npm - hatchkit - Versions diffs - 0.1.2 → 0.1.4 - Mend

hatchkit 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/dist/completion.d.ts +2 -0
package/dist/completion.d.ts.map +1 -0
package/dist/completion.js +207 -0
package/dist/completion.js.map +1 -0
package/dist/config.d.ts +33 -1
package/dist/config.d.ts.map +1 -1
package/dist/config.js +439 -127
package/dist/config.js.map +1 -1
package/dist/deploy/coolify-mongo.d.ts +12 -0
package/dist/deploy/coolify-mongo.d.ts.map +1 -0
package/dist/deploy/coolify-mongo.js +109 -0
package/dist/deploy/coolify-mongo.js.map +1 -0
package/dist/deploy/gpu.d.ts +9 -2
package/dist/deploy/gpu.d.ts.map +1 -1
package/dist/deploy/gpu.js +63 -39
package/dist/deploy/gpu.js.map +1 -1
package/dist/deploy/keys.d.ts +6 -2
package/dist/deploy/keys.d.ts.map +1 -1
package/dist/deploy/keys.js +16 -2
package/dist/deploy/keys.js.map +1 -1
package/dist/deploy/pages.d.ts +2 -0
package/dist/deploy/pages.d.ts.map +1 -0
package/dist/deploy/pages.js +537 -0
package/dist/deploy/pages.js.map +1 -0
package/dist/deploy/rename-domain.d.ts +55 -0
package/dist/deploy/rename-domain.d.ts.map +1 -0
package/dist/deploy/rename-domain.js +290 -0
package/dist/deploy/rename-domain.js.map +1 -0
package/dist/deploy/terraform.d.ts.map +1 -1
package/dist/deploy/terraform.js +90 -0
package/dist/deploy/terraform.js.map +1 -1
package/dist/dns.d.ts +7 -0
package/dist/dns.d.ts.map +1 -0
package/dist/dns.js +124 -0
package/dist/dns.js.map +1 -0
package/dist/doctor.d.ts +13 -0
package/dist/doctor.d.ts.map +1 -0
package/dist/doctor.js +368 -0
package/dist/doctor.js.map +1 -0
package/dist/explain.d.ts +4 -0
package/dist/explain.d.ts.map +1 -0
package/dist/explain.js +173 -0
package/dist/explain.js.map +1 -0
package/dist/index.js +521 -61
package/dist/index.js.map +1 -1
package/dist/prompts.d.ts +15 -2
package/dist/prompts.d.ts.map +1 -1
package/dist/prompts.js +52 -7
package/dist/prompts.js.map +1 -1
package/dist/provision/glitchtip.d.ts +3 -0
package/dist/provision/glitchtip.d.ts.map +1 -1
package/dist/provision/glitchtip.js +18 -0
package/dist/provision/glitchtip.js.map +1 -1
package/dist/provision/index.d.ts +26 -0
package/dist/provision/index.d.ts.map +1 -1
package/dist/provision/index.js +435 -60
package/dist/provision/index.js.map +1 -1
package/dist/provision/openpanel.d.ts +7 -0
package/dist/provision/openpanel.d.ts.map +1 -1
package/dist/provision/openpanel.js +113 -48
package/dist/provision/openpanel.js.map +1 -1
package/dist/provision/resend.d.ts +23 -1
package/dist/provision/resend.d.ts.map +1 -1
package/dist/provision/resend.js +62 -1
package/dist/provision/resend.js.map +1 -1
package/dist/provision/write-env.d.ts +31 -0
package/dist/provision/write-env.d.ts.map +1 -0
package/dist/provision/write-env.js +94 -0
package/dist/provision/write-env.js.map +1 -0
package/dist/scaffold/app.js +8 -0
package/dist/scaffold/app.js.map +1 -1
package/dist/scaffold/dotenvx.d.ts.map +1 -1
package/dist/scaffold/dotenvx.js +8 -1
package/dist/scaffold/dotenvx.js.map +1 -1
package/dist/scaffold/infra.d.ts.map +1 -1
package/dist/scaffold/infra.js +18 -1
package/dist/scaffold/infra.js.map +1 -1
package/dist/scaffold/manifest.d.ts +4 -2
package/dist/scaffold/manifest.d.ts.map +1 -1
package/dist/scaffold/manifest.js +1 -1
package/dist/scaffold/manifest.js.map +1 -1
package/dist/scaffold/ml-client.d.ts +9 -2
package/dist/scaffold/ml-client.d.ts.map +1 -1
package/dist/scaffold/ml-client.js +11 -1
package/dist/scaffold/ml-client.js.map +1 -1
package/dist/status.d.ts +30 -0
package/dist/status.d.ts.map +1 -0
package/dist/status.js +169 -0
package/dist/status.js.map +1 -0
package/dist/templates/addons/analytics/sentry.ts.hbs +6 -0
package/dist/templates/base/env.example.hbs +10 -0
package/dist/templates/base/src/config.ts.hbs +24 -4
package/dist/utils/cloudflare-api.d.ts +30 -0
package/dist/utils/cloudflare-api.d.ts.map +1 -0
package/dist/utils/cloudflare-api.js +85 -0
package/dist/utils/cloudflare-api.js.map +1 -0
package/dist/utils/coolify-api.d.ts +47 -1
package/dist/utils/coolify-api.d.ts.map +1 -1
package/dist/utils/coolify-api.js +75 -4
package/dist/utils/coolify-api.js.map +1 -1
package/dist/utils/flags.d.ts.map +1 -1
package/dist/utils/flags.js +4 -0
package/dist/utils/flags.js.map +1 -1
package/dist/utils/inwx-api.d.ts +36 -0
package/dist/utils/inwx-api.d.ts.map +1 -0
package/dist/utils/inwx-api.js +105 -0
package/dist/utils/inwx-api.js.map +1 -0
package/dist/utils/secrets.d.ts +8 -1
package/dist/utils/secrets.d.ts.map +1 -1
package/dist/utils/secrets.js +8 -1
package/dist/utils/secrets.js.map +1 -1
package/package.json +5 -4
package/scripts/release-prep.mjs +130 -0

package/dist/config.js CHANGED Viewed

@@ -1,11 +1,46 @@
-import { confirm, input, password, select } from "@inquirer/prompts";
+import { Separator, confirm, input, password, select } from "@inquirer/prompts";
 import chalk from "chalk";
 import Conf from "conf";
 import ora from "ora";
 import { verifyCoolify } from "./utils/coolify-api.js";
 import { execOk } from "./utils/exec.js";
-import { SECRET_KEYS, clearAllSecrets, getSecret, setSecret } from "./utils/secrets.js";
+import { SECRET_KEYS, clearAllSecrets, deleteSecret, getSecret, setSecret, } from "./utils/secrets.js";
 import { validateRequired, validateUrl } from "./utils/validate.js";
+/** Pretty-print "where to create this token" hint before a password prompt. */
+function tokenHint(url, scope) {
+    console.log(chalk.dim(`  → Create at: ${chalk.cyan(url)}`));
+    console.log(chalk.dim(`    Permissions: ${scope}`));
+}
+/** Sanitize pasted secret: strip bracketed-paste escapes + non-printable
+ *  ASCII that some terminals inject on paste. Plain `.trim()` misses these. */
+function sanitizePastedSecret(raw) {
+    return raw
+        .replace(/\x1b\[2\d\d~/g, "")
+        .replace(/[^\x20-\x7e]/g, "")
+        .trim();
+}
+/** Prompt for a secret, show a masked preview (`abcd…wxyz, 50 chars`),
+ *  and let the user re-enter if the paste looks wrong. Loops until the
+ *  user confirms. Values are never echoed in full. */
+async function confirmPastedSecret(label) {
+    for (;;) {
+        const raw = await password({ message: `${label}:` });
+        const value = sanitizePastedSecret(raw);
+        if (!value) {
+            console.log(chalk.yellow("  (empty — please paste again)"));
+            continue;
+        }
+        const preview = value.length <= 8
+            ? `${"*".repeat(value.length)} (${value.length} chars — looks short?)`
+            : `${value.slice(0, 4)}…${value.slice(-4)} (${value.length} chars)`;
+        const ok = await confirm({
+            message: `Looks like: ${chalk.cyan(preview)} — use this?`,
+            default: true,
+        });
+        if (ok)
+            return value;
+    }
+}
 // ---------------------------------------------------------------------------
 // Config store
 // ---------------------------------------------------------------------------
@@ -54,6 +89,12 @@ function createStore() {
     }
 }
 const store = createStore();
+/** Exposed for internal modules that need raw access (e.g. the `doctor`
+ *  command). External consumers should prefer the typed `getXConfig()`
+ *  helpers. */
+export function getStore() {
+    return store;
+}
 export function getConfig() {
     return store.store;
 }
@@ -137,19 +178,29 @@ export async function ensureCoolify() {
         default: existing?.url,
         validate: (v) => validateUrl(v.trim()),
     })).trim();
-    const token = (await password({
-        message: "Coolify API token (from Settings → API Tokens):",
-    })).trim();
-    const spinner = ora("Testing Coolify connection...").start();
-    try {
-        const version = await verifyCoolify(url, token);
-        spinner.succeed(`Connected to Coolify v${version}`);
-    }
-    catch (error) {
-        spinner.fail("Could not connect to Coolify");
-        throw error;
+    // Loop on the token until it authenticates — pasting the wrong token
+    // is easy, and re-running the whole onboarding just to retry is rude.
+    let token = "";
+    tokenHint(`${url.replace(/\/$/, "")}/security/api-tokens`, "root (full access)");
+    for (;;) {
+        token = await confirmPastedSecret("Coolify API token");
+        const spinner = ora("Testing Coolify connection...").start();
+        try {
+            const version = await verifyCoolify(url, token);
+            spinner.succeed(`Connected to Coolify v${version}`);
+            break;
+        }
+        catch (error) {
+            spinner.fail("Could not connect to Coolify");
+            console.log(chalk.dim(`  ${error instanceof Error ? error.message : String(error)}`));
+            const retry = await confirm({
+                message: "Try a different token?",
+                default: true,
+            });
+            if (!retry)
+                throw error;
+        }
     }
-    // Cache server list
     const { CoolifyApi } = await import("./utils/coolify-api.js");
     const api = new CoolifyApi({ url, token });
     const servers = await api.listServers();
@@ -186,9 +237,8 @@ export async function ensureHetzner() {
     if (existing?.status === "configured" && existingToken) {
         return { ...existing, token: existingToken };
     }
-    const token = await password({
-        message: "Hetzner Cloud API token:",
-    });
+    tokenHint("https://console.hetzner.cloud/projects → Security → API Tokens", "Read & Write (needed to create servers)");
+    const token = await confirmPastedSecret("Hetzner Cloud API token");
     const spinner = ora("Testing Hetzner connection...").start();
     try {
         const res = await fetch("https://api.hetzner.cloud/v1/servers", {
@@ -214,6 +264,15 @@ export async function getHetznerToken() {
     await migrateSecret("providers.hetzner.token", SECRET_KEYS.hetznerToken);
     return getSecret(SECRET_KEYS.hetznerToken);
 }
+export async function getHetznerConfig() {
+    const meta = store.get("providers.hetzner");
+    if (!meta || meta.status !== "configured")
+        return null;
+    const token = await getHetznerToken();
+    if (!token)
+        return null;
+    return { ...meta, token };
+}
 // ---------------------------------------------------------------------------
 // Provider: DNS
 // ---------------------------------------------------------------------------
@@ -224,10 +283,12 @@ export async function ensureDns() {
     if (existing?.status === "configured") {
         const password = await getSecret(SECRET_KEYS.dnsInwxPassword);
         const apiToken = await getSecret(SECRET_KEYS.dnsCloudflareToken);
+        const registrarPassword = await getSecret(SECRET_KEYS.dnsInwxRegistrarPassword);
         return {
             ...existing,
             password: password ?? undefined,
             apiToken: apiToken ?? undefined,
+            registrarPassword: registrarPassword ?? undefined,
         };
     }
     const provider = await select({
@@ -245,7 +306,7 @@ export async function ensureDns() {
     }
     if (provider === "inwx") {
         const username = await input({ message: "INWX username:", validate: validateRequired });
-        const pwd = await password({ message: "INWX password:" });
+        const pwd = await confirmPastedSecret("INWX password");
         const meta = {
             status: "configured",
             provider: "inwx",
@@ -257,15 +318,45 @@ export async function ensureDns() {
         return { ...meta, password: pwd };
     }
     // Cloudflare
-    const apiToken = await password({ message: "Cloudflare API token:" });
+    tokenHint("https://dash.cloudflare.com/profile/api-tokens → Create Token", "Zone:DNS:Edit + Zone:Zone:Read (scope to the zones you'll use)");
+    const apiToken = await confirmPastedSecret("Cloudflare API token");
+    const accountId = await input({
+        message: "Cloudflare account ID (optional — leave blank to span all accounts):",
+        default: "",
+    });
+    // Cross-provider case: DNS on Cloudflare, but the domain is still
+    // registered at INWX. Offer to store INWX registrar creds so deploys
+    // (and the `dns link-to-cloudflare` command) can flip the delegated NS
+    // to Cloudflare automatically without a UI click-through per domain.
+    const wireInwxRegistrar = await confirm({
+        message: "Is INWX your domain registrar? (if yes, hatchkit will auto-point NS at Cloudflare on deploy)",
+        default: false,
+    });
+    let registrarUsername;
+    let registrarPassword;
+    if (wireInwxRegistrar) {
+        registrarUsername = await input({
+            message: "INWX username (registrar):",
+            validate: validateRequired,
+        });
+        registrarPassword = await confirmPastedSecret("INWX password (registrar)");
+    }
     const meta = {
         status: "configured",
         provider: "cloudflare",
+        accountId: accountId.trim() || undefined,
+        registrarUsername,
     };
     store.set("providers.dns", meta);
     await setSecret(SECRET_KEYS.dnsCloudflareToken, apiToken);
+    if (registrarPassword) {
+        await setSecret(SECRET_KEYS.dnsInwxRegistrarPassword, registrarPassword);
+    }
     console.log(chalk.green("  ✓ Cloudflare DNS configured"));
-    return { ...meta, apiToken };
+    if (registrarUsername) {
+        console.log(chalk.green("  ✓ INWX registrar wired for auto-NS updates"));
+    }
+    return { ...meta, apiToken, registrarPassword };
 }
 export async function getDnsConfig() {
     await migrateSecret("providers.dns.password", SECRET_KEYS.dnsInwxPassword);
@@ -275,10 +366,12 @@ export async function getDnsConfig() {
         return null;
     const password = await getSecret(SECRET_KEYS.dnsInwxPassword);
     const apiToken = await getSecret(SECRET_KEYS.dnsCloudflareToken);
+    const registrarPassword = await getSecret(SECRET_KEYS.dnsInwxRegistrarPassword);
     return {
         ...meta,
         password: password ?? undefined,
         apiToken: apiToken ?? undefined,
+        registrarPassword: registrarPassword ?? undefined,
     };
 }
 // ---------------------------------------------------------------------------
@@ -294,11 +387,39 @@ export async function ensureS3(provider) {
         return { ...existing, accessKey, secretKey };
     }
     console.log(chalk.yellow(`\n  ${provider.toUpperCase()} S3 is not configured yet. Let's set it up.`));
-    const promptedAccessKey = await password({ message: `${provider} S3 access key:` });
-    const promptedSecretKey = await password({ message: `${provider} S3 secret key:` });
+    // For R2 we need the account id BEFORE showing the create-token URL, so
+    // we can deep-link to the account-scoped page.
     let endpoint;
     let region;
     let location;
+    let accountId;
+    if (provider === "r2") {
+        console.log(chalk.dim("  Your Cloudflare account ID is in the dashboard URL:\n" +
+            "    dash.cloudflare.com/<account-id>/home/overview"));
+        accountId = (await input({
+            message: "Cloudflare account ID:",
+            validate: validateRequired,
+        })).trim();
+        endpoint = `https://${accountId}.r2.cloudflarestorage.com`;
+        region = "auto";
+    }
+    const s3Hints = {
+        hetzner: {
+            url: "https://console.hetzner.cloud → your project → Security → S3 credentials",
+            scope: "any (credentials are per-project)",
+        },
+        aws: {
+            url: "https://console.aws.amazon.com/iam → Users → Security credentials → Create access key",
+            scope: "s3:PutObject, s3:GetObject, s3:DeleteObject on the target bucket",
+        },
+        r2: {
+            url: `https://dash.cloudflare.com/${accountId ?? ""}/r2/api-tokens → Create Token`,
+            scope: "Object Read & Write — then copy from the 'Use the following credentials for S3 clients' section (NOT the 'Token value' at the top)",
+        },
+    };
+    tokenHint(s3Hints[provider].url, s3Hints[provider].scope);
+    const promptedAccessKey = await confirmPastedSecret(`${provider} S3 Access Key ID`);
+    const promptedSecretKey = await confirmPastedSecret(`${provider} S3 Secret Access Key`);
     if (provider === "hetzner") {
         location = await select({
             message: "Hetzner Object Storage location:",
@@ -311,15 +432,7 @@ export async function ensureS3(provider) {
         endpoint = `https://${location}.your-objectstorage.com`;
         region = location;
     }
-    else if (provider === "r2") {
-        const accountId = await input({
-            message: "Cloudflare account ID:",
-            validate: validateRequired,
-        });
-        endpoint = `https://${accountId}.r2.cloudflarestorage.com`;
-        region = "auto";
-    }
-    else {
+    else if (provider === "aws") {
         region = await input({ message: "AWS region:", default: "us-east-1" });
         endpoint = `https://s3.${region}.amazonaws.com`;
     }
@@ -372,13 +485,16 @@ export async function ensureGpuProvider(platform) {
             break;
         }
         case "runpod":
-            apiKey = await password({ message: "RunPod API key:" });
+            tokenHint("https://runpod.io/user/settings → API Keys", "Read & Write");
+            apiKey = await confirmPastedSecret("RunPod API key");
             break;
         case "hf":
-            apiKey = await password({ message: "HuggingFace token (from hf.co/settings/tokens):" });
+            tokenHint("https://huggingface.co/settings/tokens", "Read (or Write if you'll push models)");
+            apiKey = await confirmPastedSecret("HuggingFace token");
             break;
         case "replicate":
-            apiKey = await password({ message: "Replicate API token:" });
+            tokenHint("https://replicate.com/account/api-tokens", "any (account-scoped)");
+            apiKey = await confirmPastedSecret("Replicate API token");
             break;
     }
     const meta = {
@@ -442,9 +558,8 @@ export async function ensureGlitchtip() {
         default: existing?.url ?? "https://glitchtip.trebeljahr.com",
         validate: (v) => validateUrl(v.trim()),
     })).trim();
-    const token = (await password({
-        message: "GlitchTip auth token (Profile → Auth Tokens, needs project:admin):",
-    })).trim();
+    tokenHint(`${url.replace(/\/$/, "")}/profile/auth-tokens`, "project:admin (read + write projects & teams)");
+    const token = await confirmPastedSecret("GlitchTip auth token");
     const organizationSlug = (await input({
         message: "GlitchTip organization slug:",
         default: existing?.organizationSlug,
@@ -481,43 +596,79 @@ export async function getGlitchtipConfig() {
 // ---------------------------------------------------------------------------
 export async function ensureOpenpanel() {
     const existing = store.get("providers.openpanel");
-    const existingToken = await getSecret(SECRET_KEYS.openpanelToken);
-    if (existing?.status === "configured" && existingToken) {
-        return { ...existing, token: existingToken };
+    const existingId = await getSecret(SECRET_KEYS.openpanelRootClientId);
+    const existingSecret = await getSecret(SECRET_KEYS.openpanelRootClientSecret);
+    // Short-circuit only if *every* field is present. `apiUrl` was added
+    // after 0.1.x — configs written by earlier versions lack it, which is
+    // why a previously-"configured" setup now hits the dashboard URL
+    // instead of the API host. Fall through to the prompt flow so we can
+    // top it up without losing the rest of the config.
+    if (existing?.status === "configured" && existing.apiUrl && existingId && existingSecret) {
+        return { ...existing, rootClientId: existingId, rootClientSecret: existingSecret };
+    }
+    if (existing?.status === "configured" && !existing.apiUrl) {
+        console.log(chalk.yellow("\n  OpenPanel config is missing the Management API URL — let's fill that in."));
+    }
+    else {
+        console.log(chalk.yellow("\n  OpenPanel is not configured yet. Let's set it up."));
     }
-    console.log(chalk.yellow("\n  OpenPanel is not configured yet. Let's set it up."));
     const url = (await input({
-        message: "OpenPanel base URL:",
+        message: "OpenPanel dashboard URL:",
         default: existing?.url ?? "https://analytics.trebeljahr.com",
         validate: (v) => validateUrl(v.trim()),
     })).trim();
-    const token = (await password({
-        message: "OpenPanel personal access token (Settings → Access Tokens):",
-    })).trim();
+    // Self-hosted OpenPanel exposes the Management API on a separate
+    // subdomain (e.g. `api.op.example.com`). Default by prepending `api.`
+    // to the dashboard host, which matches the docs' recommended layout.
+    const defaultApiUrl = existing?.apiUrl ?? url.replace(/^https?:\/\//, (m) => `${m}api.`).replace(/\/$/, "");
+    const apiUrl = (await input({
+        message: "OpenPanel API URL (Management API base — usually api.<dashboard>):",
+        default: defaultApiUrl,
+        validate: (v) => validateUrl(v.trim()),
+    }))
+        .trim()
+        .replace(/\/$/, "");
     const organizationSlug = (await input({
         message: "OpenPanel organization slug:",
         default: existing?.organizationSlug,
         validate: validateRequired,
     })).trim();
+    console.log(chalk.dim(`\n  OpenPanel auth uses a client id/secret pair, not a bearer token.\n` +
+        `  Create a root-mode client once so hatchkit can auto-create\n` +
+        `  per-project clients via the Management API.\n\n` +
+        `  Where to create it:\n` +
+        `    1. Open ${chalk.cyan(`${url.replace(/\/$/, "")}/${organizationSlug}`)}\n` +
+        `    2. Pick any project (or create a placeholder "hatchkit-root" project)\n` +
+        `    3. Project → Settings → Clients → New client\n` +
+        `    4. Type: ${chalk.cyan("root")} (Management API access — full org-wide)\n` +
+        `    5. Copy the clientId and clientSecret (secret is shown once)\n`));
+    const rootClientId = (await input({
+        message: "OpenPanel root clientId:",
+        validate: validateRequired,
+    })).trim();
+    const rootClientSecret = await confirmPastedSecret("OpenPanel root clientSecret (shown once at creation)");
     const meta = {
         status: "configured",
         url: url.replace(/\/$/, ""),
+        apiUrl,
         organizationSlug,
         lastVerified: new Date().toISOString(),
     };
     store.set("providers.openpanel", meta);
-    await setSecret(SECRET_KEYS.openpanelToken, token);
+    await setSecret(SECRET_KEYS.openpanelRootClientId, rootClientId);
+    await setSecret(SECRET_KEYS.openpanelRootClientSecret, rootClientSecret);
     console.log(chalk.green("  ✓ OpenPanel configured"));
-    return { ...meta, token };
+    return { ...meta, rootClientId, rootClientSecret };
 }
 export async function getOpenpanelConfig() {
     const meta = store.get("providers.openpanel");
     if (!meta || meta.status !== "configured")
         return null;
-    const token = await getSecret(SECRET_KEYS.openpanelToken);
-    if (!token)
+    const rootClientId = await getSecret(SECRET_KEYS.openpanelRootClientId);
+    const rootClientSecret = await getSecret(SECRET_KEYS.openpanelRootClientSecret);
+    if (!rootClientId || !rootClientSecret)
         return null;
-    return { ...meta, token };
+    return { ...meta, rootClientId, rootClientSecret };
 }
 // ---------------------------------------------------------------------------
 // Provider: Resend (transactional email SaaS)
@@ -529,9 +680,8 @@ export async function ensureResend() {
         return { ...existing, apiKey: existingKey };
     }
     console.log(chalk.yellow("\n  Resend is not configured yet. Let's set it up."));
-    const apiKey = (await password({
-        message: "Resend API key (resend.com/api-keys, needs 'full access'):",
-    })).trim();
+    tokenHint("https://resend.com/api-keys", "Full access (needed to create domain-scoped keys)");
+    const apiKey = await confirmPastedSecret("Resend API key");
     const spinner = ora("Verifying Resend API key...").start();
     try {
         const res = await fetch("https://api.resend.com/domains", {
@@ -570,86 +720,248 @@ export async function isFirstRun() {
     const config = getConfig();
     return config.providers.github.status === "unconfigured" && !config.providers.coolify;
 }
-export async function runOnboarding() {
-    console.log(chalk.bold("\n  Welcome! Let's set up your development infrastructure."));
-    console.log(chalk.dim("  This is a one-time setup — metadata is stored locally in"));
-    console.log(chalk.dim(`  ${getConfigPath()}`));
-    console.log(chalk.dim(`  Secrets (tokens, passwords) go to your OS keychain.\n`));
-    // Core providers
-    console.log(chalk.bold("  ── Core Providers (required) ──────────────────────────────\n"));
-    await ensureGitHub();
-    await ensureCoolify();
-    // Infrastructure providers
-    console.log(chalk.bold("\n  ── Infrastructure Providers ───────────────────────────────\n"));
-    const configHetzner = await confirm({
-        message: "Configure Hetzner Cloud? (needed for new servers)",
-        default: true,
-    });
-    if (configHetzner) {
+/** Wipe a provider's stored meta + secret keys so its ensureFn re-prompts. */
+async function wipeProvider(storeKey, secretKeys) {
+    store.delete(storeKey);
+    for (const k of secretKeys)
+        await deleteSecret(k);
+}
+/** Wipe + re-prompt for a single provider. Shared by the stepper and by
+ *  `hatchkit config add <provider>` so both paths always re-prompt rather
+ *  than silently no-op on already-configured providers. */
+export async function reconfigureProvider(name) {
+    if (name === "coolify") {
+        await wipeProvider("providers.coolify", [SECRET_KEYS.coolifyToken]);
+        await ensureCoolify();
+    }
+    else if (name === "hetzner") {
+        await wipeProvider("providers.hetzner", [SECRET_KEYS.hetznerToken]);
         await ensureHetzner();
     }
-    await ensureDns();
-    // Storage — all skippable
-    console.log(chalk.bold("\n  ── Storage Providers (configure as needed) ────────────────\n"));
-    const configStorage = await confirm({
-        message: "Configure any S3 storage provider now?",
-        default: false,
-    });
-    if (configStorage) {
-        const s3Provider = await select({
-            message: "Which S3 provider?",
-            choices: [
-                { name: "Hetzner Object Storage", value: "hetzner" },
-                { name: "AWS S3", value: "aws" },
-                { name: "Cloudflare R2", value: "r2" },
+    else if (name === "dns") {
+        await wipeProvider("providers.dns", [
+            SECRET_KEYS.dnsInwxPassword,
+            SECRET_KEYS.dnsCloudflareToken,
+        ]);
+        await ensureDns();
+    }
+    else if (name === "glitchtip") {
+        await wipeProvider("providers.glitchtip", [SECRET_KEYS.glitchtipToken]);
+        await ensureGlitchtip();
+    }
+    else if (name === "openpanel") {
+        await wipeProvider("providers.openpanel", [
+            SECRET_KEYS.openpanelRootClientId,
+            SECRET_KEYS.openpanelRootClientSecret,
+        ]);
+        await ensureOpenpanel();
+    }
+    else if (name === "resend") {
+        await wipeProvider("providers.resend", [SECRET_KEYS.resendApiKey]);
+        await ensureResend();
+    }
+    else if (name.startsWith("s3.")) {
+        const p = name.slice(3);
+        await wipeProvider(`providers.s3.${p}`, [
+            SECRET_KEYS.s3AccessKey(p),
+            SECRET_KEYS.s3SecretKey(p),
+        ]);
+        await ensureS3(p);
+    }
+    else if (name.startsWith("gpu.")) {
+        const p = name.slice(4);
+        await wipeProvider(`providers.gpu.${p}`, [SECRET_KEYS.gpuApiKey(p)]);
+        await ensureGpuProvider(p);
+    }
+}
+function buildSetupGroups() {
+    return [
+        {
+            title: "Core",
+            steps: [
+                {
+                    key: "github",
+                    label: "GitHub (gh CLI)",
+                    status: () => {
+                        const s = store.get("providers.github.status");
+                        return { configured: s === "configured" };
+                    },
+                    run: async () => {
+                        store.set("providers.github.status", "unconfigured");
+                        await ensureGitHub();
+                    },
+                },
+                {
+                    key: "coolify",
+                    label: "Coolify",
+                    status: () => {
+                        const m = store.get("providers.coolify");
+                        return { configured: m?.status === "configured", summary: m?.url };
+                    },
+                    run: () => reconfigureProvider("coolify"),
+                },
+            ],
+        },
+        {
+            title: "Infrastructure",
+            steps: [
+                {
+                    key: "hetzner",
+                    label: "Hetzner Cloud",
+                    status: () => {
+                        const m = store.get("providers.hetzner");
+                        return { configured: m?.status === "configured" };
+                    },
+                    run: () => reconfigureProvider("hetzner"),
+                },
+                {
+                    key: "dns",
+                    label: "DNS",
+                    status: () => {
+                        const m = store.get("providers.dns");
+                        return {
+                            configured: m?.status === "configured",
+                            summary: m?.provider && m.provider !== "manual" ? m.provider : undefined,
+                        };
+                    },
+                    run: () => reconfigureProvider("dns"),
+                },
+            ],
+        },
+        {
+            title: "S3 Storage",
+            steps: ["hetzner", "aws", "r2"].map((p) => ({
+                key: `s3.${p}`,
+                label: p === "hetzner" ? "Hetzner Object Storage" : p === "aws" ? "AWS S3" : "Cloudflare R2",
+                status: () => {
+                    const m = store.get(`providers.s3.${p}`);
+                    return { configured: m?.status === "configured", summary: m?.endpoint };
+                },
+                run: () => reconfigureProvider(`s3.${p}`),
+            })),
+        },
+        {
+            title: "Observability & Email",
+            steps: [
+                {
+                    key: "glitchtip",
+                    label: "GlitchTip (error tracking)",
+                    status: () => {
+                        const m = store.get("providers.glitchtip");
+                        return { configured: m?.status === "configured", summary: m?.url };
+                    },
+                    run: () => reconfigureProvider("glitchtip"),
+                },
+                {
+                    key: "openpanel",
+                    label: "OpenPanel (product analytics)",
+                    status: () => {
+                        const m = store.get("providers.openpanel");
+                        return { configured: m?.status === "configured", summary: m?.url };
+                    },
+                    run: () => reconfigureProvider("openpanel"),
+                },
+                {
+                    key: "resend",
+                    label: "Resend (transactional email)",
+                    status: () => {
+                        const m = store.get("providers.resend");
+                        return { configured: m?.status === "configured" };
+                    },
+                    run: () => reconfigureProvider("resend"),
+                },
             ],
+        },
+        {
+            title: "GPU / ML Providers",
+            steps: [
+                { key: "modal", name: "Modal" },
+                { key: "runpod", name: "RunPod" },
+                { key: "hf", name: "HuggingFace Inference" },
+                { key: "replicate", name: "Replicate" },
+            ].map((p) => ({
+                key: `gpu.${p.key}`,
+                label: p.name,
+                status: () => {
+                    const m = store.get(`providers.gpu.${p.key}`);
+                    return { configured: m?.status === "configured" };
+                },
+                run: () => reconfigureProvider(`gpu.${p.key}`),
+            })),
+        },
+    ];
+}
+function renderStepLabel(step) {
+    const { configured, summary } = step.status();
+    const mark = configured ? chalk.green("✓") : chalk.dim("·");
+    const tail = configured
+        ? chalk.dim(` — ${summary ?? "configured"}`)
+        : chalk.dim(" — not configured");
+    return `${mark}  ${step.label}${tail}`;
+}
+function renderGroupHeader(group) {
+    const total = group.steps.length;
+    const done = group.steps.filter((s) => s.status().configured).length;
+    const count = total > 1 ? chalk.dim(` ${done}/${total}`) : "";
+    return chalk.bold(`── ${group.title} ──${count}`);
+}
+export async function runOnboarding() {
+    console.log(chalk.bold("\n  hatchkit setup"));
+    console.log(chalk.dim(`  Metadata: ${getConfigPath()}`));
+    console.log(chalk.dim("  Secrets: OS keychain"));
+    console.log(chalk.dim("  Pick any step to (re)configure. Choose 'Done' to exit.\n"));
+    const groups = buildSetupGroups();
+    const allSteps = groups.flatMap((g) => g.steps);
+    for (;;) {
+        // Default the cursor to the first unconfigured step so Enter advances
+        // naturally on a first-time setup.
+        const firstUnconfigured = allSteps.find((s) => !s.status().configured);
+        const defaultKey = firstUnconfigured?.key ?? "__done__";
+        const choices = [];
+        for (const group of groups) {
+            choices.push(new Separator(renderGroupHeader(group)));
+            for (const step of group.steps) {
+                choices.push({ name: renderStepLabel(step), value: step.key });
+            }
+        }
+        choices.push(new Separator(" "));
+        choices.push({ name: chalk.bold("Done — exit setup"), value: "__done__" });
+        const picked = await select({
+            message: "Next step:",
+            default: defaultKey,
+            pageSize: Math.min(30, choices.length),
+            choices,
         });
-        await ensureS3(s3Provider);
+        if (picked === "__done__")
+            break;
+        const step = allSteps.find((s) => s.key === picked);
+        if (!step)
+            continue;
+        console.log();
+        try {
+            await step.run();
+        }
+        catch (err) {
+            console.log(chalk.red(`\n  ✗ ${step.label} failed: ${err instanceof Error ? err.message : String(err)}`));
+        }
+        console.log();
+    }
+    // Summary — show both what's configured and what's still missing so
+    // the user notices optional-but-important steps (GlitchTip / OpenPanel
+    // / Resend) they may have skipped.
+    const configured = allSteps.filter((s) => s.status().configured);
+    const unconfigured = allSteps.filter((s) => !s.status().configured);
+    console.log(chalk.bold("\n  ── Done ───────────────────────────────────────────────────\n"));
+    if (configured.length === 0) {
+        console.log(chalk.yellow("  Nothing configured yet. Run `hatchkit setup` again anytime.\n"));
     }
     else {
-        console.log(chalk.dim("  Skipped — will prompt when you first need S3 storage."));
+        console.log(chalk.green(`  ✓ Configured: ${configured.map((s) => s.label).join(", ")}`));
     }
-    // Observability & email — all skippable
-    console.log(chalk.bold("\n  ── Observability & Email (configure as needed) ────────────\n"));
-    const configGlitchtip = await confirm({
-        message: "Configure GlitchTip (error tracking)?",
-        default: false,
-    });
-    if (configGlitchtip)
-        await ensureGlitchtip();
-    const configOpenpanel = await confirm({
-        message: "Configure OpenPanel (product analytics)?",
-        default: false,
-    });
-    if (configOpenpanel)
-        await ensureOpenpanel();
-    const configResend = await confirm({
-        message: "Configure Resend (transactional email)?",
-        default: false,
-    });
-    if (configResend)
-        await ensureResend();
-    // GPU — all skippable
-    console.log(chalk.bold("\n  ── GPU / ML Providers (configure when needed) ─────────────\n"));
-    console.log(chalk.dim("  Skipped — will prompt when you first add an ML service.\n"));
-    // Done
-    console.log(chalk.bold("  ── Done! ──────────────────────────────────────────────────\n"));
-    const configuredProviders = ["GitHub"];
-    if (store.get("providers.coolify"))
-        configuredProviders.push("Coolify");
-    if (store.get("providers.hetzner"))
-        configuredProviders.push("Hetzner Cloud");
-    const dnsMeta = store.get("providers.dns");
-    if (dnsMeta?.provider && dnsMeta.provider !== "manual") {
-        configuredProviders.push(dnsMeta.provider.toUpperCase());
-    }
-    if (store.get("providers.glitchtip"))
-        configuredProviders.push("GlitchTip");
-    if (store.get("providers.openpanel"))
-        configuredProviders.push("OpenPanel");
-    if (store.get("providers.resend"))
-        configuredProviders.push("Resend");
-    console.log(chalk.green(`  ✓ Providers configured: ${configuredProviders.join(", ")}`));
-    console.log(chalk.dim("  ✓ Skipped providers will be prompted when first needed.\n"));
+    if (unconfigured.length > 0) {
+        console.log(chalk.dim(`  · Still unconfigured: ${unconfigured.map((s) => s.label).join(", ")}`));
+        console.log(chalk.dim("    (optional — add later via `hatchkit setup` or `hatchkit config add <provider>`)"));
+    }
+    console.log(chalk.dim("\n  ✓ Run `hatchkit doctor` to verify every configured provider.\n"));
 }
 //# sourceMappingURL=config.js.map