feat(network): canonical template reconciliation + CIDR-aware inventory (network epic)

[pparage]

What

Backend half of the "drawn networks actually provision" epic — makes the canvas's network definitions authoritative end-to-end. Five commits, all TDD, full overlay+core suites green (the one unrelated test_alembic failure is pre-existing: system alembic on SQLAlchemy 1.x vs project 2.x).

1. d4edbd7 / 673ad00 — reconcile expand_replication to the canonical schema (fix(compose): expand_replication reads network templates from config, but canonical schema defines them node-level #84). Network templates (cidr_template/bridge_template/gateway_template) are now read at node level and rendered with the canonical Jinja {{ bridge_base + team_id }} form (legacy {N+team_id} still accepted). Byte-parity with the deployer-ui TS expander, enforced by the shared vector harness. Fixes a 3-way schema↔impl divergence (location, placeholder syntax, vlan field).
2. b5afd2b — bridge_base null/non-int falls back to 140 (TS parity). Caught by a Sonnet verification pass: Python crashed where TS defaulted. Also adds node-level gateway_template to the schema/Pydantic (it was rendered but would fail strict validation).
3. b779a05 — derive ansible_host from the bound network CIDR (fix(deploy): derive inventory ansible_host from topology instead of hardcoded 192.168.x scheme #73). A host NIC's node_ref resolves to its network's cidr (per-team rendered via the same canonical renderer). Precedence: explicit NIC ip > node_ref CIDR > legacy 192.168.{bridge_base+team} fallback.
4. ca063ab — emit per-host cloud-init net vars + r42_network_map. Backend becomes the single source of resolved network values so the _universal playbook stops recomputing them: each host carries r42_ci_netmask/r42_ci_gateway/r42_net_bridge; all.vars.r42_network_map carries per-network/per-team resolved bridge/cidr/gateway.

Companion PRs / context

• range42-playbooks#90 consumes r42_network_map + the per-host ci vars (slices 4/5). It depends on this PR.
• deployer-ui counterparts (TS expander, schema, vectors) are already on dev per that repo's direct-commit convention.
• Verified by two Sonnet review agents (parity + regressions); both real findings fixed here.

Test

pytest tests/overlay tests/core green (excluding the pre-existing test_alembic env failure). Deployer-ui full unit suite: 539 passed.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ca063abb10

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Allow static network fields in the generated schema

The new inventory path reads cidr, bridge, and gateway on network nodes (and the added tests create those topologies), but this model still has extra="forbid" and only adds gateway_template here. Since validate_project validates base docs with CatalogEntry.model_validate, any catalog that uses a static custom CIDR/gateway is reported invalid before it can be deployed; add the materialized fields to the schema alongside the templates.

Useful? React with 👍 / 👎.

[pparage]

Addressed review in 526a25b: team_count is now a global extravar (the proxmox-cli plays can't see a localhost set_fact), and Node now declares materialized cidr/bridge/gateway so static-CIDR catalogs pass CatalogEntry validation.