hatchkit 0.1.2 → 0.1.3

package/dist/config.js

@@ -1,11 +1,46 @@
-import { confirm, input, password, select } from "@inquirer/prompts";
+import { Separator, confirm, input, password, select } from "@inquirer/prompts";
 import chalk from "chalk";
 import Conf from "conf";
 import ora from "ora";
 import { verifyCoolify } from "./utils/coolify-api.js";
 import { execOk } from "./utils/exec.js";
-import { SECRET_KEYS, clearAllSecrets, getSecret, setSecret } from "./utils/secrets.js";
+import { SECRET_KEYS, clearAllSecrets, deleteSecret, getSecret, setSecret, } from "./utils/secrets.js";
 import { validateRequired, validateUrl } from "./utils/validate.js";
+/** Pretty-print "where to create this token" hint before a password prompt. */
+function tokenHint(url, scope) {
+    console.log(chalk.dim(`  → Create at: ${chalk.cyan(url)}`));
+    console.log(chalk.dim(`    Permissions: ${scope}`));
+}
+/** Sanitize pasted secret: strip bracketed-paste escapes + non-printable
+ *  ASCII that some terminals inject on paste. Plain `.trim()` misses these. */
+function sanitizePastedSecret(raw) {
+    return raw
+        .replace(/\x1b\[2\d\d~/g, "")
+        .replace(/[^\x20-\x7e]/g, "")
+        .trim();
+}
+/** Prompt for a secret, show a masked preview (`abcd…wxyz, 50 chars`),
+ *  and let the user re-enter if the paste looks wrong. Loops until the
+ *  user confirms. Values are never echoed in full. */
+async function confirmPastedSecret(label) {
+    for (;;) {
+        const raw = await password({ message: `${label}:` });
+        const value = sanitizePastedSecret(raw);
+        if (!value) {
+            console.log(chalk.yellow("  (empty — please paste again)"));
+            continue;
+        }
+        const preview = value.length <= 8
+            ? `${"*".repeat(value.length)} (${value.length} chars — looks short?)`
+            : `${value.slice(0, 4)}…${value.slice(-4)} (${value.length} chars)`;
+        const ok = await confirm({
+            message: `Looks like: ${chalk.cyan(preview)} — use this?`,
+            default: true,
+        });
+        if (ok)
+            return value;
+    }
+}
 // ---------------------------------------------------------------------------
 // Config store
 // ---------------------------------------------------------------------------
@@ -54,6 +89,12 @@ function createStore() {
     }
 }
 const store = createStore();
+/** Exposed for internal modules that need raw access (e.g. the `doctor`
+ *  command). External consumers should prefer the typed `getXConfig()`
+ *  helpers. */
+export function getStore() {
+    return store;
+}
 export function getConfig() {
     return store.store;
 }
@@ -137,19 +178,29 @@ export async function ensureCoolify() {
         default: existing?.url,
         validate: (v) => validateUrl(v.trim()),
     })).trim();
-    const token = (await password({
-        message: "Coolify API token (from Settings → API Tokens):",
-    })).trim();
-    const spinner = ora("Testing Coolify connection...").start();
-    try {
-        const version = await verifyCoolify(url, token);
-        spinner.succeed(`Connected to Coolify v${version}`);
-    }
-    catch (error) {
-        spinner.fail("Could not connect to Coolify");
-        throw error;
+    // Loop on the token until it authenticates — pasting the wrong token
+    // is easy, and re-running the whole onboarding just to retry is rude.
+    let token = "";
+    tokenHint(`${url.replace(/\/$/, "")}/security/api-tokens`, "root (full access)");
+    for (;;) {
+        token = await confirmPastedSecret("Coolify API token");
+        const spinner = ora("Testing Coolify connection...").start();
+        try {
+            const version = await verifyCoolify(url, token);
+            spinner.succeed(`Connected to Coolify v${version}`);
+            break;
+        }
+        catch (error) {
+            spinner.fail("Could not connect to Coolify");
+            console.log(chalk.dim(`  ${error instanceof Error ? error.message : String(error)}`));
+            const retry = await confirm({
+                message: "Try a different token?",
+                default: true,
+            });
+            if (!retry)
+                throw error;
+        }
     }
-    // Cache server list
     const { CoolifyApi } = await import("./utils/coolify-api.js");
     const api = new CoolifyApi({ url, token });
     const servers = await api.listServers();
@@ -186,9 +237,8 @@ export async function ensureHetzner() {
     if (existing?.status === "configured" && existingToken) {
         return { ...existing, token: existingToken };
     }
-    const token = await password({
-        message: "Hetzner Cloud API token:",
-    });
+    tokenHint("https://console.hetzner.cloud/projects → Security → API Tokens", "Read & Write (needed to create servers)");
+    const token = await confirmPastedSecret("Hetzner Cloud API token");
     const spinner = ora("Testing Hetzner connection...").start();
     try {
         const res = await fetch("https://api.hetzner.cloud/v1/servers", {
@@ -214,6 +264,15 @@ export async function getHetznerToken() {
     await migrateSecret("providers.hetzner.token", SECRET_KEYS.hetznerToken);
     return getSecret(SECRET_KEYS.hetznerToken);
 }
+export async function getHetznerConfig() {
+    const meta = store.get("providers.hetzner");
+    if (!meta || meta.status !== "configured")
+        return null;
+    const token = await getHetznerToken();
+    if (!token)
+        return null;
+    return { ...meta, token };
+}
 // ---------------------------------------------------------------------------
 // Provider: DNS
 // ---------------------------------------------------------------------------
@@ -224,10 +283,12 @@ export async function ensureDns() {
     if (existing?.status === "configured") {
         const password = await getSecret(SECRET_KEYS.dnsInwxPassword);
         const apiToken = await getSecret(SECRET_KEYS.dnsCloudflareToken);
+        const registrarPassword = await getSecret(SECRET_KEYS.dnsInwxRegistrarPassword);
         return {
             ...existing,
             password: password ?? undefined,
             apiToken: apiToken ?? undefined,
+            registrarPassword: registrarPassword ?? undefined,
         };
     }
     const provider = await select({
@@ -245,7 +306,7 @@ export async function ensureDns() {
     }
     if (provider === "inwx") {
         const username = await input({ message: "INWX username:", validate: validateRequired });
-        const pwd = await password({ message: "INWX password:" });
+        const pwd = await confirmPastedSecret("INWX password");
         const meta = {
             status: "configured",
             provider: "inwx",
@@ -257,15 +318,45 @@ export async function ensureDns() {
         return { ...meta, password: pwd };
     }
     // Cloudflare
-    const apiToken = await password({ message: "Cloudflare API token:" });
+    tokenHint("https://dash.cloudflare.com/profile/api-tokens → Create Token", "Zone:DNS:Edit + Zone:Zone:Read (scope to the zones you'll use)");
+    const apiToken = await confirmPastedSecret("Cloudflare API token");
+    const accountId = await input({
+        message: "Cloudflare account ID (optional — leave blank to span all accounts):",
+        default: "",
+    });
+    // Cross-provider case: DNS on Cloudflare, but the domain is still
+    // registered at INWX. Offer to store INWX registrar creds so deploys
+    // (and the `dns link-to-cloudflare` command) can flip the delegated NS
+    // to Cloudflare automatically without a UI click-through per domain.
+    const wireInwxRegistrar = await confirm({
+        message: "Is INWX your domain registrar? (if yes, hatchkit will auto-point NS at Cloudflare on deploy)",
+        default: false,
+    });
+    let registrarUsername;
+    let registrarPassword;
+    if (wireInwxRegistrar) {
+        registrarUsername = await input({
+            message: "INWX username (registrar):",
+            validate: validateRequired,
+        });
+        registrarPassword = await confirmPastedSecret("INWX password (registrar)");
+    }
     const meta = {
         status: "configured",
         provider: "cloudflare",
+        accountId: accountId.trim() || undefined,
+        registrarUsername,
     };
     store.set("providers.dns", meta);
     await setSecret(SECRET_KEYS.dnsCloudflareToken, apiToken);
+    if (registrarPassword) {
+        await setSecret(SECRET_KEYS.dnsInwxRegistrarPassword, registrarPassword);
+    }
     console.log(chalk.green("  ✓ Cloudflare DNS configured"));
-    return { ...meta, apiToken };
+    if (registrarUsername) {
+        console.log(chalk.green("  ✓ INWX registrar wired for auto-NS updates"));
+    }
+    return { ...meta, apiToken, registrarPassword };
 }
 export async function getDnsConfig() {
     await migrateSecret("providers.dns.password", SECRET_KEYS.dnsInwxPassword);
@@ -275,10 +366,12 @@ export async function getDnsConfig() {
         return null;
     const password = await getSecret(SECRET_KEYS.dnsInwxPassword);
     const apiToken = await getSecret(SECRET_KEYS.dnsCloudflareToken);
+    const registrarPassword = await getSecret(SECRET_KEYS.dnsInwxRegistrarPassword);
     return {
         ...meta,
         password: password ?? undefined,
         apiToken: apiToken ?? undefined,
+        registrarPassword: registrarPassword ?? undefined,
     };
 }
 // ---------------------------------------------------------------------------
@@ -294,11 +387,39 @@ export async function ensureS3(provider) {
         return { ...existing, accessKey, secretKey };
     }
     console.log(chalk.yellow(`\n  ${provider.toUpperCase()} S3 is not configured yet. Let's set it up.`));
-    const promptedAccessKey = await password({ message: `${provider} S3 access key:` });
-    const promptedSecretKey = await password({ message: `${provider} S3 secret key:` });
+    // For R2 we need the account id BEFORE showing the create-token URL, so
+    // we can deep-link to the account-scoped page.
     let endpoint;
     let region;
     let location;
+    let accountId;
+    if (provider === "r2") {
+        console.log(chalk.dim("  Your Cloudflare account ID is in the dashboard URL:\n" +
+            "    dash.cloudflare.com/<account-id>/home/overview"));
+        accountId = (await input({
+            message: "Cloudflare account ID:",
+            validate: validateRequired,
+        })).trim();
+        endpoint = `https://${accountId}.r2.cloudflarestorage.com`;
+        region = "auto";
+    }
+    const s3Hints = {
+        hetzner: {
+            url: "https://console.hetzner.cloud → your project → Security → S3 credentials",
+            scope: "any (credentials are per-project)",
+        },
+        aws: {
+            url: "https://console.aws.amazon.com/iam → Users → Security credentials → Create access key",
+            scope: "s3:PutObject, s3:GetObject, s3:DeleteObject on the target bucket",
+        },
+        r2: {
+            url: `https://dash.cloudflare.com/${accountId ?? ""}/r2/api-tokens → Create Token`,
+            scope: "Object Read & Write — then copy from the 'Use the following credentials for S3 clients' section (NOT the 'Token value' at the top)",
+        },
+    };
+    tokenHint(s3Hints[provider].url, s3Hints[provider].scope);
+    const promptedAccessKey = await confirmPastedSecret(`${provider} S3 Access Key ID`);
+    const promptedSecretKey = await confirmPastedSecret(`${provider} S3 Secret Access Key`);
     if (provider === "hetzner") {
         location = await select({
             message: "Hetzner Object Storage location:",
@@ -311,15 +432,7 @@ export async function ensureS3(provider) {
         endpoint = `https://${location}.your-objectstorage.com`;
         region = location;
     }
-    else if (provider === "r2") {
-        const accountId = await input({
-            message: "Cloudflare account ID:",
-            validate: validateRequired,
-        });
-        endpoint = `https://${accountId}.r2.cloudflarestorage.com`;
-        region = "auto";
-    }
-    else {
+    else if (provider === "aws") {
         region = await input({ message: "AWS region:", default: "us-east-1" });
         endpoint = `https://s3.${region}.amazonaws.com`;
     }
@@ -372,13 +485,16 @@ export async function ensureGpuProvider(platform) {
             break;
         }
         case "runpod":
-            apiKey = await password({ message: "RunPod API key:" });
+            tokenHint("https://runpod.io/user/settings → API Keys", "Read & Write");
+            apiKey = await confirmPastedSecret("RunPod API key");
             break;
         case "hf":
-            apiKey = await password({ message: "HuggingFace token (from hf.co/settings/tokens):" });
+            tokenHint("https://huggingface.co/settings/tokens", "Read (or Write if you'll push models)");
+            apiKey = await confirmPastedSecret("HuggingFace token");
             break;
         case "replicate":
-            apiKey = await password({ message: "Replicate API token:" });
+            tokenHint("https://replicate.com/account/api-tokens", "any (account-scoped)");
+            apiKey = await confirmPastedSecret("Replicate API token");
             break;
     }
     const meta = {
@@ -442,9 +558,8 @@ export async function ensureGlitchtip() {
         default: existing?.url ?? "https://glitchtip.trebeljahr.com",
         validate: (v) => validateUrl(v.trim()),
     })).trim();
-    const token = (await password({
-        message: "GlitchTip auth token (Profile → Auth Tokens, needs project:admin):",
-    })).trim();
+    tokenHint(`${url.replace(/\/$/, "")}/profile/auth-tokens`, "project:admin (read + write projects & teams)");
+    const token = await confirmPastedSecret("GlitchTip auth token");
     const organizationSlug = (await input({
         message: "GlitchTip organization slug:",
         default: existing?.organizationSlug,
@@ -481,43 +596,79 @@ export async function getGlitchtipConfig() {
 // ---------------------------------------------------------------------------
 export async function ensureOpenpanel() {
     const existing = store.get("providers.openpanel");
-    const existingToken = await getSecret(SECRET_KEYS.openpanelToken);
-    if (existing?.status === "configured" && existingToken) {
-        return { ...existing, token: existingToken };
+    const existingId = await getSecret(SECRET_KEYS.openpanelRootClientId);
+    const existingSecret = await getSecret(SECRET_KEYS.openpanelRootClientSecret);
+    // Short-circuit only if *every* field is present. `apiUrl` was added
+    // after 0.1.x — configs written by earlier versions lack it, which is
+    // why a previously-"configured" setup now hits the dashboard URL
+    // instead of the API host. Fall through to the prompt flow so we can
+    // top it up without losing the rest of the config.
+    if (existing?.status === "configured" && existing.apiUrl && existingId && existingSecret) {
+        return { ...existing, rootClientId: existingId, rootClientSecret: existingSecret };
+    }
+    if (existing?.status === "configured" && !existing.apiUrl) {
+        console.log(chalk.yellow("\n  OpenPanel config is missing the Management API URL — let's fill that in."));
+    }
+    else {
+        console.log(chalk.yellow("\n  OpenPanel is not configured yet. Let's set it up."));
     }
-    console.log(chalk.yellow("\n  OpenPanel is not configured yet. Let's set it up."));
     const url = (await input({
-        message: "OpenPanel base URL:",
+        message: "OpenPanel dashboard URL:",
         default: existing?.url ?? "https://analytics.trebeljahr.com",
         validate: (v) => validateUrl(v.trim()),
     })).trim();
-    const token = (await password({
-        message: "OpenPanel personal access token (Settings → Access Tokens):",
-    })).trim();
+    // Self-hosted OpenPanel exposes the Management API on a separate
+    // subdomain (e.g. `api.op.example.com`). Default by prepending `api.`
+    // to the dashboard host, which matches the docs' recommended layout.
+    const defaultApiUrl = existing?.apiUrl ?? url.replace(/^https?:\/\//, (m) => `${m}api.`).replace(/\/$/, "");
+    const apiUrl = (await input({
+        message: "OpenPanel API URL (Management API base — usually api.<dashboard>):",
+        default: defaultApiUrl,
+        validate: (v) => validateUrl(v.trim()),
+    }))
+        .trim()
+        .replace(/\/$/, "");
     const organizationSlug = (await input({
         message: "OpenPanel organization slug:",
         default: existing?.organizationSlug,
         validate: validateRequired,
     })).trim();
+    console.log(chalk.dim(`\n  OpenPanel auth uses a client id/secret pair, not a bearer token.\n` +
+        `  Create a root-mode client once so hatchkit can auto-create\n` +
+        `  per-project clients via the Management API.\n\n` +
+        `  Where to create it:\n` +
+        `    1. Open ${chalk.cyan(`${url.replace(/\/$/, "")}/${organizationSlug}`)}\n` +
+        `    2. Pick any project (or create a placeholder "hatchkit-root" project)\n` +
+        `    3. Project → Settings → Clients → New client\n` +
+        `    4. Type: ${chalk.cyan("root")} (Management API access — full org-wide)\n` +
+        `    5. Copy the clientId and clientSecret (secret is shown once)\n`));
+    const rootClientId = (await input({
+        message: "OpenPanel root clientId:",
+        validate: validateRequired,
+    })).trim();
+    const rootClientSecret = await confirmPastedSecret("OpenPanel root clientSecret (shown once at creation)");
     const meta = {
         status: "configured",
         url: url.replace(/\/$/, ""),
+        apiUrl,
         organizationSlug,
         lastVerified: new Date().toISOString(),
     };
     store.set("providers.openpanel", meta);
-    await setSecret(SECRET_KEYS.openpanelToken, token);
+    await setSecret(SECRET_KEYS.openpanelRootClientId, rootClientId);
+    await setSecret(SECRET_KEYS.openpanelRootClientSecret, rootClientSecret);
     console.log(chalk.green("  ✓ OpenPanel configured"));
-    return { ...meta, token };
+    return { ...meta, rootClientId, rootClientSecret };
 }
 export async function getOpenpanelConfig() {
     const meta = store.get("providers.openpanel");
     if (!meta || meta.status !== "configured")
         return null;
-    const token = await getSecret(SECRET_KEYS.openpanelToken);
-    if (!token)
+    const rootClientId = await getSecret(SECRET_KEYS.openpanelRootClientId);
+    const rootClientSecret = await getSecret(SECRET_KEYS.openpanelRootClientSecret);
+    if (!rootClientId || !rootClientSecret)
         return null;
-    return { ...meta, token };
+    return { ...meta, rootClientId, rootClientSecret };
 }
 // ---------------------------------------------------------------------------
 // Provider: Resend (transactional email SaaS)
@@ -529,9 +680,8 @@ export async function ensureResend() {
         return { ...existing, apiKey: existingKey };
     }
     console.log(chalk.yellow("\n  Resend is not configured yet. Let's set it up."));
-    const apiKey = (await password({
-        message: "Resend API key (resend.com/api-keys, needs 'full access'):",
-    })).trim();
+    tokenHint("https://resend.com/api-keys", "Full access (needed to create domain-scoped keys)");
+    const apiKey = await confirmPastedSecret("Resend API key");
     const spinner = ora("Verifying Resend API key...").start();
     try {
         const res = await fetch("https://api.resend.com/domains", {
@@ -570,86 +720,248 @@ export async function isFirstRun() {
     const config = getConfig();
     return config.providers.github.status === "unconfigured" && !config.providers.coolify;
 }
-export async function runOnboarding() {
-    console.log(chalk.bold("\n  Welcome! Let's set up your development infrastructure."));
-    console.log(chalk.dim("  This is a one-time setup — metadata is stored locally in"));
-    console.log(chalk.dim(`  ${getConfigPath()}`));
-    console.log(chalk.dim(`  Secrets (tokens, passwords) go to your OS keychain.\n`));
-    // Core providers
-    console.log(chalk.bold("  ── Core Providers (required) ──────────────────────────────\n"));
-    await ensureGitHub();
-    await ensureCoolify();
-    // Infrastructure providers
-    console.log(chalk.bold("\n  ── Infrastructure Providers ───────────────────────────────\n"));
-    const configHetzner = await confirm({
-        message: "Configure Hetzner Cloud? (needed for new servers)",
-        default: true,
-    });
-    if (configHetzner) {
+/** Wipe a provider's stored meta + secret keys so its ensureFn re-prompts. */
+async function wipeProvider(storeKey, secretKeys) {
+    store.delete(storeKey);
+    for (const k of secretKeys)
+        await deleteSecret(k);
+}
+/** Wipe + re-prompt for a single provider. Shared by the stepper and by
+ *  `hatchkit config add <provider>` so both paths always re-prompt rather
+ *  than silently no-op on already-configured providers. */
+export async function reconfigureProvider(name) {
+    if (name === "coolify") {
+        await wipeProvider("providers.coolify", [SECRET_KEYS.coolifyToken]);
+        await ensureCoolify();
+    }
+    else if (name === "hetzner") {
+        await wipeProvider("providers.hetzner", [SECRET_KEYS.hetznerToken]);
         await ensureHetzner();
     }
-    await ensureDns();
-    // Storage — all skippable
-    console.log(chalk.bold("\n  ── Storage Providers (configure as needed) ────────────────\n"));
-    const configStorage = await confirm({
-        message: "Configure any S3 storage provider now?",
-        default: false,
-    });
-    if (configStorage) {
-        const s3Provider = await select({
-            message: "Which S3 provider?",
-            choices: [
-                { name: "Hetzner Object Storage", value: "hetzner" },
-                { name: "AWS S3", value: "aws" },
-                { name: "Cloudflare R2", value: "r2" },
+    else if (name === "dns") {
+        await wipeProvider("providers.dns", [
+            SECRET_KEYS.dnsInwxPassword,
+            SECRET_KEYS.dnsCloudflareToken,
+        ]);
+        await ensureDns();
+    }
+    else if (name === "glitchtip") {
+        await wipeProvider("providers.glitchtip", [SECRET_KEYS.glitchtipToken]);
+        await ensureGlitchtip();
+    }
+    else if (name === "openpanel") {
+        await wipeProvider("providers.openpanel", [
+            SECRET_KEYS.openpanelRootClientId,
+            SECRET_KEYS.openpanelRootClientSecret,
+        ]);
+        await ensureOpenpanel();
+    }
+    else if (name === "resend") {
+        await wipeProvider("providers.resend", [SECRET_KEYS.resendApiKey]);
+        await ensureResend();
+    }
+    else if (name.startsWith("s3.")) {
+        const p = name.slice(3);
+        await wipeProvider(`providers.s3.${p}`, [
+            SECRET_KEYS.s3AccessKey(p),
+            SECRET_KEYS.s3SecretKey(p),
+        ]);
+        await ensureS3(p);
+    }
+    else if (name.startsWith("gpu.")) {
+        const p = name.slice(4);
+        await wipeProvider(`providers.gpu.${p}`, [SECRET_KEYS.gpuApiKey(p)]);
+        await ensureGpuProvider(p);
+    }
+}
+function buildSetupGroups() {
+    return [
+        {
+            title: "Core",
+            steps: [
+                {
+                    key: "github",
+                    label: "GitHub (gh CLI)",
+                    status: () => {
+                        const s = store.get("providers.github.status");
+                        return { configured: s === "configured" };
+                    },
+                    run: async () => {
+                        store.set("providers.github.status", "unconfigured");
+                        await ensureGitHub();
+                    },
+                },
+                {
+                    key: "coolify",
+                    label: "Coolify",
+                    status: () => {
+                        const m = store.get("providers.coolify");
+                        return { configured: m?.status === "configured", summary: m?.url };
+                    },
+                    run: () => reconfigureProvider("coolify"),
+                },
+            ],
+        },
+        {
+            title: "Infrastructure",
+            steps: [
+                {
+                    key: "hetzner",
+                    label: "Hetzner Cloud",
+                    status: () => {
+                        const m = store.get("providers.hetzner");
+                        return { configured: m?.status === "configured" };
+                    },
+                    run: () => reconfigureProvider("hetzner"),
+                },
+                {
+                    key: "dns",
+                    label: "DNS",
+                    status: () => {
+                        const m = store.get("providers.dns");
+                        return {
+                            configured: m?.status === "configured",
+                            summary: m?.provider && m.provider !== "manual" ? m.provider : undefined,
+                        };
+                    },
+                    run: () => reconfigureProvider("dns"),
+                },
+            ],
+        },
+        {
+            title: "S3 Storage",
+            steps: ["hetzner", "aws", "r2"].map((p) => ({
+                key: `s3.${p}`,
+                label: p === "hetzner" ? "Hetzner Object Storage" : p === "aws" ? "AWS S3" : "Cloudflare R2",
+                status: () => {
+                    const m = store.get(`providers.s3.${p}`);
+                    return { configured: m?.status === "configured", summary: m?.endpoint };
+                },
+                run: () => reconfigureProvider(`s3.${p}`),
+            })),
+        },
+        {
+            title: "Observability & Email",
+            steps: [
+                {
+                    key: "glitchtip",
+                    label: "GlitchTip (error tracking)",
+                    status: () => {
+                        const m = store.get("providers.glitchtip");
+                        return { configured: m?.status === "configured", summary: m?.url };
+                    },
+                    run: () => reconfigureProvider("glitchtip"),
+                },
+                {
+                    key: "openpanel",
+                    label: "OpenPanel (product analytics)",
+                    status: () => {
+                        const m = store.get("providers.openpanel");
+                        return { configured: m?.status === "configured", summary: m?.url };
+                    },
+                    run: () => reconfigureProvider("openpanel"),
+                },
+                {
+                    key: "resend",
+                    label: "Resend (transactional email)",
+                    status: () => {
+                        const m = store.get("providers.resend");
+                        return { configured: m?.status === "configured" };
+                    },
+                    run: () => reconfigureProvider("resend"),
+                },
             ],
+        },
+        {
+            title: "GPU / ML Providers",
+            steps: [
+                { key: "modal", name: "Modal" },
+                { key: "runpod", name: "RunPod" },
+                { key: "hf", name: "HuggingFace Inference" },
+                { key: "replicate", name: "Replicate" },
+            ].map((p) => ({
+                key: `gpu.${p.key}`,
+                label: p.name,
+                status: () => {
+                    const m = store.get(`providers.gpu.${p.key}`);
+                    return { configured: m?.status === "configured" };
+                },
+                run: () => reconfigureProvider(`gpu.${p.key}`),
+            })),
+        },
+    ];
+}
+function renderStepLabel(step) {
+    const { configured, summary } = step.status();
+    const mark = configured ? chalk.green("✓") : chalk.dim("·");
+    const tail = configured
+        ? chalk.dim(` — ${summary ?? "configured"}`)
+        : chalk.dim(" — not configured");
+    return `${mark}  ${step.label}${tail}`;
+}
+function renderGroupHeader(group) {
+    const total = group.steps.length;
+    const done = group.steps.filter((s) => s.status().configured).length;
+    const count = total > 1 ? chalk.dim(` ${done}/${total}`) : "";
+    return chalk.bold(`── ${group.title} ──${count}`);
+}
+export async function runOnboarding() {
+    console.log(chalk.bold("\n  hatchkit setup"));
+    console.log(chalk.dim(`  Metadata: ${getConfigPath()}`));
+    console.log(chalk.dim("  Secrets: OS keychain"));
+    console.log(chalk.dim("  Pick any step to (re)configure. Choose 'Done' to exit.\n"));
+    const groups = buildSetupGroups();
+    const allSteps = groups.flatMap((g) => g.steps);
+    for (;;) {
+        // Default the cursor to the first unconfigured step so Enter advances
+        // naturally on a first-time setup.
+        const firstUnconfigured = allSteps.find((s) => !s.status().configured);
+        const defaultKey = firstUnconfigured?.key ?? "__done__";
+        const choices = [];
+        for (const group of groups) {
+            choices.push(new Separator(renderGroupHeader(group)));
+            for (const step of group.steps) {
+                choices.push({ name: renderStepLabel(step), value: step.key });
+            }
+        }
+        choices.push(new Separator(" "));
+        choices.push({ name: chalk.bold("Done — exit setup"), value: "__done__" });
+        const picked = await select({
+            message: "Next step:",
+            default: defaultKey,
+            pageSize: Math.min(30, choices.length),
+            choices,
         });
-        await ensureS3(s3Provider);
+        if (picked === "__done__")
+            break;
+        const step = allSteps.find((s) => s.key === picked);
+        if (!step)
+            continue;
+        console.log();
+        try {
+            await step.run();
+        }
+        catch (err) {
+            console.log(chalk.red(`\n  ✗ ${step.label} failed: ${err instanceof Error ? err.message : String(err)}`));
+        }
+        console.log();
+    }
+    // Summary — show both what's configured and what's still missing so
+    // the user notices optional-but-important steps (GlitchTip / OpenPanel
+    // / Resend) they may have skipped.
+    const configured = allSteps.filter((s) => s.status().configured);
+    const unconfigured = allSteps.filter((s) => !s.status().configured);
+    console.log(chalk.bold("\n  ── Done ───────────────────────────────────────────────────\n"));
+    if (configured.length === 0) {
+        console.log(chalk.yellow("  Nothing configured yet. Run `hatchkit setup` again anytime.\n"));
     }
     else {
-        console.log(chalk.dim("  Skipped — will prompt when you first need S3 storage."));
+        console.log(chalk.green(`  ✓ Configured: ${configured.map((s) => s.label).join(", ")}`));
     }
-    // Observability & email — all skippable
-    console.log(chalk.bold("\n  ── Observability & Email (configure as needed) ────────────\n"));
-    const configGlitchtip = await confirm({
-        message: "Configure GlitchTip (error tracking)?",
-        default: false,
-    });
-    if (configGlitchtip)
-        await ensureGlitchtip();
-    const configOpenpanel = await confirm({
-        message: "Configure OpenPanel (product analytics)?",
-        default: false,
-    });
-    if (configOpenpanel)
-        await ensureOpenpanel();
-    const configResend = await confirm({
-        message: "Configure Resend (transactional email)?",
-        default: false,
-    });
-    if (configResend)
-        await ensureResend();
-    // GPU — all skippable
-    console.log(chalk.bold("\n  ── GPU / ML Providers (configure when needed) ─────────────\n"));
-    console.log(chalk.dim("  Skipped — will prompt when you first add an ML service.\n"));
-    // Done
-    console.log(chalk.bold("  ── Done! ──────────────────────────────────────────────────\n"));
-    const configuredProviders = ["GitHub"];
-    if (store.get("providers.coolify"))
-        configuredProviders.push("Coolify");
-    if (store.get("providers.hetzner"))
-        configuredProviders.push("Hetzner Cloud");
-    const dnsMeta = store.get("providers.dns");
-    if (dnsMeta?.provider && dnsMeta.provider !== "manual") {
-        configuredProviders.push(dnsMeta.provider.toUpperCase());
-    }
-    if (store.get("providers.glitchtip"))
-        configuredProviders.push("GlitchTip");
-    if (store.get("providers.openpanel"))
-        configuredProviders.push("OpenPanel");
-    if (store.get("providers.resend"))
-        configuredProviders.push("Resend");
-    console.log(chalk.green(`  ✓ Providers configured: ${configuredProviders.join(", ")}`));
-    console.log(chalk.dim("  ✓ Skipped providers will be prompted when first needed.\n"));
+    if (unconfigured.length > 0) {
+        console.log(chalk.dim(`  · Still unconfigured: ${unconfigured.map((s) => s.label).join(", ")}`));
+        console.log(chalk.dim("    (optional — add later via `hatchkit setup` or `hatchkit config add <provider>`)"));
+    }
+    console.log(chalk.dim("\n  ✓ Run `hatchkit doctor` to verify every configured provider.\n"));
 }
 //# sourceMappingURL=config.js.map