hatchkit 0.1.47 → 0.2.1

package/dist/index.js

@@ -3,7 +3,7 @@ import { existsSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { confirm } from "@inquirer/prompts";
 import chalk from "chalk";
-import { ensureCoolify, ensureGitHub, ensureHetzner, ensureS3, getConfig, getConfigPath, getMlServices, isFirstRun, reconfigureProvider, resetConfig, runOnboarding, } from "./config.js";
+import { ensureCoolify, ensureGitHub, ensureHetzner, ensureS3, getConfig, getConfigPath, getCoolifyConfig, getGhcrConfig, getMlServices, isFirstRun, reconfigureProvider, resetConfig, runOnboarding, } from "./config.js";
 import { runCoolifySetup } from "./deploy/coolify.js";
 import { setupGitHub } from "./deploy/github.js";
 import { deployMlServices } from "./deploy/gpu.js";
@@ -108,6 +108,11 @@ async function main() {
                 return printHelp("update");
             await handleUpdate();
             break;
+        case "server":
+            if (args.includes("--help") && args.length === 2)
+                return printHelp("server");
+            await handleServer();
+            break;
         case "keys":
             if (args.includes("--help") && args.length === 2)
                 return printHelp("keys");
@@ -456,7 +461,15 @@ async function handleAdd() {
     const positional = args.slice(1).filter((a) => !a.startsWith("--"));
     let baseName = positional[0];
     const rawService = positional[1];
-    const allServices = ["glitchtip", "openpanel", "resend", "s3", "email"];
+    const allServices = [
+        "glitchtip",
+        "openpanel",
+        "plausible",
+        "resend",
+        "s3",
+        "email",
+        "search-console",
+    ];
     if (!baseName) {
         const { input } = await import("@inquirer/prompts");
         const { validateProjectName } = await import("./utils/validate.js");
@@ -473,6 +486,7 @@ async function handleAdd() {
             choices: [
                 { name: "GlitchTip (error tracking)", value: "glitchtip", checked: true },
                 { name: "OpenPanel (product analytics)", value: "openpanel", checked: true },
+                { name: "Plausible (web analytics)", value: "plausible", checked: false },
                 { name: "Resend (transactional email)", value: "resend", checked: true },
                 {
                     name: "S3 / R2 (per-bucket scoped credentials from .hatchkit.json)",
@@ -484,6 +498,11 @@ async function handleAdd() {
                     value: "email",
                     checked: false,
                 },
+                {
+                    name: "Google Search Console (DNS verification + domain property)",
+                    value: "search-console",
+                    checked: false,
+                },
             ],
             required: true,
         });
@@ -503,7 +522,7 @@ async function handleAdd() {
     }
     // Flag parsing:
     //   --no-write                      → never write; print a cache summary only
-    //   --enable-dev-obs                → also populate .env.development with GlitchTip/OpenPanel creds
+    //   --enable-dev-obs                → also populate .env.development with observability creds
     //   --surfaces=<shared|separate|server-only|client-only>
     //   --server-dir <path>             → absolute or project-relative env dir for the server
     //   --client-dir <path>             → same for the client
@@ -783,7 +802,15 @@ async function handleRemove() {
     const skipConfirm = args.includes("--yes") || args.includes("-y");
     let baseName = positional[0];
     const rawService = positional[1];
-    const allServices = ["glitchtip", "openpanel", "resend", "s3", "email"];
+    const allServices = [
+        "glitchtip",
+        "openpanel",
+        "plausible",
+        "resend",
+        "s3",
+        "email",
+        "search-console",
+    ];
     if (!baseName) {
         const { input } = await import("@inquirer/prompts");
         const { validateProjectName } = await import("./utils/validate.js");
@@ -800,6 +827,7 @@ async function handleRemove() {
             choices: [
                 { name: "GlitchTip (deletes the project)", value: "glitchtip", checked: true },
                 { name: "OpenPanel (deletes the project)", value: "openpanel", checked: true },
+                { name: "Plausible (deletes the site)", value: "plausible", checked: false },
                 { name: "Resend (deletes the API key)", value: "resend", checked: true },
                 { name: "S3 / R2 (deletes per-bucket scoped tokens)", value: "s3", checked: false },
                 {
@@ -807,6 +835,11 @@ async function handleRemove() {
                     value: "email",
                     checked: false,
                 },
+                {
+                    name: "Google Search Console (removes property; keeps verification token)",
+                    value: "search-console",
+                    checked: false,
+                },
             ],
             required: true,
         });
@@ -841,7 +874,7 @@ async function handleRemove() {
     // project directory if it exists; the s3 unprovision falls back to
     // a keychain sweep when the manifest can't be found.
     let projectDir;
-    if (services.includes("s3")) {
+    if (services.includes("s3") || services.includes("search-console")) {
         const guess = resolve(baseName);
         if (existsSync(join(guess, ".hatchkit.json"))) {
             projectDir = guess;
@@ -867,6 +900,52 @@ async function handleDns() {
             printHelp("dns");
     }
 }
+async function configureGhcrForCreate(repoUrl, isPrivateRepo, ledger) {
+    const { repoSlugFromRemote } = await import("./deploy/gh-actions-secrets.js");
+    const slug = repoSlugFromRemote(repoUrl);
+    if (!slug) {
+        console.log(chalk.dim("  · Couldn't resolve owner/repo from GitHub URL — skipping GHCR pull setup."));
+        return;
+    }
+    const coolify = await getCoolifyConfig();
+    if (!coolify) {
+        console.log(chalk.dim("  · Coolify not configured — skipping GHCR pull setup."));
+        return;
+    }
+    const { CoolifyApi } = await import("./utils/coolify-api.js");
+    const { makeGhcrPackagePublic, registerGhcrCredsWithCoolify } = await import("./deploy/ghcr.js");
+    if (!isPrivateRepo) {
+        const result = await makeGhcrPackagePublic({ repoSlug: slug });
+        if (result.kind === "public-set")
+            return;
+        if (result.kind === "skipped" || result.kind === "failed") {
+            console.log(chalk.yellow(`  GHCR public-image setup skipped: ${result.reason}`));
+            console.log(chalk.dim(result.recovery.map((line) => `  ${line}`).join("\n")));
+        }
+        return;
+    }
+    const ghcrConfig = await getGhcrConfig();
+    const api = new CoolifyApi({ url: coolify.url, token: coolify.token });
+    const result = await registerGhcrCredsWithCoolify({
+        api,
+        repoSlug: slug,
+        pullToken: ghcrConfig?.pullToken,
+        username: ghcrConfig?.username,
+    });
+    if (result.kind === "private-registered") {
+        if (result.created) {
+            ledger?.record({ kind: "coolifyPrivateRegistry", uuid: result.registryUuid });
+        }
+        return;
+    }
+    if (result.kind === "skipped" || result.kind === "failed") {
+        console.log(chalk.yellow(`  GHCR private-image pull setup skipped: ${result.reason}`));
+        console.log(chalk.dim(result.recovery.map((line) => `  ${line}`).join("\n")));
+    }
+}
+function isCreatedGithubRepoPrivate(config) {
+    return config.createGithubRepo && (config.githubRepoVisibility ?? "private") === "private";
+}
 // ---------------------------------------------------------------------------
 // Commands
 // ---------------------------------------------------------------------------
@@ -875,20 +954,22 @@ async function handleCreate() {
     // the flow non-interactive; otherwise we still prompt for anything
     // not supplied via flags / config file.
     const flags = parseCreateFlags(args);
-    const { yes: nonInteractive, dryRun, presets, forceNoGithub, forceNoDeploy, forceNoInstall, } = flags;
+    const { yes: nonInteractive, dryRun, presets, forceNoGithub, forceNoDeploy, forceNoInstall, forceNoLocalDev, } = flags;
     // Check if first run (skip onboarding when non-interactive — the
     // onboarding prompts would stall automation).
     if (!nonInteractive && (await isFirstRun())) {
         await runOnboarding();
     }
     // Collect project config via interactive prompts (or presets).
-    const config = await collectProjectConfig({ dryRun, presets, nonInteractive });
+    const config = await collectProjectConfig({ dryRun, presets, nonInteractive, forceNoLocalDev });
     if (forceNoGithub)
         config.createGithubRepo = false;
     if (forceNoDeploy)
         config.runDeployment = false;
     if (forceNoInstall)
         config.installDeps = false;
+    if (forceNoLocalDev)
+        config.localDev = undefined;
     // Ensure needed providers are configured (lazy prompting).
     // Coolify + Hetzner only matter for the coolify deployment mode.
     // gh-pages skips them entirely (no server, no Docker registry).
@@ -917,13 +998,19 @@ async function handleCreate() {
             await ensureS3(config.s3Provider);
         }
     }
-    // Pre-flight observability + email + Stripe providers used by `hatchkit
-    // create` directly (not just `add`): if the user picked the analytics
-    // feature, GlitchTip needs to be configured before we can mint a DSN
-    // for them. Same for Stripe webhook auto-provisioning.
+    // Pre-flight observability + Stripe providers used by `hatchkit
+    // create` directly (not just `add`): if the user picked analytics
+    // providers, make sure they are configured before we can mint
+    // project-scoped resources. Same for Stripe webhook auto-provisioning.
     if (config.features.includes("analytics")) {
-        const { ensureGlitchtip } = await import("./config.js");
-        await ensureGlitchtip();
+        const providers = config.analyticsProviders ?? ["glitchtip"];
+        const { ensureGlitchtip, ensureOpenpanel, ensurePlausible } = await import("./config.js");
+        if (providers.includes("glitchtip"))
+            await ensureGlitchtip();
+        if (providers.includes("openpanel"))
+            await ensureOpenpanel();
+        if (providers.includes("plausible"))
+            await ensurePlausible();
     }
     if (config.features.includes("stripe")) {
         const { ensureStripe } = await import("./config.js");
@@ -954,7 +1041,7 @@ async function handleCreate() {
     console.log(`  Features:   ${config.features.length > 0 ? config.features.join(", ") : "none"}`);
     console.log(`  ML:         ${config.mlServices.length > 0 ? config.mlServices.join(", ") : "none"}`);
     console.log(`  Scaffold:   ${config.scaffoldRepo ? "yes" : "no"}`);
-    console.log(`  GitHub:     ${config.createGithubRepo ? "yes" : "no"}`);
+    console.log(`  GitHub:     ${config.createGithubRepo ? `yes (${config.githubRepoVisibility ?? "private"})` : "no"}`);
     console.log(`  Install:    ${config.installDeps ? "yes (pnpm install)" : "no"}`);
     console.log(`  Deploy now: ${config.runDeployment ? "yes" : "no"}`);
     if (config.dryRun) {
@@ -996,28 +1083,47 @@ async function handleCreate() {
                 const { printDotenvxSummary } = await import("./scaffold/dotenvx.js");
                 printDotenvxSummary(scaffoldResult.dotenvx, config.name);
             }
-            // Auto-provision GlitchTip + write its DSN encrypted into
-            // .env.production. The user picked the `analytics` feature; we
-            // already verified GlitchTip is configured during pre-flight.
-            // Skipped for client-only — the encrypt target lives in
-            // packages/server/, which doesn't exist post-prune. The client
-            // side of analytics (OpenPanel via NEXT_PUBLIC_*) still works
-            // without any provisioning.
-            if (config.features.includes("analytics") && config.surfaces !== "client-only") {
+            // Auto-provision selected observability/analytics providers
+            // through the same machinery used by `hatchkit add`, so create,
+            // adopt, and existing-project provisioning stay aligned.
+            if (config.features.includes("analytics")) {
+                const analyticsServices = [
+                    ...(config.analyticsProviders ?? ["glitchtip"]),
+                ];
                 try {
-                    const { provisionGlitchtipClient } = await import("./provision/glitchtip.js");
-                    const { set: dotenvxSet } = await import("@dotenvx/dotenvx");
-                    const ora = (await import("ora")).default;
-                    const spinner = ora(`GlitchTip: creating project ${config.name}`).start();
-                    const res = await provisionGlitchtipClient(config.name);
-                    ledger?.record({ kind: "glitchtip", project: config.name });
-                    spinner.succeed(`GlitchTip project ready (DSN encrypted into .env.production)`);
-                    const prodEnvPath = join(appDir, "packages/server/.env.production");
-                    dotenvxSet("GLITCHTIP_DSN", res.dsn, { path: prodEnvPath, encrypt: true });
+                    if (analyticsServices.length > 0) {
+                        const provisionMode = config.surfaces === "both"
+                            ? "shared"
+                            : config.surfaces === "server-only"
+                                ? "server-only"
+                                : "client-only";
+                        await runProvision({
+                            baseName: config.name,
+                            services: analyticsServices,
+                            domain: config.domain,
+                            surfaces: {
+                                mode: provisionMode,
+                                projectDir: appDir,
+                                serverEnvDir: config.surfaces === "client-only" ? undefined : join(appDir, "packages/server"),
+                                clientEnvDir: config.surfaces === "server-only" ? undefined : join(appDir, "packages/client"),
+                            },
+                            onProvisioned: (event) => {
+                                if (event.service === "glitchtip") {
+                                    ledger?.record({ kind: "glitchtip", project: event.project });
+                                }
+                                else if (event.service === "openpanel") {
+                                    ledger?.record({ kind: "openpanel", project: event.project });
+                                }
+                                else if (event.service === "plausible") {
+                                    ledger?.record({ kind: "plausible", project: event.project });
+                                }
+                            },
+                        });
+                    }
                 }
                 catch (err) {
-                    console.log(chalk.yellow(`  Couldn't auto-provision GlitchTip: ${err.message}`));
-                    console.log(chalk.dim(`  Run \`hatchkit add ${config.name} glitchtip\` once GlitchTip is reachable.`));
+                    console.log(chalk.yellow(`  Couldn't auto-provision analytics: ${err.message}`));
+                    console.log(chalk.dim(`  Run \`hatchkit add ${config.name} ${analyticsServices.join(",")}\` once providers are reachable.`));
                 }
             }
             // Stripe: walk the user through pasting per-project keys (sk + pk
@@ -1170,6 +1276,7 @@ async function handleCreate() {
                 repoUrl: repoUrl ?? undefined,
                 serverPort: scaffoldResult?.ports.server,
                 clientPort: scaffoldResult?.ports.client,
+                isPrivateRepo: isCreatedGithubRepoPrivate(config),
             });
             // Order matters: rollback iterates the ledger in REVERSE, so we
             // record parent-before-child (project before app). Otherwise
@@ -1223,18 +1330,26 @@ async function handleCreate() {
             if (repoUrl && config.scaffoldRepo) {
                 try {
                     const { findCoolifyAppsForProject } = await import("./deploy/coolify-app.js");
-                    const { repoSlugFromRemote, setCoolifyDeploySecrets } = await import("./deploy/gh-actions-secrets.js");
+                    const { ghSecretExists, repoSlugFromRemote, setCoolifyDeploySecrets } = await import("./deploy/gh-actions-secrets.js");
                     const slug = repoSlugFromRemote(repoUrl);
                     const apps = await findCoolifyAppsForProject(config.name);
-                    if (slug && apps.length > 0) {
-                        await setCoolifyDeploySecrets({
-                            projectDir: appDir,
-                            repoSlug: slug,
-                            apps,
-                        });
-                    }
-                    else if (apps.length === 0) {
-                        console.log(chalk.dim(`  · No Coolify app named "${config.name}" / "${config.name}-server" / "${config.name}-client" / "${config.name}-web" found — skipping Actions secret push.`));
+                    if (slug) {
+                        if (apps.length > 0) {
+                            await setCoolifyDeploySecrets({
+                                projectDir: appDir,
+                                repoSlug: slug,
+                                apps,
+                            });
+                        }
+                        else {
+                            console.log(chalk.dim(`  · No Coolify app named "${config.name}" / "${config.name}-server" / "${config.name}-client" / "${config.name}-web" found — skipping Coolify deploy secret push.`));
+                        }
+                        const secretName = "DOTENV_PRIVATE_KEY_PRODUCTION";
+                        const preExisted = await ghSecretExists(appDir, slug, secretName);
+                        await pushProjectKeyToGh(config.name, slug);
+                        if (!preExisted) {
+                            ledger?.record({ kind: "ghActionsSecret", repo: slug, name: secretName });
+                        }
                     }
                 }
                 catch (err) {
@@ -1305,7 +1420,10 @@ async function handleCreate() {
         // created the repo + `origin` but deliberately skipped the push.
         if (config.scaffoldRepo && config.createGithubRepo && repoUrl) {
             const { pushInitialBranch } = await import("./deploy/github.js");
-            await pushInitialBranch(appDir);
+            const pushed = await pushInitialBranch(appDir);
+            if (pushed && config.deploymentMode === "coolify") {
+                await configureGhcrForCreate(repoUrl, isCreatedGithubRepoPrivate(config), ledger);
+            }
         }
         // Step 6.6: optional email forwarding setup (Cloudflare Email
         // Routing). Opt-in prompt — most projects want it but a scripted
@@ -1470,6 +1588,48 @@ async function handleUpdate() {
         console.log(chalk.yellow("  Run `pnpm install` to pick up @hatchkit/dev-plugin-next, then `hatchkit doctor` to confirm host plumbing."));
     }
 }
+async function handleServer() {
+    const sub = args[1];
+    if (sub !== "add") {
+        console.log("Usage: hatchkit server add [--yes] [--dry-run] [--server-dir <path>]");
+        console.log("Run `hatchkit help server` for details.");
+        process.exit(1);
+    }
+    const { runServerAdd } = await import("./scaffold/server-add.js");
+    const result = await runServerAdd(resolve("."), {
+        yes: args.includes("--yes") || args.includes("-y"),
+        dryRun: args.includes("--dry-run"),
+        serverDir: flagValue("--server-dir"),
+        sharedDir: flagValue("--shared-dir"),
+    });
+    if (args.includes("--json")) {
+        console.log(JSON.stringify(result, null, 2));
+        return;
+    }
+    if (result.dryRun) {
+        console.log(chalk.yellow("  --dry-run — no files were changed."));
+    }
+    if (result.created.length > 0) {
+        console.log(chalk.green(`  ✓ Created: ${result.created.join(", ")}`));
+    }
+    if (result.updated.length > 0) {
+        console.log(chalk.green(`  ✓ Updated: ${result.updated.join(", ")}`));
+    }
+    if (result.reused.length > 0) {
+        console.log(chalk.dim(`  · Reused existing: ${result.reused.join(", ")}`));
+    }
+    for (const warning of result.warnings) {
+        console.log(chalk.yellow(`  ! ${warning}`));
+    }
+    if (result.skipped.length > 0 && !result.changed) {
+        console.log(chalk.dim(`  · ${result.skipped.join(", ")}`));
+    }
+    if (result.nextSteps.length > 0) {
+        console.log(chalk.bold("\n  Next:"));
+        for (const step of result.nextSteps)
+            console.log(`    ${step}`);
+    }
+}
 async function handleConfig() {
     const subcommand = args[1];
     switch (subcommand) {
@@ -1477,7 +1637,7 @@ async function handleConfig() {
             const provider = args[2];
             if (!provider) {
                 console.log("Usage: hatchkit config add <provider>");
-                console.log("Providers: coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate, glitchtip, openpanel, resend, stripe");
+                console.log("Providers: coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate, glitchtip, openpanel, plausible, resend, search-console, stripe");
                 return;
             }
             // Handle provider setup based on name
@@ -1489,7 +1649,9 @@ async function handleConfig() {
                 case "dns":
                 case "glitchtip":
                 case "openpanel":
+                case "plausible":
                 case "resend":
+                case "search-console":
                 case "stripe":
                 case "ghcr":
                     await reconfigureProvider(provider);
@@ -1528,7 +1690,7 @@ async function handleConfig() {
                 default:
                     if (!isGpuPlatform(provider)) {
                         console.log(chalk.red(`  Unknown provider: ${provider}`));
-                        console.log(chalk.dim("  Valid: coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate, glitchtip, openpanel, resend, stripe"));
+                        console.log(chalk.dim("  Valid: coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate, glitchtip, openpanel, plausible, resend, search-console, stripe"));
                         return;
                     }
                     await reconfigureProvider(`gpu.${provider}`);
@@ -1673,6 +1835,37 @@ function printHelp(topic) {
 
   ${chalk.bold("Removal is not supported.")} Removing features could delete
     user code — remove manually + edit the manifest.
+`);
+        return;
+    }
+    if (topic === "server") {
+        console.log(`
+  ${chalk.bold("hatchkit server add")} — retrofit a server into a client-only project
+
+  ${chalk.bold("Usage:")}
+    cd <project-dir> && hatchkit server add
+    cd <project-dir> && hatchkit server add --yes
+
+  ${chalk.bold("What it does:")}
+    Reads .hatchkit.json, copies the Hatchkit server package from the
+    starter, restores shared server types, updates root scripts/workspace
+    files, flips manifest surfaces from ${chalk.cyan("client-only")} to
+    ${chalk.cyan("both")}, and switches gh-pages projects back to coolify.
+
+  ${chalk.bold("What it does not do:")}
+    No provider calls. No Coolify, DNS, GitHub, keychain, or Terraform
+    mutation. To wire deploy infra after the local scaffold:
+
+      hatchkit adopt --resume --regenerate-pipeline
+
+  ${chalk.bold("Options:")}
+    --server-dir <path>   Destination for the server package. Default:
+                          ${chalk.dim("packages/server")}.
+    --shared-dir <path>   Destination for the shared package. Default:
+                          ${chalk.dim("packages/shared")}.
+    --yes, -y             Skip confirmation.
+    --dry-run             Show planned local changes without writing.
+    --json                Machine-readable result.
 `);
         return;
     }
@@ -1792,20 +1985,22 @@ function printHelp(topic) {
     }
     if (topic === "dev-setup") {
         console.log(`
-  ${chalk.bold("hatchkit dev-setup")} — opt-in Tailscale-served dev URLs
+  ${chalk.bold("hatchkit dev-setup")} — Tailscale-served dev URLs
 
   Wires up the host-wide plumbing that makes every scaffolded project
   reachable from any Tailscale peer at:
 
-    ${chalk.cyan("https://<slug>.local.ricoslabs.com/")}
+    ${chalk.cyan("https://<slug>.local.<your-domain>/")}
 
   …without per-project DNS, port juggling, or framework basePath config.
 
   ${chalk.bold("Host-wide subcommands (run once per machine):")}
     dev-setup init [--force]   Auto-write ~/.config/dev/Caddyfile, register
                                a launchd job to run Caddy on a free port
-                               (default 9443, auto-bumps on collision), and
-                               register a tailscale serve TCP=443 bridge.
+                               (default 9443, auto-bumps on collision),
+                               register a tailscale serve TCP=443 bridge,
+                               and auto-upsert the wildcard DNS A record
+                               when Cloudflare credentials are available.
                                Idempotent — safe to re-run.
     dev-setup status           Print the same Local-dev rows that
                                ${chalk.cyan("hatchkit doctor")} would show.
@@ -1825,8 +2020,11 @@ function printHelp(topic) {
                                next.config + dep in place (they're inert
                                without the fragment).
 
-  ${chalk.bold("One-time DNS bit you do yourself (per machine, not per project):")}
-    *.local.ricoslabs.com  CNAME  <your-machine>.<tailnet>.ts.net.
+  ${chalk.bold("DNS:")}
+    ${chalk.cyan("dev-setup init")} auto-upserts a DNS-only A record:
+    *.local.<your-domain>  A  <your-tailnet-ip>  (DNS-only)
+
+    If Cloudflare credentials are unavailable, add that record manually.
 
   This feature is fully optional: until you run ${chalk.cyan("dev-setup init")},
   ${chalk.cyan("hatchkit doctor")} surfaces zero Local-dev rows. Within a project,
@@ -1864,7 +2062,7 @@ function printHelp(topic) {
       · App fqdn references an apex with no Cloudflare zone
       · R2 bucket follows the \`<project>-<role>\` convention but has no
         matching Coolify app (orphan from a destroyed project)
-      · GlitchTip / OpenPanel project with no Coolify app counterpart
+      · GlitchTip / OpenPanel / Plausible project/site with no Coolify app counterpart
       · Cloudflare zone with no Coolify app pointing into it
 
   ${chalk.bold("Flags:")}
@@ -1944,10 +2142,14 @@ function printHelp(topic) {
   ${chalk.bold("What it does:")}
     · GlitchTip / OpenPanel: ${chalk.bold("one project per product")}, events tagged by
       \`environment\` so dev / staging / prod share the same dashboard.
-      Written to ${chalk.cyan(".env.production")} only — dev noise pollutes real metrics.
+    · Plausible: one site for the public project domain, with browser tracker env.
+      Observability values are written to ${chalk.cyan(".env.production")} only — dev noise pollutes real metrics.
       Pass ${chalk.cyan("--enable-dev-obs")} to populate ${chalk.cyan(".env.development")} too.
     · Resend: separate ${chalk.cyan("-dev")} and ${chalk.cyan("-prod")} API keys (audience
       safety). Written to the server's dev + prod env respectively.
+    · Search Console: verifies the project domain via Cloudflare DNS TXT,
+      then adds the ${chalk.cyan("sc-domain:<domain>")} property to your Google account.
+      No runtime env is written.
     · ${chalk.cyan(".env.production")} is dotenvx-encrypted — commit-safe.
       ${chalk.cyan(".env.development")} is plaintext — gitignored, not encrypted.
     · A 0600 cache of every value is saved under
@@ -1967,7 +2169,10 @@ function printHelp(topic) {
   ${chalk.bold("Services:")}
     glitchtip   GLITCHTIP_DSN (server) / PUBLIC_GLITCHTIP_DSN (client)
     openpanel   OPENPANEL_* (server) / PUBLIC_OPENPANEL_* (client)
+    plausible   NEXT_PUBLIC_PLAUSIBLE_DOMAIN / *_SCRIPT_URL (client only)
     resend      RESEND_API_KEY (server only)
+    search-console
+                Google Search Console domain property (DNS verification; no env)
     s3          R2_<BUCKET>_ACCESS_KEY_ID / *_SECRET_ACCESS_KEY / *_BUCKET / R2_ENDPOINT
                 — mints a per-bucket scoped Cloudflare R2 API token for every
                   bucket declared in .hatchkit.json (s3Buckets). Single-bucket
@@ -2016,8 +2221,10 @@ function printHelp(topic) {
       · Writes \`.hatchkit.json\` so \`update\`, \`add\`, \`keys\` recognise
         the project.
       · ${chalk.cyan("GitHub remote")} — \`git init\` (if needed),
-        commit, \`gh repo create --private --source=. --push\`. Skipped
-        when an \`origin\` is already set.
+        commit, \`gh repo create --private|--public --source=. --push\`.
+        Visibility is prompted (default private) or set with
+        \`--github-visibility private|public\`. Skipped when an \`origin\`
+        is already set.
       · ${chalk.cyan("Coolify + DNS")} — direct REST-API calls into the
         Coolify and Cloudflare you already configured (no Terraform,
         no submodule). Finds or creates the Coolify project, picks
@@ -2027,7 +2234,7 @@ function printHelp(topic) {
         (DOTENV_PRIVATE_KEY_PRODUCTION + GITHUB_REPO_URL), upserts an
         A record \`<domain> → <server-ip>\` on Cloudflare, and triggers
         the first deploy. Defaults ON when no matching app exists.
-      · Optionally provisions GlitchTip / OpenPanel / Resend clients
+      · Optionally provisions GlitchTip / OpenPanel / Plausible / Resend clients
         (same machinery as \`hatchkit add\`).
       · Optionally pushes the dotenvx private key to Coolify
         (redundant when the Coolify+DNS step ran — it already does).
@@ -2086,7 +2293,11 @@ function printHelp(topic) {
   ${chalk.bold("Services:")}
     glitchtip   Deletes the GlitchTip project
     openpanel   Deletes the OpenPanel project (and clears cached creds)
+    plausible   Deletes the Plausible site cached for this project
     resend      Finds API keys by name and deletes them
+    search-console
+                Removes the Search Console property from your Google account
+                (keeps DNS verification token / ownership state)
     s3          Deletes per-bucket scoped Cloudflare R2 API tokens
                 (clears the keychain entries and DELETEs upstream)
 
@@ -2124,7 +2335,7 @@ function printHelp(topic) {
     create + adopt:
     - GitHub repo                              ${chalk.dim("gh repo delete")}
     - dotenvx private key in keychain          ${chalk.dim("keytar deletePassword")}
-    - GlitchTip / OpenPanel / Resend           ${chalk.dim("DELETE")} per-vendor
+    - GlitchTip / OpenPanel / Plausible / Resend ${chalk.dim("DELETE")} per-vendor
     - Coolify app / project / database         ${chalk.dim("DELETE /api/v1/...")}
 
     adopt-only (fine-grained, never wider than what adopt itself wrote):
@@ -2269,7 +2480,7 @@ function printHelp(topic) {
     config              Show status of every configured provider (alias: \`status\`)
     config add <p>      Configure a provider
                         (coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate,
-                         glitchtip, openpanel, resend, stripe)
+                         glitchtip, openpanel, plausible, resend, search-console, stripe)
     config reset        Clear ALL CLI config (providers, tokens, ML registry, ports)
 `);
         return;
@@ -2374,7 +2585,8 @@ function printHelp(topic) {
     create          Scaffold a new project (interactive)
     adopt           Bring an existing project under hatchkit management (run in project dir)
     update          Add features to an already-scaffolded project (run in project dir)
-    add             Create GlitchTip / OpenPanel / Resend clients for an existing project
+    server add      Retrofit a server into a client-only project
+    add             Create GlitchTip / OpenPanel / Plausible / Resend clients for an existing project
     assets          Move bytes between local MinIO and prod buckets (seed/push/pull/migrate)
     remove          Delete the -dev/-prod clients created by 'add' (inverse of add)
     destroy         Roll back everything ${chalk.cyan("hatchkit create")} did for a project
@@ -2408,7 +2620,12 @@ function printHelp(topic) {
     --yes, -y       (with \`create\`) skip prompts, use defaults / --config values
     --config <path> (with \`create\`) load JSON overrides for ProjectConfig fields
     --name <name>   (with \`create\`) set project name without prompting
+    --local-dev[=<slug>] (with \`create\`) enable Tailscale dev URL, optionally with slug
+    --no-local-dev  (with \`create\`) skip local-dev wiring
     --no-github     (with \`create\`) skip GitHub repo creation
+    --github-visibility {private|public}
+                    (with \`create\`) visibility for a newly-created GitHub repo.
+                    Default: private. Shorthands: \`--private\`, \`--public\`.
     --no-deploy     (with \`create\`) skip Terraform/Coolify/ML deployment
 
   ${chalk.bold("Environment:")}