hatchkit 0.1.40 → 0.1.42

package/dist/inventory.js

@@ -23,16 +23,17 @@
  *
  * Everything is read-only. No mutations. Safe to run anywhere.
  */
-import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { existsSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
 import { join, resolve } from "node:path";
 import { confirm, input } from "@inquirer/prompts";
 import chalk from "chalk";
 import { getCoolifyConfig, getDnsConfig, getGlitchtipConfig, getOpenpanelConfig, getResendConfig, getS3Config, getStripeConfig, } from "./config.js";
 import { locateEnvKeysFile, locateEnvProductionFile } from "./deploy/keys.js";
-import { MANIFEST_FILENAME, readManifest } from "./scaffold/manifest.js";
+import { MANIFEST_FILENAME, MANIFEST_VERSION, readManifest, } from "./scaffold/manifest.js";
 import { CloudflareApi } from "./utils/cloudflare-api.js";
 import { CoolifyApi } from "./utils/coolify-api.js";
 import { exec, execOk } from "./utils/exec.js";
+import { listS3Buckets } from "./utils/s3-admin.js";
 import { SECRET_KEYS, getSecret } from "./utils/secrets.js";
 import { getCliVersion } from "./utils/version.js";
 export async function runInventory(cwd, opts = {}) {
@@ -42,10 +43,40 @@ export async function runInventory(cwd, opts = {}) {
         autoAccept: opts.yes ?? false,
     });
     if (opts.json) {
-        console.log(JSON.stringify(report, null, 2));
+        // Sets serialize as `{}` by default — surface them as arrays so
+        // JSON consumers can actually read the detected signals.
+        console.log(JSON.stringify(report, (_k, v) => (v instanceof Set ? Array.from(v).sort() : v), 2));
         return;
     }
     console.log(renderInventoryHuman(report));
+    // Persist inferred identity as a minimal `.hatchkit.json` unless
+    // suppressed. Skip when there's already a manifest (adopt owns it
+    // — we don't overwrite), when the inputs aren't sufficient (name +
+    // domain are required by the schema), or when `--no-save` was passed.
+    if (opts.noSave)
+        return;
+    if (report.local.manifestPresent)
+        return;
+    if (!report.inferred.name || !report.inferred.domain)
+        return;
+    const absCwd = resolve(cwd);
+    const writeIt = () => {
+        writeMinimalManifest(absCwd, report.inferred, report.local);
+        console.log(chalk.dim(`  Wrote minimal ${MANIFEST_FILENAME}. Run \`hatchkit adopt --resume\` to wire features + deploy config.`));
+    };
+    if (opts.save) {
+        writeIt();
+        return;
+    }
+    // Only ask in interactive mode (TTY + not --yes).
+    if (!process.stdin.isTTY || opts.yes)
+        return;
+    const ok = await confirm({
+        message: `Save inferred identity as a minimal ${MANIFEST_FILENAME}? (Run \`hatchkit adopt --resume\` afterwards to flesh out features + deploy config.)`,
+        default: true,
+    });
+    if (ok)
+        writeIt();
 }
 export async function collectInventory(cwd, opts = {}) {
     const absCwd = resolve(cwd);
@@ -67,19 +98,25 @@ export async function collectInventory(cwd, opts = {}) {
     if (opts.interactive) {
         identity = await promptForGaps(local, inferred, sources, !!opts.autoAccept);
     }
+    // Per-provider expectation flags — drives which `missing` findings
+    // surface as red ✗ vs dim ·. A library with no Coolify-deploy signals
+    // gets dim · for "no Coolify app named foo" (expected absence), but a
+    // project whose .env.development declares STRIPE_* gets red ✗ if no
+    // matching webhook exists (genuine missing).
+    const expectations = computeExpectations(local, identity);
     // Provider scans — every one is best-effort and returns its own
     // findings + skip reason. Running them in parallel keeps wall-time
     // close to the slowest single round-trip.
     const scanResults = await Promise.all([
-        scanCoolify(identity),
-        scanDns(identity),
-        scanR2(identity, local.manifest),
+        scanCoolify(identity, expectations.coolify),
+        scanDns(identity, expectations.dns),
+        scanR2(identity, local.manifest, expectations.r2),
         scanS3Other(identity),
-        scanGitHub(identity),
-        scanResend(identity),
-        scanGlitchtip(identity),
-        scanOpenpanel(identity),
-        scanStripe(identity),
+        scanGitHub(identity, { github: expectations.github, githubPages: expectations.githubPages }),
+        scanResend(identity, expectations.resend),
+        scanGlitchtip(identity, expectations.glitchtip),
+        scanOpenpanel(identity, expectations.openpanel),
+        scanStripe(identity, expectations.stripe),
     ]);
     const findings = [];
     const skipped = [];
@@ -94,7 +131,8 @@ export async function collectInventory(cwd, opts = {}) {
     findings.push(...driftFindings);
     const drifts = findings.filter((f) => f.status === "drift");
     const present = findings.filter((f) => f.status === "present").length;
-    const missing = findings.filter((f) => f.status === "missing").length;
+    const missingAll = findings.filter((f) => f.status === "missing");
+    const expectedMissing = missingAll.filter((f) => f.expected).length;
     return {
         cliVersion: getCliVersion(),
         cwd: absCwd,
@@ -104,7 +142,13 @@ export async function collectInventory(cwd, opts = {}) {
         findings,
         drifts,
         skipped,
-        summary: { present, drift: drifts.length, missing, skipped: skipped.length },
+        summary: {
+            present,
+            drift: drifts.length,
+            missing: missingAll.length,
+            expectedMissing,
+            skipped: skipped.length,
+        },
     };
 }
 // ---------------------------------------------------------------------------
@@ -250,6 +294,13 @@ function inferLocal(cwd) {
         }
     }
     const envKeysPresent = !!locateEnvKeysFile(cwd);
+    // Provider expectation signals — read plaintext .env.* files and
+    // every package.json under the project for hints about which
+    // providers this project actually depends on. Used to mark `missing`
+    // findings as `expected: true` so the renderer only shows red ✗ when
+    // local state declares the resource should exist.
+    const envSignals = collectEnvSignals(cwd, serverDir, clientDir);
+    const packageDeps = collectPackageDeps(cwd, serverDir, clientDir);
     // `.git` lives at the repo root — in a worktree it's a file pointing
     // at the main repo, in a normal clone it's a directory. Either form
     // is fine for existsSync. Walk up from cwd so running `hatchkit
@@ -273,7 +324,131 @@ function inferLocal(cwd) {
         cnameFile,
         dotenvxEncrypted,
         envKeysPresent,
+        envSignals,
+        packageDeps,
+    };
+}
+// ---------------------------------------------------------------------------
+// Expectation-signal collectors (used to mark findings as `expected`)
+// ---------------------------------------------------------------------------
+/** Walk plaintext .env.example / .env.development files at the project
+ *  root and any detected server/client dirs, returning the set of
+ *  env-var-name prefixes encountered. Encrypted .env.production is
+ *  intentionally NOT decrypted — we read declarative templates only. */
+function collectEnvSignals(cwd, serverDir, clientDir) {
+    const signals = new Set();
+    const filenames = [".env.example", ".env.development", ".env"];
+    const dirs = [cwd, serverDir, clientDir].filter((d) => !!d);
+    // Patterns we recognize — prefix → signal name. Keep this list
+    // tight; over-broad matches lead to spurious "expected" flags.
+    const patterns = [
+        { re: /^\s*RESEND_/m, signal: "RESEND" },
+        { re: /^\s*GLITCHTIP_DSN|^\s*PUBLIC_GLITCHTIP_DSN/m, signal: "GLITCHTIP" },
+        { re: /^\s*SENTRY_DSN|^\s*PUBLIC_SENTRY_DSN/m, signal: "SENTRY" },
+        { re: /^\s*OPENPANEL_|^\s*PUBLIC_OPENPANEL_/m, signal: "OPENPANEL" },
+        { re: /^\s*STRIPE_/m, signal: "STRIPE" },
+        { re: /^\s*R2_/m, signal: "R2" },
+        { re: /^\s*S3_|^\s*AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|REGION)/m, signal: "S3" },
+    ];
+    for (const dir of dirs) {
+        for (const name of filenames) {
+            const p = join(dir, name);
+            if (!existsSync(p))
+                continue;
+            let body;
+            try {
+                body = readFileSync(p, "utf-8");
+            }
+            catch {
+                continue;
+            }
+            // Strip commented-out lines — `# RESEND_API_KEY=...` shouldn't
+            // count as a signal that the project uses Resend.
+            const live = body
+                .split("\n")
+                .filter((l) => !/^\s*#/.test(l))
+                .join("\n");
+            for (const { re, signal } of patterns) {
+                if (re.test(live))
+                    signals.add(signal);
+            }
+        }
+    }
+    return signals;
+}
+/** Read every package.json under the project (root + server/client
+ *  dirs) and return the union of declared dependency names (deps +
+ *  devDeps + peerDeps). Cheap heuristic — we don't follow workspace
+ *  globs, just probe the conventional monorepo locations. */
+function collectPackageDeps(cwd, serverDir, clientDir) {
+    const out = new Set();
+    const dirs = [cwd, serverDir, clientDir].filter((d) => !!d);
+    for (const dir of dirs) {
+        const p = join(dir, "package.json");
+        if (!existsSync(p))
+            continue;
+        try {
+            const pkg = JSON.parse(readFileSync(p, "utf-8"));
+            for (const block of [pkg.dependencies, pkg.devDependencies, pkg.peerDependencies]) {
+                if (!block)
+                    continue;
+                for (const name of Object.keys(block))
+                    out.add(name);
+            }
+        }
+        catch {
+            // Unparseable package.json — skip.
+        }
+    }
+    return out;
+}
+// ---------------------------------------------------------------------------
+// Minimal `.hatchkit.json` writer
+// ---------------------------------------------------------------------------
+//
+// When inventory saves inferred identity it writes a minimal manifest
+// that follows the full schema (so every other hatchkit command — adopt,
+// update, sync, keys — can read it) but with conservative defaults for
+// fields inventory can't reliably infer. Run `hatchkit adopt --resume`
+// afterwards to flesh out features, surfaces, ports, etc. — adopt's
+// stepper reads this manifest as its starting state.
+export function writeMinimalManifest(cwd, identity, local) {
+    if (!identity.name || !identity.domain) {
+        throw new Error("Can't write .hatchkit.json without an inferred name and domain. " +
+            "Pass --name / --domain or run inventory interactively to provide them.");
+    }
+    // Surfaces from local layout — both dirs → "both", just one → that
+    // one, neither → fall back to "both" (most common scaffold shape).
+    const surfaces = local.serverDir && local.clientDir
+        ? "both"
+        : local.serverDir
+            ? "server-only"
+            : local.clientDir
+                ? "client-only"
+                : "both";
+    const manifest = {
+        version: MANIFEST_VERSION,
+        cliVersion: getCliVersion(),
+        scaffoldedAt: new Date().toISOString(),
+        name: identity.name,
+        domain: identity.domain,
+        features: [],
+        mlServices: [],
+        // "none" is the conservative default — even if local deps signal R2
+        // usage, we don't claim ownership of buckets we haven't provisioned.
+        // `hatchkit adopt --resume` will prompt for the real value.
+        s3Provider: "none",
+        deployTarget: "existing",
+        surfaces,
+        // Conventional defaults — `hatchkit adopt --resume` lets the user
+        // override if the project actually uses different ports.
+        ports: { server: 3000, client: 5173 },
     };
+    writeManifestFile(cwd, manifest);
+    return manifest;
+}
+function writeManifestFile(cwd, manifest) {
+    writeFileSync(join(cwd, MANIFEST_FILENAME), `${JSON.stringify(manifest, null, 2)}\n`, "utf-8");
 }
 function findGitRoot(startDir) {
     let dir = startDir;
@@ -306,7 +481,8 @@ function firstExistingDir(root, rels) {
 function inferIdentity(local, override) {
     const sources = {};
     const out = {};
-    // name: flag > manifest > package.json > basename(cwd) as last resort
+    // name: flag > manifest > identity-file > package.json > basename(cwd)
+    // name: flag > manifest > package.json > basename(cwd)
     if (override.name) {
         out.name = override.name;
         sources.name = "flag";
@@ -329,10 +505,9 @@ function inferIdentity(local, override) {
             sources.name = "cwd-basename";
         }
     }
-    // domain: flag > manifest > CNAME file > package homepage url? (skip;
-    // too noisy). We deliberately don't derive a domain from the project
-    // name — too speculative, and the matching layer already tries common
-    // domain patterns against any zone we list.
+    // domain: flag > manifest > CNAME file. We deliberately don't derive
+    // a domain from the project name — too speculative, and the matching
+    // layer already tries common domain patterns against any zone we list.
     if (override.domain) {
         out.domain = override.domain;
         sources.domain = "flag";
@@ -345,15 +520,11 @@ function inferIdentity(local, override) {
         out.domain = local.cnameFile.content;
         sources.domain = "cname-file";
     }
-    // repo: flag > git remote
+    // repo: flag (else filled in by caller from git remote)
     if (override.repo) {
         out.repo = override.repo;
         sources.repo = "flag";
     }
-    else {
-        // git remote is resolved async — leave undefined here; the caller
-        // fills it via resolveGitRemote (run before prompting).
-    }
     return { input: out, sources };
 }
 async function resolveGitRemote(local) {
@@ -522,7 +693,46 @@ function rel(cwd, abs) {
         return abs.slice(cwd.length + 1);
     return abs;
 }
-async function scanCoolify(input) {
+export function computeExpectations(local, identity) {
+    const env = local.envSignals;
+    const deps = local.packageDeps;
+    const hasManifestBuckets = (() => {
+        const b = local.manifest?.s3Buckets;
+        if (!b)
+            return false;
+        return Object.values(b).some((v) => v && typeof v === "object");
+    })();
+    return {
+        // Coolify is the project's deploy target whenever there's a manifest
+        // (every hatchkit-scaffolded project deploys there) or a deploy
+        // workflow committed.
+        coolify: !!local.manifest || !!local.deployWorkflowPath,
+        // DNS is always relevant when we know a domain — the user wouldn't
+        // have a domain unless they intended to route something to it.
+        dns: !!identity.domain,
+        r2: hasManifestBuckets || env.has("R2") || env.has("S3") || deps.has("@aws-sdk/client-s3"),
+        github: !!identity.repo,
+        // Pages is expected when a deploy workflow is committed or the
+        // repo has a CNAME file at one of the conventional locations.
+        githubPages: !!local.ghPagesWorkflowPath || !!local.cnameFile,
+        resend: env.has("RESEND") || deps.has("resend"),
+        // The Sentry SDK works against GlitchTip (same wire protocol), so
+        // either signal counts. Same for an explicit GLITCHTIP_DSN.
+        glitchtip: env.has("GLITCHTIP") ||
+            env.has("SENTRY") ||
+            deps.has("glitchtip") ||
+            hasDepMatching(deps, /^@sentry\//),
+        openpanel: env.has("OPENPANEL") || hasDepMatching(deps, /^@openpanel\//) || deps.has("openpanel"),
+        stripe: env.has("STRIPE") || deps.has("stripe") || deps.has("@stripe/stripe-js"),
+    };
+}
+function hasDepMatching(deps, re) {
+    for (const d of deps)
+        if (re.test(d))
+            return true;
+    return false;
+}
+async function scanCoolify(input, expected) {
     const provider = "coolify";
     const findings = [];
     const skipped = [];
@@ -602,6 +812,7 @@ async function scanCoolify(input) {
             kind: "application",
             identity: input.name,
             status: "missing",
+            expected,
             detail: `no Coolify project or app named ${wantedNames.join(" / ")} (${apps.length} app(s) total)`,
         });
     }
@@ -634,7 +845,7 @@ function collectFqdns(app) {
 function nameAliases(name) {
     return [name, `${name}-server`, `${name}-client`, `${name}-web`, `${name}-api`];
 }
-async function scanDns(input) {
+async function scanDns(input, expected) {
     const provider = "dns";
     const findings = [];
     const skipped = [];
@@ -677,6 +888,7 @@ async function scanDns(input) {
             kind: "zone",
             identity: apex,
             status: "missing",
+            expected,
             detail: "no Cloudflare zone for this apex",
         });
         return { provider, findings, skipped };
@@ -745,7 +957,7 @@ function relevantRecordProbes(input) {
     }
     return out;
 }
-async function scanR2(input, manifest) {
+async function scanR2(input, manifest, expected) {
     const provider = "s3:r2";
     const findings = [];
     const skipped = [];
@@ -839,39 +1051,62 @@ async function scanR2(input, manifest) {
             kind: "bucket",
             identity: input.name ?? "(candidates)",
             status: "missing",
+            expected,
             detail: `no R2 bucket matches ${Array.from(candidates).join(" / ")} (account ${accountId.slice(0, 6)}…)`,
         });
     }
     return { provider, findings, skipped, raw: { accountId, live, manifestBuckets } };
 }
-async function scanS3Other(_input) {
-    // Hetzner Object Storage + AWS S3 don't have a "list all buckets for
-    // this access key" call exposed in the existing client. We surface
-    // presence only, so the user knows where else to look. A full impl
-    // would need an `@aws-sdk/client-s3` `ListBuckets` call, which is
-    // already a dep — but adding that here doubles the surface area;
-    // ship without for now and revisit if anyone asks.
+async function scanS3Other(input) {
+    // Account-wide `ListBuckets` over Hetzner Object Storage + AWS S3 via
+    // the AWS SDK (already a dep — assets/mirror.ts uses it for the
+    // streaming copy path). Emits one `present` finding per live bucket
+    // plus a credentials-level info line so the user can spot a misrouted
+    // endpoint without scrolling to drift.
     const provider = "s3";
     const findings = [];
     const skipped = [];
+    const nameMatch = input.name?.toLowerCase();
     for (const p of ["hetzner", "aws"]) {
         const cfg = await getS3Config(p);
-        if (cfg) {
+        if (!cfg) {
+            skipped.push({ provider: `s3:${p}`, reason: "not configured" });
+            continue;
+        }
+        try {
+            const buckets = await listS3Buckets(cfg);
             findings.push({
                 provider: `s3:${p}`,
                 kind: "credentials",
                 identity: p,
                 status: "info",
-                detail: `endpoint: ${cfg.endpoint} — bucket inventory not implemented for ${p}`,
+                detail: `endpoint: ${cfg.endpoint} · ${buckets.length} bucket${buckets.length === 1 ? "" : "s"}`,
             });
+            for (const b of buckets) {
+                const matchesProject = nameMatch !== undefined &&
+                    (b.name.toLowerCase() === nameMatch || b.name.toLowerCase().startsWith(`${nameMatch}-`));
+                findings.push({
+                    provider: `s3:${p}`,
+                    kind: "bucket",
+                    identity: b.name,
+                    status: "present",
+                    detail: b.creationDate
+                        ? `created ${b.creationDate.toISOString().slice(0, 10)}`
+                        : undefined,
+                    expected: matchesProject || undefined,
+                });
+            }
         }
-        else {
-            skipped.push({ provider: `s3:${p}`, reason: "not configured" });
+        catch (err) {
+            skipped.push({
+                provider: `s3:${p}`,
+                reason: `ListBuckets failed: ${err.message.split("\n")[0]}`,
+            });
         }
     }
     return { provider, findings, skipped };
 }
-async function scanGitHub(input) {
+async function scanGitHub(input, expects) {
     const provider = "github";
     const findings = [];
     const skipped = [];
@@ -920,6 +1155,7 @@ async function scanGitHub(input) {
                 kind: "repository",
                 identity: input.repo,
                 status: "missing",
+                expected: expects.github,
                 detail: res.stderr.trim().split("\n")[0],
             });
             return { provider, findings, skipped, raw: { repoInfo } };
@@ -959,6 +1195,7 @@ async function scanGitHub(input) {
                 kind: "page-site",
                 identity: input.repo,
                 status: "missing",
+                expected: expects.githubPages,
                 detail: "Pages is not enabled on this repo",
             });
         }
@@ -1019,7 +1256,7 @@ async function scanGitHub(input) {
     }
     return { provider, findings, skipped, raw: { repoInfo, pages } };
 }
-async function scanResend(input) {
+async function scanResend(input, expected) {
     const provider = "resend";
     const findings = [];
     const skipped = [];
@@ -1047,6 +1284,7 @@ async function scanResend(input) {
                 kind: "verified-domain",
                 identity: input.domain,
                 status: "missing",
+                expected,
                 detail: `no Resend domain entry for ${input.domain} (${(body.data ?? []).length} domain(s) total)`,
             });
         }
@@ -1070,7 +1308,7 @@ async function scanResend(input) {
     }
     return { provider, findings, skipped };
 }
-async function scanGlitchtip(input) {
+async function scanGlitchtip(input, expected) {
     const provider = "glitchtip";
     const findings = [];
     const skipped = [];
@@ -1097,6 +1335,7 @@ async function scanGlitchtip(input) {
                 kind: "project",
                 identity: input.name,
                 status: "missing",
+                expected,
                 detail: `no GlitchTip project matching ${wanted.join(" / ")} (${body.length} total in org)`,
             });
         }
@@ -1120,7 +1359,7 @@ async function scanGlitchtip(input) {
     }
     return { provider, findings, skipped };
 }
-async function scanOpenpanel(input) {
+async function scanOpenpanel(input, expected) {
     const provider = "openpanel";
     const findings = [];
     const skipped = [];
@@ -1158,6 +1397,7 @@ async function scanOpenpanel(input) {
                 kind: "project",
                 identity: input.name,
                 status: "missing",
+                expected,
                 detail: `no OpenPanel project matching ${wanted.join(" / ")} (${projects.length} total)`,
             });
         }
@@ -1180,7 +1420,7 @@ async function scanOpenpanel(input) {
     }
     return { provider, findings, skipped };
 }
-async function scanStripe(input) {
+async function scanStripe(input, expected) {
     const provider = "stripe";
     const findings = [];
     const skipped = [];
@@ -1215,6 +1455,7 @@ async function scanStripe(input) {
                     kind: "webhook-endpoint",
                     identity: `${mode} mode`,
                     status: "missing",
+                    expected,
                     detail: `no webhook endpoint with URL containing ${input.domain} (${(body.data ?? []).length} endpoint(s) in ${mode} mode)`,
                 });
             }
@@ -1486,13 +1727,7 @@ export function renderInventoryHuman(report) {
             continue;
         lines.push(chalk.bold(`  ${providerKey}`));
         for (const f of findings) {
-            const icon = f.status === "present"
-                ? chalk.green("✓")
-                : f.status === "missing"
-                    ? chalk.red("✗")
-                    : f.status === "drift"
-                        ? chalk.yellow("⚠")
-                        : chalk.dim("·");
+            const icon = findingIcon(f);
             const kind = chalk.dim(`(${f.kind})`);
             const detail = f.detail ? chalk.dim(` — ${f.detail}`) : "";
             lines.push(`    ${icon} ${f.identity} ${kind}${detail}`);
@@ -1506,12 +1741,10 @@ export function renderInventoryHuman(report) {
         }
         lines.push("");
     }
-    lines.push(`  ${chalk.green(`${report.summary.present} present`)}  ${report.summary.drift > 0
-        ? chalk.yellow(`${report.summary.drift} drift`)
-        : chalk.dim("0 drift")}  ${report.summary.missing > 0
-        ? chalk.red(`${report.summary.missing} missing`)
-        : chalk.dim("0 missing")}  ${chalk.dim(`${report.summary.skipped} skipped`)}`);
-    lines.push("");
+    // Final one-page summary — compact per-provider roll-up, no detail
+    // fluff. The reader can scroll up for specifics; this block answers
+    // "what does this project have, and what needs attention?" at a glance.
+    lines.push(renderInventorySummary(report));
     return lines.join("\n");
 }
 function sourceTag(s) {
@@ -1519,4 +1752,252 @@ function sourceTag(s) {
         return chalk.dim("  (will prompt)");
     return chalk.dim(`  ← ${s}`);
 }
+/** Status icon for a single finding. Red ✗ is reserved for `missing`
+ *  findings the project actually expects (declared in manifest, env,
+ *  package deps, workflows). An unexpected absence — e.g. "no Coolify
+ *  app named foo" for a library that doesn't deploy — is dim · instead. */
+function findingIcon(f) {
+    if (f.status === "present")
+        return chalk.green("✓");
+    if (f.status === "drift")
+        return chalk.yellow("⚠");
+    if (f.status === "missing")
+        return f.expected ? chalk.red("✗") : chalk.dim("·");
+    return chalk.dim("·");
+}
+function renderInventorySummary(report) {
+    const lines = [];
+    lines.push(chalk.dim(`  ${"─".repeat(58)}`));
+    lines.push(chalk.bold("  Summary"));
+    lines.push("");
+    // Group findings by *effective* provider — drift findings get
+    // re-attributed to the provider they're about, so each provider's
+    // summary line reflects all its state (including drift).
+    const grouped = new Map();
+    for (const f of report.findings) {
+        const effective = f.provider === "drift" ? driftToProvider(f.kind) : f.provider;
+        const list = grouped.get(effective);
+        if (list)
+            list.push(f);
+        else
+            grouped.set(effective, [f]);
+    }
+    const rolls = [];
+    for (const [providerKey, findings] of grouped) {
+        rolls.push(rollUpProvider(providerKey, findings));
+    }
+    // Append skipped providers (not in grouped) as dim rows so the
+    // summary lists every provider hatchkit knows about, not just the
+    // ones that returned findings.
+    const seen = new Set(grouped.keys());
+    for (const s of report.skipped) {
+        if (seen.has(s.provider))
+            continue;
+        seen.add(s.provider);
+        rolls.push({
+            label: providerLabel(s.provider),
+            icon: chalk.dim("·"),
+            text: chalk.dim(s.reason),
+        });
+    }
+    const labelWidth = Math.max(...rolls.map((r) => r.label.length), 10);
+    for (const r of rolls) {
+        lines.push(`    ${r.label.padEnd(labelWidth + 2)} ${r.icon} ${r.text}`);
+    }
+    // Bottom-line takeaway — counts only `expected` missing (the
+    // actionable subset). Unexpected absences ("no Coolify app named foo"
+    // for a CLI library) are excluded; they're not problems to fix.
+    lines.push("");
+    const drift = report.summary.drift;
+    const missing = report.summary.expectedMissing;
+    const present = report.summary.present;
+    if (drift > 0 || missing > 0) {
+        const parts = [];
+        if (drift > 0) {
+            parts.push(chalk.yellow(`⚠ ${drift} drift${drift === 1 ? "" : "s"} to reconcile`));
+        }
+        if (missing > 0) {
+            parts.push(chalk.red(`✗ ${missing} expected resource${missing === 1 ? "" : "s"} missing`));
+        }
+        lines.push(`  ${parts.join(chalk.dim("  ·  "))}`);
+    }
+    else if (present > 0) {
+        lines.push(`  ${chalk.green("✓ All clear")} — ${present} resource${present === 1 ? "" : "s"} tracked, nothing out of sync.`);
+    }
+    else {
+        lines.push(chalk.dim("  Nothing matched — try `--name`, `--domain`, or `--repo` to narrow."));
+    }
+    lines.push("");
+    return lines.join("\n");
+}
+/** Drift findings live under provider "drift" in `report.findings`,
+ *  but conceptually they belong to the provider they describe. Pin
+ *  each drift `kind` to its source provider for the summary roll-up. */
+function driftToProvider(driftKind) {
+    if (driftKind.startsWith("coolify"))
+        return "coolify";
+    if (driftKind === "bucket" || driftKind === "bucket-cors")
+        return "s3:r2";
+    if (driftKind.startsWith("github-pages"))
+        return "github-pages";
+    if (driftKind === "missing-secret")
+        return "github";
+    return "drift";
+}
+function rollUpProvider(providerKey, findings) {
+    const drifts = findings.filter((f) => f.status === "drift");
+    const present = findings.filter((f) => f.status === "present");
+    const missing = findings.filter((f) => f.status === "missing");
+    const label = providerLabel(providerKey);
+    if (drifts.length > 0) {
+        return {
+            label,
+            icon: chalk.yellow("⚠"),
+            text: chalk.yellow(`${drifts.length} drift${drifts.length === 1 ? "" : "s"} — see above`),
+        };
+    }
+    if (present.length > 0) {
+        return {
+            label,
+            icon: chalk.green("✓"),
+            text: summarizePresent(providerKey, present, missing),
+        };
+    }
+    if (missing.length > 0) {
+        // Red ✗ only when the project locally declares this resource
+        // should exist. Otherwise dim · with a softer "no match" label —
+        // a CLI library shouldn't get a red mark for "no Coolify app".
+        const anyExpected = missing.some((f) => f.expected);
+        return {
+            label,
+            icon: anyExpected ? chalk.red("✗") : chalk.dim("·"),
+            text: anyExpected
+                ? chalk.red(summarizeMissing(providerKey))
+                : chalk.dim("no match (not declared by this project)"),
+        };
+    }
+    // Only `info`-level findings → no actionable state to surface.
+    return {
+        label,
+        icon: chalk.dim("·"),
+        text: chalk.dim(findings[0]?.identity ?? ""),
+    };
+}
+/** Compact "what's here" string for a provider that has at least one
+ *  present finding. Per-provider tuned to keep the line short. */
+function summarizePresent(providerKey, present, missing) {
+    const partial = missing.length > 0 ? chalk.dim(` (${missing.length} missing)`) : "";
+    switch (providerKey) {
+        case "coolify": {
+            const apps = present.filter((f) => f.kind === "application").map((f) => f.identity);
+            const projects = present.filter((f) => f.kind === "project");
+            const parts = [];
+            if (apps.length)
+                parts.push(`${apps.length} app: ${apps.join(", ")}`);
+            if (projects.length)
+                parts.push(`${projects.length} project${projects.length === 1 ? "" : "s"}`);
+            return (parts.join(", ") || present[0].identity) + partial;
+        }
+        case "dns": {
+            const zone = present.find((f) => f.kind === "zone");
+            const records = present.filter((f) => f.kind === "dns-record");
+            const base = zone
+                ? `${zone.identity} (${records.length} record${records.length === 1 ? "" : "s"})`
+                : `${records.length} record${records.length === 1 ? "" : "s"}`;
+            return base + partial;
+        }
+        case "s3:r2": {
+            const buckets = present.filter((f) => f.kind === "bucket").map((f) => f.identity);
+            return (`${buckets.length} bucket${buckets.length === 1 ? "" : "s"}: ${buckets.join(", ")}` +
+                partial);
+        }
+        case "github": {
+            const repo = present.find((f) => f.kind === "repository");
+            if (repo) {
+                // Detail is "private · default: main · …" — pull just the
+                // visibility (first segment) to keep the line short.
+                const visibility = repo.detail?.split(" · ")[0];
+                return `${repo.identity}${visibility ? chalk.dim(` (${visibility})`) : ""}`;
+            }
+            return present[0].identity;
+        }
+        case "github-pages": {
+            const site = present.find((f) => f.kind === "page-site");
+            if (site) {
+                const cname = site.detail?.match(/cname:\s*([^\s·]+)/)?.[1];
+                return cname ? `live at ${cname}` : "enabled";
+            }
+            return "enabled";
+        }
+        case "resend": {
+            const domains = present.filter((f) => f.kind === "verified-domain").map((f) => f.identity);
+            return domains.join(", ") + partial;
+        }
+        case "glitchtip":
+        case "openpanel": {
+            const projects = present.filter((f) => f.kind === "project").map((f) => f.identity);
+            return projects.join(", ") + partial;
+        }
+        case "stripe": {
+            const hooks = present.filter((f) => f.kind === "webhook-endpoint");
+            return `${hooks.length} webhook${hooks.length === 1 ? "" : "s"}` + partial;
+        }
+        default:
+            return present[0].identity + partial;
+    }
+}
+/** Compact "what's not here" string for a provider where every
+ *  finding is `missing`. The detailed reason is in the per-provider
+ *  block above — this is just the headline. */
+function summarizeMissing(providerKey) {
+    switch (providerKey) {
+        case "coolify":
+            return "no matching app";
+        case "dns":
+            return "no zone for this domain";
+        case "s3:r2":
+            return "no matching buckets";
+        case "github":
+            return "repo not found";
+        case "github-pages":
+            return "Pages not enabled";
+        case "resend":
+            return "domain not verified";
+        case "glitchtip":
+        case "openpanel":
+            return "no matching project";
+        case "stripe":
+            return "no webhook for this domain";
+        default:
+            return "not found";
+    }
+}
+function providerLabel(key) {
+    switch (key) {
+        case "coolify":
+            return "Coolify";
+        case "dns":
+            return "DNS";
+        case "s3:r2":
+            return "R2";
+        case "s3:hetzner":
+            return "Hetzner S3";
+        case "s3:aws":
+            return "AWS S3";
+        case "github":
+            return "GitHub";
+        case "github-pages":
+            return "Pages";
+        case "resend":
+            return "Resend";
+        case "glitchtip":
+            return "GlitchTip";
+        case "openpanel":
+            return "OpenPanel";
+        case "stripe":
+            return "Stripe";
+        default:
+            return key;
+    }
+}
 //# sourceMappingURL=inventory.js.map