hatchkit 0.1.39 → 0.1.41

package/dist/index.js

@@ -166,6 +166,36 @@ async function main() {
             await runDoctor({ json: isJson });
             break;
         }
+        case "overview": {
+            if (args.includes("--help"))
+                return printHelp("overview");
+            const { runOverview } = await import("./overview.js");
+            await runOverview({ json: isJson, all: args.includes("--all") });
+            break;
+        }
+        case "inventory": {
+            if (args.includes("--help"))
+                return printHelp("inventory");
+            const { runInventory } = await import("./inventory.js");
+            const nameFlag = flagValue("--name");
+            const domainFlag = flagValue("--domain");
+            const repoFlag = flagValue("--repo");
+            const inputOverride = {};
+            if (nameFlag)
+                inputOverride.name = nameFlag;
+            if (domainFlag)
+                inputOverride.domain = domainFlag;
+            if (repoFlag)
+                inputOverride.repo = repoFlag;
+            await runInventory(resolve("."), {
+                json: isJson,
+                yes: args.includes("--yes") || args.includes("-y"),
+                save: args.includes("--save"),
+                noSave: args.includes("--no-save"),
+                input: Object.keys(inputOverride).length > 0 ? inputOverride : undefined,
+            });
+            break;
+        }
         case "provision": {
             const sub = args[1];
             if (sub === "s3") {
@@ -212,6 +242,14 @@ async function main() {
             if (command === "pages") {
                 console.log(chalk.yellow("  Note: `hatchkit pages` has been renamed to `hatchkit gh-pages`."));
             }
+            if (args.includes("--undo")) {
+                const { runPagesUndo } = await import("./deploy/pages.js");
+                await runPagesUndo(resolve("."), {
+                    dryRun: args.includes("--dry-run"),
+                    yes: args.includes("--yes") || args.includes("-y"),
+                });
+                break;
+            }
             const { runPagesSetup } = await import("./deploy/pages.js");
             await runPagesSetup(resolve("."));
             break;
@@ -828,17 +866,22 @@ async function handleCreate() {
     if (forceNoInstall)
         config.installDeps = false;
     // Ensure needed providers are configured (lazy prompting).
-    // Coolify + Hetzner are only needed when actually deploying —
-    // scaffold-only + --no-deploy runs skip their setup prompts.
-    if (config.deployTarget === "existing" || config.runDeployment) {
+    // Coolify + Hetzner only matter for the coolify deployment mode.
+    // gh-pages skips them entirely (no server, no Docker registry).
+    if (config.deploymentMode === "coolify" &&
+        (config.deployTarget === "existing" || config.runDeployment)) {
         await ensureCoolify();
     }
     // GitHub is checked here so auth failures surface before scaffold
-    // (not deep inside `setupGitHub` after files are on disk).
-    if (config.createGithubRepo) {
+    // (not deep inside `setupGitHub` after files are on disk). Pages
+    // also needs GitHub auth for the API calls that enable Pages and
+    // set the cname — so we require it whenever gh-pages is involved.
+    if (config.createGithubRepo || config.deploymentMode === "gh-pages") {
         await ensureGitHub();
     }
-    if (config.deployTarget === "new" && config.runDeployment) {
+    if (config.deploymentMode === "coolify" &&
+        config.deployTarget === "new" &&
+        config.runDeployment) {
         await ensureHetzner();
     }
     if (config.features.includes("s3") &&
@@ -872,9 +915,14 @@ async function handleCreate() {
     console.log(chalk.bold("\n  ── Summary ───────────────────────────────────────────────\n"));
     console.log(`  Project:    ${chalk.cyan(config.name)}`);
     console.log(`  Domain:     ${chalk.cyan(config.domain)}`);
-    console.log(`  Deploy to:  ${config.deployTarget === "existing" ? `existing server (${config.serverIpv4 ?? config.serverIp ?? "?"}${config.serverIpv6 ? ` · ${config.serverIpv6}` : ""})` : `new Hetzner ${config.serverSize}`}`);
-    if (config.serverIpMismatchWarning) {
-        console.log(chalk.yellow(`              ⚠ ${config.serverIpMismatchWarning}`));
+    if (config.deploymentMode === "gh-pages") {
+        console.log(`  Deploy to:  ${chalk.cyan("GitHub Pages (static)")}`);
+    }
+    else if (config.deploymentMode === "scaffold-only") {
+        console.log(`  Deploy to:  ${chalk.dim("scaffold only (no deploy)")}`);
+    }
+    else {
+        console.log(`  Deploy to:  ${config.deployTarget === "existing" ? `existing server (${config.serverIpv4 ?? config.serverIp ?? "?"}${config.serverIpv6 ? ` · ${config.serverIpv6}` : ""})` : `new Hetzner ${config.serverSize}`}`);
     }
     console.log(`  Features:   ${config.features.length > 0 ? config.features.join(", ") : "none"}`);
     console.log(`  ML:         ${config.mlServices.length > 0 ? config.mlServices.join(", ") : "none"}`);
@@ -1010,10 +1058,19 @@ async function handleCreate() {
             }
         }
         if (config.dryRun) {
-            scaffoldInfra(config, INFRA_ROOT, {
-                serverPort: scaffoldResult?.ports.server,
-                clientPort: scaffoldResult?.ports.client,
-            });
+            // Coolify mode previews the Terraform tfvars + Coolify env that
+            // would be written. gh-pages and scaffold-only have nothing
+            // equivalent — Pages reads no env, scaffold-only writes no infra.
+            if (config.deploymentMode === "coolify") {
+                scaffoldInfra(config, INFRA_ROOT, {
+                    serverPort: scaffoldResult?.ports.server,
+                    clientPort: scaffoldResult?.ports.client,
+                });
+            }
+            else if (config.deploymentMode === "gh-pages") {
+                console.log(chalk.dim("  · gh-pages mode — would write `.github/workflows/gh-pages.yml`, patch `next.config`,\n" +
+                    "    write CNAME, enable Pages, configure DNS, and wait for the Let's Encrypt cert."));
+            }
             console.log(chalk.green("\n  ✓ Dry run complete. No changes were made.\n"));
             return;
         }
@@ -1063,8 +1120,10 @@ async function handleCreate() {
         if (infraResult.coolifyEnvPath) {
             ledger?.record({ kind: "coolifyEnv", path: infraResult.coolifyEnvPath });
         }
-        // Step 5: Terraform (DNS + optionally server)
-        if (config.runDeployment) {
+        // Step 5: Terraform (DNS + optionally server). Coolify-only —
+        // gh-pages handles its own DNS via `runPagesSetupProgrammatic`
+        // a few steps down, and `scaffold-only` skips deploy entirely.
+        if (config.runDeployment && config.deploymentMode === "coolify") {
             const tfResult = await runTerraform(config, INFRA_ROOT);
             if (tfResult.applied) {
                 ledger?.record({
@@ -1074,8 +1133,9 @@ async function handleCreate() {
                 });
             }
         }
-        // Step 6: Coolify setup
-        if (config.runDeployment) {
+        // Step 6: Coolify setup. Only runs in coolify mode; gh-pages has
+        // no Coolify app to provision (the site lives on GitHub's CDN).
+        if (config.runDeployment && config.deploymentMode === "coolify") {
             const coolifyResult = await runCoolifySetup(config, {
                 repoUrl: repoUrl ?? undefined,
                 serverPort: scaffoldResult?.ports.server,
@@ -1113,7 +1173,11 @@ async function handleCreate() {
             // print the manual command instead of failing the whole flow.
             if (scaffoldResult?.dotenvx) {
                 try {
-                    await pushProjectKeyToCoolify(config.name);
+                    // App name matches the project name (the dockercompose
+                    // wrapper). The candidate-list fallback in
+                    // `pushProjectKeyToCoolify` still catches legacy `-web`
+                    // projects.
+                    await pushProjectKeyToCoolify(config.name, { appName: config.name });
                 }
                 catch (err) {
                     console.log(chalk.yellow(`  Couldn't auto-push dotenvx key: ${err.message}`));
@@ -1148,6 +1212,63 @@ async function handleCreate() {
                 }
             }
         }
+        // Step 6.25 (gh-pages only): run Pages setup. Writes the
+        // .github/workflows/gh-pages.yml + CNAME file locally and wires
+        // the remote side (enable Pages, register cname, configure DNS,
+        // poll for the Let's Encrypt cert, flip https_enforced). Must
+        // happen BEFORE push so the new files land in the first push and
+        // the workflow runs immediately.
+        if (config.deploymentMode === "gh-pages" &&
+            config.scaffoldRepo &&
+            config.runDeployment &&
+            repoUrl) {
+            const { runPagesSetupProgrammatic } = await import("./deploy/pages.js");
+            const { exec: bashExec } = await import("./utils/exec.js");
+            // The scaffold's `pruneToClientOnly` rewrites the root build
+            // script to `pnpm --filter @starter/shared run build && pnpm
+            // --filter @starter/client run build` — runs from the repo
+            // root, outputs to `packages/client/out/` (after the Pages-
+            // mode Next config patch sets `output: "export"`).
+            const detected = {
+                kind: "node-build",
+                publishDir: "packages/client/out",
+                packageManager: "pnpm",
+                buildScript: "build",
+                workDir: "",
+            };
+            const slug = repoUrl.replace(/^https?:\/\/github\.com\//, "");
+            try {
+                const { pageUrl } = await runPagesSetupProgrammatic(appDir, {
+                    detected,
+                    domain: config.domain,
+                });
+                ledger?.record({
+                    kind: "ghPages",
+                    repo: slug,
+                    projectDir: appDir,
+                    cname: config.domain,
+                });
+                // Commit the workflow + CNAME file before the push step
+                // below picks up the staged changes. Empty diffs (e.g. re-
+                // running on an idempotent state) just produce a no-op commit.
+                await bashExec("git", ["add", "-A"], { cwd: appDir, silent: true });
+                const status = await bashExec("git", ["status", "--porcelain"], {
+                    cwd: appDir,
+                    silent: true,
+                });
+                if (status.stdout.trim()) {
+                    await bashExec("git", ["commit", "-m", "ci: GitHub Pages setup"], {
+                        cwd: appDir,
+                        silent: true,
+                    });
+                }
+                console.log(chalk.green(`  ✓ GitHub Pages will publish at ${pageUrl}`));
+            }
+            catch (err) {
+                console.log(chalk.yellow(`  Couldn't auto-wire GitHub Pages: ${err.message}`));
+                console.log(chalk.dim(`  Run \`hatchkit gh-pages\` from ${appDir} once the issue is resolved.`));
+            }
+        }
         // Step 6.5: push the working branch to origin. Done AFTER Coolify
         // wiring + Actions-secret upserts so the workflow's first run
         // already has the secrets it needs to deploy. setupGitHub above
@@ -1220,6 +1341,9 @@ async function handleCreate() {
     if (config.surfaces !== "client-only") {
         console.log(`  API:       ${chalk.cyan(`https://${config.domain}/api`)}`);
     }
+    if (config.deploymentMode === "gh-pages") {
+        console.log(chalk.dim(`  Hosting:   GitHub Pages — first build kicks off on push, https cert provisions over the next few minutes.`));
+    }
     console.log(`  App dir:   ${chalk.dim(appDir)}`);
     console.log(`  Config:    ${chalk.dim(getConfigPath())}`);
     if (config.scaffoldRepo) {
@@ -1369,13 +1493,20 @@ function printHelp(topic) {
     hatchkit create [--dry-run]
 
   ${chalk.bold("What it does (interactively):")}
-    1. Prompts for project name, domain, deploy target, features, ML services
+    1. Prompts for project name, domain, surfaces, deployment mode, features, ML
     2. Copies the starter template and strips unselected features
     3. Assigns unique ports per project (server, client, native HMR)
     4. Runs \`pnpm install\` (if pnpm is present and you opt in)
     5. Initializes git, optionally creates a GitHub repo
-    6. Generates Terraform tfvars + Coolify .env
-    7. Optionally deploys: Terraform → Coolify → ML services
+    6. Generates Terraform tfvars + Coolify .env (Coolify mode)
+    7. Deploys: Terraform → Coolify → ML  ${chalk.dim("OR")}  GitHub Pages setup
+
+  ${chalk.bold("Deployment modes:")}
+    ${chalk.cyan("coolify")}        Full-stack on Hetzner — DB, providers, Docker. Default.
+    ${chalk.cyan("gh-pages")}       Static-only on GitHub Pages. Only offered when surfaces
+                   is ${chalk.dim("client-only")}; the scaffold's Next config is patched to
+                   ${chalk.dim('`output: "export"`')} and the gh-pages workflow is written.
+    ${chalk.cyan("scaffold-only")}  Write files, skip deploy. Pick this to defer setup.
 
   ${chalk.bold("Options:")}
     --dry-run       Show the plan without writing anything
@@ -1463,6 +1594,7 @@ function printHelp(topic) {
 
   ${chalk.bold("Usage:")}
     cd <project-dir> && hatchkit gh-pages
+    cd <project-dir> && hatchkit gh-pages --undo [--dry-run] [--yes]
 
   ${chalk.bold("What it does:")}
     1. Reads the repo via \`gh repo view\` (must be a GitHub repo you own).
@@ -1484,6 +1616,17 @@ function printHelp(topic) {
   ${chalk.bold("After running:")}
     git add -A && git commit -m "ci: deploy to GitHub Pages" && git push
 
+  ${chalk.bold("Undo (--undo):")}
+    Reverses what the command put in place:
+      - Disables Pages via ${chalk.dim("DELETE /repos/<owner>/<repo>/pages")} (clears the cname too).
+      - Deletes Cloudflare records that point at GitHub's Pages IPs / ${chalk.dim("<user>.github.io")}
+        for the registered domain (only when a Cloudflare token is configured + the
+        zone is in this account).
+      - Removes ${chalk.cyan(".github/workflows/gh-pages.yml")} (only the file hatchkit writes
+        — hand-written Pages workflows are left untouched).
+      - Removes any ${chalk.cyan("CNAME")} files whose content matches the registered domain.
+    ${chalk.dim("--dry-run")} prints the plan without changing anything. ${chalk.dim("--yes")} skips the confirm.
+
   ${chalk.bold("Notes:")}
     - Private repos need a paid GitHub plan for Pages. Free-tier repos
       must be made public first.
@@ -1523,6 +1666,105 @@ function printHelp(topic) {
   stored (Coolify /version, Hetzner /servers, Cloudflare /tokens/verify,
   Resend /domains, …). Reports ok / fail / not-configured per provider
   and exits non-zero if any check fails. Safe to run repeatedly.
+`);
+        return;
+    }
+    if (topic === "overview") {
+        console.log(`
+  ${chalk.bold("hatchkit overview")} — fleet-level view of every configured provider
+
+  Distinct from ${chalk.cyan("status")} (which providers do I have credentials for?),
+  ${chalk.cyan("doctor")} (are those credentials valid?), and ${chalk.cyan("inventory")} (what does THIS
+  project have?). ${chalk.cyan("overview")} answers "what does my whole hatchkit
+  footprint look like, across every configured provider?" — no name or
+  domain filter, just a roll-up of top-level resources.
+
+  ${chalk.bold("What it lists:")}
+    · Coolify              applications, projects, databases
+    · Cloudflare DNS       zones
+    · R2                   buckets (whole account)
+    · Hetzner S3 / AWS S3  credential presence (bucket listing not implemented)
+    · Resend               verified domains
+    · GlitchTip            projects in the configured org
+    · OpenPanel            projects
+    · Stripe               webhook endpoints (test + live)
+
+  ${chalk.bold("Cross-references:")}
+    After listing every provider, ${chalk.cyan("overview")} cross-references the
+    raw data to flag fleet-level inconsistencies — the kind of bitrot
+    that a single-provider lens can't see:
+
+      · Coolify app deploys from a repo \`gh\` can't find (deleted/renamed)
+      · App fqdn references an apex with no Cloudflare zone
+      · R2 bucket follows the \`<project>-<role>\` convention but has no
+        matching Coolify app (orphan from a destroyed project)
+      · GlitchTip / OpenPanel project with no Coolify app counterpart
+      · Cloudflare zone with no Coolify app pointing into it
+
+  ${chalk.bold("Flags:")}
+    --all                Print every resource per provider (default: 6-line preview)
+    --json               Machine-readable OverviewReport (non-interactive)
+
+  Read-only — every call is a GET. Safe to run repeatedly.
+`);
+        return;
+    }
+    if (topic === "inventory") {
+        console.log(`
+  ${chalk.bold("hatchkit inventory")} — survey what already exists for this project
+
+  Inverse of ${chalk.cyan("doctor")}: instead of "are my credentials valid?", asks
+  "given THIS project (cwd / name / domain / repo), what resources
+  already exist across every configured provider — and is anything
+  out of sync?"
+
+  ${chalk.bold("Inference (cwd → identity):")}
+    · .hatchkit.json            — name, domain
+    · package.json              — name, description
+    · git remote                — GitHub owner/repo
+    · CNAME file                — gh-pages custom domain
+    · .env.production dotenvx   — encryption state
+    · .github/workflows/        — gh-pages / Coolify deploy workflows
+
+  Asks interactively for anything that couldn't be inferred. Confirms
+  inferred values unless ${chalk.cyan("--yes")} is passed.
+
+  ${chalk.bold("Scans (parallel, read-only):")}
+    · Coolify    — projects, applications (with fqdn + git source)
+    · DNS        — Cloudflare zone + relevant records (apex/www/api/s3/…)
+    · R2         — buckets (manifest + naming-convention candidates) + CORS
+    · GitHub     — repo visibility, Pages status, relevant repo secrets
+    · Resend     — verified-domain match
+    · GlitchTip  — projects in the configured org
+    · OpenPanel  — projects
+    · Stripe     — webhook endpoints whose URL contains the project domain
+
+  ${chalk.bold("Drift detection (cross-references):")}
+    · Coolify app fqdn vs DNS A record (and the linked server's public IP)
+    · Coolify app git source vs local git remote (renamed repo gotcha)
+    · Manifest s3Buckets entries vs live R2 buckets
+    · Bucket CORS — manifest origins vs live policy
+    · gh-pages workflow on disk vs Pages enabled on repo (and CNAME ↔ Pages cname)
+    · dotenvx encrypted locally but no DOTENV_PRIVATE_KEY_PRODUCTION secret in GH
+
+  ${chalk.bold("Flags:")}
+    --name <project>     Override inferred project name
+    --domain <domain>    Override inferred domain
+    --repo <owner/name>  Override inferred GitHub repo
+    --yes, -y            Skip confirm-inferred-value prompts
+    --save               Write a minimal .hatchkit.json without prompting
+    --no-save            Suppress the end-of-run save prompt
+    --json               Machine-readable InventoryReport (non-interactive)
+
+  ${chalk.bold("Persisting identity:")}
+    After an interactive run, when ${chalk.cyan(".hatchkit.json")} doesn't yet exist
+    and both name + domain are inferred, hatchkit offers to write a
+    minimal manifest. The manifest carries the right schema for every
+    other command (adopt, update, sync, keys), with conservative defaults
+    for fields inventory can't infer (features=[], s3Provider="none",
+    deployTarget="existing", ports={server:3000,client:5173}). Run
+    ${chalk.cyan("hatchkit adopt --resume")} afterwards to flesh out the rest via
+    the adopt stepper.
 `);
         return;
     }
@@ -1958,6 +2200,8 @@ function printHelp(topic) {
     setup           One-time onboarding — wires up all credentials (alias: init)
     status          Show what's configured and what's next
     doctor          Health-check every provider with contextual fix hints
+    inventory       Survey what already exists for this project (and flag drift)
+    overview        Fleet-level survey — every resource across all configured providers
     explain         One-page mental model of the CLI
 
   ${chalk.bold("Projects:")}
@@ -1983,8 +2227,10 @@ function printHelp(topic) {
     config reset    Clear ALL CLI config (providers, tokens, ML registry, ports)
 
   ${chalk.bold("For agents / scripts:")}
-    status --json   StatusSnapshot as JSON
-    doctor --json   Per-provider health with fix hints as JSON
+    status --json     StatusSnapshot as JSON
+    doctor --json     Per-provider health with fix hints as JSON
+    inventory --json  InventoryReport — resources found per provider + drift
+    overview --json   OverviewReport — fleet-level resource counts + names
     completion <shell>  Print a zsh/bash/fish completion script
 
   ${chalk.bold("Options:")}