create-host: add approle removal and secrets detection

- Remove host entries from terraform/vault/approle.tf on --remove
- Detect and warn about secrets in terraform/vault/secrets.tf
- Include vault kv delete commands in removal instructions
- Update check_entries_exist to return approle status

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/create-host/manipulators.py

@@ -101,7 +101,68 @@ def remove_from_vault_terraform(hostname: str, repo_root: Path) -> bool:
     return True
 
 
-def check_entries_exist(hostname: str, repo_root: Path) -> Tuple[bool, bool, bool]:
+def remove_from_approle_tf(hostname: str, repo_root: Path) -> bool:
+    """
+    Remove host entry from terraform/vault/approle.tf locals.host_policies.
+
+    Args:
+        hostname: Hostname to remove
+        repo_root: Path to repository root
+
+    Returns:
+        True if found and removed, False if not found
+    """
+    approle_path = repo_root / "terraform" / "vault" / "approle.tf"
+
+    if not approle_path.exists():
+        return False
+
+    content = approle_path.read_text()
+
+    # Check if hostname exists in host_policies
+    hostname_pattern = rf'^\s+"{re.escape(hostname)}" = \{{'
+    if not re.search(hostname_pattern, content, re.MULTILINE):
+        return False
+
+    # Match the entire block from "hostname" = { to closing }
+    # The block contains paths = [ ... ] and possibly extra_policies = [...]
+    replace_pattern = rf'\n?\s+"{re.escape(hostname)}" = \{{[^}}]*\}}\n?'
+    new_content, count = re.subn(replace_pattern, "\n", content, flags=re.DOTALL)
+
+    if count == 0:
+        return False
+
+    approle_path.write_text(new_content)
+    return True
+
+
+def find_host_secrets(hostname: str, repo_root: Path) -> list:
+    """
+    Find secrets in terraform/vault/secrets.tf that belong to a host.
+
+    Args:
+        hostname: Hostname to search for
+        repo_root: Path to repository root
+
+    Returns:
+        List of secret paths found (e.g., ["hosts/hostname/test-service"])
+    """
+    secrets_path = repo_root / "terraform" / "vault" / "secrets.tf"
+
+    if not secrets_path.exists():
+        return []
+
+    content = secrets_path.read_text()
+
+    # Find all secret paths matching hosts/{hostname}/
+    pattern = rf'"(hosts/{re.escape(hostname)}/[^"]+)"'
+    matches = re.findall(pattern, content)
+
+    # Return unique paths, preserving order
+    return list(dict.fromkeys(matches))
+
+
+def check_entries_exist(hostname: str, repo_root: Path) -> Tuple[bool, bool, bool, bool]:
     """
     Check which entries exist for a hostname.
 
@@ -110,7 +171,7 @@ def check_entries_exist(hostname: str, repo_root: Path) -> Tuple[bool, bool, boo
         repo_root: Path to repository root
 
     Returns:
-        Tuple of (flake_exists, terraform_vms_exists, vault_exists)
+        Tuple of (flake_exists, terraform_vms_exists, vault_generated_exists, approle_exists)
     """
     # Check flake.nix
     flake_path = repo_root / "flake.nix"
@@ -131,7 +192,15 @@ def check_entries_exist(hostname: str, repo_root: Path) -> Tuple[bool, bool, boo
         vault_content = vault_tf_path.read_text()
         vault_exists = f'"{hostname}"' in vault_content
 
-    return (flake_exists, terraform_exists, vault_exists)
+    # Check terraform/vault/approle.tf
+    approle_path = repo_root / "terraform" / "vault" / "approle.tf"
+    approle_exists = False
+    if approle_path.exists():
+        approle_content = approle_path.read_text()
+        approle_pattern = rf'^\s+"{re.escape(hostname)}" = \{{'
+        approle_exists = bool(re.search(approle_pattern, approle_content, re.MULTILINE))
+
+    return (flake_exists, terraform_exists, vault_exists, approle_exists)
 
 
 def update_flake_nix(config: HostConfig, repo_root: Path, force: bool = False) -> None: