hatchkit 0.1.40 → 0.1.42

package/dist/index.js

@@ -166,6 +166,13 @@ async function main() {
             await runDoctor({ json: isJson });
             break;
         }
+        case "overview": {
+            if (args.includes("--help"))
+                return printHelp("overview");
+            const { runOverview } = await import("./overview.js");
+            await runOverview({ json: isJson, all: args.includes("--all") });
+            break;
+        }
         case "inventory": {
             if (args.includes("--help"))
                 return printHelp("inventory");
@@ -183,6 +190,8 @@ async function main() {
             await runInventory(resolve("."), {
                 json: isJson,
                 yes: args.includes("--yes") || args.includes("-y"),
+                save: args.includes("--save"),
+                noSave: args.includes("--no-save"),
                 input: Object.keys(inputOverride).length > 0 ? inputOverride : undefined,
             });
             break;
@@ -226,6 +235,13 @@ async function main() {
             await handleDns();
             break;
         }
+        case "email": {
+            if (args.includes("--help") && args.length === 2)
+                return printHelp("email");
+            const { handleEmailCommand } = await import("./email/index.js");
+            await handleEmailCommand(args.slice(1));
+            break;
+        }
         case "gh-pages":
         case "pages": {
             if (args.includes("--help"))
@@ -233,6 +249,14 @@ async function main() {
             if (command === "pages") {
                 console.log(chalk.yellow("  Note: `hatchkit pages` has been renamed to `hatchkit gh-pages`."));
             }
+            if (args.includes("--undo")) {
+                const { runPagesUndo } = await import("./deploy/pages.js");
+                await runPagesUndo(resolve("."), {
+                    dryRun: args.includes("--dry-run"),
+                    yes: args.includes("--yes") || args.includes("-y"),
+                });
+                break;
+            }
             const { runPagesSetup } = await import("./deploy/pages.js");
             await runPagesSetup(resolve("."));
             break;
@@ -425,7 +449,7 @@ async function handleAdd() {
     const positional = args.slice(1).filter((a) => !a.startsWith("--"));
     let baseName = positional[0];
     const rawService = positional[1];
-    const allServices = ["glitchtip", "openpanel", "resend", "s3"];
+    const allServices = ["glitchtip", "openpanel", "resend", "s3", "email"];
     if (!baseName) {
         const { input } = await import("@inquirer/prompts");
         const { validateProjectName } = await import("./utils/validate.js");
@@ -448,6 +472,11 @@ async function handleAdd() {
                     value: "s3",
                     checked: false,
                 },
+                {
+                    name: "Email forwarding (Cloudflare Email Routing — MX/SPF/DMARC + rules)",
+                    value: "email",
+                    checked: false,
+                },
             ],
             required: true,
         });
@@ -747,7 +776,7 @@ async function handleRemove() {
     const skipConfirm = args.includes("--yes") || args.includes("-y");
     let baseName = positional[0];
     const rawService = positional[1];
-    const allServices = ["glitchtip", "openpanel", "resend", "s3"];
+    const allServices = ["glitchtip", "openpanel", "resend", "s3", "email"];
     if (!baseName) {
         const { input } = await import("@inquirer/prompts");
         const { validateProjectName } = await import("./utils/validate.js");
@@ -766,6 +795,11 @@ async function handleRemove() {
                 { name: "OpenPanel (deletes the project)", value: "openpanel", checked: true },
                 { name: "Resend (deletes the API key)", value: "resend", checked: true },
                 { name: "S3 / R2 (deletes per-bucket scoped tokens)", value: "s3", checked: false },
+                {
+                    name: "Email forwarding (deletes routing rules + DNS records; keeps destination)",
+                    value: "email",
+                    checked: false,
+                },
             ],
             required: true,
         });
@@ -849,17 +883,22 @@ async function handleCreate() {
     if (forceNoInstall)
         config.installDeps = false;
     // Ensure needed providers are configured (lazy prompting).
-    // Coolify + Hetzner are only needed when actually deploying —
-    // scaffold-only + --no-deploy runs skip their setup prompts.
-    if (config.deployTarget === "existing" || config.runDeployment) {
+    // Coolify + Hetzner only matter for the coolify deployment mode.
+    // gh-pages skips them entirely (no server, no Docker registry).
+    if (config.deploymentMode === "coolify" &&
+        (config.deployTarget === "existing" || config.runDeployment)) {
         await ensureCoolify();
     }
     // GitHub is checked here so auth failures surface before scaffold
-    // (not deep inside `setupGitHub` after files are on disk).
-    if (config.createGithubRepo) {
+    // (not deep inside `setupGitHub` after files are on disk). Pages
+    // also needs GitHub auth for the API calls that enable Pages and
+    // set the cname — so we require it whenever gh-pages is involved.
+    if (config.createGithubRepo || config.deploymentMode === "gh-pages") {
         await ensureGitHub();
     }
-    if (config.deployTarget === "new" && config.runDeployment) {
+    if (config.deploymentMode === "coolify" &&
+        config.deployTarget === "new" &&
+        config.runDeployment) {
         await ensureHetzner();
     }
     if (config.features.includes("s3") &&
@@ -892,8 +931,19 @@ async function handleCreate() {
     // Summary before execution
     console.log(chalk.bold("\n  ── Summary ───────────────────────────────────────────────\n"));
     console.log(`  Project:    ${chalk.cyan(config.name)}`);
+    if (config.description) {
+        console.log(`  Descr.:     ${chalk.cyan(config.description)}`);
+    }
     console.log(`  Domain:     ${chalk.cyan(config.domain)}`);
-    console.log(`  Deploy to:  ${config.deployTarget === "existing" ? `existing server (${config.serverIpv4 ?? config.serverIp ?? "?"}${config.serverIpv6 ? ` · ${config.serverIpv6}` : ""})` : `new Hetzner ${config.serverSize}`}`);
+    if (config.deploymentMode === "gh-pages") {
+        console.log(`  Deploy to:  ${chalk.cyan("GitHub Pages (static)")}`);
+    }
+    else if (config.deploymentMode === "scaffold-only") {
+        console.log(`  Deploy to:  ${chalk.dim("scaffold only (no deploy)")}`);
+    }
+    else {
+        console.log(`  Deploy to:  ${config.deployTarget === "existing" ? `existing server (${config.serverIpv4 ?? config.serverIp ?? "?"}${config.serverIpv6 ? ` · ${config.serverIpv6}` : ""})` : `new Hetzner ${config.serverSize}`}`);
+    }
     console.log(`  Features:   ${config.features.length > 0 ? config.features.join(", ") : "none"}`);
     console.log(`  ML:         ${config.mlServices.length > 0 ? config.mlServices.join(", ") : "none"}`);
     console.log(`  Scaffold:   ${config.scaffoldRepo ? "yes" : "no"}`);
@@ -1028,10 +1078,19 @@ async function handleCreate() {
             }
         }
         if (config.dryRun) {
-            scaffoldInfra(config, INFRA_ROOT, {
-                serverPort: scaffoldResult?.ports.server,
-                clientPort: scaffoldResult?.ports.client,
-            });
+            // Coolify mode previews the Terraform tfvars + Coolify env that
+            // would be written. gh-pages and scaffold-only have nothing
+            // equivalent — Pages reads no env, scaffold-only writes no infra.
+            if (config.deploymentMode === "coolify") {
+                scaffoldInfra(config, INFRA_ROOT, {
+                    serverPort: scaffoldResult?.ports.server,
+                    clientPort: scaffoldResult?.ports.client,
+                });
+            }
+            else if (config.deploymentMode === "gh-pages") {
+                console.log(chalk.dim("  · gh-pages mode — would write `.github/workflows/gh-pages.yml`, patch `next.config`,\n" +
+                    "    write CNAME, enable Pages, configure DNS, and wait for the Let's Encrypt cert."));
+            }
             console.log(chalk.green("\n  ✓ Dry run complete. No changes were made.\n"));
             return;
         }
@@ -1081,8 +1140,10 @@ async function handleCreate() {
         if (infraResult.coolifyEnvPath) {
             ledger?.record({ kind: "coolifyEnv", path: infraResult.coolifyEnvPath });
         }
-        // Step 5: Terraform (DNS + optionally server)
-        if (config.runDeployment) {
+        // Step 5: Terraform (DNS + optionally server). Coolify-only —
+        // gh-pages handles its own DNS via `runPagesSetupProgrammatic`
+        // a few steps down, and `scaffold-only` skips deploy entirely.
+        if (config.runDeployment && config.deploymentMode === "coolify") {
             const tfResult = await runTerraform(config, INFRA_ROOT);
             if (tfResult.applied) {
                 ledger?.record({
@@ -1092,8 +1153,9 @@ async function handleCreate() {
                 });
             }
         }
-        // Step 6: Coolify setup
-        if (config.runDeployment) {
+        // Step 6: Coolify setup. Only runs in coolify mode; gh-pages has
+        // no Coolify app to provision (the site lives on GitHub's CDN).
+        if (config.runDeployment && config.deploymentMode === "coolify") {
             const coolifyResult = await runCoolifySetup(config, {
                 repoUrl: repoUrl ?? undefined,
                 serverPort: scaffoldResult?.ports.server,
@@ -1170,6 +1232,63 @@ async function handleCreate() {
                 }
             }
         }
+        // Step 6.25 (gh-pages only): run Pages setup. Writes the
+        // .github/workflows/gh-pages.yml + CNAME file locally and wires
+        // the remote side (enable Pages, register cname, configure DNS,
+        // poll for the Let's Encrypt cert, flip https_enforced). Must
+        // happen BEFORE push so the new files land in the first push and
+        // the workflow runs immediately.
+        if (config.deploymentMode === "gh-pages" &&
+            config.scaffoldRepo &&
+            config.runDeployment &&
+            repoUrl) {
+            const { runPagesSetupProgrammatic } = await import("./deploy/pages.js");
+            const { exec: bashExec } = await import("./utils/exec.js");
+            // The scaffold's `pruneToClientOnly` rewrites the root build
+            // script to `pnpm --filter @starter/shared run build && pnpm
+            // --filter @starter/client run build` — runs from the repo
+            // root, outputs to `packages/client/out/` (after the Pages-
+            // mode Next config patch sets `output: "export"`).
+            const detected = {
+                kind: "node-build",
+                publishDir: "packages/client/out",
+                packageManager: "pnpm",
+                buildScript: "build",
+                workDir: "",
+            };
+            const slug = repoUrl.replace(/^https?:\/\/github\.com\//, "");
+            try {
+                const { pageUrl } = await runPagesSetupProgrammatic(appDir, {
+                    detected,
+                    domain: config.domain,
+                });
+                ledger?.record({
+                    kind: "ghPages",
+                    repo: slug,
+                    projectDir: appDir,
+                    cname: config.domain,
+                });
+                // Commit the workflow + CNAME file before the push step
+                // below picks up the staged changes. Empty diffs (e.g. re-
+                // running on an idempotent state) just produce a no-op commit.
+                await bashExec("git", ["add", "-A"], { cwd: appDir, silent: true });
+                const status = await bashExec("git", ["status", "--porcelain"], {
+                    cwd: appDir,
+                    silent: true,
+                });
+                if (status.stdout.trim()) {
+                    await bashExec("git", ["commit", "-m", "ci: GitHub Pages setup"], {
+                        cwd: appDir,
+                        silent: true,
+                    });
+                }
+                console.log(chalk.green(`  ✓ GitHub Pages will publish at ${pageUrl}`));
+            }
+            catch (err) {
+                console.log(chalk.yellow(`  Couldn't auto-wire GitHub Pages: ${err.message}`));
+                console.log(chalk.dim(`  Run \`hatchkit gh-pages\` from ${appDir} once the issue is resolved.`));
+            }
+        }
         // Step 6.5: push the working branch to origin. Done AFTER Coolify
         // wiring + Actions-secret upserts so the workflow's first run
         // already has the secrets it needs to deploy. setupGitHub above
@@ -1178,6 +1297,61 @@ async function handleCreate() {
             const { pushInitialBranch } = await import("./deploy/github.js");
             await pushInitialBranch(appDir);
         }
+        // Step 6.6: optional email forwarding setup (Cloudflare Email
+        // Routing). Opt-in prompt — most projects want it but a scripted
+        // / non-interactive create shouldn't pay the latency cost or sink
+        // on a missing accountId without explicit consent.
+        if (config.scaffoldRepo && !config.dryRun && !nonInteractive && process.stdin.isTTY) {
+            try {
+                const wantsEmail = await confirm({
+                    message: `Set up email forwarding for ${chalk.cyan(config.domain)} (Cloudflare Email Routing)?`,
+                    default: true,
+                });
+                if (wantsEmail) {
+                    const { runEmailSetupForDomain } = await import("./email/index.js");
+                    const result = await runEmailSetupForDomain({ domain: config.domain }, appDir);
+                    // Mirror adopt's ledger plumbing so `hatchkit destroy <project>`
+                    // can roll back the email-routing state we just created.
+                    if (ledger && result.destination.createdThisRun) {
+                        ledger.record({
+                            kind: "cloudflareEmailDestination",
+                            accountId: result.accountId,
+                            destinationId: result.destination.record.id,
+                            email: result.destination.record.email,
+                        });
+                    }
+                    for (const dns of result.dnsRecords) {
+                        if (!dns.created)
+                            continue;
+                        ledger?.record({
+                            kind: "cloudflareDnsRecord",
+                            zoneId: result.zoneId,
+                            recordId: dns.id,
+                            name: dns.name,
+                            type: dns.type,
+                        });
+                    }
+                    for (const rule of result.rules) {
+                        if (!rule.created)
+                            continue;
+                        ledger?.record({
+                            kind: "cloudflareEmailRoutingRule",
+                            zoneId: result.zoneId,
+                            ruleId: rule.id,
+                            address: rule.address,
+                        });
+                    }
+                }
+            }
+            catch (err) {
+                // Soft-fail: email forwarding is a follow-up convenience, not a
+                // gating step for the rest of `create`. The user can re-run
+                // `hatchkit email setup` once any underlying issue (e.g. zone
+                // not yet in Cloudflare) is fixed.
+                console.log(chalk.yellow(`  ⚠ Email forwarding setup skipped: ${err.message}`));
+                console.log(chalk.dim(`    Re-run with \`hatchkit email setup --domain ${config.domain}\`.`));
+            }
+        }
         // Step 7: Deploy ML services
         if (config.runDeployment &&
             deploy.length > 0 &&
@@ -1242,6 +1416,9 @@ async function handleCreate() {
     if (config.surfaces !== "client-only") {
         console.log(`  API:       ${chalk.cyan(`https://${config.domain}/api`)}`);
     }
+    if (config.deploymentMode === "gh-pages") {
+        console.log(chalk.dim(`  Hosting:   GitHub Pages — first build kicks off on push, https cert provisions over the next few minutes.`));
+    }
     console.log(`  App dir:   ${chalk.dim(appDir)}`);
     console.log(`  Config:    ${chalk.dim(getConfigPath())}`);
     if (config.scaffoldRepo) {
@@ -1259,7 +1436,7 @@ async function handleCreate() {
     }
     if (config.features.includes("desktop")) {
         console.log(chalk.yellow("\n  Next (desktop): replace build/icon.png with a 512×512 logo, then:"));
-        console.log(chalk.dim("    pnpm icons:desktop     # cross-platform (electron-icon-builder)"));
+        console.log(chalk.dim("    pnpm icons:desktop     # cross-platform (icon-gen)"));
     }
     if (config.features.includes("desktop") || config.features.includes("mobile")) {
         console.log(chalk.yellow("\n  Server CORS: TRUSTED_ORIGINS is already set in .env.example for native clients."));
@@ -1391,13 +1568,20 @@ function printHelp(topic) {
     hatchkit create [--dry-run]
 
   ${chalk.bold("What it does (interactively):")}
-    1. Prompts for project name, domain, deploy target, features, ML services
+    1. Prompts for project name, domain, surfaces, deployment mode, features, ML
     2. Copies the starter template and strips unselected features
     3. Assigns unique ports per project (server, client, native HMR)
     4. Runs \`pnpm install\` (if pnpm is present and you opt in)
     5. Initializes git, optionally creates a GitHub repo
-    6. Generates Terraform tfvars + Coolify .env
-    7. Optionally deploys: Terraform → Coolify → ML services
+    6. Generates Terraform tfvars + Coolify .env (Coolify mode)
+    7. Deploys: Terraform → Coolify → ML  ${chalk.dim("OR")}  GitHub Pages setup
+
+  ${chalk.bold("Deployment modes:")}
+    ${chalk.cyan("coolify")}        Full-stack on Hetzner — DB, providers, Docker. Default.
+    ${chalk.cyan("gh-pages")}       Static-only on GitHub Pages. Only offered when surfaces
+                   is ${chalk.dim("client-only")}; the scaffold's Next config is patched to
+                   ${chalk.dim('`output: "export"`')} and the gh-pages workflow is written.
+    ${chalk.cyan("scaffold-only")}  Write files, skip deploy. Pick this to defer setup.
 
   ${chalk.bold("Options:")}
     --dry-run       Show the plan without writing anything
@@ -1485,6 +1669,7 @@ function printHelp(topic) {
 
   ${chalk.bold("Usage:")}
     cd <project-dir> && hatchkit gh-pages
+    cd <project-dir> && hatchkit gh-pages --undo [--dry-run] [--yes]
 
   ${chalk.bold("What it does:")}
     1. Reads the repo via \`gh repo view\` (must be a GitHub repo you own).
@@ -1506,6 +1691,17 @@ function printHelp(topic) {
   ${chalk.bold("After running:")}
     git add -A && git commit -m "ci: deploy to GitHub Pages" && git push
 
+  ${chalk.bold("Undo (--undo):")}
+    Reverses what the command put in place:
+      - Disables Pages via ${chalk.dim("DELETE /repos/<owner>/<repo>/pages")} (clears the cname too).
+      - Deletes Cloudflare records that point at GitHub's Pages IPs / ${chalk.dim("<user>.github.io")}
+        for the registered domain (only when a Cloudflare token is configured + the
+        zone is in this account).
+      - Removes ${chalk.cyan(".github/workflows/gh-pages.yml")} (only the file hatchkit writes
+        — hand-written Pages workflows are left untouched).
+      - Removes any ${chalk.cyan("CNAME")} files whose content matches the registered domain.
+    ${chalk.dim("--dry-run")} prints the plan without changing anything. ${chalk.dim("--yes")} skips the confirm.
+
   ${chalk.bold("Notes:")}
     - Private repos need a paid GitHub plan for Pages. Free-tier repos
       must be made public first.
@@ -1532,8 +1728,41 @@ function printHelp(topic) {
         ${chalk.dim("INWX_SANDBOX=1")} → use the OTE sandbox instead of production.
 
   ${chalk.bold("Prerequisites:")}
-    Run ${chalk.cyan("hatchkit config add dns")} and choose Cloudflare, then answer
+    Run ${chalk.cyan("hatchkit config add dns")} (Cloudflare-only), then answer
     ${chalk.cyan("yes")} to "Is INWX your domain registrar?" when prompted.
+`);
+        return;
+    }
+    if (topic === "email") {
+        console.log(`
+  ${chalk.bold("hatchkit email")} — Cloudflare Email Routing setup
+
+  ${chalk.bold("Subcommands:")}
+    setup    Configure Email Routing + DNS (MX, SPF, DMARC) for a domain
+    status   Print current routing state (read-only)
+
+  ${chalk.bold("Flags (setup):")}
+    --domain <fqdn>           Override the project domain
+    --to <email>              Forwarding destination (saved globally on first use)
+    --addresses <list>        Comma-separated local parts (skips picker)
+    --all-defaults            Use every default preset; skip picker
+    --no-catch-all            Don't set the *@domain catch-all rule
+    --dmarc <none|quarantine|reject>  DMARC policy (default: quarantine)
+    --no-resend-spf           Skip auto-merging _spf.resend.com
+
+  ${chalk.bold("What it sets:")}
+    · Email Routing enabled on the zone
+    · Destination address verified at Cloudflare (verification email sent)
+    · MX records → route1/route2/route3.mx.cloudflare.net
+    · SPF TXT (single record, merged with Resend if detected)
+    · DMARC TXT at _dmarc.<domain> (default p=quarantine sp=none)
+    · One forwarding rule per picked address
+    · Optional catch-all rule (*@<domain>)
+
+  ${chalk.bold("Prerequisites:")}
+    DNS must be on Cloudflare (${chalk.cyan("hatchkit config add dns")}). The token
+    needs Zone:DNS:Edit + Zone:Email Routing Rules:Edit +
+    Account:Email Routing Addresses:Edit.
 `);
         return;
     }
@@ -1545,6 +1774,46 @@ function printHelp(topic) {
   stored (Coolify /version, Hetzner /servers, Cloudflare /tokens/verify,
   Resend /domains, …). Reports ok / fail / not-configured per provider
   and exits non-zero if any check fails. Safe to run repeatedly.
+`);
+        return;
+    }
+    if (topic === "overview") {
+        console.log(`
+  ${chalk.bold("hatchkit overview")} — fleet-level view of every configured provider
+
+  Distinct from ${chalk.cyan("status")} (which providers do I have credentials for?),
+  ${chalk.cyan("doctor")} (are those credentials valid?), and ${chalk.cyan("inventory")} (what does THIS
+  project have?). ${chalk.cyan("overview")} answers "what does my whole hatchkit
+  footprint look like, across every configured provider?" — no name or
+  domain filter, just a roll-up of top-level resources.
+
+  ${chalk.bold("What it lists:")}
+    · Coolify              applications, projects, databases
+    · Cloudflare DNS       zones
+    · R2                   buckets (whole account)
+    · Hetzner S3 / AWS S3  credential presence (bucket listing not implemented)
+    · Resend               verified domains
+    · GlitchTip            projects in the configured org
+    · OpenPanel            projects
+    · Stripe               webhook endpoints (test + live)
+
+  ${chalk.bold("Cross-references:")}
+    After listing every provider, ${chalk.cyan("overview")} cross-references the
+    raw data to flag fleet-level inconsistencies — the kind of bitrot
+    that a single-provider lens can't see:
+
+      · Coolify app deploys from a repo \`gh\` can't find (deleted/renamed)
+      · App fqdn references an apex with no Cloudflare zone
+      · R2 bucket follows the \`<project>-<role>\` convention but has no
+        matching Coolify app (orphan from a destroyed project)
+      · GlitchTip / OpenPanel project with no Coolify app counterpart
+      · Cloudflare zone with no Coolify app pointing into it
+
+  ${chalk.bold("Flags:")}
+    --all                Print every resource per provider (default: 6-line preview)
+    --json               Machine-readable OverviewReport (non-interactive)
+
+  Read-only — every call is a GET. Safe to run repeatedly.
 `);
         return;
     }
@@ -1591,7 +1860,19 @@ function printHelp(topic) {
     --domain <domain>    Override inferred domain
     --repo <owner/name>  Override inferred GitHub repo
     --yes, -y            Skip confirm-inferred-value prompts
+    --save               Write a minimal .hatchkit.json without prompting
+    --no-save            Suppress the end-of-run save prompt
     --json               Machine-readable InventoryReport (non-interactive)
+
+  ${chalk.bold("Persisting identity:")}
+    After an interactive run, when ${chalk.cyan(".hatchkit.json")} doesn't yet exist
+    and both name + domain are inferred, hatchkit offers to write a
+    minimal manifest. The manifest carries the right schema for every
+    other command (adopt, update, sync, keys), with conservative defaults
+    for fields inventory can't infer (features=[], s3Provider="none",
+    deployTarget="existing", ports={server:3000,client:5173}). Run
+    ${chalk.cyan("hatchkit adopt --resume")} afterwards to flesh out the rest via
+    the adopt stepper.
 `);
         return;
     }
@@ -2028,6 +2309,7 @@ function printHelp(topic) {
     status          Show what's configured and what's next
     doctor          Health-check every provider with contextual fix hints
     inventory       Survey what already exists for this project (and flag drift)
+    overview        Fleet-level survey — every resource across all configured providers
     explain         One-page mental model of the CLI
 
   ${chalk.bold("Projects:")}
@@ -2042,6 +2324,7 @@ function printHelp(topic) {
     sync            Push the manifest's domain/ports onto the matching Coolify app(s)
     gh-pages        Wire GitHub Pages for the current repo (static / Vite / Jekyll — with DNS)
     dns             DNS reconciliation helpers (link-to-cloudflare, …)
+    email           Set up Cloudflare Email Routing + MX/SPF/DMARC (setup/status)
     keys show <p>   Print the dotenvx private key for a project
     keys set <p>    Upsert the key into the OS keychain (after \`dotenvx rotate\`)
     keys rotate <p> Rotate the dotenvx keypair, mirror to keychain + (optional) deploy targets
@@ -2056,6 +2339,7 @@ function printHelp(topic) {
     status --json     StatusSnapshot as JSON
     doctor --json     Per-provider health with fix hints as JSON
     inventory --json  InventoryReport — resources found per provider + drift
+    overview --json   OverviewReport — fleet-level resource counts + names
     completion <shell>  Print a zsh/bash/fish completion script
 
   ${chalk.bold("Options:")}