@factiii/stack 0.1.200 → 0.1.203

package/bin/stack

@@ -1,334 +1,334 @@
-#!/usr/bin/env node
-
-const { program } = require('commander');
-const path = require('path');
-
-// Import plugin command registration
-const { registerPluginCommands } = require('../dist/cli/plugin-commands');
-
-// Import CLI commands from compiled TypeScript
-const { init } = require('../dist/cli/init');
-const { scan } = require('../dist/cli/scan');
-const { fix } = require('../dist/cli/fix');
-const { deploy } = require('../dist/cli/deploy');
-const { prCheck } = require('../dist/cli/pr-check');
-const { undeploy } = require('../dist/cli/undeploy');
-const { secrets } = require('../dist/cli/secrets');
-const { upgrade } = require('../dist/cli/upgrade');
-const { validate } = require('../dist/cli/validate');
-const { checkConfig } = require('../dist/cli/check-config');
-const { devSync } = require('../dist/cli/dev-sync');
-const { devReset } = require('../dist/cli/dev-reset');
-
-// Read version from package.json
-const packageJson = require('../package.json');
-
-program
-  .name('stack')
-  .description('Stack - Infrastructure management CLI')
-  .version(packageJson.version);
-
-// Init command (primary setup command)
-program
-  .command('init')
-  .description('Initialize Stack in your project (run this first)')
-  .option('-f, --force', 'Overwrite existing config files')
-  .action(async (options) => {
-    await init(options);
-  });
-
-// Default action: run scan when no subcommand provided (self-bootstrapping)
-program
-  .action(async (options, command) => {
-    if (command.args.length === 0) {
-      await scan({});
-    }
-  });
-
-// Scan command (explicit)
-program
-  .command('scan')
-  .description('Scan all environments for issues')
-  .option('--dev', 'Scan dev environment only')
-  .option('--staging', 'Scan staging environment only')
-  .option('--prod', 'Scan production environment only')
-  .option('--secrets', 'Scan secrets only')
-  .option('--commit <hash>', 'Commit hash to verify (for deployment verification)')
-  .action(async (options) => {
-    await scan(options);
-  });
-
-// Fix command
-program
-  .command('fix')
-  .description('Fix all environments including uploading secrets to GitHub and installing server dependencies')
-  .option('--dev', 'Fix dev environment only')
-  .option('--staging', 'Fix staging environment only')
-  .option('--prod', 'Fix production environment only')
-  .option('--secrets', 'Fix secrets only')
-  .option('--token <token>', 'GitHub token (or set GITHUB_TOKEN env var)')
-  .option('--continue-on-error', 'Continue even if some fixes fail')
-  .action(async (options) => {
-    await fix(options);
-  });
-
-// PR Check command (validates builds before merge)
-program
-  .command('pr-check')
-  .description('Run server/client/mobile builds and report to GitHub (for PR validation)')
-  .option('--staging', 'Run on staging server')
-  .action(async (options) => {
-    const result = await prCheck(options);
-    if (!result.success) {
-      process.exit(1);
-    }
-  });
-
-// Deploy command (also handles secrets management via --secrets [action])
-program
-  .command('deploy [secretName]')
-  .description('Deploy to environments, or manage secrets with --secrets <action>')
-  .option('--dev', 'Deploy dev environment only (local containers)')
-  .option('--staging', 'Deploy staging environment only')
-  .option('--prod', 'Deploy production environment only')
-  .option('-e, --environment <env>', 'Environment (staging|prod)')
-  .option('-b, --branch <branch>', 'Branch to deploy from (defaults to current branch)')
-  .option('--commit <hash>', 'Commit hash to deploy (passed by workflow)')
-  .option('--token <token>', 'GitHub token (or set GITHUB_TOKEN env var)')
-  .option('--secrets [action]', 'Manage or deploy secrets (list|set|get|delete|check|set-env|list-env|delete-env|deploy|write-ssh-keys)')
-  .option('--value <value>', 'Secret value (for scripting)')
-  .option('--restart', 'Restart containers after deploying secrets')
-  .option('--dry-run', 'Show deployment plan without actually deploying')
-  .action(async (secretName, options) => {
-    // --secrets with an action string = vault management mode
-    if (typeof options.secrets === 'string') {
-      const action = options.secrets;
-      const validActions = ['list', 'set', 'get', 'delete', 'check', 'set-env', 'list-env', 'delete-env', 'deploy', 'write-ssh-keys'];
-
-      if (!validActions.includes(action)) {
-        console.log('');
-        console.log('Unknown secrets action: ' + action);
-        console.log('');
-        console.log('Usage: npx stack deploy --secrets <action> [name] [options]');
-        console.log('');
-        console.log('Actions:');
-        console.log('  list              List all secrets (SSH keys + env vars)');
-        console.log('  set <name>        Set a secret (STAGING_SSH, PROD_SSH, etc.)');
-        console.log('  get <name>        Show a secret value');
-        console.log('  delete <name>     Delete a secret from vault');
-        console.log('  check [name]      Check if secrets exist');
-        console.log('  set-env <name>    Set environment variable for a stage');
-        console.log('  list-env          List environment variable keys for a stage');
-        console.log('  delete-env <name> Delete environment variable from a stage');
-        console.log('  deploy            Deploy secrets to staging/prod servers');
-        console.log('  write-ssh-keys    Write SSH keys to ~/.ssh/ (for workflows)');
-        console.log('');
-        console.log('Examples:');
-        console.log('  npx stack deploy --secrets list');
-        console.log('  npx stack deploy --secrets set STAGING_SSH');
-        console.log('  npx stack deploy --secrets get AWS_SECRET_ACCESS_KEY');
-        console.log('  npx stack deploy --secrets delete STAGING_SSH');
-        console.log('  npx stack deploy --secrets set-env DATABASE_URL --staging');
-        console.log('  npx stack deploy --secrets delete-env DATABASE_URL --staging');
-        console.log('  npx stack deploy --secrets deploy --staging');
-        console.log('');
-        return;
-      }
-
-      await secrets(action, secretName, options);
-      return;
-    }
-
-    // --secrets as boolean flag = deploy secrets before app deploy
-    // Determine which environment to deploy
-    let environment = options.environment;
-    if (options.dev) environment = 'dev';
-    if (options.staging) environment = 'staging';
-    if (options.prod) environment = 'prod';
-
-    if (!environment) {
-      console.log('Please specify an environment: --dev, --staging, or --prod');
-      process.exit(1);
-    }
-
-    // Map --secrets boolean flag to deploySecrets option
-    if (options.secrets === true) {
-      options.deploySecrets = true;
-    }
-
-    const result = await deploy(environment, options);
-    if (!result.success) {
-      process.exit(1);
-    }
-  });
-
-// Secrets command (top-level shortcut — same as deploy --secrets)
-program
-  .command('secrets [action] [name]')
-  .description('Manage Ansible Vault secrets (shortcut for deploy --secrets)')
-  .option('--staging', 'Target staging environment')
-  .option('--prod', 'Target production environment')
-  .option('--value <value>', 'Secret value (for scripting)')
-  .option('--restart', 'Restart containers after deploying secrets')
-  .action(async (action, name, options) => {
-    if (!action) {
-      // No action = interactive mode
-      const { secretsInteractive } = require('../dist/cli/secrets');
-      await secretsInteractive(options);
-      return;
-    }
-    const validActions = ['list', 'set', 'get', 'delete', 'check', 'set-env', 'list-env', 'delete-env', 'deploy', 'write-ssh-keys'];
-    if (!validActions.includes(action)) {
-      console.log('Unknown action: ' + action);
-      console.log('Valid actions: ' + validActions.join(', '));
-      return;
-    }
-    await secrets(action, name, options);
-  });
-
-// Undeploy command
-program
-  .command('undeploy')
-  .description('Remove deployment from servers')
-  .option('--dev', 'Undeploy dev environment only')
-  .option('--staging', 'Undeploy staging environment only')
-  .option('--prod', 'Undeploy production environment only')
-  .option('-e, --environment <env>', 'Environment (staging|prod|all)', 'all')
-  .action(async (options) => {
-    // Determine which environment to undeploy
-    let environment = options.environment;
-    if (options.dev) environment = 'dev';
-    if (options.staging) environment = 'staging';
-    if (options.prod) environment = 'prod';
-
-    await undeploy(environment, options);
-  });
-
-// Generate workflows command
-program
-  .command('generate-workflows')
-  .description('Generate GitHub workflow files')
-  .option('-o, --output <dir>', 'Output directory', '.github/workflows')
-  .action(async (options) => {
-    const FactiiiPipeline = require('../dist/plugins/pipelines/factiii').default;
-    await FactiiiPipeline.generateWorkflows(process.cwd());
-  });
-
-// Upgrade command
-program
-  .command('upgrade')
-  .description('Check for updates and regenerate configs for new version')
-  .option('--check', 'Only check for updates, do not upgrade')
-  .action(async (options) => {
-    await upgrade(options);
-  });
-
-// Dev sync command - only available in dev mode
-if (process.env.DEV_MODE === 'true') {
-  program
-    .command('dev-sync')
-    .description('Sync locally built infrastructure to servers')
-    .option('--staging', 'Sync to staging environment only')
-    .option('--prod', 'Sync to production environment only')
-    .option('--deploy', 'Deploy after syncing')
-    .action(async (options) => {
-      await devSync(options);
-    });
-}
-
-// Dev reset command
-program
-  .command('dev-reset')
-  .description('Reset local config/secrets to test 0-to-deployed flow')
-  .option('--dry-run', 'Show what would be deleted without doing it')
-  .action(async (options) => {
-    await devReset(options);
-  });
-
-// Legacy commands (for backwards compatibility)
-program
-  .command('validate')
-  .description('[Legacy] Validate stack.yml config file')
-  .option('-c, --config <path>', 'Path to config file', 'stack.yml')
-  .action(async (options) => {
-    await validate(options);
-  });
-
-program
-  .command('check-config')
-  .description('[Legacy] Check and regenerate configs on servers')
-  .option('-e, --environment <env>', 'Environment (staging|prod|all)', 'all')
-  .action(async (options) => {
-    await checkConfig(options);
-  });
-
-// Register plugin commands (db, ops, backup)
-// Pipeline plugin provides these commands via static commands array
-try {
-  const FactiiiPipeline = require('../dist/plugins/pipelines/factiii').default;
-  if (FactiiiPipeline.commands && FactiiiPipeline.commands.length > 0) {
-    registerPluginCommands(program, FactiiiPipeline);
-  }
-} catch (e) {
-  // Plugin commands not available - continue without them
-}
-
-// Add detailed help text after Commander's default output
-program.addHelpText('after', '\n' +
-  'CORE COMMANDS\n' +
-  '  npx stack                          Scan all environments (default command)\n' +
-  '  npx stack init                     First-time setup — creates stack.yml, configures vault\n' +
-  '  npx stack scan [--stage]           Detect issues across environments (read-only, never modifies files)\n' +
-  '  npx stack fix [--stage]            Auto-fix detected issues (installs tools, creates configs)\n' +
-  '  npx stack deploy --<stage>         Build and deploy to an environment\n' +
-  '  npx stack undeploy --<stage>       Remove deployment from a server\n' +
-  '  npx stack dev-reset [--dry-run]    Reset local config/secrets for fresh bootstrap\n' +
-  '\n' +
-  'SECRETS — npx stack deploy --secrets <action>\n' +
-  '  list                               Show all stored vault secrets\n' +
-  '  set <name>                         Set a secret (STAGING_SSH, PROD_SSH, etc.)\n' +
-  '  get <name>                         Show a secret value\n' +
-  '  delete <name>                      Delete a secret from vault\n' +
-  '  check [name]                       Check if secrets exist\n' +
-  '  set-env <name> --<stage>           Set environment variable for a stage\n' +
-  '  list-env --<stage>                 List environment variable keys for a stage\n' +
-  '  delete-env <name> --<stage>        Delete environment variable from a stage\n' +
-  '  deploy --<stage>                   Push secrets to server\n' +
-  '  write-ssh-keys                     Write SSH keys to ~/.ssh/\n' +
-  '\n' +
-  'DATABASE — npx stack db <command> --<stage>\n' +
-  '  seed --staging                     Run db:seed script to populate initial data\n' +
-  '  migrate --prod                     Apply pending Prisma migrations (safe, non-destructive)\n' +
-  '  reset --staging                    Drop all tables, re-run all migrations (DESTRUCTIVE)\n' +
-  '  status --prod                      List pending and applied migrations\n' +
-  '\n' +
-  'OPERATIONS — npx stack ops <command> --<stage>\n' +
-  '  logs --staging [-f] [-n 50]        View container logs (-f to follow, -n for line count)\n' +
-  '  restart --prod [-s service]        Restart containers without rebuilding images\n' +
-  '  shell --staging                    Open /bin/sh inside the app container\n' +
-  '  status --staging                   Show docker compose container status\n' +
-  '  change-vault-password              Change the Ansible Vault encryption password\n' +
-  '\n' +
-  'BACKUP — npx stack backup <command> --<stage>\n' +
-  '  create --prod [-o backup.sql]      Export database via pg_dump\n' +
-  '  restore --staging -i backup.sql    Restore database from SQL dump (DESTRUCTIVE)\n' +
-  '  health --prod                      Check container and database connectivity\n' +
-  '\n' +
-  'STAGES\n' +
-  '  --dev         Local development environment\n' +
-  '  --secrets     Ansible Vault secrets (SSH keys, credentials)\n' +
-  '  --staging     Staging server (accessed via SSH)\n' +
-  '  --prod        Production server (via SSH or AWS provisioning)\n' +
-  '\n' +
-  'EXAMPLES\n' +
-  '  npx stack                          Scan and bootstrap a new project\n' +
-  '  npx stack fix --prod               Provision AWS infrastructure or fix server issues\n' +
-  '  npx stack deploy --staging         Build and deploy to staging\n' +
-  '  npx stack deploy --secrets list    Show all stored vault secrets\n' +
-  '  npx stack deploy --secrets deploy --prod   Push secrets to production server\n' +
-  '  npx stack db migrate --prod        Run production database migrations\n' +
-  '  npx stack backup create --prod     Create production database backup\n' +
-  '  npx stack ops logs --staging -f    Follow staging container logs\n'
-);
-
-program.parse();
+#!/usr/bin/env node
+
+const { program } = require('commander');
+const path = require('path');
+
+// Import plugin command registration
+const { registerPluginCommands } = require('../dist/cli/plugin-commands');
+
+// Import CLI commands from compiled TypeScript
+const { init } = require('../dist/cli/init');
+const { scan } = require('../dist/cli/scan');
+const { fix } = require('../dist/cli/fix');
+const { deploy } = require('../dist/cli/deploy');
+const { prCheck } = require('../dist/cli/pr-check');
+const { undeploy } = require('../dist/cli/undeploy');
+const { secrets } = require('../dist/cli/secrets');
+const { upgrade } = require('../dist/cli/upgrade');
+const { validate } = require('../dist/cli/validate');
+const { checkConfig } = require('../dist/cli/check-config');
+const { devSync } = require('../dist/cli/dev-sync');
+const { devReset } = require('../dist/cli/dev-reset');
+
+// Read version from package.json
+const packageJson = require('../package.json');
+
+program
+  .name('stack')
+  .description('Stack - Infrastructure management CLI')
+  .version(packageJson.version);
+
+// Init command (primary setup command)
+program
+  .command('init')
+  .description('Initialize Stack in your project (run this first)')
+  .option('-f, --force', 'Overwrite existing config files')
+  .action(async (options) => {
+    await init(options);
+  });
+
+// Default action: run scan when no subcommand provided (self-bootstrapping)
+program
+  .action(async (options, command) => {
+    if (command.args.length === 0) {
+      await scan({});
+    }
+  });
+
+// Scan command (explicit)
+program
+  .command('scan')
+  .description('Scan all environments for issues')
+  .option('--dev', 'Scan dev environment only')
+  .option('--staging', 'Scan staging environment only')
+  .option('--prod', 'Scan production environment only')
+  .option('--secrets', 'Scan secrets only')
+  .option('--commit <hash>', 'Commit hash to verify (for deployment verification)')
+  .action(async (options) => {
+    await scan(options);
+  });
+
+// Fix command
+program
+  .command('fix')
+  .description('Fix all environments including uploading secrets to GitHub and installing server dependencies')
+  .option('--dev', 'Fix dev environment only')
+  .option('--staging', 'Fix staging environment only')
+  .option('--prod', 'Fix production environment only')
+  .option('--secrets', 'Fix secrets only')
+  .option('--token <token>', 'GitHub token (or set GITHUB_TOKEN env var)')
+  .option('--continue-on-error', 'Continue even if some fixes fail')
+  .action(async (options) => {
+    await fix(options);
+  });
+
+// PR Check command (validates builds before merge)
+program
+  .command('pr-check')
+  .description('Run server/client/mobile builds and report to GitHub (for PR validation)')
+  .option('--staging', 'Run on staging server')
+  .action(async (options) => {
+    const result = await prCheck(options);
+    if (!result.success) {
+      process.exit(1);
+    }
+  });
+
+// Deploy command (also handles secrets management via --secrets [action])
+program
+  .command('deploy [secretName]')
+  .description('Deploy to environments, or manage secrets with --secrets <action>')
+  .option('--dev', 'Deploy dev environment only (local containers)')
+  .option('--staging', 'Deploy staging environment only')
+  .option('--prod', 'Deploy production environment only')
+  .option('-e, --environment <env>', 'Environment (staging|prod)')
+  .option('-b, --branch <branch>', 'Branch to deploy from (defaults to current branch)')
+  .option('--commit <hash>', 'Commit hash to deploy (passed by workflow)')
+  .option('--token <token>', 'GitHub token (or set GITHUB_TOKEN env var)')
+  .option('--secrets [action]', 'Manage or deploy secrets (list|set|get|delete|check|set-env|list-env|delete-env|deploy|write-ssh-keys)')
+  .option('--value <value>', 'Secret value (for scripting)')
+  .option('--restart', 'Restart containers after deploying secrets')
+  .option('--dry-run', 'Show deployment plan without actually deploying')
+  .action(async (secretName, options) => {
+    // --secrets with an action string = vault management mode
+    if (typeof options.secrets === 'string') {
+      const action = options.secrets;
+      const validActions = ['list', 'set', 'get', 'delete', 'check', 'set-env', 'list-env', 'delete-env', 'deploy', 'write-ssh-keys'];
+
+      if (!validActions.includes(action)) {
+        console.log('');
+        console.log('Unknown secrets action: ' + action);
+        console.log('');
+        console.log('Usage: npx stack deploy --secrets <action> [name] [options]');
+        console.log('');
+        console.log('Actions:');
+        console.log('  list              List all secrets (SSH keys + env vars)');
+        console.log('  set <name>        Set a secret (STAGING_SSH, PROD_SSH, etc.)');
+        console.log('  get <name>        Show a secret value');
+        console.log('  delete <name>     Delete a secret from vault');
+        console.log('  check [name]      Check if secrets exist');
+        console.log('  set-env <name>    Set environment variable for a stage');
+        console.log('  list-env          List environment variable keys for a stage');
+        console.log('  delete-env <name> Delete environment variable from a stage');
+        console.log('  deploy            Deploy secrets to staging/prod servers');
+        console.log('  write-ssh-keys    Write SSH keys to ~/.ssh/ (for workflows)');
+        console.log('');
+        console.log('Examples:');
+        console.log('  npx stack deploy --secrets list');
+        console.log('  npx stack deploy --secrets set STAGING_SSH');
+        console.log('  npx stack deploy --secrets get AWS_SECRET_ACCESS_KEY');
+        console.log('  npx stack deploy --secrets delete STAGING_SSH');
+        console.log('  npx stack deploy --secrets set-env DATABASE_URL --staging');
+        console.log('  npx stack deploy --secrets delete-env DATABASE_URL --staging');
+        console.log('  npx stack deploy --secrets deploy --staging');
+        console.log('');
+        return;
+      }
+
+      await secrets(action, secretName, options);
+      return;
+    }
+
+    // --secrets as boolean flag = deploy secrets before app deploy
+    // Determine which environment to deploy
+    let environment = options.environment;
+    if (options.dev) environment = 'dev';
+    if (options.staging) environment = 'staging';
+    if (options.prod) environment = 'prod';
+
+    if (!environment) {
+      console.log('Please specify an environment: --dev, --staging, or --prod');
+      process.exit(1);
+    }
+
+    // Map --secrets boolean flag to deploySecrets option
+    if (options.secrets === true) {
+      options.deploySecrets = true;
+    }
+
+    const result = await deploy(environment, options);
+    if (!result.success) {
+      process.exit(1);
+    }
+  });
+
+// Secrets command (top-level shortcut — same as deploy --secrets)
+program
+  .command('secrets [action] [name]')
+  .description('Manage Ansible Vault secrets (shortcut for deploy --secrets)')
+  .option('--staging', 'Target staging environment')
+  .option('--prod', 'Target production environment')
+  .option('--value <value>', 'Secret value (for scripting)')
+  .option('--restart', 'Restart containers after deploying secrets')
+  .action(async (action, name, options) => {
+    if (!action) {
+      // No action = interactive mode
+      const { secretsInteractive } = require('../dist/cli/secrets');
+      await secretsInteractive(options);
+      return;
+    }
+    const validActions = ['list', 'set', 'get', 'delete', 'check', 'set-env', 'list-env', 'delete-env', 'deploy', 'write-ssh-keys'];
+    if (!validActions.includes(action)) {
+      console.log('Unknown action: ' + action);
+      console.log('Valid actions: ' + validActions.join(', '));
+      return;
+    }
+    await secrets(action, name, options);
+  });
+
+// Undeploy command
+program
+  .command('undeploy')
+  .description('Remove deployment from servers')
+  .option('--dev', 'Undeploy dev environment only')
+  .option('--staging', 'Undeploy staging environment only')
+  .option('--prod', 'Undeploy production environment only')
+  .option('-e, --environment <env>', 'Environment (staging|prod|all)', 'all')
+  .action(async (options) => {
+    // Determine which environment to undeploy
+    let environment = options.environment;
+    if (options.dev) environment = 'dev';
+    if (options.staging) environment = 'staging';
+    if (options.prod) environment = 'prod';
+
+    await undeploy(environment, options);
+  });
+
+// Generate workflows command
+program
+  .command('generate-workflows')
+  .description('Generate GitHub workflow files')
+  .option('-o, --output <dir>', 'Output directory', '.github/workflows')
+  .action(async (options) => {
+    const FactiiiPipeline = require('../dist/plugins/pipelines/factiii').default;
+    await FactiiiPipeline.generateWorkflows(process.cwd());
+  });
+
+// Upgrade command
+program
+  .command('upgrade')
+  .description('Check for updates and regenerate configs for new version')
+  .option('--check', 'Only check for updates, do not upgrade')
+  .action(async (options) => {
+    await upgrade(options);
+  });
+
+// Dev sync command - only available in dev mode
+if (process.env.DEV_MODE === 'true') {
+  program
+    .command('dev-sync')
+    .description('Sync locally built infrastructure to servers')
+    .option('--staging', 'Sync to staging environment only')
+    .option('--prod', 'Sync to production environment only')
+    .option('--deploy', 'Deploy after syncing')
+    .action(async (options) => {
+      await devSync(options);
+    });
+}
+
+// Dev reset command
+program
+  .command('dev-reset')
+  .description('Reset local config/secrets to test 0-to-deployed flow')
+  .option('--dry-run', 'Show what would be deleted without doing it')
+  .action(async (options) => {
+    await devReset(options);
+  });
+
+// Legacy commands (for backwards compatibility)
+program
+  .command('validate')
+  .description('[Legacy] Validate stack.yml config file')
+  .option('-c, --config <path>', 'Path to config file', 'stack.yml')
+  .action(async (options) => {
+    await validate(options);
+  });
+
+program
+  .command('check-config')
+  .description('[Legacy] Check and regenerate configs on servers')
+  .option('-e, --environment <env>', 'Environment (staging|prod|all)', 'all')
+  .action(async (options) => {
+    await checkConfig(options);
+  });
+
+// Register plugin commands (db, ops, backup)
+// Pipeline plugin provides these commands via static commands array
+try {
+  const FactiiiPipeline = require('../dist/plugins/pipelines/factiii').default;
+  if (FactiiiPipeline.commands && FactiiiPipeline.commands.length > 0) {
+    registerPluginCommands(program, FactiiiPipeline);
+  }
+} catch (e) {
+  // Plugin commands not available - continue without them
+}
+
+// Add detailed help text after Commander's default output
+program.addHelpText('after', '\n' +
+  'CORE COMMANDS\n' +
+  '  npx stack                          Scan all environments (default command)\n' +
+  '  npx stack init                     First-time setup — creates stack.yml, configures vault\n' +
+  '  npx stack scan [--stage]           Detect issues across environments (read-only, never modifies files)\n' +
+  '  npx stack fix [--stage]            Auto-fix detected issues (installs tools, creates configs)\n' +
+  '  npx stack deploy --<stage>         Build and deploy to an environment\n' +
+  '  npx stack undeploy --<stage>       Remove deployment from a server\n' +
+  '  npx stack dev-reset [--dry-run]    Reset local config/secrets for fresh bootstrap\n' +
+  '\n' +
+  'SECRETS — npx stack deploy --secrets <action>\n' +
+  '  list                               Show all stored vault secrets\n' +
+  '  set <name>                         Set a secret (STAGING_SSH, PROD_SSH, etc.)\n' +
+  '  get <name>                         Show a secret value\n' +
+  '  delete <name>                      Delete a secret from vault\n' +
+  '  check [name]                       Check if secrets exist\n' +
+  '  set-env <name> --<stage>           Set environment variable for a stage\n' +
+  '  list-env --<stage>                 List environment variable keys for a stage\n' +
+  '  delete-env <name> --<stage>        Delete environment variable from a stage\n' +
+  '  deploy --<stage>                   Push secrets to server\n' +
+  '  write-ssh-keys                     Write SSH keys to ~/.ssh/\n' +
+  '\n' +
+  'DATABASE — npx stack db <command> --<stage>\n' +
+  '  seed --staging                     Run db:seed script to populate initial data\n' +
+  '  migrate --prod                     Apply pending Prisma migrations (safe, non-destructive)\n' +
+  '  reset --staging                    Drop all tables, re-run all migrations (DESTRUCTIVE)\n' +
+  '  status --prod                      List pending and applied migrations\n' +
+  '\n' +
+  'OPERATIONS — npx stack ops <command> --<stage>\n' +
+  '  logs --staging [-f] [-n 50]        View container logs (-f to follow, -n for line count)\n' +
+  '  restart --prod [-s service]        Restart containers without rebuilding images\n' +
+  '  shell --staging                    Open /bin/sh inside the app container\n' +
+  '  status --staging                   Show docker compose container status\n' +
+  '  change-vault-password              Change the Ansible Vault encryption password\n' +
+  '\n' +
+  'BACKUP — npx stack backup <command> --<stage>\n' +
+  '  create --prod [-o backup.sql]      Export database via pg_dump\n' +
+  '  restore --staging -i backup.sql    Restore database from SQL dump (DESTRUCTIVE)\n' +
+  '  health --prod                      Check container and database connectivity\n' +
+  '\n' +
+  'STAGES\n' +
+  '  --dev         Local development environment\n' +
+  '  --secrets     Ansible Vault secrets (SSH keys, credentials)\n' +
+  '  --staging     Staging server (accessed via SSH)\n' +
+  '  --prod        Production server (via SSH or AWS provisioning)\n' +
+  '\n' +
+  'EXAMPLES\n' +
+  '  npx stack                          Scan and bootstrap a new project\n' +
+  '  npx stack fix --prod               Provision AWS infrastructure or fix server issues\n' +
+  '  npx stack deploy --staging         Build and deploy to staging\n' +
+  '  npx stack deploy --secrets list    Show all stored vault secrets\n' +
+  '  npx stack deploy --secrets deploy --prod   Push secrets to production server\n' +
+  '  npx stack db migrate --prod        Run production database migrations\n' +
+  '  npx stack backup create --prod     Create production database backup\n' +
+  '  npx stack ops logs --staging -f    Follow staging container logs\n'
+);
+
+program.parse();