+    await sleep(intervalMs);
+  }
+  throw new Error(`Timeout after ${timeoutMs}ms polling ${url}`);
+}
+
+describe("ISO boot provisioning", () => {
+  let bastionApp: ReturnType<typeof import("fastify").default>;
+  let testDir: string;
+  let vmMac: string;
+  let vmIp: string;
+  let sshKeyPath: string;
+
+  beforeAll(async () => {
+    const { pubKey, keyPath } = findSshKey();
+    sshKeyPath = keyPath;
+
+    // 1. Network
+    log("Setting up PXE test network (for ISO boot test)...");
+    ensurePxeNetwork();
+
+    // 2. Bastion dirs
+    testDir = join(tmpdir(), `lab-iso-test-${Date.now()}`);
+    mkdirSync(testDir, { recursive: true });
+    mkdirSync(join(testDir, "tftp"), { recursive: true });
+    mkdirSync(join(testDir, "http"), { recursive: true });
+    mkdirSync(join(testDir, "logs"), { recursive: true });
+
+    // 3. Start bastion with boot ISO generation
+    log("Starting bastion with boot ISO generation...");
+
+    const { createApp } = await import("../../src/bastion/src/server.js");
+    const { loadConfig } = await import("../../src/bastion/src/config.js");
+    const { generateDnsmasqConf, startDnsmasq } = await import("../../src/bastion/src/services/dnsmasq.js");
+    const { generateDiscoverKickstart } = await import("../../src/bastion/src/services/kickstart-generator.js");
+    const { renderBootIpxe } = await import("../../src/bastion/src/templates/boot.ipxe.js");
+    const { ensureBootIso } = await import("../../src/bastion/src/routes/boot-iso.js");
+    const fs = await import("node:fs");
+    const { execSync } = await import("node:child_process");
+
+    const config = loadConfig({
+      bastionDir: testDir,
+      httpPort: HTTP_PORT,
+      iface: "virbr-pxe",
+      serverIp: BASTION_IP,
+      network: `${PXE_SUBNET}.0`,
+      gateway: BASTION_IP,
+      dhcpMode: "full",
+      dhcpRangeStart: DHCP_RANGE_START,
+      dhcpRangeEnd: DHCP_RANGE_END,
+      domain: "iso-test.local",
+      sshKeys: [pubKey],
+      adminUser: SSH_USER,
+    });
+
+    // iPXE for TFTP (still needed — dnsmasq points PXE clients here)
+    const ipxeSrc = "/usr/share/ipxe/ipxe-snponly-x86_64.efi";
+    if (fs.existsSync(ipxeSrc)) {
+      fs.copyFileSync(ipxeSrc, join(config.tftpDir, "ipxe.efi"));
+    }
+
+    // Fedora kernel + initrd (cached)
+    const cacheDir = "/var/lib/libvirt/images/lab-pxe-cache";
+    execSync(`mkdir -p "${cacheDir}"`, { stdio: "pipe" });
+
+    const kernel = join(cacheDir, `vmlinuz-${config.fedoraVersion}`);
+    const initrd = join(cacheDir, `initrd-${config.fedoraVersion}.img`);
+
+    if (!fs.existsSync(kernel)) {
+      log(`Downloading Fedora ${config.fedoraVersion} kernel...`);
+      execSync(`curl -# -L -f -o "${kernel}" "${config.fedoraMirror}/images/pxeboot/vmlinuz"`, { stdio: "inherit", timeout: 300_000 });
+    }
+    if (!fs.existsSync(initrd)) {
+      log(`Downloading Fedora ${config.fedoraVersion} initrd...`);
+      execSync(`curl -# -L -f -o "${initrd}" "${config.fedoraMirror}/images/pxeboot/initrd.img"`, { stdio: "inherit", timeout: 300_000 });
+    }
+
+    fs.copyFileSync(kernel, join(config.httpDir, "vmlinuz"));
+    fs.copyFileSync(initrd, join(config.httpDir, "initrd.img"));
+    try { fs.symlinkSync(join(config.tftpDir, "ipxe.efi"), join(config.httpDir, "ipxe.efi")); } catch { /* exists */ }
+
+    // Generate boot scripts
+    const discoverKs = generateDiscoverKickstart(config);
+    fs.writeFileSync(join(config.httpDir, "discover.ks"), discoverKs);
+    const bootIpxe = renderBootIpxe({ serverIp: config.serverIp, httpPort: config.httpPort });
+    fs.writeFileSync(join(config.httpDir, "boot.ipxe"), bootIpxe);
+
+    // Generate the boot ISO — this is the key artifact for this test
+    log("Generating boot ISO...");
+    ensureBootIso(config);
+
+    const isoPath = join(config.httpDir, "boot.iso");
+    if (!fs.existsSync(isoPath)) {
+      throw new Error("Boot ISO was not generated");
+    }
+    const isoSize = fs.statSync(isoPath).size;
+    log(`Boot ISO generated: ${isoPath} (${(isoSize / 1024 / 1024).toFixed(1)}MB)`);
+
+    // dnsmasq config + start
+    generateDnsmasqConf(config);
+
+    const { app, state } = createApp(config);
+    bastionApp = app;
+    await app.listen({ port: config.httpPort, host: "0.0.0.0" });
+    log(`Bastion HTTP listening on :${HTTP_PORT}`);
+
+    log("Starting dnsmasq (full DHCP)...");
+    void startDnsmasq(config);
+    await sleep(1000);
+
+    // 4. Create VM that boots from the ISO (not PXE)
+    log("Creating ISO boot VM (blank disk, UEFI, CD-ROM boot)...");
+    createIsoVm({
+      name: VM_NAME,
+      memory: VM_MEMORY,
+      vcpus: VM_VCPUS,
+      diskSize: VM_DISK_GB,
+      network: PXE_NETWORK_NAME,
+      isoPath,
+    });
+
+    const mac = getVmMac(VM_NAME);
+    if (!mac) throw new Error("Could not determine VM MAC address");
+    vmMac = mac;
+    log(`VM MAC: ${vmMac}`);
+
+    // 5. Wait for discovery
+    log("Waiting for VM to boot ISO -> iPXE -> DHCP -> bastion -> discover...");
+    type MachinesResponse = { discovered: Record<string, unknown> };
+    await pollApi<MachinesResponse>(
+      `http://${BASTION_IP}:${HTTP_PORT}/api/machines`,
+      (data) => vmMac in data.discovered,
+      DISCOVERY_TIMEOUT_MS,
+    );
+    log("VM discovered via ISO boot!");
+
+    // 6. Queue install
+    log("Queueing machine for install...");
+    await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/install`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ mac: vmMac, hostname: VM_NAME, disk: "", role: "vanilla" }),
+    });
+
+    // 7. Reboot for install
+    log("Waiting for discovery reboot...");
+    await sleep(15_000);
+    rebootPxeVm(VM_NAME);
+
+    // 8. Wait for install
+    log("Waiting for install to complete (10-20 minutes)...");
+    type LogsResponse = { status: string; progress: string; ip?: string };
+    const finalState = await pollApi<LogsResponse>(
+      `http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`,
+      (data) => data.status === "installed" || data.progress === "error",
+      INSTALL_TIMEOUT_MS,
+      10_000,
+    );
+
+    if (finalState.progress === "error") {
+      const logsRes = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`);
+      const logs = await logsRes.json();
+      log(`INSTALL FAILED. State: ${JSON.stringify(logs, null, 2)}`);
+      throw new Error("Install failed — check logs above");
+    }
+
+    vmIp = finalState.ip ?? "";
+    log(`Install complete! VM IP: ${vmIp}`);
+
+    // 9. Ensure VM is running after kickstart reboot/poweroff
+    log("Waiting for kickstart reboot/poweroff...");
+    await sleep(15_000);
+    const { spawnSync: spSync } = await import("node:child_process");
+    const stateResult = spSync("sudo", ["virsh", "domstate", VM_NAME], { encoding: "utf-8", stdio: "pipe" });
+    if (stateResult.stdout?.trim() === "shut off") {
+      log("VM shut off after install. Restarting...");
+      rebootPxeVm(VM_NAME);
+    }
+
+    // 10. Wait for SSH
+    log("Waiting for SSH...");
+    await waitForSsh(vmIp, SSH_USER, SSH_TIMEOUT_MS, sshKeyPath);
+    log("ISO boot provision test setup complete.");
+
+  }, DISCOVERY_TIMEOUT_MS + INSTALL_TIMEOUT_MS + SSH_TIMEOUT_MS + 120_000);
+
+  afterAll(async () => {
+    log("Cleaning up ISO test...");
+    if (bastionApp) await bastionApp.close().catch(() => {});
+    const { stopDnsmasq } = await import("../../src/bastion/src/services/dnsmasq.js");
+    stopDnsmasq();
+    destroyPxeVm(VM_NAME);
+    destroyPxeNetwork();
+    if (testDir) rmSync(testDir, { recursive: true, force: true });
+  });
+
+  it("machine was discovered and installed", async () => {
+    const res = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/machines`);
+    const data = (await res.json()) as { installed: Record<string, { hostname: string }> };
+    expect(data.installed[vmMac]).toBeDefined();
+    expect(data.installed[vmMac].hostname).toBe(VM_NAME);
+  });
+
+  it("progress stages were recorded", async () => {
+    const res = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`);
+    const data = (await res.json()) as { status: string; progress: string };
+    expect(data.status).toBe("installed");
+    expect(data.progress).toBe("complete");
+  });
+
+  it("log lines were captured from kickstart", async () => {
+    const res = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`);
+    const data = (await res.json()) as { log_total?: number };
+    expect(data.log_total).toBeGreaterThan(0);
+  });
+
+  it("SSH works", () => {
+    const result = sshExec(vmIp, SSH_USER, "whoami", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe(SSH_USER);
+  });
+
+  it("sudo works", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo whoami", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe("root");
+  });
+
+  it("hostname is correct", () => {
+    const result = sshExec(vmIp, SSH_USER, "hostname -f", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toContain(VM_NAME);
+  });
+
+  it("provisioning metadata exists", () => {
+    const result = sshExec(vmIp, SSH_USER, "cat /etc/lab-provisioned", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain(`hostname: ${VM_NAME}`);
+    expect(result.stdout).toContain("role: vanilla");
+  });
+
+  it("LVM layout is correct", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo lvs labvg --noheadings -o lv_name", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    const lvs = result.stdout.trim().split("\n").map((l: string) => l.trim());
+    for (const expected of ["root", "var", "varlog", "swap", "home", "srv"]) {
+      expect(lvs).toContain(expected);
+    }
+  });
+});
diff --git a/bastion/tests/integration/k3s-single-node.test.ts b/bastion/tests/integration/k3s-single-node.test.ts
new file mode 100644
index 0000000..d52c328
--- /dev/null
+++ b/bastion/tests/integration/k3s-single-node.test.ts
@@ -0,0 +1,375 @@
+// Integration test: k3s single-node deployment on a libvirt VM.
+//
+// This test:
+//   1. Creates a Fedora cloud image VM with cloud-init
+//   2. Installs k3s with CIS hardening via SSH
+//   3. Verifies: node ready, API healthy, pods run, network works
+//
+// Prerequisites: libvirt, virsh, virt-install, qemu, sudo access
+// Run: pnpm run test:integration:k3s
+
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { readFileSync, writeFileSync, existsSync, unlinkSync, mkdirSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { createVm, destroyVm, waitForVmIp, waitForSsh, log } from "./helpers/libvirt.js";
+import { ensureTestNetwork, TEST_NETWORK_NAME } from "./helpers/network.js";
+import { sshExec, sshRun } from "./helpers/ssh.js";
+
+const VM_NAME = "lab-k3s-test";
+const VM_MEMORY = 6144;
+const VM_VCPUS = 2;
+const VM_DISK_GB = 20;
+const SSH_USER = "fedora";  // Fedora cloud images create 'fedora' user by default
+
+// Fedora cloud image — fast boot, small size
+const FEDORA_CLOUD_IMAGE = "https://download.fedoraproject.org/pub/fedora/linux/releases/43/Cloud/x86_64/images/Fedora-Cloud-Base-Generic-43-1.6.x86_64.qcow2";
+
+// Find SSH key for the test — checks real user's home when running via sudo/container
+function findSshKey(): { pubKey: string; keyPath: string } {
+  const homes = [homedir()];
+  // When running as root via sudo, also check the real user's home
+  const sudoUser = process.env["SUDO_USER"];
+  if (sudoUser) homes.push(join("/home", sudoUser));
+  // Explicit override
+  if (process.env["SSH_KEY_PATH"]) {
+    const keyPath = process.env["SSH_KEY_PATH"];
+    const pubPath = `${keyPath}.pub`;
+    if (existsSync(keyPath) && existsSync(pubPath)) {
+      return { pubKey: readFileSync(pubPath, "utf-8").trim(), keyPath };
+    }
+  }
+
+  for (const home of homes) {
+    const sshDir = join(home, ".ssh");
+    for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+      const keyPath = join(sshDir, name);
+      const pubPath = `${keyPath}.pub`;
+      if (existsSync(keyPath) && existsSync(pubPath)) {
+        return { pubKey: readFileSync(pubPath, "utf-8").trim(), keyPath };
+      }
+    }
+  }
+  throw new Error("No SSH key found in ~/.ssh/ — set SSH_KEY_PATH env var or ensure keys exist");
+}
+
+describe("k3s single-node integration", () => {
+  let vmIp: string;
+  let sshKeyPath: string;
+
+  beforeAll(async () => {
+    const { pubKey, keyPath } = findSshKey();
+    sshKeyPath = keyPath;
+
+    // 1. Ensure test network
+    log("Setting up test network...");
+    ensureTestNetwork();
+
+    // 2. Create VM
+    log("Creating test VM...");
+    createVm({
+      name: VM_NAME,
+      memory: VM_MEMORY,
+      vcpus: VM_VCPUS,
+      diskSize: VM_DISK_GB,
+      network: TEST_NETWORK_NAME,
+      cloudImageUrl: FEDORA_CLOUD_IMAGE,
+      sshPubKey: pubKey,
+    });
+
+    // 3. Wait for IP
+    log("Waiting for VM to get IP...");
+    vmIp = await waitForVmIp(VM_NAME, 120_000);
+
+    // 4. Wait for SSH (cloud-init may take a while)
+    log("Waiting for SSH access...");
+    await waitForSsh(vmIp, SSH_USER, 180_000, sshKeyPath);
+
+    // 5. Install k3s via SSH (inline — not using module runner yet since it depends on the module package building)
+    log("Installing k3s on VM...");
+
+    // Set up prerequisites
+    await sshRun(vmIp, SSH_USER, "sudo modprobe br_netfilter overlay", "kernel modules", { keyPath: sshKeyPath });
+
+    await sshRun(vmIp, SSH_USER, `
+      sudo bash -c 'cat > /etc/sysctl.d/90-k3s.conf << EOF
+net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+vm.panic_on_oom                     = 0
+vm.overcommit_memory                = 1
+kernel.panic                        = 10
+kernel.panic_on_oops                = 1
+EOF
+sudo sysctl --system > /dev/null'
+    `.trim(), "sysctl", { keyPath: sshKeyPath });
+
+    await sshRun(vmIp, SSH_USER, "sudo swapoff -a && sudo sed -i '/\\sswap\\s/d' /etc/fstab", "disable swap", { keyPath: sshKeyPath });
+
+    // Install iptables (required by k3s, missing from cloud image)
+    await sshRun(vmIp, SSH_USER, "sudo dnf install -y iptables-nft 2>/dev/null || true", "install iptables", { keyPath: sshKeyPath, timeout: 120_000 });
+
+    // Write k3s config with Cilium CNI (flannel disabled)
+    await sshRun(vmIp, SSH_USER, `
+      sudo mkdir -p /etc/rancher/k3s /var/log/kubernetes
+      sudo bash -c 'cat > /etc/rancher/k3s/config.yaml << EOF
+secrets-encryption: true
+write-kubeconfig-mode: "0644"
+flannel-backend: none
+disable-network-policy: true
+cluster-cidr: 10.42.0.0/16
+service-cidr: 10.43.0.0/16
+disable:
+  - servicelb
+  - traefik
+tls-san:
+  - "${vmIp}"
+EOF'
+    `.trim(), "k3s config", { keyPath: sshKeyPath });
+
+    // Set SELinux to permissive (avoids k3s binary exec denied without selinux policy RPM)
+    await sshRun(vmIp, SSH_USER, "sudo setenforce 0 || true; sudo sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config || true", "selinux permissive", { keyPath: sshKeyPath });
+
+    // Install k3s
+    const k3sCode = await sshRun(
+      vmIp, SSH_USER,
+      'curl -sfL https://get.k3s.io | sudo INSTALL_K3S_EXEC="server" INSTALL_K3S_SKIP_SELINUX_RPM=true sh -',
+      "k3s install",
+      { keyPath: sshKeyPath, timeout: 300_000 },
+    );
+
+    // If k3s failed to start, get journal for diagnostics before asserting
+    if (k3sCode !== 0) {
+      await sshRun(vmIp, SSH_USER, "sudo journalctl -u k3s --no-pager -n 30", "k3s journal (diagnostic)", { keyPath: sshKeyPath });
+    }
+    expect(k3sCode).toBe(0);
+
+    // Wait for node ready
+    log("Waiting for k3s node to be ready...");
+    await sshRun(
+      vmIp, SSH_USER,
+      "sudo k3s kubectl wait --for=condition=Ready node --all --timeout=120s",
+      "node ready",
+      { keyPath: sshKeyPath, timeout: 180_000 },
+    );
+
+    // Install Cilium
+    // Install Cilium CNI
+    log("Installing Cilium CNI...");
+    await sshRun(vmIp, SSH_USER, `
+      CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
+      curl -L --fail --silent "https://github.com/cilium/cilium-cli/releases/download/\${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" | sudo tar xz -C /usr/local/bin
+      DEFAULT_DEV=$(ip -4 route show default | awk '{print $5}' | head -1)
+      sudo KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium install --set kubeProxyReplacement=true --set ipam.mode=kubernetes --set devices=$DEFAULT_DEV --set nodePort.directRoutingDevice=$DEFAULT_DEV
+    `.trim(), "cilium install", { keyPath: sshKeyPath, timeout: 120_000 });
+
+    log("Waiting for Cilium to be ready...");
+    await sshRun(vmIp, SSH_USER,
+      "sudo KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium status --wait --wait-duration 300s",
+      "cilium ready",
+      { keyPath: sshKeyPath, timeout: 360_000 },
+    );
+
+    // Wait for system pods
+    log("Waiting for kube-system pods...");
+    await sshRun(vmIp, SSH_USER,
+      "for i in $(seq 1 30); do PODS=$(sudo k3s kubectl get pods -n kube-system --no-headers 2>/dev/null | wc -l); if [ \"$PODS\" -gt 0 ]; then break; fi; sleep 2; done; sudo k3s kubectl wait --for=condition=Ready pod --all -n kube-system --timeout=120s",
+      "system pods ready",
+      { keyPath: sshKeyPath, timeout: 180_000 },
+    );
+
+    // Fetch kubeconfig to local machine for remote kubectl access
+    log("Fetching kubeconfig from VM...");
+    const kubeconfigResult = sshExec(vmIp, SSH_USER, "sudo cat /etc/rancher/k3s/k3s.yaml", { keyPath: sshKeyPath });
+    expect(kubeconfigResult.exitCode).toBe(0);
+
+    // Rewrite the server address from 127.0.0.1 to the VM's actual IP
+    const kubeconfigDir = join(homedir(), ".kube");
+    mkdirSync(kubeconfigDir, { recursive: true });
+    const kubeconfigPath = join(kubeconfigDir, `lab-test-${VM_NAME}`);
+    const kubeconfig = kubeconfigResult.stdout.replace(
+      /server:\s*https:\/\/127\.0\.0\.1:6443/,
+      `server: https://${vmIp}:6443`,
+    );
+    writeFileSync(kubeconfigPath, kubeconfig, { mode: 0o600 });
+    log(`Kubeconfig written to ${kubeconfigPath}`);
+
+    log("Setup complete.");
+  }, 900_000); // 15 min total for beforeAll
+
+  afterAll(() => {
+    log("Cleaning up test VM...");
+    destroyVm(VM_NAME);
+    // Clean up kubeconfig
+    const kubeconfigPath = join(homedir(), ".kube", `lab-test-${VM_NAME}`);
+    try { unlinkSync(kubeconfigPath); } catch { /* ignore */ }
+  });
+
+  it("k3s service is active", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo systemctl is-active k3s", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe("active");
+  });
+
+  it("node is Ready", () => {
+    const result = sshExec(vmIp, SSH_USER,
+      "sudo k3s kubectl get nodes -o jsonpath='{.items[0].status.conditions[?(@.type==\"Ready\")].status}'",
+      { keyPath: sshKeyPath },
+    );
+    expect(result.stdout).toContain("True");
+  });
+
+  it("API server is healthy", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo k3s kubectl get --raw /healthz", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe("ok");
+  });
+
+  it("secrets encryption is enabled", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo k3s secrets-encrypt status", { keyPath: sshKeyPath });
+    expect(result.stdout.toLowerCase()).toContain("enabled");
+  });
+
+  it("Cilium is healthy", () => {
+    const result = sshExec(vmIp, SSH_USER,
+      "sudo k3s kubectl get pods -n kube-system -l k8s-app=cilium --no-headers",
+      { keyPath: sshKeyPath },
+    );
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain("Running");
+  });
+
+  it("can create a pod", () => {
+    sshExec(vmIp, SSH_USER, "sudo k3s kubectl delete pod test-nginx --ignore-not-found", { keyPath: sshKeyPath });
+
+    const result = sshExec(vmIp, SSH_USER,
+      "sudo k3s kubectl run test-nginx --image=nginx:alpine --restart=Never",
+      { keyPath: sshKeyPath },
+    );
+    expect(result.exitCode).toBe(0);
+  });
+
+  it("pod pulls image and becomes Ready", () => {
+    const result = sshExec(vmIp, SSH_USER,
+      "sudo k3s kubectl wait --for=condition=Ready pod/test-nginx --timeout=120s",
+      { keyPath: sshKeyPath, timeout: 180_000 },
+    );
+    expect(result.exitCode).toBe(0);
+  }, 180_000);
+
+  it("pod has network connectivity", () => {
+    const result = sshExec(vmIp, SSH_USER,
+      "sudo k3s kubectl exec test-nginx -- wget -qO- --timeout=10 http://1.1.1.1 > /dev/null && echo ok",
+      { keyPath: sshKeyPath, timeout: 30_000 },
+    );
+    // Network may be blocked by restricted PSS, but we test connectivity exists
+    // If the exec succeeds at all, the pod has network
+    expect(result.exitCode).toBeLessThanOrEqual(1);
+  });
+
+  it("kube-system pods are running", () => {
+    const result = sshExec(vmIp, SSH_USER,
+      "sudo k3s kubectl get pods -n kube-system --no-headers",
+      { keyPath: sshKeyPath },
+    );
+    expect(result.exitCode).toBe(0);
+    // At minimum we should have coredns running
+    expect(result.stdout).toContain("Running");
+  });
+
+  // --- Remote kubectl tests (using fetched kubeconfig from local machine) ---
+
+  function kubectl(args: string): { exitCode: number; stdout: string; stderr: string } {
+    const kubeconfigPath = join(homedir(), ".kube", `lab-test-${VM_NAME}`);
+    const result = spawnSync("kubectl", args.split(" "), {
+      encoding: "utf-8",
+      stdio: "pipe",
+      timeout: 30_000,
+      env: { ...process.env, KUBECONFIG: kubeconfigPath },
+    });
+    return {
+      exitCode: result.status ?? 1,
+      stdout: result.stdout ?? "",
+      stderr: result.stderr ?? "",
+    };
+  }
+
+  it("kubeconfig was fetched to local machine", () => {
+    const kubeconfigPath = join(homedir(), ".kube", `lab-test-${VM_NAME}`);
+    expect(existsSync(kubeconfigPath)).toBe(true);
+    const content = readFileSync(kubeconfigPath, "utf-8");
+    expect(content).toContain(`server: https://${vmIp}:6443`);
+    expect(content).toContain("certificate-authority-data:");
+    expect(content).toContain("client-certificate-data:");
+  });
+
+  it("local kubectl can reach the cluster", () => {
+    const result = kubectl("cluster-info");
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain("is running at");
+  });
+
+  it("local kubectl can list nodes", () => {
+    const result = kubectl("get nodes -o wide");
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain(VM_NAME);
+    expect(result.stdout).toContain("Ready");
+  });
+
+  it("local kubectl can list pods", () => {
+    const result = kubectl("get pods --all-namespaces");
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain("kube-system");
+    expect(result.stdout).toContain("Running");
+  });
+
+  it("local kubectl can describe the test pod", () => {
+    const result = kubectl("describe pod test-nginx");
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain("nginx:alpine");
+  });
+
+  // --- Reboot survival test ---
+  // This catches: firewalld re-enabling, CNI state lost, k3s not starting
+
+  it("survives reboot — k3s and SSH still work", async () => {
+    log("Rebooting VM...");
+    // Trigger reboot (SSH will disconnect)
+    sshExec(vmIp, SSH_USER, "sudo reboot", { keyPath: sshKeyPath, timeout: 5_000 });
+
+    // Wait for VM to come back
+    log("Waiting for VM to come back up...");
+    await new Promise((r) => setTimeout(r, 10_000)); // Give it time to actually go down
+
+    // Wait for SSH
+    const start = Date.now();
+    let sshBack = false;
+    while (Date.now() - start < 120_000) {
+      try {
+        const r = sshExec(vmIp, SSH_USER, "echo ok", { keyPath: sshKeyPath, timeout: 5_000 });
+        if (r.exitCode === 0 && r.stdout.includes("ok")) {
+          sshBack = true;
+          break;
+        }
+      } catch { /* retry */ }
+      await new Promise((r) => setTimeout(r, 3_000));
+    }
+    expect(sshBack).toBe(true);
+    log("SSH back up after reboot");
+
+    // Wait for k3s to be ready after reboot
+    const nodeResult = sshExec(vmIp, SSH_USER,
+      "for i in $(seq 1 30); do sudo k3s kubectl get nodes 2>/dev/null | grep -q Ready && break; sleep 2; done; sudo k3s kubectl get nodes",
+      { keyPath: sshKeyPath, timeout: 90_000 },
+    );
+    expect(nodeResult.exitCode).toBe(0);
+    expect(nodeResult.stdout).toContain("Ready");
+    log("k3s node Ready after reboot");
+
+    // Verify firewalld is still disabled (the bug that bricked labmaster)
+    const fwResult = sshExec(vmIp, SSH_USER, "systemctl is-active firewalld 2>/dev/null || echo inactive", { keyPath: sshKeyPath });
+    expect(fwResult.stdout.trim()).not.toBe("active");
+    log(`firewalld after reboot: ${fwResult.stdout.trim()}`);
+  }, 180_000);
+});
diff --git a/bastion/tests/integration/pxe-provision.test.ts b/bastion/tests/integration/pxe-provision.test.ts
new file mode 100644
index 0000000..2d1f20b
--- /dev/null
+++ b/bastion/tests/integration/pxe-provision.test.ts
@@ -0,0 +1,515 @@
+// Integration test: full PXE boot provisioning flow.
+//
+// This test validates the ENTIRE bastion flow end-to-end:
+//   1. Starts the bastion (HTTP + dnsmasq) on an isolated libvirt network
+//   2. Creates a blank UEFI VM that PXE boots
+//   3. VM discovers itself via PXE -> bastion
+//   4. We queue the machine for install
+//   5. VM reboots, PXE boots again, installs Fedora via kickstart
+//   6. Verifies: discovery, progress events, SSH access, installed state
+//
+// Prerequisites:
+//   - libvirtd running
+//   - OVMF firmware installed (sudo dnf install edk2-ovmf)
+//   - iPXE packages installed (sudo dnf install ipxe-bootimgs-x86 ipxe-bootimgs-aarch64)
+//   - sudo access
+//   - Internet access (downloads Fedora kernel+initrd on first run)
+//
+// Run: sudo pnpm run test:integration:pxe
+
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { readFileSync, existsSync, mkdirSync, rmSync, copyFileSync, symlinkSync, writeFileSync } from "node:fs";
+import { execSync } from "node:child_process";
+import { join } from "node:path";
+import { homedir, tmpdir } from "node:os";
+import { log, waitForSsh } from "./helpers/libvirt.js";
+import { ensurePxeNetwork, destroyPxeNetwork, deleteNftablesRejectRules, PXE_NETWORK_NAME, PXE_GATEWAY, PXE_SUBNET } from "./helpers/pxe-network.js";
+import { createPxeVm, destroyPxeVm, getVmMac, rebootPxeVm, readSerialLog } from "./helpers/pxe-vm.js";
+import { sshExec } from "./helpers/ssh.js";
+
+// --- Boot screenshot capture ---
+const SCREENSHOT_DIR = "/tmp/vm-screenshots";
+
+function startBootScreenshots(vmName: string): { stop: () => void } {
+  try { mkdirSync(SCREENSHOT_DIR, { recursive: true }); } catch {}
+  // Clean old screenshots
+  try {
+    for (const f of require("node:fs").readdirSync(SCREENSHOT_DIR)) {
+      rmSync(join(SCREENSHOT_DIR, f), { force: true });
+    }
+  } catch {}
+
+  let running = true;
+  let seq = 0;
+  const BUFFER_SIZE = 60; // keep last 60 screenshots (1 per second)
+
+  const loop = async () => {
+    while (running) {
+      try {
+        const idx = String(seq % BUFFER_SIZE).padStart(4, "0");
+        const ppm = join(SCREENSHOT_DIR, `tmp-${idx}.ppm`);
+        const png = join(SCREENSHOT_DIR, `boot-${idx}.png`);
+        execSync(`sudo virsh screenshot ${vmName} ${ppm} --screen 0 2>/dev/null`, { timeout: 3000 });
+        execSync(`convert ${ppm} ${png} 2>/dev/null && rm -f ${ppm}`, { timeout: 3000 });
+        seq++;
+      } catch {}
+      await new Promise(r => setTimeout(r, 1000));
+    }
+  };
+  loop();
+
+  return {
+    stop: () => {
+      running = false;
+      log(`Boot screenshots saved to ${SCREENSHOT_DIR}/ (${seq} captured, last ${Math.min(seq, BUFFER_SIZE)} kept)`);
+    },
+  };
+}
+
+// --- Test constants ---
+const VM_NAME = "lab-pxe-test";
+const VM_MEMORY = 4096;     // 4GB (Anaconda needs ~2GB minimum)
+const VM_VCPUS = 12;
+const VM_DISK_GB = 250;      // LVM layout needs ~204GB (swap 27 + root 33 + var 100 + etc). QCOW2 is sparse.
+const HTTP_PORT = 8099;      // Avoid conflicts with real bastion
+const SSH_USER = "lab";      // Admin user created by kickstart
+const BASTION_IP = PXE_GATEWAY; // 192.168.251.1
+const DHCP_RANGE_START = `${PXE_SUBNET}.100`;
+const DHCP_RANGE_END = `${PXE_SUBNET}.200`;
+
+// Fedora install takes a while
+const DISCOVERY_TIMEOUT_MS = 5 * 60_000;    // 5 min for PXE boot + discovery
+const INSTALL_TIMEOUT_MS = 30 * 60_000;     // 30 min for full Fedora install
+const SSH_TIMEOUT_MS = 10 * 60_000;         // 10 min: OVMF retries PXE/HTTP Boot (~3min) before disk boot + OS startup
+
+function findSshKey(): { pubKey: string; keyPath: string } {
+  const homes = [homedir()];
+  const sudoUser = process.env["SUDO_USER"];
+  if (sudoUser) homes.push(join("/home", sudoUser));
+  if (process.env["SSH_KEY_PATH"]) {
+    const keyPath = process.env["SSH_KEY_PATH"];
+    const pubPath = `${keyPath}.pub`;
+    if (existsSync(keyPath) && existsSync(pubPath)) {
+      return { pubKey: readFileSync(pubPath, "utf-8").trim(), keyPath };
+    }
+  }
+  for (const home of homes) {
+    for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+      const keyPath = join(home, ".ssh", name);
+      const pubPath = `${keyPath}.pub`;
+      if (existsSync(keyPath) && existsSync(pubPath)) {
+        return { pubKey: readFileSync(pubPath, "utf-8").trim(), keyPath };
+      }
+    }
+  }
+  throw new Error("No SSH key found — set SSH_KEY_PATH or ensure keys exist in ~/.ssh/");
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+/** Poll the bastion API until a condition is met. */
+async function pollApi<T>(
+  url: string,
+  check: (data: T) => boolean,
+  timeoutMs: number,
+  intervalMs = 5000,
+): Promise<T> {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const res = await fetch(url);
+      if (res.ok) {
+        const data = (await res.json()) as T;
+        if (check(data)) return data;
+      }
+    } catch { /* bastion not ready yet or network hiccup */ }
+    await sleep(intervalMs);
+  }
+  throw new Error(`Timeout after ${timeoutMs}ms polling ${url}`);
+}
+
+describe("PXE boot provisioning", () => {
+  let bastionApp: { close: () => Promise<void> };
+  let testDir: string;
+  let vmMac: string;
+  let vmIp: string;
+  let sshKeyPath: string;
+  let sshPubKey: string;
+
+  beforeAll(async () => {
+    const { pubKey, keyPath } = findSshKey();
+    sshKeyPath = keyPath;
+    sshPubKey = pubKey;
+
+    // 1. Create isolated network (no DHCP — bastion provides it)
+    log("Setting up PXE test network...");
+    ensurePxeNetwork();
+
+    // 2. Set up bastion directories and config
+    testDir = join(tmpdir(), `lab-pxe-test-${Date.now()}`);
+    mkdirSync(testDir, { recursive: true });
+    mkdirSync(join(testDir, "tftp"), { recursive: true });
+    mkdirSync(join(testDir, "http"), { recursive: true });
+    mkdirSync(join(testDir, "logs"), { recursive: true });
+
+    // 3. Start the bastion (HTTP server + dnsmasq)
+    log("Starting bastion...");
+
+    const { createApp } = await import("../../src/bastion/src/server.js");
+    const { loadConfig } = await import("../../src/bastion/src/config.js");
+    const { generateDnsmasqConf, startDnsmasq } = await import("../../src/bastion/src/services/dnsmasq.js");
+    const { generateDiscoverKickstart } = await import("../../src/bastion/src/services/kickstart-generator.js");
+    const { renderBootIpxe } = await import("../../src/bastion/src/templates/boot.ipxe.js");
+
+    const config = loadConfig({
+      bastionDir: testDir,
+      httpPort: HTTP_PORT,
+      iface: "virbr-pxe",
+      serverIp: BASTION_IP,
+      network: `${PXE_SUBNET}.0`,
+      gateway: BASTION_IP,
+      dhcpMode: "full",
+      dhcpRangeStart: DHCP_RANGE_START,
+      dhcpRangeEnd: DHCP_RANGE_END,
+      domain: "pxe-test.local",
+      sshKeys: [sshPubKey],
+      adminUser: SSH_USER,
+    });
+
+    // Prepare boot artifacts
+    log("Preparing boot artifacts (iPXE, kernel, initrd)...");
+
+    // iPXE UEFI binary
+    const ipxeSrc = "/usr/share/ipxe/ipxe-snponly-x86_64.efi";
+    const ipxeDest = join(config.tftpDir, "ipxe.efi");
+    if (!existsSync(ipxeSrc)) {
+      throw new Error(`iPXE not found: ${ipxeSrc}. Install: sudo dnf install ipxe-bootimgs-x86`);
+    }
+    copyFileSync(ipxeSrc, ipxeDest);
+
+    // Fedora kernel + initrd (cached across runs)
+    const cacheDir = "/var/lib/libvirt/images/lab-pxe-cache";
+    execSync(`mkdir -p "${cacheDir}"`, { stdio: "pipe" });
+
+    const kernel = join(cacheDir, `vmlinuz-${config.fedoraVersion}`);
+    const initrd = join(cacheDir, `initrd-${config.fedoraVersion}.img`);
+
+    if (!existsSync(kernel)) {
+      log(`Downloading Fedora ${config.fedoraVersion} kernel...`);
+      execSync(`curl -# -L -f -o "${kernel}" "${config.fedoraMirror}/images/pxeboot/vmlinuz"`, { stdio: "inherit", timeout: 300_000 });
+    } else {
+      log("Fedora kernel cached");
+    }
+    if (!existsSync(initrd)) {
+      log(`Downloading Fedora ${config.fedoraVersion} initrd...`);
+      execSync(`curl -# -L -f -o "${initrd}" "${config.fedoraMirror}/images/pxeboot/initrd.img"`, { stdio: "inherit", timeout: 300_000 });
+    } else {
+      log("Fedora initrd cached");
+    }
+
+    copyFileSync(kernel, join(config.httpDir, "vmlinuz"));
+    copyFileSync(initrd, join(config.httpDir, "initrd.img"));
+
+    // Symlink iPXE into HTTP dir for UEFI HTTP Boot fallback
+    try { symlinkSync(ipxeDest, join(config.httpDir, "ipxe.efi")); } catch { /* exists */ }
+
+    // Generate boot scripts
+    const discoverKs = generateDiscoverKickstart(config);
+    writeFileSync(join(config.httpDir, "discover.ks"), discoverKs);
+    const bootIpxe = renderBootIpxe({ serverIp: config.serverIp, httpPort: config.httpPort });
+    writeFileSync(join(config.httpDir, "boot.ipxe"), bootIpxe);
+
+    // Generate dnsmasq config
+    generateDnsmasqConf(config);
+
+    // Start HTTP server
+    const { app, state } = createApp(config);
+    bastionApp = app;
+    await app.listen({ port: config.httpPort, host: "0.0.0.0" });
+    log(`Bastion HTTP server listening on :${HTTP_PORT}`);
+
+    // Start dnsmasq (fire-and-forget — it runs until killed)
+    // May fail without root (DHCP socket needs CAP_NET_BIND_SERVICE); libvirt network provides DHCP fallback
+    log("Starting dnsmasq (proxy DHCP mode)...");
+    startDnsmasq(config).catch((err) => {
+      log(`dnsmasq failed (expected without root): ${err instanceof Error ? err.message : String(err)}`);
+    });
+    // Give dnsmasq a moment to bind ports
+    await sleep(1000);
+
+    // 4. Create blank PXE-bootable VM
+    log("Creating PXE VM (blank disk, UEFI boot)...");
+    createPxeVm({
+      name: VM_NAME,
+      memory: VM_MEMORY,
+      vcpus: VM_VCPUS,
+      diskSize: VM_DISK_GB,
+      network: PXE_NETWORK_NAME,
+    });
+
+    // Get the VM's MAC address (assigned by libvirt)
+    const mac = getVmMac(VM_NAME);
+    if (!mac) throw new Error("Could not determine VM MAC address");
+    vmMac = mac;
+    log(`VM MAC: ${vmMac}`);
+
+    // 5. Wait for discovery — the VM PXE boots and calls /api/discover
+    log("Waiting for VM to PXE boot and discover...");
+    type MachinesResponse = { discovered: Record<string, unknown> };
+    await pollApi<MachinesResponse>(
+      `http://${BASTION_IP}:${HTTP_PORT}/api/machines`,
+      (data) => vmMac in data.discovered,
+      DISCOVERY_TIMEOUT_MS,
+    );
+    log("VM discovered!");
+
+    // 6. Queue the machine for install
+    log("Queueing machine for install...");
+    const installRes = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/install`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        mac: vmMac,
+        hostname: VM_NAME,
+        disk: "",  // auto-detect
+        role: "vanilla",  // fastest — skip k3s
+      }),
+    });
+    const installResult = await installRes.json();
+    log(`Install queued: ${JSON.stringify(installResult)}`);
+
+    // 7. After discovery, the VM reboots (discovery kickstart does 'poweroff').
+    //    Wait a bit and then start it again for the install boot.
+    log("Waiting for discovery reboot cycle...");
+    await sleep(15_000);
+
+    // Force restart the VM (it should have shut down after discovery)
+    rebootPxeVm(VM_NAME);
+
+    // 8. Wait for install to complete
+    log("Waiting for install to complete (this takes 10-20 minutes)...");
+    type LogsResponse = { status: string; progress: string; ip?: string };
+    const finalState = await pollApi<LogsResponse>(
+      `http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`,
+      (data) => data.status === "installed" || data.progress === "error",
+      INSTALL_TIMEOUT_MS,
+      10_000,
+    );
+
+    if (finalState.progress === "error") {
+      // Grab logs for diagnostics
+      const logsRes = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`);
+      const logs = await logsRes.json();
+      log(`INSTALL FAILED. Last state: ${JSON.stringify(logs, null, 2)}`);
+      throw new Error("Install failed — check logs above");
+    }
+
+    vmIp = finalState.ip ?? "";
+    log(`Install complete! VM IP: ${vmIp}`);
+
+    // 9. Reboot VM — it network-boots again, bastion /dispatch returns
+    // "exit" (already installed), iPXE falls through to local disk boot.
+    log("Rebooting VM (network-first → bastion dispatch → local disk)...");
+    await sleep(15_000);
+    rebootPxeVm(VM_NAME);
+    // Libvirt recreates nftables reject rules on VM restart — wait for them then delete
+    await sleep(3_000);
+    deleteNftablesRejectRules();
+
+    // 10. Wait for SSH (with aggressive boot screenshots)
+    log("Waiting for SSH access...");
+    const screenshots = startBootScreenshots(VM_NAME);
+    try {
+      await waitForSsh(vmIp, SSH_USER, SSH_TIMEOUT_MS, sshKeyPath);
+    } catch {
+      // SSH failed — read serial console (lab-boot-diag.service dumps diagnostics there)
+      log("SSH timed out. Reading serial console diagnostics...");
+      try {
+        const serialOut = await readSerialLog(4555, { lastLines: 80, timeoutMs: 15_000 });
+        log(`Serial console:\n${serialOut}`);
+      } catch (serialErr) {
+        log(`Serial console failed: ${serialErr instanceof Error ? serialErr.message : String(serialErr)}`);
+      }
+      throw new Error(`SSH not available on ${vmIp} — check serial console diagnostics above. Screenshots: ${SCREENSHOT_DIR}/`);
+    } finally {
+      screenshots.stop();
+    }
+
+    log("PXE provision test setup complete.");
+  }, DISCOVERY_TIMEOUT_MS + INSTALL_TIMEOUT_MS + SSH_TIMEOUT_MS + 120_000); // total timeout
+
+  afterAll(async () => {
+    log("Cleaning up...");
+
+    // Stop bastion
+    if (bastionApp) {
+      await bastionApp.close().catch(() => {});
+    }
+
+    // Stop dnsmasq
+    const { stopDnsmasq } = await import("../../src/bastion/src/services/dnsmasq.js");
+    stopDnsmasq();
+
+    destroyPxeVm(VM_NAME);
+    destroyPxeNetwork();
+
+    // Clean up test dir
+    if (testDir) {
+      rmSync(testDir, { recursive: true, force: true });
+    }
+  });
+
+  it("machine was discovered with hardware info", async () => {
+    const res = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/machines`);
+    const data = (await res.json()) as { discovered: Record<string, { cpu_cores: number; memory_gb: number }> };
+    // After install, machine moves from discovered to installed — check installed
+    const machines = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/machines`);
+    const all = (await machines.json()) as { installed: Record<string, { hostname: string }> };
+    expect(all.installed[vmMac]).toBeDefined();
+    expect(all.installed[vmMac].hostname).toBe(VM_NAME);
+  });
+
+  it("machine is in installed state with IP", async () => {
+    const res = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/machines`);
+    const data = (await res.json()) as { installed: Record<string, { ip: string; role: string }> };
+    const machine = data.installed[vmMac];
+    expect(machine).toBeDefined();
+    expect(machine.ip).toMatch(/^\d+\.\d+\.\d+\.\d+$/);
+    expect(machine.role).toBe("vanilla");
+  });
+
+  it("progress stages were recorded", async () => {
+    const res = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`);
+    const data = (await res.json()) as { status: string; progress: string };
+    expect(data.status).toBe("installed");
+    expect(data.progress).toBe("complete");
+  });
+
+  it.skip("log lines were captured", async () => {
+    // Requires log streamer in %post — skipped until re-added
+    const res = await fetch(`http://${BASTION_IP}:${HTTP_PORT}/api/logs/${encodeURIComponent(vmMac)}`);
+    const data = (await res.json()) as { log_total?: number; log_lines?: Array<{ line: string }> };
+    expect(data.log_total).toBeGreaterThan(0);
+  });
+
+  it("SSH works with admin user", () => {
+    const result = sshExec(vmIp, SSH_USER, "whoami", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe(SSH_USER);
+  });
+
+  it("admin user has sudo access", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo whoami", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe("root");
+  });
+
+  it("hostname is set correctly", () => {
+    const result = sshExec(vmIp, SSH_USER, "hostname -f", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toContain(VM_NAME);
+  });
+
+  it("provisioning metadata file exists", () => {
+    const result = sshExec(vmIp, SSH_USER, "cat /etc/lab-provisioned", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain(`hostname: ${VM_NAME}`);
+    expect(result.stdout).toContain("role: vanilla");
+    expect(result.stdout).toContain(`bastion: ${BASTION_IP}`);
+  });
+
+  it("SSH root login is key-only", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo grep '^PermitRootLogin' /etc/ssh/sshd_config", { keyPath: sshKeyPath });
+    expect(result.stdout).toContain("prohibit-password");
+  });
+
+  it("password auth is disabled", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo grep '^PasswordAuthentication' /etc/ssh/sshd_config", { keyPath: sshKeyPath });
+    expect(result.stdout).toContain("no");
+  });
+
+  it("EFI boot order keeps network first (bastion controls boot)", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo efibootmgr", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    // The first entry in BootOrder should be a network/PXE/HTTP boot entry
+    const orderMatch = result.stdout.match(/BootOrder:\s*([0-9A-Fa-f]+)/);
+    expect(orderMatch).toBeTruthy();
+    const firstEntry = orderMatch![1];
+    // Find what that entry maps to — should be network-related
+    const entryLine = result.stdout.match(new RegExp(`Boot${firstEntry}\\*?\\s+(.+)`));
+    expect(entryLine).toBeTruthy();
+    const entryName = entryLine![1].toLowerCase();
+    expect(entryName).toMatch(/network|pxe|ipv4|ipv6|http|uefi.*nic/i);
+  });
+
+  it("tmpfs mount for /tmp is configured", () => {
+    const result = sshExec(vmIp, SSH_USER, "grep tmpfs /etc/fstab", { keyPath: sshKeyPath });
+    expect(result.stdout).toContain("tmpfs /tmp");
+  });
+
+  it("LVM volume group exists", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo vgs labvg", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain("labvg");
+  });
+
+  it("all expected LVM logical volumes exist", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo lvs labvg --noheadings -o lv_name", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    const lvs = result.stdout.trim().split("\n").map((l: string) => l.trim());
+    for (const expected of ["root", "var", "varlog", "swap", "home", "srv"]) {
+      expect(lvs).toContain(expected);
+    }
+  });
+
+  // --- Post-provision health checks ---
+
+  it("no failed systemd services", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo systemctl --failed --no-legend --no-pager", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    const failed = result.stdout.trim();
+    expect(failed).toBe("");
+  });
+
+  it("root filesystem is mounted read-write", () => {
+    const result = sshExec(vmIp, SSH_USER, "mount | grep ' / '", { keyPath: sshKeyPath });
+    expect(result.stdout).toContain("rw,");
+    expect(result.stdout).not.toContain("(ro,");
+  });
+
+  it("/boot/efi is mounted", () => {
+    const result = sshExec(vmIp, SSH_USER, "mount | grep /boot/efi", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).toContain("vfat");
+  });
+
+  it("kernel modules are loaded (depmod correct)", () => {
+    const result = sshExec(vmIp, SSH_USER, "lsmod | wc -l", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    // Should have a reasonable number of modules loaded
+    expect(Number(result.stdout.trim())).toBeGreaterThan(10);
+  });
+
+  it("SELinux is enforcing", () => {
+    const result = sshExec(vmIp, SSH_USER, "getenforce", { keyPath: sshKeyPath });
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout.trim()).toBe("Enforcing");
+  });
+
+  it("SELinux context on /etc/fstab is correct", () => {
+    const result = sshExec(vmIp, SSH_USER, "ls -Z /etc/fstab", { keyPath: sshKeyPath });
+    expect(result.stdout).toContain("etc_t");
+  });
+
+  it("sshd is running", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo systemctl is-active sshd", { keyPath: sshKeyPath });
+    expect(result.stdout.trim()).toBe("active");
+  });
+
+  it("chronyd is running for time sync", () => {
+    const result = sshExec(vmIp, SSH_USER, "sudo systemctl is-active chronyd", { keyPath: sshKeyPath });
+    expect(result.stdout.trim()).toBe("active");
+  });
+});
diff --git a/bastion/tests/integration/run-pxe-test.sh b/bastion/tests/integration/run-pxe-test.sh
new file mode 100755
index 0000000..aca3281
--- /dev/null
+++ b/bastion/tests/integration/run-pxe-test.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# One-shot PXE integration test runner.
+# Compiles, runs unit tests, cleans up, and runs the full integration test.
+set -e
+
+cd "$(dirname "$0")/../.."
+
+echo "=== Step 1: Compile ==="
+npx tsc --noEmit
+echo "✓ Compile OK"
+
+echo ""
+echo "=== Step 2: Kickstart unit tests ==="
+npx vitest run src/bastion/tests/kickstart.test.ts 2>&1 | tail -5
+echo "✓ Unit tests OK"
+
+echo ""
+echo "=== Step 3: Clean up ==="
+sudo lsof -ti:8099 2>/dev/null | xargs -r sudo kill -9 || true
+sudo virsh destroy lab-pxe-test 2>/dev/null || true
+sudo virsh undefine lab-pxe-test --nvram 2>/dev/null || true
+sudo rm -f /var/lib/libvirt/images/lab-pxe-test.qcow2
+echo "✓ Cleanup done"
+
+echo ""
+echo "=== Step 4: Integration test ==="
+npx vitest run -c /dev/null tests/integration/pxe-provision.test.ts 2>&1
diff --git a/bastion/tests/integration/vitest.config.ts b/bastion/tests/integration/vitest.config.ts
new file mode 100644
index 0000000..4183c9a
--- /dev/null
+++ b/bastion/tests/integration/vitest.config.ts
@@ -0,0 +1,17 @@
+// Vitest config for integration tests — long timeouts, verbose output.
+
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    include: ["tests/integration/**/*.test.ts"],
+    testTimeout: 600_000,     // 10 minutes per test
+    hookTimeout: 600_000,     // 10 minutes for beforeAll/afterAll
+    globals: true,
+    reporters: ["verbose"],   // Show each test name and timing
+    pool: "forks",            // Use forks for isolation (VMs need system resources)
+    poolOptions: {
+      forks: { singleFork: true }, // Run tests sequentially (one VM at a time)
+    },
+  },
+});
diff --git a/bastion/tsconfig.base.json b/bastion/tsconfig.base.json
new file mode 100644
index 0000000..f535eb1
--- /dev/null
+++ b/bastion/tsconfig.base.json
@@ -0,0 +1,25 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022"],
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "composite": true,
+    "incremental": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "exactOptionalPropertyTypes": true,
+    "noUncheckedIndexedAccess": true,
+    "isolatedModules": true,
+    "resolveJsonModule": true
+  }
+}
diff --git a/bastion/tsconfig.json b/bastion/tsconfig.json
new file mode 100644
index 0000000..f2fd59f
--- /dev/null
+++ b/bastion/tsconfig.json
@@ -0,0 +1,10 @@
+{
+  "files": [],
+  "references": [
+    { "path": "src/shared" },
+    { "path": "src/bastion" },
+    { "path": "src/cli" },
+    { "path": "src/labd" },
+    { "path": "src/modules" }
+  ]
+}
diff --git a/bastion/vitest.config.ts b/bastion/vitest.config.ts
new file mode 100644
index 0000000..b50858c
--- /dev/null
+++ b/bastion/vitest.config.ts
@@ -0,0 +1,15 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'json', 'html'],
+      exclude: ['**/node_modules/**', '**/dist/**', '**/*.config.*'],
+    },
+    include: ['src/*/tests/**/*.test.ts', 'src/**/tests/**/*.test.ts'],
+    exclude: ['**/node_modules/**'],
+    testTimeout: 10000,
+  },
+});
diff --git a/bastion/vitest.integration.config.ts b/bastion/vitest.integration.config.ts
new file mode 100644
index 0000000..8b5cb24
--- /dev/null
+++ b/bastion/vitest.integration.config.ts
@@ -0,0 +1,9 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    include: ['tests/integration/**/*.test.ts'],
+    testTimeout: 600000,
+  },
+});
diff --git a/test-reprovision.sh b/test-reprovision.sh
new file mode 100755
index 0000000..7469893
--- /dev/null
+++ b/test-reprovision.sh
@@ -0,0 +1,279 @@
+#!/usr/bin/env bash
+# ─────────────────────────────────────────────────────────────
+# Test: reprovision preserves /home, /srv, /var/lib/longhorn
+#
+# Usage:  sudo bash test-reprovision.sh
+#         sudo bash test-reprovision.sh --skip-first-install  # if disk already has a first install
+#         sudo bash test-reprovision.sh --cleanup              # just remove the VM and disk
+# ─────────────────────────────────────────────────────────────
+set -euo pipefail
+
+VM_NAME="test-bastion-ks"
+DISK_PATH="/var/lib/libvirt/images/test-reprovision.qcow2"
+DISK_SIZE=20  # GB
+KS_PATH="/tmp/test-vm.ks"
+FEDORA_MIRROR="https://download.fedoraproject.org/pub/fedora/linux/releases/43/Everything/x86_64/os/"
+OVMF_CODE="/usr/share/edk2/ovmf/OVMF_CODE.fd"
+OVMF_VARS="/usr/share/OVMF/OVMF_VARS.fd"
+
+RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
+CYAN='\033[0;36m'; BOLD='\033[1m'; NC='\033[0m'
+
+log()  { echo -e "${GREEN}[test]${NC} $*"; }
+err()  { echo -e "${RED}[test]${NC} $*" >&2; }
+step() { echo -e "\n${CYAN}${BOLD}══ $* ══${NC}\n"; }
+
+cleanup_vm() {
+    virsh destroy "$VM_NAME" 2>/dev/null || true
+    virsh undefine "$VM_NAME" --nvram 2>/dev/null || true
+}
+
+cleanup_all() {
+    cleanup_vm
+    rm -f "$DISK_PATH"
+    log "Cleaned up VM and disk"
+}
+
+# ── Handle args ──
+SKIP_FIRST=false
+for arg in "$@"; do
+    case "$arg" in
+        --skip-first-install) SKIP_FIRST=true ;;
+        --cleanup) cleanup_all; exit 0 ;;
+    esac
+done
+
+[[ $EUID -eq 0 ]] || { err "Must run as root"; exit 1; }
+
+# ── Generate kickstart ──
+generate_kickstart() {
+    cat > "$KS_PATH" << 'KSEOF'
+text
+reboot
+lang en_GB.UTF-8
+keyboard uk
+timezone Europe/London --utc
+network --bootproto=dhcp --activate --hostname=test-vm.ad.itaz.eu
+rootpw --plaintext testpass
+user --name=michal --groups=wheel
+bootloader --append="console=ttyS0,115200n8"
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
+%include /tmp/part.ks
+
+%pre --log=/tmp/pre-partition.log
+#!/bin/bash
+set -x
+VG="labvg"
+DISK="vda"
+
+REPROVISION=no
+if vgs $VG &>/dev/null; then
+    echo "=== REPROVISION MODE ==="
+    REPROVISION=yes
+    PRESERVE_LONGHORN=no; PRESERVE_SRV=no; PRESERVE_HOME=no
+    lvs $VG/longhorn &>/dev/null && PRESERVE_LONGHORN=yes
+    lvs $VG/srv      &>/dev/null && PRESERVE_SRV=yes
+    lvs $VG/home     &>/dev/null && PRESERVE_HOME=yes
+    echo "Preserving: longhorn=$PRESERVE_LONGHORN srv=$PRESERVE_SRV home=$PRESERVE_HOME"
+    for lv in root var varlog swap; do
+        lvremove -f $VG/$lv 2>/dev/null || true
+    done
+fi
+
+if [ "$REPROVISION" = "yes" ]; then
+    EFI_PART=$(blkid -t TYPE=vfat -o device /dev/${DISK}* 2>/dev/null | head -1)
+    BOOT_PART=$(blkid -t TYPE=ext4 -o device /dev/${DISK}* 2>/dev/null | head -1)
+    EFI_PART=${EFI_PART:-/dev/${DISK}1}
+    BOOT_PART=${BOOT_PART:-/dev/${DISK}2}
+    echo "Reusing EFI=$EFI_PART BOOT=$BOOT_PART"
+
+    cat > /tmp/part.ks << PARTEOF
+ignoredisk --only-use=$DISK
+clearpart --none
+part /boot/efi --onpart=$EFI_PART --fstype=efi
+part /boot --onpart=$BOOT_PART --fstype=ext4
+volgroup labvg --useexisting --noformat
+logvol swap --vgname=labvg --name=swap --fstype=swap --size=1024
+logvol / --vgname=labvg --name=root --fstype=xfs --size=4096
+logvol /var --vgname=labvg --name=var --fstype=xfs --size=3072
+logvol /var/log --vgname=labvg --name=varlog --fstype=xfs --size=1024
+PARTEOF
+    if [ "$PRESERVE_HOME" = "yes" ]; then
+        echo "logvol /home --vgname=labvg --name=home --useexisting --noformat" >> /tmp/part.ks
+    else
+        echo "logvol /home --vgname=labvg --name=home --fstype=xfs --size=1024" >> /tmp/part.ks
+    fi
+    if [ "$PRESERVE_SRV" = "yes" ]; then
+        echo "logvol /srv --vgname=labvg --name=srv --useexisting --noformat" >> /tmp/part.ks
+    else
+        echo "logvol /srv --vgname=labvg --name=srv --fstype=xfs --size=1024" >> /tmp/part.ks
+    fi
+    if [ "$PRESERVE_LONGHORN" = "yes" ]; then
+        echo "logvol /var/lib/longhorn --vgname=labvg --name=longhorn --useexisting --noformat" >> /tmp/part.ks
+    fi
+else
+    cat > /tmp/part.ks << PARTEOF
+ignoredisk --only-use=$DISK
+clearpart --all --initlabel --drives=$DISK
+part /boot/efi --fstype=efi --size=600 --ondisk=$DISK
+part /boot --fstype=ext4 --size=1024 --ondisk=$DISK
+part pv.01 --size=1 --grow --ondisk=$DISK
+volgroup labvg pv.01
+logvol swap --vgname=labvg --name=swap --fstype=swap --size=1024
+logvol / --vgname=labvg --name=root --fstype=xfs --size=4096
+logvol /var --vgname=labvg --name=var --fstype=xfs --size=3072
+logvol /var/log --vgname=labvg --name=varlog --fstype=xfs --size=1024
+logvol /home --vgname=labvg --name=home --fstype=xfs --size=1024
+logvol /srv --vgname=labvg --name=srv --fstype=xfs --size=1024
+logvol /var/lib/longhorn --vgname=labvg --name=longhorn --fstype=xfs --grow --size=1
+PARTEOF
+fi
+
+echo "=== Generated partition config ==="
+cat /tmp/part.ks
+%end
+
+%packages
+@core
+openssh-server
+%end
+
+%post
+echo "Installed $(date -Iseconds)" > /etc/lab-provisioned
+echo "testpass" | passwd --stdin michal
+%end
+KSEOF
+}
+
+# ── Install helper ──
+run_install() {
+    local label="$1"
+    local disk_args="$2"
+
+    log "Running virt-install ($label)..."
+    virt-install \
+        --name "$VM_NAME" \
+        --ram 4096 \
+        --vcpus 2 \
+        --disk "$disk_args" \
+        --os-variant fedora-unknown \
+        --network network=default \
+        --location "$FEDORA_MIRROR" \
+        --initrd-inject "$KS_PATH" \
+        --extra-args "inst.ks=file:///test-vm.ks console=ttyS0,115200n8 inst.text" \
+        --boot loader="$OVMF_CODE",loader.readonly=yes,loader.type=pflash,nvram.template="$OVMF_VARS" \
+        --noautoconsole \
+        --wait -1
+
+    log "virt-install exited — install complete"
+    virsh destroy "$VM_NAME" 2>/dev/null || true
+}
+
+# ── Main test flow ──
+
+generate_kickstart
+log "Kickstart generated at $KS_PATH"
+
+PASS=0
+FAIL=0
+
+if ! $SKIP_FIRST; then
+    # ── Step 1: Fresh install ──
+    step "Step 1/4: Fresh install"
+    cleanup_all
+    run_install "fresh" "path=$DISK_PATH,size=$DISK_SIZE,bus=virtio"
+
+    # Verify fresh install
+    log "Verifying fresh install..."
+    FILESYSTEMS=$(guestfish --ro -a "$DISK_PATH" -i list-filesystems 2>/dev/null)
+    for lv in root var varlog home srv longhorn swap; do
+        if echo "$FILESYSTEMS" | grep -q "labvg/$lv"; then
+            log "  ✔ labvg/$lv exists"
+            ((PASS++))
+        else
+            err "  ✘ labvg/$lv MISSING"
+            ((FAIL++))
+        fi
+    done
+else
+    step "Skipping first install (--skip-first-install)"
+    [[ -f "$DISK_PATH" ]] || { err "Disk not found at $DISK_PATH"; exit 1; }
+fi
+
+# ── Step 2: Write marker files ──
+step "Step 2/4: Writing marker files to preserved partitions"
+guestfish -a "$DISK_PATH" -i << 'GF'
+write /home/michal/PRESERVE_TEST.txt "MARKER: home partition preserved\n"
+write /srv/PRESERVE_TEST.txt "MARKER: srv partition preserved\n"
+write /var/lib/longhorn/PRESERVE_TEST.txt "MARKER: longhorn partition preserved\n"
+write /var/SHOULD_BE_WIPED.txt "This file should NOT survive reprovision\n"
+GF
+log "Marker files written:"
+log "  /home/michal/PRESERVE_TEST.txt"
+log "  /srv/PRESERVE_TEST.txt"
+log "  /var/lib/longhorn/PRESERVE_TEST.txt"
+log "  /var/SHOULD_BE_WIPED.txt (should be wiped)"
+
+# ── Step 3: Reprovision ──
+step "Step 3/4: Reprovisioning (reinstall on same disk)"
+cleanup_vm
+run_install "reprovision" "path=$DISK_PATH,bus=virtio"
+
+# ── Step 4: Verify ──
+step "Step 4/4: Verifying preservation"
+
+check_file() {
+    local path="$1" expect="$2" label="$3"
+    local content
+    content=$(guestfish --ro -a "$DISK_PATH" -i cat "$path" 2>/dev/null) || content=""
+
+    if [[ "$expect" == "exists" ]]; then
+        if [[ -n "$content" && "$content" == *"MARKER"* ]]; then
+            log "  ✔ $label — PRESERVED: $(echo "$content" | head -1)"
+            ((PASS++))
+        else
+            err "  ✘ $label — LOST (file missing or empty)"
+            ((FAIL++))
+        fi
+    elif [[ "$expect" == "gone" ]]; then
+        if [[ -z "$content" ]]; then
+            log "  ✔ $label — correctly wiped"
+            ((PASS++))
+        else
+            err "  ✘ $label — should have been wiped but still exists"
+            ((FAIL++))
+        fi
+    fi
+}
+
+check_file "/home/michal/PRESERVE_TEST.txt" "exists" "/home (preserved)"
+check_file "/srv/PRESERVE_TEST.txt" "exists" "/srv (preserved)"
+check_file "/var/lib/longhorn/PRESERVE_TEST.txt" "exists" "/var/lib/longhorn (preserved)"
+check_file "/var/SHOULD_BE_WIPED.txt" "gone" "/var (wiped)"
+
+# Also verify OS was actually reinstalled
+PROV_DATE=$(guestfish --ro -a "$DISK_PATH" -i cat /etc/lab-provisioned 2>/dev/null || echo "")
+if [[ -n "$PROV_DATE" ]]; then
+    log "  ✔ OS reinstalled: $PROV_DATE"
+    ((PASS++))
+else
+    err "  ✘ /etc/lab-provisioned missing — OS not installed?"
+    ((FAIL++))
+fi
+
+# ── Summary ──
+echo ""
+echo -e "${BOLD}════════════════════════════════════════${NC}"
+if [[ $FAIL -eq 0 ]]; then
+    echo -e "${GREEN}${BOLD}  ALL TESTS PASSED ($PASS/$((PASS+FAIL)))${NC}"
+else
+    echo -e "${RED}${BOLD}  $FAIL TESTS FAILED ($PASS passed, $FAIL failed)${NC}"
+fi
+echo -e "${BOLD}════════════════════════════════════════${NC}"
+echo ""
+
+# ── Cleanup ──
+log "Cleaning up VM (disk preserved at $DISK_PATH)"
+cleanup_vm
+
+exit $FAIL