hatchkit 0.1.4 → 0.1.5

package/dist/utils/run-ledger.js

@@ -0,0 +1,99 @@
+/*
+ * Run ledger — append-only record of what `hatchkit create` accomplished
+ * for one project. Persisted as JSON next to the Conf store so it
+ * survives crashes and lets us:
+ *
+ *  1. On failure mid-create, print a tailored cleanup recipe and offer
+ *     to undo the steps that did succeed.
+ *  2. Drive `hatchkit destroy <project>` later — the same code path,
+ *     just without the "should I?" prompt.
+ *
+ * Steps are recorded *immediately after each external mutation* so a
+ * SIGKILL between operations leaves an accurate (though possibly
+ * incomplete) ledger. Reverse-order undo is the cleanup strategy.
+ *
+ * Path: <configDir>/runs/<sanitized-name>.json
+ */
+import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { getStore } from "../config.js";
+/** Sanitize project name for use as a filename. Project names are
+ *  already validated to be slug-shaped, but belt-and-braces. */
+function sanitize(name) {
+    return name.replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+function runsDir() {
+    return join(dirname(getStore().path), "runs");
+}
+function ledgerPath(name) {
+    return join(runsDir(), `${sanitize(name)}.json`);
+}
+export class RunLedger {
+    _path;
+    data;
+    constructor(_path, data) {
+        this._path = _path;
+        this.data = data;
+    }
+    /** Begin a new ledger for this project. Overwrites any prior ledger
+     *  for the same name (assumes the caller has already cleaned up). */
+    static start(name) {
+        const data = {
+            name,
+            startedAt: new Date().toISOString(),
+            steps: [],
+        };
+        const path = ledgerPath(name);
+        mkdirSync(dirname(path), { recursive: true });
+        writeFileSync(path, JSON.stringify(data, null, 2));
+        return new RunLedger(path, data);
+    }
+    /** Load the ledger for a project, if one exists. */
+    static load(name) {
+        const path = ledgerPath(name);
+        if (!existsSync(path))
+            return null;
+        try {
+            const data = JSON.parse(readFileSync(path, "utf-8"));
+            return new RunLedger(path, data);
+        }
+        catch {
+            return null;
+        }
+    }
+    /** Append a step and flush immediately. */
+    record(step) {
+        this.data.steps.push(step);
+        this.flush();
+    }
+    /** Mark the run finished. The ledger sticks around so `hatchkit
+     *  destroy` can use it later. */
+    complete() {
+        this.data.finishedAt = new Date().toISOString();
+        this.flush();
+    }
+    /** Remove the ledger from disk. Call after a successful rollback. */
+    delete() {
+        if (existsSync(this._path))
+            unlinkSync(this._path);
+    }
+    get name() {
+        return this.data.name;
+    }
+    get steps() {
+        return this.data.steps;
+    }
+    get startedAt() {
+        return this.data.startedAt;
+    }
+    get finishedAt() {
+        return this.data.finishedAt;
+    }
+    get path() {
+        return this._path;
+    }
+    flush() {
+        writeFileSync(this._path, JSON.stringify(this.data, null, 2));
+    }
+}
+//# sourceMappingURL=run-ledger.js.map

package/dist/utils/run-ledger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-ledger.js","sourceRoot":"","sources":["../../src/utils/run-ledger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACzF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AA0BxC;gEACgE;AAChE,SAAS,QAAQ,CAAC,IAAY;IAC5B,OAAO,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,OAAO;IACd,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,OAAO,SAAS;IAED;IACT;IAFV,YACmB,KAAa,EACtB,IAAgB;QADP,UAAK,GAAL,KAAK,CAAQ;QACtB,SAAI,GAAJ,IAAI,CAAY;IACvB,CAAC;IAEJ;yEACqE;IACrE,MAAM,CAAC,KAAK,CAAC,IAAY;QACvB,MAAM,IAAI,GAAe;YACvB,IAAI;YACJ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,EAAE;SACV,CAAC;QACF,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;QAC9B,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACnD,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,oDAAoD;IACpD,MAAM,CAAC,IAAI,CAAC,IAAY;QACtB,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAe,CAAC;YACnE,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,MAAM,CAAC,IAAgB;QACrB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;IAED;qCACiC;IACjC,QAAQ;QACN,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAChD,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;IAED,qEAAqE;IACrE,MAAM;QACJ,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;IACxB,CAAC;IAED,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;IACzB,CAAC;IAED,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;IAC7B,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC;IAC9B,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAEO,KAAK;QACX,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAChE,CAAC;CACF"}

package/dist/utils/secrets.d.ts

@@ -19,6 +19,8 @@ export declare const SECRET_KEYS: {
     readonly openpanelRootClientSecret: "openpanel:root-client-secret";
     readonly openpanelClientSecret: (name: string) => string;
     readonly resendApiKey: "resend:api-key";
+    readonly stripeSecretKey: "stripe:secret-key";
+    readonly stripePublishableKey: "stripe:publishable-key";
     /** Per-scaffolded-project dotenvx private key for .env.production.
      *  Stored in the OS keychain so the CLI's on-disk state never holds
      *  decryption material for the starter's encrypted env. */

package/dist/utils/secrets.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/utils/secrets.ts"],"names":[],"mappings":"AAoBA;mEACmE;AACnE,eAAO,MAAM,WAAW;;;;;IAKtB;;oDAEgD;;qCAExB,MAAM;qCACN,MAAM;mCACR,MAAM;;IAE5B;wEACoE;;;2CAGtC,MAAM;;IAEpC;;+DAE2D;8CAC1B,MAAM;CAC/B,CAAC;AAEX,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEnE;AAED,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEzE;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAEhE;AAED,iEAAiE;AACjE,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAGrD"}
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/utils/secrets.ts"],"names":[],"mappings":"AAoBA;mEACmE;AACnE,eAAO,MAAM,WAAW;;;;;IAKtB;;oDAEgD;;qCAExB,MAAM;qCACN,MAAM;mCACR,MAAM;;IAE5B;wEACoE;;;2CAGtC,MAAM;;;;IAIpC;;+DAE2D;8CAC1B,MAAM;CAC/B,CAAC;AAEX,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEnE;AAED,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEzE;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAEhE;AAED,iEAAiE;AACjE,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAGrD"}

package/dist/utils/secrets.js

@@ -36,6 +36,8 @@ export const SECRET_KEYS = {
     openpanelRootClientSecret: "openpanel:root-client-secret",
     openpanelClientSecret: (name) => `openpanel:${name}:client-secret`,
     resendApiKey: "resend:api-key",
+    stripeSecretKey: "stripe:secret-key",
+    stripePublishableKey: "stripe:publishable-key",
     /** Per-scaffolded-project dotenvx private key for .env.production.
      *  Stored in the OS keychain so the CLI's on-disk state never holds
      *  decryption material for the starter's encrypted env. */

package/dist/utils/secrets.js.map

@@ -1 +1 @@
-{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/utils/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,iEAAiE;AACjE,uEAAuE;AACvE,sEAAsE;AACtE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,UAAU,CAAC;AAElE;mEACmE;AACnE,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,eAAe,EAAE,mBAAmB;IACpC,kBAAkB,EAAE,sBAAsB;IAC1C;;oDAEgD;IAChD,wBAAwB,EAAE,6BAA6B;IACvD,WAAW,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,MAAM,QAAQ,aAAa;IAC9D,WAAW,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,MAAM,QAAQ,aAAa;IAC9D,SAAS,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,OAAO,QAAQ,UAAU;IAC1D,cAAc,EAAE,sBAAsB;IACtC;wEACoE;IACpE,qBAAqB,EAAE,0BAA0B;IACjD,yBAAyB,EAAE,8BAA8B;IACzD,qBAAqB,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,aAAa,IAAI,gBAAgB;IAC1E,YAAY,EAAE,gBAAgB;IAC9B;;+DAE2D;IAC3D,iBAAiB,EAAE,CAAC,WAAmB,EAAE,EAAE,CAAC,WAAW,WAAW,yBAAyB;CACnF,CAAC;AAEX,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW;IACzC,OAAO,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,KAAa;IACxD,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAW;IAC5C,OAAO,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAC7C,CAAC;AAED,iEAAiE;AACjE,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IACtD,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AACnF,CAAC"}
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/utils/secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,iEAAiE;AACjE,uEAAuE;AACvE,sEAAsE;AACtE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,UAAU,CAAC;AAElE;mEACmE;AACnE,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,YAAY,EAAE,eAAe;IAC7B,YAAY,EAAE,eAAe;IAC7B,eAAe,EAAE,mBAAmB;IACpC,kBAAkB,EAAE,sBAAsB;IAC1C;;oDAEgD;IAChD,wBAAwB,EAAE,6BAA6B;IACvD,WAAW,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,MAAM,QAAQ,aAAa;IAC9D,WAAW,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,MAAM,QAAQ,aAAa;IAC9D,SAAS,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,OAAO,QAAQ,UAAU;IAC1D,cAAc,EAAE,sBAAsB;IACtC;wEACoE;IACpE,qBAAqB,EAAE,0BAA0B;IACjD,yBAAyB,EAAE,8BAA8B;IACzD,qBAAqB,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,aAAa,IAAI,gBAAgB;IAC1E,YAAY,EAAE,gBAAgB;IAC9B,eAAe,EAAE,mBAAmB;IACpC,oBAAoB,EAAE,wBAAwB;IAC9C;;+DAE2D;IAC3D,iBAAiB,EAAE,CAAC,WAAmB,EAAE,EAAE,CAAC,WAAW,WAAW,yBAAyB;CACnF,CAAC;AAEX,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW;IACzC,OAAO,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,KAAa;IACxD,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAW;IAC5C,OAAO,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAC7C,CAAC;AAED,iEAAiE;AACjE,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IACtD,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AACnF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hatchkit",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "packageManager": "pnpm@10.33.2",
   "description": "Interactive CLI for scaffolding full-stack projects and provisioning observability/email clients",
   "type": "module",
@@ -27,7 +27,7 @@
     "release:patch": "node scripts/release-prep.mjs && npm version patch -m \"chore: release v%s\" && pnpm run _release:finish",
     "release:minor": "node scripts/release-prep.mjs && npm version minor -m \"chore: release v%s\" && pnpm run _release:finish",
     "release:major": "node scripts/release-prep.mjs && npm version major -m \"chore: release v%s\" && pnpm run _release:finish",
-    "_release:finish": "pnpm run build && pnpm run typecheck && npm publish --access public && git push --follow-tags && npm install -g .",
+    "_release:finish": "pnpm run build && pnpm run typecheck && npm publish --access public && git -C ../infra push && git -C ../starter push && git push --follow-tags && npm install -g .",
     "prepublishOnly": "pnpm run build"
   },
   "dependencies": {

package/scripts/release-prep.mjs

@@ -1,30 +1,21 @@
 #!/usr/bin/env node
 /*
- * release-prep — run before `npm version` so any dangling working-tree
- * changes get committed and shipped with the release instead of hanging
- * around on main afterwards.
+ * release-prep — strict pre-release verification.
  *
- * Runs from cli/ (where the release scripts live). Finds the repo root
- * via `git rev-parse --show-toplevel` and operates on the whole repo,
- * not just cli/ — if you've left changes under infra/ or docs/ they get
- * picked up too.
+ * Refuses to release if any of the three repos (hatchkit main,
+ * infra submodule, starter submodule) has uncommitted or untracked
+ * changes. Exits with a clear list of which repos need handling and
+ * what's dirty in each — release scripts assume a clean baseline so
+ * the version commit + tag, the npm publish, and the cross-repo push
+ * all line up against the same set of trees.
  *
- * Safety rails:
- *   - Refuses to run if any staged/untracked path looks like a secret
- *     (.env*, *.pem, *.key, *credentials*, *secret*).
- *   - Submodule pointer changes (git shows as ` M infra` vs `M  infra`)
- *     are fine, but untracked content INSIDE a submodule is NOT auto-
- *     committed from the parent repo — you'd want to commit that inside
- *     the submodule yourself first. We warn + bail in that case.
- *   - Interactive: prompts for a commit message (default:
- *     "chore: pre-release changes").
- *   - Non-interactive (no TTY): uses the default message and proceeds.
- *     Skip the whole thing with RELEASE_SKIP_PREP=1.
+ * Skip with RELEASE_SKIP_PREP=1 (e.g. a CI-driven release that's
+ * already vouched for cleanliness).
  */
 
-import { execSync, spawnSync } from "node:child_process";
-import { createInterface } from "node:readline";
-import { stdin as input, stdout as output } from "node:process";
+import { execSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import { join, relative } from "node:path";
 
 if (process.env.RELEASE_SKIP_PREP === "1") {
   console.log("  release-prep: RELEASE_SKIP_PREP=1 — skipping.");
@@ -35,96 +26,63 @@ function sh(cmd, opts = {}) {
   return execSync(cmd, { encoding: "utf8", ...opts }).trim();
 }
 
-// Find the repo root so git commands work no matter where the script was
-// launched from (pnpm invokes scripts with cwd=cli/).
 let repoRoot;
 try {
   repoRoot = sh("git rev-parse --show-toplevel");
-} catch (err) {
+} catch {
   console.error("  release-prep: not inside a git repo. Aborting.");
   process.exit(1);
 }
 
-const porcelain = sh("git status --porcelain", { cwd: repoRoot });
-if (!porcelain) {
-  console.log("  release-prep: working tree clean. Nothing to commit.");
-  process.exit(0);
-}
-
-const entries = porcelain.split("\n").map((l) => {
-  // Porcelain format: "XY path". X = index, Y = worktree. Submodules
-  // show up with `m`/`M` in position Y + 1 for content changes.
-  const code = l.slice(0, 2);
-  const path = l.slice(3);
-  return { code, path };
-});
+const repos = [
+  { label: "hatchkit (main)", path: repoRoot, hint: `cd ${repoRoot}` },
+  {
+    label: "infra (submodule)",
+    path: join(repoRoot, "infra"),
+    hint: `cd ${join(repoRoot, "infra")}`,
+  },
+  {
+    label: "starter (submodule)",
+    path: join(repoRoot, "starter"),
+    hint: `cd ${join(repoRoot, "starter")}`,
+  },
+];
 
-console.log("\n  release-prep: working tree isn't clean.\n");
-console.log(sh("git status --short", { cwd: repoRoot }));
-
-// Refuse secret-looking paths. Keep the pattern conservative — better a
-// false positive that requires manual commit than a leaked token.
-const SECRET_RE = /(^|\/)(\.env(\.|$)|[^/]*credentials[^/]*|[^/]*secret[^/]*|[^/]*\.(pem|key|pfx|p12)$)/i;
-const secretsFound = entries.filter((e) => SECRET_RE.test(e.path));
-if (secretsFound.length > 0) {
-  console.error("\n  release-prep: refusing — these paths look like secrets:\n");
-  for (const e of secretsFound) console.error(`    ${e.path}`);
-  console.error(
-    "\n  Resolve manually: gitignore, delete, or commit yourself and re-run the release.",
-  );
-  process.exit(1);
-}
+const dirty = [];
+for (const r of repos) {
+  // Submodule may not be initialized — skip silently rather than fail.
+  // (`.git` is a file inside an initialized submodule, a dir at the root.)
+  if (!existsSync(join(r.path, ".git"))) continue;
 
-// Untracked content inside a submodule shows as e.g. ' m infra' with
-// only the second column set to lowercase 'm'. Parent-repo `git add`
-// can't reach inside; bail so the user commits in the submodule first.
-const untrackedInSubmodule = entries.filter((e) => e.code === " m" || e.code === "?m");
-if (untrackedInSubmodule.length > 0) {
-  console.error(
-    "\n  release-prep: submodule has untracked changes inside it:\n",
-  );
-  for (const e of untrackedInSubmodule) {
-    console.error(`    ${e.path} — commit inside the submodule first`);
+  let status;
+  try {
+    status = sh("git status --porcelain", { cwd: r.path });
+  } catch (err) {
+    console.error(`  release-prep: couldn't read ${r.label}: ${err.message}`);
+    process.exit(1);
+  }
+  if (status) {
+    dirty.push({ ...r, status });
   }
-  console.error(
-    "\n  cd into each submodule, commit, then `git add <submodule>` + re-run the release.",
-  );
-  process.exit(1);
 }
 
-// Prompt for a commit message unless we're non-interactive.
-const DEFAULT_MSG = "chore: pre-release changes";
-let message = DEFAULT_MSG;
-if (input.isTTY && output.isTTY) {
-  const rl = createInterface({ input, output });
-  message = await new Promise((resolve) => {
-    rl.question(`  Commit message [${DEFAULT_MSG}]: `, (answer) => {
-      rl.close();
-      resolve(answer.trim() || DEFAULT_MSG);
-    });
-  });
-} else {
-  console.log(`  release-prep: non-interactive — using default message "${DEFAULT_MSG}".`);
+if (dirty.length === 0) {
+  console.log("  ✓ release-prep: all trees clean. Continuing release.");
+  process.exit(0);
 }
 
-// Stage + commit at the repo root. Using `git add -A` here is intentional
-// (the whole point of this helper is to sweep everything into the release
-// commit); the secret-path guard above is what keeps it safe.
-const add = spawnSync("git", ["add", "-A"], { cwd: repoRoot, stdio: "inherit" });
-if (add.status !== 0) {
-  console.error("  release-prep: `git add -A` failed.");
-  process.exit(add.status ?? 1);
+console.error("\n  ✗ release-prep: cannot release — dangling changes.\n");
+for (const r of dirty) {
+  const rel = r.path === repoRoot ? "." : relative(repoRoot, r.path);
+  console.error(`  ── ${r.label}  (${rel}/)`);
+  for (const line of r.status.split("\n")) {
+    console.error(`      ${line}`);
+  }
+  console.error();
 }
-
-const commit = spawnSync("git", ["commit", "-m", message], {
-  cwd: repoRoot,
-  stdio: "inherit",
-});
-if (commit.status !== 0) {
-  console.error(
-    "  release-prep: `git commit` failed (pre-commit hook? empty diff after filters?).",
-  );
-  process.exit(commit.status ?? 1);
+console.error("  Handle each tree before releasing:");
+for (const r of dirty) {
+  console.error(`    ${r.hint} && git status   # commit / stash / discard`);
 }
-
-console.log("\n  release-prep: committed. Continuing release.\n");
+console.error("\n  Then re-run the release.\n");
+process.exit(1);