Commit 9566049

Nebius cxcli 326 (#96)
* new changes * Prepare release nebius-cxcli-v0.1.6
1 parent 07e1ed8 commit 9566049

9 files changed

+222
-36
lines changed

services/nebius-cxcli/CHANGELOG.md

Lines changed: 7 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -6,6 +6,13 @@ All notable changes to this project are tracked here. This changelog follows
66

77
## [Unreleased]
88

9+
## [nebius-cxcli-v0.1.6] - 2026-03-23
10+
11+
- Simplified `bootstrap-ci` so reruns automatically reconcile the CLI-managed customer workflow to the latest generated contract; `--auth-bootstrap` remains enabled by default and workflow-only runs are now the explicit opt-out via `--no-auth-bootstrap`.
12+
- Added regression coverage that `bootstrap-ci --help` and the command surface keep `--auth-bootstrap` enabled by default.
13+
- Fixed customer-side Terraform plan/apply flows for private repos by persisting rendered tfvars in the generated manifest and recreating ignored `generated/infra/terraform.auto.tfvars.json` from that manifest before Terraform runs, both in CLI-generated bundle commands and generated customer workflows.
14+
- Clarified and tested that `deploy <generated-dir>` remains a local/customer-side bundle operation only and does not auto-run `bootstrap-ci` or mutate GitHub CI workflow/environment state.
15+
916
## [nebius-cxcli-v0.1.5] - 2026-03-22
1017

1118
- Added PR-side coverage for `bootstrap-ci` workflow generation across both development (`main`) and stable tagged (`nebius-cxcli-v<version>`) default CLI refs.
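
Review bot: The 0.1.6 entry does not mention that `--force` is gone from `bootstrap-ci`, although the README flag list and the design.md idempotency bullet in this same commit both drop it. Add a bullet under the release heading stating that `--force` was removed from `bootstrap-ci` and whether passing it now fails or is ignored, so anyone with the flag in a script sees the change before upgrading.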

services/nebius-cxcli/README.md

Lines changed: 10 additions & 2 deletions
@@ -45,6 +45,7 @@ The current implementation is provider-driven and source-configured for Nebius e
4545
- `render` writes deterministic Terraform, Flux, inventory, and `generated/nebius-cxcli-manifest.json`.
4646
- `render` resets the generated bundle by recreating managed files from a clean layout, while preserving bootstrap-owned `generated/flux/flux-system` so rerendering does not tear down an existing Flux GitOps bootstrap.
4747
- `render` warns before overwriting existing generated artifacts, so rerendering is an explicit reset back to the original `config.yaml` contract.
48+
- Customer-side generated-bundle commands recreate ignored `generated/infra/terraform.auto.tfvars.json` from the committed manifest before Terraform runs, so deployable repos do not need to version that sensitive duplicate file.
4849
- `deploy`, `terraform plan/apply/unlock`, `flux apply/bootstrap`, `inventory write`, and `email` all operate on an existing generated bundle instead of reading `config.yaml`.
4950
- `terraform apply`, `flux apply`, and `deploy` are designed for sequential idempotent reruns against the same generated bundle.
5051
- `bootstrap-ci` generates CI workflow and can bootstrap/sync CI environment secrets.
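
Review bot: The line added at 48 calls `generated/infra/terraform.auto.tfvars.json` a sensitive duplicate that repos need not version, yet says it is rebuilt from the committed manifest, which means the same values now live in git inside `generated/nebius-cxcli-manifest.json`. State that here so readers treat the manifest with the same care as the tfvars file, and say which rendered values are persisted in it and whether any are excluded.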
@@ -523,6 +524,7 @@ nebius-cxcli flux bootstrap /path/to/generated
523524
- Uses the generated bundle as the deploy contract; it does not need the original render machine's local module paths.
524525
- `deploy <generated-dir>`
525526
- Full local deploy from the generated bundle: Terraform apply first, then inventory refresh for both infra and apps artifacts, then Flux apply. If GitOps bootstrap is not configured yet, the CLI warns and prints the follow-up `flux bootstrap` command.
527+
- `deploy` does not run `bootstrap-ci` automatically, even when the bundle lives inside a git repository. GitHub workflow/environment bootstrap stays an explicit generator-side step.
526528
- `terraform apply <generated-dir>`
527529
- Infra-only apply from the generated Terraform bundle. Safe to rerun sequentially for convergence, and does not depend on resolving the original source catalog's module paths.
528530
- `flux apply <generated-dir>`
@@ -547,9 +549,12 @@ nebius-cxcli auth --instance-config /path/to/config.yaml --validate-profile
547549
- Scaffolds or reconciles the instance `config.yaml` and generated-folder skeleton.
548550
- `bootstrap-ci <config.yaml>`
549551
- Generates the customer GitHub Actions workflow and can optionally bootstrap/sync CI auth secrets. The generated workflow watches and deploys only `generated/**`.
552+
- The workflow file is CLI-managed. Re-running `bootstrap-ci` automatically reconciles `.github/workflows/nebius-deployments.yml` to the latest generated contract and is idempotent when no drift exists.
550553
- Generated workflows validate changed bundles with `nebius-cxcli validate-generated --portable` before Terraform plan/apply.
554+
- Generated workflows restore ignored `generated/infra/terraform.auto.tfvars.json` from `generated/nebius-cxcli-manifest.json` before Terraform plan/apply.
551555
- Generated workflows also keep the Python version in one env var and emit compact single-line discovery JSON into `GITHUB_OUTPUT` so matrix handoff stays deterministic.
552556
- The target `config.yaml` must already live inside the customer git repository because the workflow is written at that repo root under `.github/workflows/`.
557+
- `--auth-bootstrap` is already enabled by default. Re-running `bootstrap-ci` normally reconciles both the managed workflow and the GitHub Environment/Secrets contract; use `--no-auth-bootstrap` only when you intentionally want workflow-only reconciliation without touching GitHub secrets.
553558
- With default `--auth-bootstrap`, the command auto-detects the target GitHub repo from that checkout's `origin` remote. Use `--github-repo <owner/repo>` only as an explicit override when the remote is missing, non-GitHub, or not the repo you want to manage.
554559
- When `--cli-ref` is omitted, generated workflows default to `main` for development builds and to `nebius-cxcli-v<version>` for stable tagged releases.
555560
- Use `--cli-ref <branch|tag|sha>` when the workflow should install a specific nebius-cxcli ref for PR or branch validation instead of the default release tag or `main`.
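
Review bot: The line added at 552 says a rerun reconciles `.github/workflows/nebius-deployments.yml` automatically but does not say what happens to edits made by hand in that file, and with `--force` dropped from the `bootstrap-ci` flags in this commit there is no documented confirmation step left. Say explicitly that local changes are replaced, and whether the command reports the drift it corrected. The line added at 557 also opens with "is already enabled by default", which reads like a changelog remark; "is enabled by default" is enough. It would help to say there whether reconciling the Secrets contract rewrites existing secrets or only fills in missing ones, since design.md describes the step as checking and syncing missing environment secrets.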
@@ -573,7 +578,7 @@ Common command flags:
573578
- `create`:
574579
`--client-name`, `--tenant-id`, `--project-id`, `--region-id`, `--email`, `--infra`, `--app`, `--app-namespace`, `--app-releasename`, `--validate-sources/--no-validate-sources`, `--no-interactive`, `--force`
575580
- `bootstrap-ci`:
576-
`--force`, `--auth-bootstrap/--no-auth-bootstrap`, `--github-repo`, `--github-token-env`, `--cli-ref`
581+
`--auth-bootstrap/--no-auth-bootstrap`, `--github-repo`, `--github-token-env`, `--cli-ref`
577582
- `validate`: `--strict`, `--render-profile`
578583
- `validate-generated`: `--auto-auth-bootstrap/--no-auto-auth-bootstrap`, `--portable`
579584
- `render`: `--force`, `--render-profile`
@@ -617,7 +622,9 @@ Terraform runtime auth behavior:
617622
- GitHub environment name is `<client_name>-<project_id>`.
618623
- Requires existing local runtime auth profile (create first if missing).
619624

620-
`bootstrap-ci <config.yaml>` remains the full CI workflow bootstrap command and can still perform complete CI auth bootstrap/sync for that config. The generated customer workflow is artifact-driven: it watches and deploys only `generated/**`. The command requires the target config to be inside the customer git repository, auto-detects the GitHub repo from that checkout when `--auth-bootstrap` is enabled, and uses `--github-repo` only as an explicit override.
625+
`bootstrap-ci <config.yaml>` remains the full CI workflow bootstrap command and can still perform complete CI auth bootstrap/sync for that config. The generated customer workflow is artifact-driven: it watches and deploys only `generated/**`. Re-running the command automatically reconciles the CLI-managed workflow file to the latest template. The command requires the target config to be inside the customer git repository, auto-detects the GitHub repo from that checkout when `--auth-bootstrap` is enabled by default, and uses `--github-repo` only as an explicit override.
626+
627+
`deploy <generated-dir>` is intentionally separate from `bootstrap-ci <config.yaml>`. Local/customer-side deploy commands operate only on the committed generated bundle and runtime auth material; they do not create or update GitHub workflows, GitHub environments, or CI secrets automatically.
621628

622629
Generated workflow CLI ref:
623630

@@ -749,5 +756,6 @@ Runtime plugin env knobs:
749756
- `generated/` is the deploy contract and should also be versioned, except for ignored runtime/transient files.
750757
- Managed deployments `.gitignore` keeps generated Terraform runtime files and generated tfvars out of git, but does not ignore `config.yaml` or deployable generated manifests.
751758
- Keep `generated/infra/terraform.auto.tfvars.json` ignored even in a private repo: it is a generated, sensitive duplicate of values already present in `config.yaml`.
759+
- Customer-side `validate-generated`, `terraform plan/apply`, and `deploy` recreate `generated/infra/terraform.auto.tfvars.json` from `generated/nebius-cxcli-manifest.json` before Terraform runs.
752760
- GitHub sync requires a token with permission to write GitHub environment secrets.
753761
- Key rotation is explicit with `auth --recreate` and automatic in deploy only when runtime auth bootstrap is needed.
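
Review bot: The line added at 759 says `validate-generated`, `terraform plan/apply` and `deploy` recreate `generated/infra/terraform.auto.tfvars.json`, but nothing in these notes says what happens to the file afterwards. Since line 751 calls it sensitive, document whether it is removed once Terraform finishes or left in the working tree, and mention that `validate-generated` writes it to disk, which a reader would not expect from a validation command.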

services/nebius-cxcli/docs/design.md

Lines changed: 8 additions & 2 deletions
@@ -322,6 +322,7 @@ The command boundary is intentional:
322322
### `bootstrap-ci <config.yaml>`
323323

324324
- Generates `.github/workflows/nebius-deployments.yml`.
325+
- Re-running it automatically reconciles that CLI-managed workflow file to the latest template for the target repo/deployments path.
325326
- Generated customer workflow is artifact-driven: it watches and deploys only `generated/**`.
326327
- `config.yaml` remains in the customer repo as a manual render/reset contract and does not trigger customer CI deployment.
327328
- The target `config.yaml` must already live inside the customer git repository because the workflow is written at that repo root.
@@ -366,6 +367,7 @@ The command boundary is intentional:
366367
- `deploy <generated-dir>`
367368
- Full local deployment from the generated bundle: Terraform first, then inventory refresh for infra and apps artifacts, then Flux direct apply.
368369
- `--auto-auth-bootstrap/--no-auto-auth-bootstrap` controls runtime auth creation (default enabled).
370+
- Does not run `bootstrap-ci` automatically, even when the generated bundle is inside a git repository; GitHub workflow/environment bootstrap stays an explicit generator-side action.
369371
- `terraform apply <generated-dir>`
370372
- Infra-only apply from the generated Terraform bundle.
371373
- `--auto-auth-bootstrap/--no-auto-auth-bootstrap` controls runtime auth creation (default enabled).
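
Review bot: The bullet added at 370 sits directly under `--auto-auth-bootstrap`, whose name is close to the `--auth-bootstrap` flag of `bootstrap-ci`, and it does not separate the two. Add a clause saying `--auto-auth-bootstrap` covers runtime auth creation only and does not write GitHub environment secrets, so the "does not run `bootstrap-ci`" statement is not read as contradicting the default-enabled flag above it.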
@@ -381,7 +383,7 @@ The command boundary is intentional:
381383
- `create <target_path>`
382384
- Scaffolds or reconciles the instance `config.yaml` and generated skeleton.
383385
- `bootstrap-ci <config.yaml>`
384-
- Generates the customer workflow. The generated workflow watches and deploys only `generated/**`.
386+
- Generates or reconciles the customer workflow. The generated workflow watches and deploys only `generated/**`.
385387
- `discover <target_path>`
386388
- Returns deployment-instance discovery payload for CI.
387389
- `terraform plan <generated-dir>`
@@ -404,11 +406,12 @@ The command boundary is intentional:
404406
- `validate`/`render`: deterministic and repeatable.
405407
- `validate-generated`: deterministic for a given generated bundle.
406408
- `deploy`: convergent behavior expected from apply/reconcile against a fixed generated bundle.
407-
- `bootstrap-ci`: idempotent workflow file handling; `--force` only for overwrite.
409+
- `bootstrap-ci`: idempotent reconcile; reruns auto-update the CLI-managed customer workflow and re-check GitHub environment secret presence.
408410
- `auth --create`: idempotent create-if-missing.
409411
- `auth --recreate`: explicit rotation path.
410412
- `auth --validate-profile`: read-only profile validation; safe to re-run.
411413
- `auth --bootstrap-ci`: idempotent environment-secret upsert from local cache.
414+
- `deploy` and other customer-side generated-bundle commands do not mutate GitHub CI state as a side effect.
412415

413416
## 10. Validation Model
414417

@@ -525,13 +528,16 @@ Flux render:
525528
`bootstrap-ci`:
526529

527530
- Generates workflow file.
531+
- Treats `.github/workflows/nebius-deployments.yml` as a CLI-managed file and automatically reconciles it to the latest generated contract on every rerun.
528532
- Requires the target config path to be inside the customer git repository so the workflow can be written at the repo root.
529533
- With auth bootstrap enabled, auto-detects the target GitHub repo from the checkout `origin` remote unless `--github-repo` overrides it.
530534
- Fails before writing the workflow if full GitHub bootstrap prerequisites are missing.
531535
- Derives GitHub environment name as `<client_name>-<project_id>`, ensures that environment exists, then checks/syncs missing environment secrets.
532536
- Generated customer workflows validate with `nebius-cxcli validate-generated --portable` before Terraform plan/apply so non-portable local module paths are rejected in PRs and main-branch deploy runs.
537+
- Generated customer workflows restore ignored `generated/infra/terraform.auto.tfvars.json` from `generated/nebius-cxcli-manifest.json` before Terraform plan/apply.
533538
- Generated customer workflows also keep the Python runtime version in one env var and write compact single-line discovery JSON to `GITHUB_OUTPUT` for stable matrix handoff.
534539
- Does not manage GitHub repo/org variables; `NEBIUS_CXCLI_REF` remains an optional manual override consumed by the generated workflow.
540+
- `generated/infra/terraform.auto.tfvars.json` remains ignored in private deployment repos; customer-side generated-bundle commands recreate it from `generated/nebius-cxcli-manifest.json` before Terraform plan/apply so CI does not depend on a committed tfvars file.
535541

536542
`auth`:
537543
