hatchkit 0.1.1

package/dist/scaffold/dotenvx.js

@@ -0,0 +1,142 @@
+/*
+ * dotenvx integration for scaffolded projects.
+ *
+ * Flow at scaffold time:
+ *   1. For each key → value mapping the user supplied (prompts OR
+ *      presets), call `dotenvx.set(key, value, { encrypt: true, path })`.
+ *      On first call, dotenvx generates a fresh ECIES keypair and
+ *      writes the public key into `.env.production` + the private
+ *      key into `.env.keys`.
+ *   2. Read `.env.keys` to pull out DOTENV_PRIVATE_KEY_PRODUCTION and
+ *      mirror it into the OS keychain under
+ *      `dotenvx:<project-name>:production-private-key`.
+ *      The on-disk .env.keys stays (gitignored) for local dev
+ *      ergonomics; keychain is the canonical backup + source for
+ *      re-deploy.
+ *   3. Values the user DIDN'T supply land as plaintext "CHANGE_ME_*"
+ *      in .env.production — the user can encrypt them later with
+ *      `dotenvx set KEY value -f .env.production`.
+ *
+ * None of the values (including the generated BETTER_AUTH_SECRET)
+ * are ever logged. The private key is printed once via a deferred
+ * hint pointing at `hatchkit keys show <project>`.
+ */
+import { randomBytes } from "node:crypto";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { set as dotenvxSet } from "@dotenvx/dotenvx";
+import chalk from "chalk";
+import ora from "ora";
+import { SECRET_KEYS, setSecret } from "../utils/secrets.js";
+/** Set of keys that are always safe to auto-generate if the user
+ *  doesn't supply them (cryptographically random, no external
+ *  coordination needed). */
+function autoGeneratedDefaults() {
+    return {
+        BETTER_AUTH_SECRET: randomBytes(32).toString("hex"),
+    };
+}
+/** Populate the starter's `packages/server/.env.production` with
+ *  encrypted values + a plaintext CHANGE_ME_<KEY> for anything the
+ *  user didn't supply. Mirrors the generated private key into the
+ *  macOS Keychain (or equivalent) and returns it so callers can push
+ *  it to Coolify / print a retrieval hint. */
+export async function seedDotenvxProduction(outputDir, config, userValues) {
+    const envPath = join(outputDir, "packages/server/.env.production");
+    const envKeysPath = join(outputDir, "packages/server/.env.keys");
+    // Determine the full key → value map.
+    const defaults = autoGeneratedDefaults();
+    const merged = { ...defaults, ...userValues };
+    // Every key we want present in .env.production. Includes ones the
+    // user didn't supply — those get plaintext CHANGE_ME_<KEY> so
+    // misconfigured deploys fail loudly rather than silently running
+    // with empty secrets.
+    const allKeys = candidateKeys(config);
+    const encryptedKeys = [];
+    const placeholderKeys = [];
+    const spinner = ora("Seeding encrypted .env.production").start();
+    try {
+        for (const key of allKeys) {
+            const raw = merged[key];
+            const hasValue = raw !== undefined && raw.trim() !== "";
+            if (hasValue) {
+                dotenvxSet(key, raw, { path: envPath, encrypt: true });
+                encryptedKeys.push(key);
+            }
+            else {
+                // CHANGE_ME_<KEY> is intentionally noisy — anything that tries
+                // to use it at runtime will either fail validation (zod /
+                // `getRequired`) or point clearly at its own source.
+                dotenvxSet(key, `CHANGE_ME_${key}`, { path: envPath, encrypt: false });
+                placeholderKeys.push(key);
+            }
+        }
+        spinner.succeed(`Seeded .env.production (${encryptedKeys.length} encrypted, ${placeholderKeys.length} placeholders)`);
+    }
+    catch (err) {
+        spinner.fail("Failed to seed .env.production");
+        throw err;
+    }
+    // Pull the freshly-generated private key out of .env.keys.
+    const { privateKey, publicKey } = readKeypair(envKeysPath, envPath);
+    // Mirror the private key into the OS keychain. Keep .env.keys on
+    // disk too (gitignored) so local `pnpm start` works with no extra
+    // steps — the keychain copy is for re-deploy + recovery.
+    await setSecret(SECRET_KEYS.dotenvxPrivateKey(config.name), privateKey);
+    return { privateKey, publicKey, encryptedKeys, placeholderKeys };
+}
+/** Keys the scaffolder seeds into .env.production. Extend here when
+ *  the starter gains new required env entries. */
+function candidateKeys(config) {
+    const base = ["MONGODB_URI", "BETTER_AUTH_SECRET", "BETTER_AUTH_URL", "FRONTEND_URL"];
+    if (config.features.includes("stripe")) {
+        base.push("STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET");
+    }
+    if (config.features.includes("analytics")) {
+        base.push("SENTRY_DSN");
+    }
+    if (config.features.includes("s3")) {
+        base.push("S3_ENDPOINT", "S3_BUCKET_NAME", "S3_PUBLIC_URL", "AWS_REGION", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY");
+    }
+    if (config.features.includes("websocket")) {
+        base.push("REDIS_URL");
+    }
+    return base;
+}
+/** Parse the generated .env.keys + the header of .env.production to
+ *  recover the hex-encoded production keypair. */
+function readKeypair(envKeysPath, envPath) {
+    if (!existsSync(envKeysPath)) {
+        throw new Error(`dotenvx was expected to create ${envKeysPath}, but it's missing. Nothing was encrypted.`);
+    }
+    const keysContent = readFileSync(envKeysPath, "utf-8");
+    const privateMatch = keysContent.match(/^DOTENV_PRIVATE_KEY_PRODUCTION="?([0-9a-fA-F]+)"?/m);
+    if (!privateMatch) {
+        throw new Error(`Could not find DOTENV_PRIVATE_KEY_PRODUCTION in ${envKeysPath}.`);
+    }
+    const envContent = existsSync(envPath) ? readFileSync(envPath, "utf-8") : "";
+    const publicMatch = envContent.match(/^DOTENV_PUBLIC_KEY_PRODUCTION="?([0-9a-fA-F]+)"?/m);
+    return {
+        privateKey: privateMatch[1],
+        publicKey: publicMatch ? publicMatch[1] : "",
+    };
+}
+/** Prompt the user for the subset of candidate keys that are
+ *  sensitive + likely already known at scaffold time. Anything they
+ *  leave blank falls through to CHANGE_ME. Skipped entirely in
+ *  non-interactive mode — presets should carry the values instead. */
+export function printDotenvxSummary(result, projectName) {
+    if (result.encryptedKeys.length > 0) {
+        console.log(chalk.green(`  ✓ Encrypted ${result.encryptedKeys.length} values into .env.production`));
+    }
+    if (result.placeholderKeys.length > 0) {
+        console.log(chalk.dim(`    Placeholders (edit later with \`dotenvx set KEY value -f .env.production\`):`));
+        for (const k of result.placeholderKeys) {
+            console.log(chalk.dim(`      ${k}`));
+        }
+    }
+    console.log(chalk.yellow(`\n  dotenvx private key stored in macOS Keychain (hatchkit:${projectName}).`));
+    console.log(chalk.dim(`  Retrieve anytime:   hatchkit keys show ${projectName}`));
+    console.log(chalk.dim(`  Push to Coolify:    hatchkit keys push ${projectName}`));
+}
+//# sourceMappingURL=dotenvx.js.map

package/dist/scaffold/dotenvx.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dotenvx.js","sourceRoot":"","sources":["../../src/scaffold/dotenvx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,GAAG,IAAI,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAqB7D;;4BAE4B;AAC5B,SAAS,qBAAqB;IAC5B,OAAO;QACL,kBAAkB,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;KACpD,CAAC;AACJ,CAAC;AAED;;;;8CAI8C;AAC9C,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAiB,EACjB,MAAqB,EACrB,UAAyB;IAEzB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,iCAAiC,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,EAAE,2BAA2B,CAAC,CAAC;IAEjE,sCAAsC;IACtC,MAAM,QAAQ,GAAG,qBAAqB,EAAE,CAAC;IACzC,MAAM,MAAM,GAAuC,EAAE,GAAG,QAAQ,EAAE,GAAG,UAAU,EAAE,CAAC;IAElF,kEAAkE;IAClE,8DAA8D;IAC9D,iEAAiE;IACjE,sBAAsB;IACtB,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,MAAM,eAAe,GAAa,EAAE,CAAC;IAErC,MAAM,OAAO,GAAG,GAAG,CAAC,mCAAmC,CAAC,CAAC,KAAK,EAAE,CAAC;IACjE,IAAI,CAAC;QACH,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,MAAM,QAAQ,GAAG,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;YACxD,IAAI,QAAQ,EAAE,CAAC;gBACb,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;gBACvD,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1B,CAAC;iBAAM,CAAC;gBACN,+DAA+D;gBAC/D,0DAA0D;gBAC1D,qDAAqD;gBACrD,UAAU,CAAC,GAAG,EAAE,aAAa,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;gBACvE,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QACD,OAAO,CAAC,OAAO,CACb,2BAA2B,aAAa,CAAC,MAAM,eAAe,eAAe,CAAC,MAAM,gBAAgB,CACrG,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QAC/C,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,2DAA2D;IAC3D,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAEpE,iEAAiE;IACjE,kEAAkE;IAClE,yDAAyD;IACzD,MAAM,SAAS,CAAC,WAAW,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,UAAU,CAAC,CAAC;IAExE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC;AACnE,CAAC;AAED;kDACkD;AAClD,SAAS,aAAa,CAAC,MAAqB;IAC1C,MAAM,IAAI,GAAG,CAAC,aAAa,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,cAAc,CAAC,CAAC;IACtF,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,uBAAuB,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1B,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CACP,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,mBAAmB,EACnB,uBAAuB,CACxB,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAOD;kDACkD;AAClD,SAAS,WAAW,CAAC,WAAmB,EAAE,OAAe;IACvD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,kCAAkC,WAAW,4CAA4C,CAC1F,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,WAAW,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAC7F,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,mDAAmD,WAAW,GAAG,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7E,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;IAE1F,OAAO;QACL,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC;QAC3B,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE;KAC7C,CAAC;AACJ,CAAC;AAED;;;sEAGsE;AACtE,MAAM,UAAU,mBAAmB,CAAC,MAAyB,EAAE,WAAmB;IAChF,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,KAAK,CAAC,iBAAiB,MAAM,CAAC,aAAa,CAAC,MAAM,8BAA8B,CAAC,CACxF,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,kFAAkF,CAAC,CAC9F,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,MAAM,CAAC,8DAA8D,WAAW,IAAI,CAAC,CAC5F,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,4CAA4C,WAAW,EAAE,CAAC,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,4CAA4C,WAAW,EAAE,CAAC,CAAC,CAAC;AACpF,CAAC"}

package/dist/scaffold/infra.d.ts

@@ -0,0 +1,17 @@
+import type { ProjectConfig } from "../prompts.js";
+/** Generate Terraform tfvars for the project. */
+export declare function generateTfvars(config: ProjectConfig): string;
+/** Generate Coolify stack .env for the project. */
+export declare function generateCoolifyEnv(config: ProjectConfig, extras?: {
+    repoUrl?: string;
+    serverPort?: number;
+    clientPort?: number;
+}): string;
+export interface ScaffoldInfraOptions {
+    repoUrl?: string;
+    serverPort?: number;
+    clientPort?: number;
+}
+/** Write infra config files. */
+export declare function scaffoldInfra(config: ProjectConfig, repoRoot: string, options?: ScaffoldInfraOptions): void;
+//# sourceMappingURL=infra.d.ts.map

package/dist/scaffold/infra.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"infra.d.ts","sourceRoot":"","sources":["../../src/scaffold/infra.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAGnD,iDAAiD;AACjD,wBAAgB,cAAc,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAkC5D;AAED,mDAAmD;AACnD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,aAAa,EACrB,MAAM,GAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAO,GAC1E,MAAM,CAqBR;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,gCAAgC;AAChC,wBAAgB,aAAa,CAC3B,MAAM,EAAE,aAAa,EACrB,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,oBAAyB,GACjC,IAAI,CA0CN"}

package/dist/scaffold/infra.js

@@ -0,0 +1,200 @@
+import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import chalk from "chalk";
+import { getConfig } from "../config.js";
+import { renderString } from "../utils/template.js";
+/** Generate Terraform tfvars for the project. */
+export function generateTfvars(config) {
+    // Avoid silent duplicate-key drop when the user's chosen subdomain
+    // collides with a reserved name ("admin", "api.<sub>"). Build the map
+    // iteratively and skip duplicates.
+    const subdomains = {};
+    const addSubdomain = (key, description) => {
+        if (!key)
+            return;
+        if (subdomains[key])
+            return;
+        subdomains[key] = description;
+    };
+    addSubdomain(config.subdomain, "Web app + API paths");
+    addSubdomain(`api.${config.subdomain}`, "REST API");
+    addSubdomain("admin", "Coolify dashboard");
+    if (config.deployTarget === "new") {
+        return renderString(TFVARS_TEMPLATE, {
+            name: config.name,
+            serverType: config.serverSize || "cpx21",
+            serverLocation: config.serverLocation || "nbg1",
+            domain: config.baseDomain,
+            subdomains,
+            s3Enabled: config.features.includes("s3") && config.s3Provider !== "existing",
+            s3BucketName: `${config.name}-assets`,
+            s3Location: config.serverLocation || "nbg1",
+        });
+    }
+    // For existing server: DNS-only tfvars
+    return renderString(DNS_ONLY_TFVARS_TEMPLATE, {
+        domain: config.baseDomain,
+        subdomains,
+        targetIpv4: config.serverIp || "",
+        targetIpv6: "",
+    });
+}
+/** Generate Coolify stack .env for the project. */
+export function generateCoolifyEnv(config, extras = {}) {
+    const coolifyConfig = getConfig().providers.coolify;
+    const s3Config = getS3Config(config);
+    return renderString(COOLIFY_ENV_TEMPLATE, {
+        coolifyUrl: coolifyConfig?.url || "https://admin.example.com",
+        name: config.name,
+        domain: config.domain,
+        repoUrl: extras.repoUrl ?? "",
+        serverPort: extras.serverPort ?? 3000,
+        clientPort: extras.clientPort ?? 3000,
+        mongoEnabled: true,
+        redisEnabled: config.features.includes("websocket"),
+        s3Provider: config.s3Provider === "existing" ? "custom" : config.s3Provider,
+        s3Bucket: s3Config?.bucket || "",
+        s3Endpoint: s3Config?.endpoint || "",
+        s3Region: s3Config?.region || "",
+        stripe: config.features.includes("stripe"),
+        analytics: config.features.includes("analytics"),
+        mlServices: config.mlServices,
+    });
+}
+/** Write infra config files. */
+export function scaffoldInfra(config, repoRoot, options = {}) {
+    // Fail early with a clear message if the infra submodule isn't
+    // populated — otherwise Terraform writes are silently skipped and the
+    // later terraform/coolify exec steps crash cryptically.
+    if (!config.dryRun && !existsSync(join(repoRoot, "terraform"))) {
+        throw new Error(`Infra submodule is empty at ${repoRoot}. Run 'git submodule update --init' in the monorepo root before deploying.`);
+    }
+    const stacksDir = join(repoRoot, "stacks");
+    if (!existsSync(stacksDir))
+        mkdirSync(stacksDir, { recursive: true });
+    const tfvars = generateTfvars(config);
+    const coolifyEnv = generateCoolifyEnv(config, {
+        repoUrl: options.repoUrl,
+        serverPort: options.serverPort,
+        clientPort: options.clientPort,
+    });
+    if (config.dryRun) {
+        console.log(chalk.bold("\n  [dry-run] Infra config:\n"));
+        console.log(chalk.dim("  --- terraform.tfvars ---"));
+        console.log(chalk.dim(tfvars));
+        console.log(chalk.dim("  --- coolify .env ---"));
+        console.log(chalk.dim(coolifyEnv));
+        return;
+    }
+    // Write Terraform tfvars
+    const tfDir = config.deployTarget === "new"
+        ? join(repoRoot, "terraform", "stacks", "node-realtime")
+        : join(repoRoot, "terraform", "stacks", "dns-only");
+    if (existsSync(tfDir)) {
+        writeFileSync(join(tfDir, `${config.name}.tfvars`), tfvars, "utf-8");
+        console.log(chalk.green(`  ✓ Terraform config: ${tfDir}/${config.name}.tfvars`));
+    }
+    // Write Coolify .env
+    writeFileSync(join(stacksDir, `${config.name}.env`), coolifyEnv, "utf-8");
+    console.log(chalk.green(`  ✓ Coolify config: stacks/${config.name}.env`));
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function getS3Config(config) {
+    if (!config.features.includes("s3"))
+        return null;
+    if (config.s3Provider === "existing") {
+        return {
+            bucket: config.s3ExistingBucket || "",
+            endpoint: config.s3ExistingEndpoint || "",
+            region: config.s3ExistingRegion || "",
+        };
+    }
+    const providerConfig = getConfig().providers.s3[config.s3Provider];
+    return {
+        bucket: `${config.name}-assets`,
+        endpoint: providerConfig?.endpoint || "",
+        region: providerConfig?.region || "",
+    };
+}
+// ---------------------------------------------------------------------------
+// Templates (inline — small enough to not warrant separate files)
+// ---------------------------------------------------------------------------
+const TFVARS_TEMPLATE = `server_name     = "{{name}}-prod"
+server_type     = "{{serverType}}"
+server_location = "{{serverLocation}}"
+ssh_key_name    = "deploy-key"
+ssh_public_key  = "ssh-ed25519 CHANGE_ME"
+
+domain = "{{domain}}"
+subdomains = {
+{{#each subdomains}}
+  "{{@key}}" = "{{this}}"
+{{/each}}
+}
+dns_ttl = 300
+
+firewall_enabled = true
+
+{{#if s3Enabled}}
+s3_enabled     = true
+s3_bucket_name = "{{s3BucketName}}"
+s3_bucket_acl  = "private"
+s3_location    = "{{s3Location}}"
+{{else}}
+s3_enabled     = false
+{{/if}}
+`;
+const DNS_ONLY_TFVARS_TEMPLATE = `domain = "{{domain}}"
+subdomains = {
+{{#each subdomains}}
+  "{{@key}}" = "{{this}}"
+{{/each}}
+}
+target_ipv4 = "{{targetIpv4}}"
+target_ipv6 = "{{targetIpv6}}"
+dns_ttl = 300
+`;
+const COOLIFY_ENV_TEMPLATE = `COOLIFY_URL="{{coolifyUrl}}"
+
+PROJECT_NAME="{{name}}"
+ENVIRONMENT_NAME="production"
+
+APP_NAME="{{name}}-web"
+GITHUB_REPO_URL="{{repoUrl}}"
+APP_PORT="{{clientPort}}"
+SERVER_PORT="{{serverPort}}"
+
+APP_DOMAIN="{{domain}}"
+
+MONGO_ENABLED="yes"
+REDIS_ENABLED="{{#if redisEnabled}}yes{{else}}no{{/if}}"
+
+S3_PROVIDER="{{s3Provider}}"
+S3_BUCKET="{{s3Bucket}}"
+S3_ENDPOINT="{{s3Endpoint}}"
+S3_ACCESS_KEY=""
+S3_SECRET_KEY=""
+S3_REGION="{{s3Region}}"
+
+{{#if stripe}}
+STRIPE_SECRET_KEY=""
+STRIPE_PUBLISHABLE_KEY=""
+STRIPE_WEBHOOK_SECRET=""
+{{/if}}
+
+{{#if analytics}}
+GLITCHTIP_DSN=""
+OPENPANEL_API_URL=""
+OPENPANEL_CLIENT_ID=""
+OPENPANEL_CLIENT_SECRET=""
+{{/if}}
+
+{{#each mlServices}}
+ML_{{this}}_ENDPOINT=""
+{{/each}}
+
+TOKEN_SECRET=""
+`;
+//# sourceMappingURL=infra.js.map

package/dist/scaffold/infra.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"infra.js","sourceRoot":"","sources":["../../src/scaffold/infra.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAuB,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEpD,iDAAiD;AACjD,MAAM,UAAU,cAAc,CAAC,MAAqB;IAClD,mEAAmE;IACnE,sEAAsE;IACtE,mCAAmC;IACnC,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,MAAM,YAAY,GAAG,CAAC,GAAW,EAAE,WAAmB,EAAE,EAAE;QACxD,IAAI,CAAC,GAAG;YAAE,OAAO;QACjB,IAAI,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAC5B,UAAU,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC;IAChC,CAAC,CAAC;IACF,YAAY,CAAC,MAAM,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;IACtD,YAAY,CAAC,OAAO,MAAM,CAAC,SAAS,EAAE,EAAE,UAAU,CAAC,CAAC;IACpD,YAAY,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IAE3C,IAAI,MAAM,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;QAClC,OAAO,YAAY,CAAC,eAAe,EAAE;YACnC,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,OAAO;YACxC,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,MAAM;YAC/C,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,UAAU;YACV,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,UAAU,KAAK,UAAU;YAC7E,YAAY,EAAE,GAAG,MAAM,CAAC,IAAI,SAAS;YACrC,UAAU,EAAE,MAAM,CAAC,cAAc,IAAI,MAAM;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,OAAO,YAAY,CAAC,wBAAwB,EAAE;QAC5C,MAAM,EAAE,MAAM,CAAC,UAAU;QACzB,UAAU;QACV,UAAU,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;QACjC,UAAU,EAAE,EAAE;KACf,CAAC,CAAC;AACL,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,kBAAkB,CAChC,MAAqB,EACrB,SAAyE,EAAE;IAE3E,MAAM,aAAa,GAAG,SAAS,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC;IACpD,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAErC,OAAO,YAAY,CAAC,oBAAoB,EAAE;QACxC,UAAU,EAAE,aAAa,EAAE,GAAG,IAAI,2BAA2B;QAC7D,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;QAC7B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,IAAI;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,IAAI;QACrC,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;QACnD,UAAU,EAAE,MAAM,CAAC,UAAU,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU;QAC3E,QAAQ,EAAE,QAAQ,EAAE,MAAM,IAAI,EAAE;QAChC,UAAU,EAAE,QAAQ,EAAE,QAAQ,IAAI,EAAE;QACpC,QAAQ,EAAE,QAAQ,EAAE,MAAM,IAAI,EAAE;QAChC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC1C,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;QAChD,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CAAC,CAAC;AACL,CAAC;AAQD,gCAAgC;AAChC,MAAM,UAAU,aAAa,CAC3B,MAAqB,EACrB,QAAgB,EAChB,UAAgC,EAAE;IAElC,+DAA+D;IAC/D,sEAAsE;IACtE,wDAAwD;IACxD,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,4EAA4E,CACpH,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEtE,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,EAAE;QAC5C,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;QACnC,OAAO;IACT,CAAC;IAED,yBAAyB;IACzB,MAAM,KAAK,GACT,MAAM,CAAC,YAAY,KAAK,KAAK;QAC3B,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,eAAe,CAAC;QACxD,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;IAExD,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACtB,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,MAAM,CAAC,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QACrE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,yBAAyB,KAAK,IAAI,MAAM,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC;IACnF,CAAC;IAED,qBAAqB;IACrB,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,MAAM,CAAC,IAAI,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,8BAA8B,MAAM,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,WAAW,CAClB,MAAqB;IAErB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjD,IAAI,MAAM,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QACrC,OAAO;YACL,MAAM,EAAE,MAAM,CAAC,gBAAgB,IAAI,EAAE;YACrC,QAAQ,EAAE,MAAM,CAAC,kBAAkB,IAAI,EAAE;YACzC,MAAM,EAAE,MAAM,CAAC,gBAAgB,IAAI,EAAE;SACtC,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,SAAS,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,CAA+B,CAAC;IACjG,OAAO;QACL,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,SAAS;QAC/B,QAAQ,EAAE,cAAc,EAAE,QAAQ,IAAI,EAAE;QACxC,MAAM,EAAE,cAAc,EAAE,MAAM,IAAI,EAAE;KACrC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,kEAAkE;AAClE,8EAA8E;AAE9E,MAAM,eAAe,GAAG;;;;;;;;;;;;;;;;;;;;;;;;CAwBvB,CAAC;AAEF,MAAM,wBAAwB,GAAG;;;;;;;;;CAShC,CAAC;AAEF,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwC5B,CAAC"}

package/dist/scaffold/manifest.d.ts

@@ -0,0 +1,50 @@
+import type { Feature, GpuPlatform, MlService, ProjectConfig, S3Provider } from "../prompts.js";
+import type { ProjectPorts } from "../utils/ports.js";
+export declare const MANIFEST_FILENAME = ".hatchkit.json";
+export declare const MANIFEST_VERSION = 1;
+export interface ProjectManifest {
+    /** Schema version. Increment when the shape changes incompatibly. */
+    version: typeof MANIFEST_VERSION;
+    /** CLI version that produced this manifest (diagnostic only). */
+    cliVersion: string;
+    /** ISO timestamp of the scaffold. */
+    scaffoldedAt: string;
+    /** Project name — duplicated from package.json for convenience. */
+    name: string;
+    /** Production domain — already public in DNS + .env.example. */
+    domain: string;
+    /** Feature flags selected at scaffold. */
+    features: Feature[];
+    /** ML services wired into the backend. */
+    mlServices: MlService[];
+    /** S3 provider name (`hetzner` / `aws` / `r2` / `existing` / `none`).
+     *  Credentials are NOT stored here — only the choice. */
+    s3Provider: S3Provider;
+    /** Where the app deploys. `existing` vs `new` is public-safe; the
+     *  actual serverId/IP is not in the manifest. */
+    deployTarget: "existing" | "new";
+    /** GPU platform choice, if any ML services need deployment. */
+    gpuPlatform?: GpuPlatform;
+    /** HF model ID for custom-hf, if selected. HF models are public. */
+    customHfModelId?: string;
+    /** GPU tier (T4/A10G/A100/H100) — public product names. */
+    customHfGpuType?: string;
+    /** Ports assigned to this project. They're already public in the
+     *  scaffolded .env.development files and docker-compose.yml. */
+    ports: {
+        server: number;
+        client: number;
+        nativeHmr?: number;
+    };
+}
+/** Build a manifest from the internal ProjectConfig, explicitly
+ *  whitelisting only the safe fields. Any new field on ProjectConfig
+ *  will NOT leak into the manifest unless added here on purpose. */
+export declare function toManifest(config: ProjectConfig, ports: ProjectPorts, cliVersion: string): ProjectManifest;
+export declare function writeManifest(outputDir: string, manifest: ProjectManifest): void;
+/** Read + validate a manifest from a scaffolded project directory.
+ *  Returns null if the file doesn't exist. Throws on malformed JSON
+ *  or an unknown schema version so downstream code doesn't silently
+ *  operate on a wrong shape. */
+export declare function readManifest(projectDir: string): ProjectManifest | null;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/scaffold/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AA+BA,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEtD,eAAO,MAAM,iBAAiB,mBAAmB,CAAC;AAClD,eAAO,MAAM,gBAAgB,IAAI,CAAC;AAElC,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,OAAO,EAAE,OAAO,gBAAgB,CAAC;IACjC,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,0CAA0C;IAC1C,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB;6DACyD;IACzD,UAAU,EAAE,UAAU,CAAC;IACvB;qDACiD;IACjD,YAAY,EAAE,UAAU,GAAG,KAAK,CAAC;IACjC,+DAA+D;IAC/D,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,oEAAoE;IACpE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;oEACgE;IAChE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAC/D;AAED;;oEAEoE;AACpE,wBAAgB,UAAU,CACxB,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,YAAY,EACnB,UAAU,EAAE,MAAM,GACjB,eAAe,CAoBjB;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,GAAG,IAAI,CAGhF;AAED;;;gCAGgC;AAChC,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAiBvE"}

package/dist/scaffold/manifest.js

@@ -0,0 +1,83 @@
+/*
+ * Project manifest — .hatchkit.json at the root of a scaffolded project.
+ *
+ * Purpose: capture just enough about how this project was scaffolded
+ * that `hatchkit update` can diff the current feature set against a
+ * desired new one and apply only the delta.
+ *
+ * ============================================================
+ * SECURITY: WHAT GOES IN — AND WHAT ABSOLUTELY DOES NOT
+ * ============================================================
+ *
+ * The manifest file gets committed to the project's git repo. Treat
+ * every field as eventually public. The included fields below are all
+ * already public in one way or another (package.json `name`, the
+ * domain is in DNS + .env.example, feature flags are inferable from
+ * dependency lists, ports are in .env.* and docker-compose.yml).
+ *
+ * Fields that MUST NEVER be written here:
+ *   - tokens, passwords, API keys (any credential)
+ *   - serverIp, serverId (Coolify server coordinates)
+ *   - s3ExistingAccessKey / SecretKey / Endpoint / Bucket  (user creds)
+ *   - serverSize / serverLocation (infrastructure cost signal)
+ *
+ * ProjectConfig has those fields; the `toManifest` function below is
+ * the single choke point that picks out the safe subset. Any time a
+ * new field is added to ProjectConfig, it must be triaged here — the
+ * default is to NOT include it.
+ */
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+export const MANIFEST_FILENAME = ".hatchkit.json";
+export const MANIFEST_VERSION = 1;
+/** Build a manifest from the internal ProjectConfig, explicitly
+ *  whitelisting only the safe fields. Any new field on ProjectConfig
+ *  will NOT leak into the manifest unless added here on purpose. */
+export function toManifest(config, ports, cliVersion) {
+    return {
+        version: MANIFEST_VERSION,
+        cliVersion,
+        scaffoldedAt: new Date().toISOString(),
+        name: config.name,
+        domain: config.domain,
+        features: [...config.features],
+        mlServices: [...config.mlServices],
+        s3Provider: config.s3Provider,
+        deployTarget: config.deployTarget,
+        gpuPlatform: config.gpuPlatform,
+        customHfModelId: config.customHfModelId,
+        customHfGpuType: config.customHfGpuType,
+        ports: {
+            server: ports.server,
+            client: ports.client,
+            nativeHmr: ports.nativeHmr,
+        },
+    };
+}
+export function writeManifest(outputDir, manifest) {
+    const path = join(outputDir, MANIFEST_FILENAME);
+    writeFileSync(path, JSON.stringify(manifest, null, 2) + "\n", "utf-8");
+}
+/** Read + validate a manifest from a scaffolded project directory.
+ *  Returns null if the file doesn't exist. Throws on malformed JSON
+ *  or an unknown schema version so downstream code doesn't silently
+ *  operate on a wrong shape. */
+export function readManifest(projectDir) {
+    const path = join(projectDir, MANIFEST_FILENAME);
+    if (!existsSync(path))
+        return null;
+    let parsed;
+    try {
+        parsed = JSON.parse(readFileSync(path, "utf-8"));
+    }
+    catch (err) {
+        throw new Error(`Manifest at ${path} is not valid JSON: ${err.message}`);
+    }
+    if (!parsed ||
+        typeof parsed !== "object" ||
+        parsed.version !== MANIFEST_VERSION) {
+        throw new Error(`Manifest at ${path} has unknown version. Expected ${MANIFEST_VERSION}.`);
+    }
+    return parsed;
+}
+//# sourceMappingURL=manifest.js.map

package/dist/scaffold/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAClD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAkClC;;oEAEoE;AACpE,MAAM,UAAU,UAAU,CACxB,MAAqB,EACrB,KAAmB,EACnB,UAAkB;IAElB,OAAO;QACL,OAAO,EAAE,gBAAgB;QACzB,UAAU;QACV,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC9B,UAAU,EAAE,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,KAAK,EAAE;YACL,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAyB;IACxE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAChD,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACzE,CAAC;AAED;;;gCAGgC;AAChC,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,uBAAwB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,IACE,CAAC,MAAM;QACP,OAAO,MAAM,KAAK,QAAQ;QACzB,MAAgC,CAAC,OAAO,KAAK,gBAAgB,EAC9D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,kCAAkC,gBAAgB,GAAG,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,MAAyB,CAAC;AACnC,CAAC"}

package/dist/scaffold/ml-client.d.ts

@@ -0,0 +1,20 @@
+import { type MlServiceEntry } from "../config.js";
+import type { MlService, ProjectConfig } from "../prompts.js";
+/** Resolve ML services — reuse existing or mark for deployment.
+ *  Services in config.forceRedeployMl bypass the registry and always
+ *  go to the deploy list, which recovers from stale registry entries. */
+export declare function resolveMlServices(config: ProjectConfig): Promise<{
+    reuse: Array<{
+        service: MlService;
+        entry: MlServiceEntry;
+    }>;
+    deploy: MlService[];
+}>;
+/** Get the env var name for an ML service endpoint. */
+export declare function mlEnvVarName(service: MlService): string;
+/** Print ML service resolution summary. */
+export declare function printMlSummary(reuse: Array<{
+    service: MlService;
+    entry: MlServiceEntry;
+}>, deploy: MlService[]): void;
+//# sourceMappingURL=ml-client.d.ts.map

package/dist/scaffold/ml-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ml-client.d.ts","sourceRoot":"","sources":["../../src/scaffold/ml-client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,cAAc,CAAC;AAClE,OAAO,KAAK,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9D;;yEAEyE;AACzE,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC;IACtE,KAAK,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,cAAc,CAAA;KAAE,CAAC,CAAC;IAC5D,MAAM,EAAE,SAAS,EAAE,CAAC;CACrB,CAAC,CAeD;AAED,uDAAuD;AACvD,wBAAgB,YAAY,CAAC,OAAO,EAAE,SAAS,GAAG,MAAM,CAGvD;AAED,2CAA2C;AAC3C,wBAAgB,cAAc,CAC5B,KAAK,EAAE,KAAK,CAAC;IAAE,OAAO,EAAE,SAAS,CAAC;IAAC,KAAK,EAAE,cAAc,CAAA;CAAE,CAAC,EAC3D,MAAM,EAAE,SAAS,EAAE,GAClB,IAAI,CAUN"}

package/dist/scaffold/ml-client.js

@@ -0,0 +1,38 @@
+import chalk from "chalk";
+import { getMlServices } from "../config.js";
+/** Resolve ML services — reuse existing or mark for deployment.
+ *  Services in config.forceRedeployMl bypass the registry and always
+ *  go to the deploy list, which recovers from stale registry entries. */
+export async function resolveMlServices(config) {
+    const registry = getMlServices();
+    const forceSet = new Set(config.forceRedeployMl ?? []);
+    const reuse = [];
+    const deploy = [];
+    for (const service of config.mlServices) {
+        if (registry[service] && !forceSet.has(service)) {
+            reuse.push({ service, entry: registry[service] });
+        }
+        else {
+            deploy.push(service);
+        }
+    }
+    return { reuse, deploy };
+}
+/** Get the env var name for an ML service endpoint. */
+export function mlEnvVarName(service) {
+    const name = service.replace(/-/g, "_").toUpperCase();
+    return `ML_${name}_ENDPOINT`;
+}
+/** Print ML service resolution summary. */
+export function printMlSummary(reuse, deploy) {
+    if (reuse.length > 0) {
+        console.log(chalk.dim("\n  Reusing existing ML services:"));
+        for (const { service, entry } of reuse) {
+            console.log(chalk.dim(`    ${service} → ${entry.endpoint}`));
+        }
+    }
+    if (deploy.length > 0) {
+        console.log(chalk.yellow(`\n  New ML services to deploy: ${deploy.join(", ")}`));
+    }
+}
+//# sourceMappingURL=ml-client.js.map

package/dist/scaffold/ml-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ml-client.js","sourceRoot":"","sources":["../../src/scaffold/ml-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAuB,aAAa,EAAE,MAAM,cAAc,CAAC;AAGlE;;yEAEyE;AACzE,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAqB;IAI3D,MAAM,QAAQ,GAAG,aAAa,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;IACvD,MAAM,KAAK,GAAyD,EAAE,CAAC;IACvE,MAAM,MAAM,GAAgB,EAAE,CAAC;IAE/B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACxC,IAAI,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YAChD,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AAC3B,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,YAAY,CAAC,OAAkB;IAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IACtD,OAAO,MAAM,IAAI,WAAW,CAAC;AAC/B,CAAC;AAED,2CAA2C;AAC3C,MAAM,UAAU,cAAc,CAC5B,KAA2D,EAC3D,MAAmB;IAEnB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC,CAAC;QAC5D,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,KAAK,EAAE,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,OAAO,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,kCAAkC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IACnF,CAAC;AACH,CAAC"}

package/dist/scaffold/pkg-json.d.ts

@@ -0,0 +1,20 @@
+export declare function stripPackageJsonScripts(outputDir: string, names: string[]): void;
+export declare function stripPackageJsonDeps(outputDir: string, names: string[]): void;
+export declare function stripPackageJsonBuildBlock(outputDir: string): void;
+/** Drop the `pnpm typecheck:electron` segment from the root `typecheck`
+ *  script regardless of where it sits in the `&&` chain. Handles:
+ *    "A && pnpm typecheck:electron"   → "A"
+ *    "pnpm typecheck:electron && A"   → "A"
+ *    "pnpm typecheck:electron"        → <script deleted entirely>
+ */
+export declare function unchainTypecheckScript(outputDir: string): void;
+/** Set a specific script entry in the root `package.json`. Creates
+ *  `scripts` if missing. */
+export declare function setPackageJsonScript(outputDir: string, name: string, value: string): void;
+/** Read the `name` field from a workspace package's package.json. */
+export declare function readPackageName(pkgDir: string): string | undefined;
+/** Return every workspace package's `name` field from its package.json.
+ *  Used to populate Next's `transpilePackages` dynamically instead of
+ *  hardcoding `@starter/*` names. */
+export declare function readWorkspacePackageNames(outputDir: string): string[];
+//# sourceMappingURL=pkg-json.d.ts.map

package/dist/scaffold/pkg-json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkg-json.d.ts","sourceRoot":"","sources":["../../src/scaffold/pkg-json.ts"],"names":[],"mappings":"AAaA,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAOhF;AAED,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAU7E;AAED,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAMlE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAkB9D;AAED;4BAC4B;AAC5B,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAOzF;AAED,qEAAqE;AACrE,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CASlE;AAED;;qCAEqC;AACrC,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE,CASrE"}