Refine deploy CLI, test-deploy workflow and Ansible output

Changes:
- Update GitHub Actions test-deploy workflow to run three staged deploys (normal+debug, reset+debug, async) using inventory-generated vault password files.
- Switch Ansible stdout_callback to ansible.builtin.default and enable YAML-style result_format via callback_default.
- Refactor cli/deploy.py: typed run_ansible_playbook(), structured MODE_* handling, better error reporting, and preserved vault/interactive behaviour.
- Add unit tests for deploy CLI (bool parsing, MODE_* loading, dynamic args, validation, and ansible-playbook command construction) under tests/unit/cli/test_deploy.py.

Context: see ChatGPT conversation on 2025-12-02: https://chatgpt.com/share/692f1035-6bc4-800f-91a9-342db54e1a75

.github/workflows/test-deploy.yml

@@ -15,40 +15,58 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Generate vault password automatically
-        run: |
-          python3 - << 'EOF' > .vault_pass
-          import secrets
-          import string
-
-          alphabet = string.ascii_letters + string.digits
-          pw = ''.join(secrets.choice(alphabet) for _ in range(64))
-          print(pw, end="")
-          EOF
-
-          chmod 600 .vault_pass
-
-          # Export password as environment variable
-          echo "VAULT_PASSWORD=$(cat .vault_pass)" >> "$GITHUB_ENV"
-        shell: bash
-
       - name: Build Docker image
         run: |
           docker build --network=host --no-cache --pull -t infinito:latest .
 
-      # ----------------------------------------------------------------------
-      # 1) First deploy: NORMAL DEPLOY + DEBUG enabled
-      # ----------------------------------------------------------------------
+      # 1) First deploy: normal + debug
       - name: First deploy (normal + debug)
         run: |
           docker run --network=host --rm \
-            -e VAULT_PASSWORD="${VAULT_PASSWORD}" \
             infinito:latest \
             /bin/sh -lc '
-              echo "$VAULT_PASSWORD" > /tmp/.vault_pass
-              chmod 600 /tmp/.vault_pass
-              export ANSIBLE_VAULT_PASSWORD_FILE=/tmp/.vault_pass
+              set -e
+              cd /opt/infinito-src
 
+              # Create inventory (also creates inventories/github-ci/.password if missing)
+              infinito create inventory inventories/github-ci \
+                --host localhost \
+                --ssl-disabled
+
+              INVENTORY_PATH="inventories/github-ci/servers.yml"
+              VAULT_FILE="inventories/github-ci/.password"
+
+              # First deploy with debug
+              infinito deploy "$INVENTORY_PATH" -T server -p "$VAULT_FILE" --debug
+            '
+
+      # 2) Second deploy: reset + debug
+      - name: Second deploy (--reset --debug)
+        run: |
+          docker run --network=host --rm \
+            infinito:latest \
+            /bin/sh -lc '
+              set -e
+              cd /opt/infinito-src
+
+              # Rebuild inventory; .password will be reused if present
+              infinito create inventory inventories/github-ci \
+                --host localhost \
+                --ssl-disabled
+
+              INVENTORY_PATH="inventories/github-ci/servers.yml"
+              VAULT_FILE="inventories/github-ci/.password"
+
+              infinito deploy "$INVENTORY_PATH" -T server -p "$VAULT_FILE" --skip-tests --reset --debug
+            '
+
+      # 3) Third deploy: async (no debug)
+      - name: Third deploy (async deploy – no debug)
+        run: |
+          docker run --network=host --rm \
+            infinito:latest \
+            /bin/sh -lc '
+              set -e
               cd /opt/infinito-src
 
               infinito create inventory inventories/github-ci \
@@ -56,44 +74,8 @@ jobs:
                 --ssl-disabled
 
               INVENTORY_PATH="inventories/github-ci/servers.yml"
-              infinito deploy "$INVENTORY_PATH" -T server --debug
-            '
-
-      # ----------------------------------------------------------------------
-      # 2) Second deploy: RESET + DEBUG
-      # ----------------------------------------------------------------------
-      - name: Second deploy (--reset --debug)
-        run: |
-          docker run --network=host --rm \
-            -e VAULT_PASSWORD="${VAULT_PASSWORD}" \
-            infinito:latest \
-            /bin/sh -lc '
-              echo "$VAULT_PASSWORD" > /tmp/.vault_pass
-              chmod 600 /tmp/.vault_pass
-              export ANSIBLE_VAULT_PASSWORD_FILE=/tmp/.vault_pass
-
-              cd /opt/infinito-src
-              INVENTORY_PATH="inventories/github-ci/servers.yml"
-
-              infinito deploy "$INVENTORY_PATH" -T server --reset --debug
-            '
-
-      # ----------------------------------------------------------------------
-      # 3) Third deploy: ASYNC DEPLOY (no debug flag)
-      # ----------------------------------------------------------------------
-      - name: Third deploy (async deploy – no debug)
-        run: |
-          docker run --network=host --rm \
-            -e VAULT_PASSWORD="${VAULT_PASSWORD}" \
-            infinito:latest \
-            /bin/sh -lc '
-              echo "$VAULT_PASSWORD" > /tmp/.vault_pass
-              chmod 600 /tmp/.vault_pass
-              export ANSIBLE_VAULT_PASSWORD_FILE=/tmp/.vault_pass
-
-              cd /opt/infinito-src
-              INVENTORY_PATH="inventories/github-ci/servers.yml"
-
-              # Without --debug the deploy is asynchronous in several roles
-              infinito deploy "$INVENTORY_PATH" -T server
+              VAULT_FILE="inventories/github-ci/.password"
+
+              # Async-style deploy: no --debug, so some processes run in parallel
+              infinito deploy "$INVENTORY_PATH" -T server -p "$VAULT_FILE" --skip-tests
             '