hatchkit 0.1.47 → 0.2.2

package/dist/index.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
-import { existsSync } from "node:fs";
+import { existsSync, readFileSync, readdirSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { confirm } from "@inquirer/prompts";
 import chalk from "chalk";
-import { ensureCoolify, ensureGitHub, ensureHetzner, ensureS3, getConfig, getConfigPath, getMlServices, isFirstRun, reconfigureProvider, resetConfig, runOnboarding, } from "./config.js";
+import { ensureCoolify, ensureGitHub, ensureHetzner, ensureS3, getConfig, getConfigPath, getCoolifyConfig, getGhcrConfig, getMlServices, isFirstRun, reconfigureProvider, resetConfig, runOnboarding, } from "./config.js";
 import { runCoolifySetup } from "./deploy/coolify.js";
 import { setupGitHub } from "./deploy/github.js";
 import { deployMlServices } from "./deploy/gpu.js";
@@ -11,9 +11,10 @@ import { pushProjectKeyToCoolify, pushProjectKeyToGh, rotateProjectKey, setProje
 import { handleCreateFailure, runRollback } from "./deploy/rollback.js";
 import { runTerraform } from "./deploy/terraform.js";
 import { collectProjectConfig } from "./prompts.js";
-import { runProvision, runUnprovision } from "./provision/index.js";
+import { runProvision, runUnprovision, } from "./provision/index.js";
 import { scaffoldApp } from "./scaffold/app.js";
 import { scaffoldInfra } from "./scaffold/infra.js";
+import { readManifest } from "./scaffold/manifest.js";
 import { mlEnvVarName, printMlSummary, resolveMlServices } from "./scaffold/ml-client.js";
 import { runUpdate } from "./scaffold/update.js";
 import { installCancelHandler, isCancelInProgress, uninstallCancelHandler, } from "./utils/cancel-handler.js";
@@ -108,6 +109,11 @@ async function main() {
                 return printHelp("update");
             await handleUpdate();
             break;
+        case "server":
+            if (args.includes("--help") && args.length === 2)
+                return printHelp("server");
+            await handleServer();
+            break;
         case "keys":
             if (args.includes("--help") && args.length === 2)
                 return printHelp("keys");
@@ -433,10 +439,10 @@ function opts(result) {
  *  dir already lives inside the project (`packages/server`,
  *  `apps/web`, etc.). Returns undefined when no manifest is found —
  *  callers fall back to "skip s3" with a hint. */
-function inferProjectDir(serverEnvDir) {
-    if (!serverEnvDir)
+function inferProjectDir(startDir) {
+    if (!startDir)
         return undefined;
-    let cur = serverEnvDir;
+    let cur = startDir;
     for (let i = 0; i < 4; i++) {
         if (existsSync(join(cur, ".hatchkit.json")))
             return cur;
@@ -447,16 +453,191 @@ function inferProjectDir(serverEnvDir) {
     }
     return undefined;
 }
+function manifestBucketEntries(manifest) {
+    const buckets = manifest?.s3Buckets;
+    if (!buckets)
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(buckets)) {
+        if (key === "tokenId" || key === "accountId")
+            continue;
+        if (value && typeof value === "object" && "name" in value) {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function readIfExists(path) {
+    if (!existsSync(path))
+        return "";
+    try {
+        return readFileSync(path, "utf-8");
+    }
+    catch {
+        return "";
+    }
+}
+function readProjectEnvText(projectDir, baseName) {
+    const chunks = [];
+    if (projectDir) {
+        for (const dir of [
+            ".",
+            "packages/server",
+            "packages/client",
+            "packages/web",
+            "apps/server",
+            "apps/api",
+            "apps/web",
+            "apps/client",
+            "server",
+            "client",
+            "web",
+        ]) {
+            const abs = resolve(projectDir, dir);
+            chunks.push(readIfExists(join(abs, ".env.production")));
+            chunks.push(readIfExists(join(abs, ".env.development")));
+        }
+    }
+    if (baseName) {
+        const provisionedDir = join(dirname(getConfigPath()), "provisioned");
+        if (existsSync(provisionedDir)) {
+            for (const file of readdirSync(provisionedDir)) {
+                if (file.startsWith(`${baseName}.`) && file.endsWith(".env")) {
+                    chunks.push(readIfExists(join(provisionedDir, file)));
+                }
+            }
+        }
+    }
+    return chunks.join("\n");
+}
+function servicesAlreadyAdded(args) {
+    const text = readProjectEnvText(args.projectDir, args.baseName);
+    const added = new Set();
+    if (/(^|\n)(PUBLIC_)?GLITCHTIP_DSN=/m.test(text))
+        added.add("glitchtip");
+    if (/(^|\n)(PUBLIC_)?OPENPANEL_CLIENT_ID=/m.test(text))
+        added.add("openpanel");
+    if (/(^|\n)(NEXT_PUBLIC_|PUBLIC_)?PLAUSIBLE_DOMAIN=/m.test(text))
+        added.add("plausible");
+    if (/(^|\n)RESEND_API_KEY=/m.test(text))
+        added.add("resend");
+    if (/(^|\n)R2(_[A-Z0-9]+)?_ACCESS_KEY_ID=/m.test(text))
+        added.add("s3");
+    if (manifestBucketEntries(args.manifest).some((bucket) => bucket.tokenId))
+        added.add("s3");
+    if (args.manifest?.integrations?.email)
+        added.add("email");
+    if (args.manifest?.integrations?.searchConsole)
+        added.add("search-console");
+    return added;
+}
+function servicesImpossibleForProject(manifest) {
+    const blocked = new Set();
+    if (!manifest)
+        return blocked;
+    if (!manifest.domain) {
+        blocked.add("email");
+        blocked.add("search-console");
+    }
+    if (manifest.surfaces === "server-only")
+        blocked.add("plausible");
+    if (manifest.surfaces === "client-only") {
+        blocked.add("resend");
+        blocked.add("s3");
+    }
+    if (manifestBucketEntries(manifest).length === 0)
+        blocked.add("s3");
+    return blocked;
+}
+function recordProvisionedEvent(ledger, event) {
+    if (event.service === "glitchtip")
+        ledger.record({ kind: "glitchtip", project: event.project });
+    if (event.service === "openpanel")
+        ledger.record({ kind: "openpanel", project: event.project });
+    if (event.service === "plausible")
+        ledger.record({ kind: "plausible", project: event.project });
+    if (event.service === "resend")
+        ledger.record({ kind: "resend", client: event.client });
+    if (event.service === "s3" && event.minted) {
+        ledger.record({
+            kind: "r2Token",
+            tokenId: event.tokenId,
+            accountId: event.accountId,
+            audience: "account",
+        });
+    }
+    if (event.service === "search-console" && event.dnsRecord?.created) {
+        ledger.record({
+            kind: "cloudflareDnsRecord",
+            zoneId: event.dnsRecord.zoneId,
+            recordId: event.dnsRecord.id,
+            name: event.dnsRecord.name,
+            type: event.dnsRecord.type,
+        });
+    }
+    if (event.service === "email") {
+        if (event.destinationCreatedThisRun) {
+            ledger.record({
+                kind: "cloudflareEmailDestination",
+                accountId: event.accountId,
+                destinationId: event.destinationId,
+                email: event.destinationEmail,
+            });
+        }
+        for (const dns of event.dnsRecords) {
+            ledger.record({
+                kind: "cloudflareDnsRecord",
+                zoneId: event.zoneId,
+                recordId: dns.id,
+                name: dns.name,
+                type: dns.type,
+            });
+        }
+        for (const rule of event.rules) {
+            if (!rule.created)
+                continue;
+            ledger.record({
+                kind: "cloudflareEmailRoutingRule",
+                zoneId: event.zoneId,
+                ruleId: rule.id,
+                address: rule.address,
+            });
+        }
+    }
+}
 async function handleAdd() {
     // Positional args are optional — anything missing is prompted for.
     //   hatchkit add                             (fully interactive)
     //   hatchkit add raptor-runner               (prompts for services)
     //   hatchkit add raptor-runner all
     //   hatchkit add raptor-runner glitchtip,resend
+    const allServices = [
+        "glitchtip",
+        "openpanel",
+        "plausible",
+        "resend",
+        "s3",
+        "email",
+        "search-console",
+    ];
+    const isServiceExpr = (value) => {
+        if (!value)
+            return false;
+        if (value === "all")
+            return true;
+        return value
+            .split(",")
+            .map((s) => s.trim().toLowerCase())
+            .every((s) => allServices.includes(s));
+    };
     const positional = args.slice(1).filter((a) => !a.startsWith("--"));
-    let baseName = positional[0];
-    const rawService = positional[1];
-    const allServices = ["glitchtip", "openpanel", "resend", "s3", "email"];
+    const inferredProjectDir = inferProjectDir(process.cwd());
+    const inferredManifest = inferredProjectDir ? readManifest(inferredProjectDir) : null;
+    const firstArgIsService = isServiceExpr(positional[0]);
+    let baseName = firstArgIsService
+        ? inferredManifest?.name
+        : (positional[0] ?? inferredManifest?.name);
+    const rawService = firstArgIsService ? positional[0] : positional[1];
     if (!baseName) {
         const { input } = await import("@inquirer/prompts");
         const { validateProjectName } = await import("./utils/validate.js");
@@ -465,31 +646,54 @@ async function handleAdd() {
             validate: validateProjectName,
         });
     }
+    const alreadyAdded = servicesAlreadyAdded({
+        baseName,
+        projectDir: inferredProjectDir,
+        manifest: inferredManifest,
+    });
+    const impossible = servicesImpossibleForProject(inferredManifest);
+    const hiddenServices = new Set([...alreadyAdded, ...impossible]);
+    const addableServices = allServices.filter((service) => !hiddenServices.has(service));
     let services;
     if (!rawService) {
+        if (addableServices.length === 0) {
+            console.log(chalk.green(`  Nothing to add — ${baseName} already has every supported service.`));
+            return;
+        }
         const { multiselect } = await import("./utils/multiselect.js");
+        const serviceChoices = [
+            { name: "GlitchTip (error tracking)", value: "glitchtip", checked: false },
+            { name: "OpenPanel (product analytics)", value: "openpanel", checked: false },
+            { name: "Plausible (web analytics)", value: "plausible", checked: false },
+            { name: "Resend (transactional email)", value: "resend", checked: false },
+            {
+                name: "S3 / R2 (per-bucket scoped credentials from .hatchkit.json)",
+                value: "s3",
+                checked: false,
+            },
+            {
+                name: "Email forwarding (Cloudflare Email Routing — MX/SPF/DMARC + rules)",
+                value: "email",
+                checked: false,
+            },
+            {
+                name: "Google Search Console (DNS verification + domain property)",
+                value: "search-console",
+                checked: false,
+            },
+        ];
         services = await multiselect({
             message: "Which services to add?",
-            choices: [
-                { name: "GlitchTip (error tracking)", value: "glitchtip", checked: true },
-                { name: "OpenPanel (product analytics)", value: "openpanel", checked: true },
-                { name: "Resend (transactional email)", value: "resend", checked: true },
-                {
-                    name: "S3 / R2 (per-bucket scoped credentials from .hatchkit.json)",
-                    value: "s3",
-                    checked: false,
-                },
-                {
-                    name: "Email forwarding (Cloudflare Email Routing — MX/SPF/DMARC + rules)",
-                    value: "email",
-                    checked: false,
-                },
-            ],
+            choices: serviceChoices.filter((choice) => addableServices.includes(choice.value)),
             required: true,
         });
     }
     else if (rawService === "all") {
-        services = allServices;
+        services = addableServices;
+        if (services.length === 0) {
+            console.log(chalk.green(`  Nothing to add — ${baseName} already has every supported service.`));
+            return;
+        }
     }
     else {
         const requested = rawService.split(",").map((s) => s.trim().toLowerCase());
@@ -499,11 +703,21 @@ async function handleAdd() {
             console.log(chalk.dim(`  Valid: ${allServices.join(", ")}, or 'all'`));
             process.exit(1);
         }
-        services = requested;
+        const skipped = requested.filter((service) => hiddenServices.has(service));
+        if (skipped.length > 0) {
+            console.log(chalk.red(`  Refusing to add already-present/unavailable service(s): ${skipped.join(", ")}`));
+            console.log(chalk.dim("  Run `hatchkit remove` first if you want Hatchkit to recreate them."));
+            process.exit(1);
+        }
+        services = requested.filter((service) => !hiddenServices.has(service));
+        if (services.length === 0) {
+            console.log(chalk.green(`  Nothing to add — requested service(s) are already present or unavailable.`));
+            return;
+        }
     }
     // Flag parsing:
     //   --no-write                      → never write; print a cache summary only
-    //   --enable-dev-obs                → also populate .env.development with GlitchTip/OpenPanel creds
+    //   --enable-dev-obs                → also populate .env.development with observability creds
     //   --surfaces=<shared|separate|server-only|client-only>
     //   --server-dir <path>             → absolute or project-relative env dir for the server
     //   --client-dir <path>             → same for the client
@@ -554,7 +768,16 @@ async function handleAdd() {
                 : inferProjectDir(needsServer ? resolvePath(serverDirFlag) : undefined),
         };
     }
-    await runProvision({ baseName, services, surfaces, enableDevObs });
+    const ledger = RunLedger.resumeOrStart(baseName);
+    await runProvision({
+        baseName,
+        services,
+        surfaces,
+        enableDevObs,
+        failIfExists: true,
+        onProvisioned: (event) => recordProvisionedEvent(ledger, event),
+    });
+    ledger.complete();
 }
 async function handleProvisionS3() {
     // `hatchkit provision s3` — create the public+private bucket pair
@@ -783,7 +1006,15 @@ async function handleRemove() {
     const skipConfirm = args.includes("--yes") || args.includes("-y");
     let baseName = positional[0];
     const rawService = positional[1];
-    const allServices = ["glitchtip", "openpanel", "resend", "s3", "email"];
+    const allServices = [
+        "glitchtip",
+        "openpanel",
+        "plausible",
+        "resend",
+        "s3",
+        "email",
+        "search-console",
+    ];
     if (!baseName) {
         const { input } = await import("@inquirer/prompts");
         const { validateProjectName } = await import("./utils/validate.js");
@@ -800,6 +1031,7 @@ async function handleRemove() {
             choices: [
                 { name: "GlitchTip (deletes the project)", value: "glitchtip", checked: true },
                 { name: "OpenPanel (deletes the project)", value: "openpanel", checked: true },
+                { name: "Plausible (deletes the site)", value: "plausible", checked: false },
                 { name: "Resend (deletes the API key)", value: "resend", checked: true },
                 { name: "S3 / R2 (deletes per-bucket scoped tokens)", value: "s3", checked: false },
                 {
@@ -807,6 +1039,11 @@ async function handleRemove() {
                     value: "email",
                     checked: false,
                 },
+                {
+                    name: "Google Search Console (removes property; keeps verification token)",
+                    value: "search-console",
+                    checked: false,
+                },
             ],
             required: true,
         });
@@ -841,7 +1078,7 @@ async function handleRemove() {
     // project directory if it exists; the s3 unprovision falls back to
     // a keychain sweep when the manifest can't be found.
     let projectDir;
-    if (services.includes("s3")) {
+    if (services.includes("s3") || services.includes("search-console")) {
         const guess = resolve(baseName);
         if (existsSync(join(guess, ".hatchkit.json"))) {
             projectDir = guess;
@@ -867,6 +1104,52 @@ async function handleDns() {
             printHelp("dns");
     }
 }
+async function configureGhcrForCreate(repoUrl, isPrivateRepo, ledger) {
+    const { repoSlugFromRemote } = await import("./deploy/gh-actions-secrets.js");
+    const slug = repoSlugFromRemote(repoUrl);
+    if (!slug) {
+        console.log(chalk.dim("  · Couldn't resolve owner/repo from GitHub URL — skipping GHCR pull setup."));
+        return;
+    }
+    const coolify = await getCoolifyConfig();
+    if (!coolify) {
+        console.log(chalk.dim("  · Coolify not configured — skipping GHCR pull setup."));
+        return;
+    }
+    const { CoolifyApi } = await import("./utils/coolify-api.js");
+    const { makeGhcrPackagePublic, registerGhcrCredsWithCoolify } = await import("./deploy/ghcr.js");
+    if (!isPrivateRepo) {
+        const result = await makeGhcrPackagePublic({ repoSlug: slug });
+        if (result.kind === "public-set")
+            return;
+        if (result.kind === "skipped" || result.kind === "failed") {
+            console.log(chalk.yellow(`  GHCR public-image setup skipped: ${result.reason}`));
+            console.log(chalk.dim(result.recovery.map((line) => `  ${line}`).join("\n")));
+        }
+        return;
+    }
+    const ghcrConfig = await getGhcrConfig();
+    const api = new CoolifyApi({ url: coolify.url, token: coolify.token });
+    const result = await registerGhcrCredsWithCoolify({
+        api,
+        repoSlug: slug,
+        pullToken: ghcrConfig?.pullToken,
+        username: ghcrConfig?.username,
+    });
+    if (result.kind === "private-registered") {
+        if (result.created) {
+            ledger?.record({ kind: "coolifyPrivateRegistry", uuid: result.registryUuid });
+        }
+        return;
+    }
+    if (result.kind === "skipped" || result.kind === "failed") {
+        console.log(chalk.yellow(`  GHCR private-image pull setup skipped: ${result.reason}`));
+        console.log(chalk.dim(result.recovery.map((line) => `  ${line}`).join("\n")));
+    }
+}
+function isCreatedGithubRepoPrivate(config) {
+    return config.createGithubRepo && (config.githubRepoVisibility ?? "private") === "private";
+}
 // ---------------------------------------------------------------------------
 // Commands
 // ---------------------------------------------------------------------------
@@ -875,20 +1158,22 @@ async function handleCreate() {
     // the flow non-interactive; otherwise we still prompt for anything
     // not supplied via flags / config file.
     const flags = parseCreateFlags(args);
-    const { yes: nonInteractive, dryRun, presets, forceNoGithub, forceNoDeploy, forceNoInstall, } = flags;
+    const { yes: nonInteractive, dryRun, presets, forceNoGithub, forceNoDeploy, forceNoInstall, forceNoLocalDev, } = flags;
     // Check if first run (skip onboarding when non-interactive — the
     // onboarding prompts would stall automation).
     if (!nonInteractive && (await isFirstRun())) {
         await runOnboarding();
     }
     // Collect project config via interactive prompts (or presets).
-    const config = await collectProjectConfig({ dryRun, presets, nonInteractive });
+    const config = await collectProjectConfig({ dryRun, presets, nonInteractive, forceNoLocalDev });
     if (forceNoGithub)
         config.createGithubRepo = false;
     if (forceNoDeploy)
         config.runDeployment = false;
     if (forceNoInstall)
         config.installDeps = false;
+    if (forceNoLocalDev)
+        config.localDev = undefined;
     // Ensure needed providers are configured (lazy prompting).
     // Coolify + Hetzner only matter for the coolify deployment mode.
     // gh-pages skips them entirely (no server, no Docker registry).
@@ -917,13 +1202,19 @@ async function handleCreate() {
             await ensureS3(config.s3Provider);
         }
     }
-    // Pre-flight observability + email + Stripe providers used by `hatchkit
-    // create` directly (not just `add`): if the user picked the analytics
-    // feature, GlitchTip needs to be configured before we can mint a DSN
-    // for them. Same for Stripe webhook auto-provisioning.
+    // Pre-flight observability + Stripe providers used by `hatchkit
+    // create` directly (not just `add`): if the user picked analytics
+    // providers, make sure they are configured before we can mint
+    // project-scoped resources. Same for Stripe webhook auto-provisioning.
     if (config.features.includes("analytics")) {
-        const { ensureGlitchtip } = await import("./config.js");
-        await ensureGlitchtip();
+        const providers = config.analyticsProviders ?? ["glitchtip"];
+        const { ensureGlitchtip, ensureOpenpanel, ensurePlausible } = await import("./config.js");
+        if (providers.includes("glitchtip"))
+            await ensureGlitchtip();
+        if (providers.includes("openpanel"))
+            await ensureOpenpanel();
+        if (providers.includes("plausible"))
+            await ensurePlausible();
     }
     if (config.features.includes("stripe")) {
         const { ensureStripe } = await import("./config.js");
@@ -954,7 +1245,7 @@ async function handleCreate() {
     console.log(`  Features:   ${config.features.length > 0 ? config.features.join(", ") : "none"}`);
     console.log(`  ML:         ${config.mlServices.length > 0 ? config.mlServices.join(", ") : "none"}`);
     console.log(`  Scaffold:   ${config.scaffoldRepo ? "yes" : "no"}`);
-    console.log(`  GitHub:     ${config.createGithubRepo ? "yes" : "no"}`);
+    console.log(`  GitHub:     ${config.createGithubRepo ? `yes (${config.githubRepoVisibility ?? "private"})` : "no"}`);
     console.log(`  Install:    ${config.installDeps ? "yes (pnpm install)" : "no"}`);
     console.log(`  Deploy now: ${config.runDeployment ? "yes" : "no"}`);
     if (config.dryRun) {
@@ -996,28 +1287,47 @@ async function handleCreate() {
                 const { printDotenvxSummary } = await import("./scaffold/dotenvx.js");
                 printDotenvxSummary(scaffoldResult.dotenvx, config.name);
             }
-            // Auto-provision GlitchTip + write its DSN encrypted into
-            // .env.production. The user picked the `analytics` feature; we
-            // already verified GlitchTip is configured during pre-flight.
-            // Skipped for client-only — the encrypt target lives in
-            // packages/server/, which doesn't exist post-prune. The client
-            // side of analytics (OpenPanel via NEXT_PUBLIC_*) still works
-            // without any provisioning.
-            if (config.features.includes("analytics") && config.surfaces !== "client-only") {
+            // Auto-provision selected observability/analytics providers
+            // through the same machinery used by `hatchkit add`, so create,
+            // adopt, and existing-project provisioning stay aligned.
+            if (config.features.includes("analytics")) {
+                const analyticsServices = [
+                    ...(config.analyticsProviders ?? ["glitchtip"]),
+                ];
                 try {
-                    const { provisionGlitchtipClient } = await import("./provision/glitchtip.js");
-                    const { set: dotenvxSet } = await import("@dotenvx/dotenvx");
-                    const ora = (await import("ora")).default;
-                    const spinner = ora(`GlitchTip: creating project ${config.name}`).start();
-                    const res = await provisionGlitchtipClient(config.name);
-                    ledger?.record({ kind: "glitchtip", project: config.name });
-                    spinner.succeed(`GlitchTip project ready (DSN encrypted into .env.production)`);
-                    const prodEnvPath = join(appDir, "packages/server/.env.production");
-                    dotenvxSet("GLITCHTIP_DSN", res.dsn, { path: prodEnvPath, encrypt: true });
+                    if (analyticsServices.length > 0) {
+                        const provisionMode = config.surfaces === "both"
+                            ? "shared"
+                            : config.surfaces === "server-only"
+                                ? "server-only"
+                                : "client-only";
+                        await runProvision({
+                            baseName: config.name,
+                            services: analyticsServices,
+                            domain: config.domain,
+                            surfaces: {
+                                mode: provisionMode,
+                                projectDir: appDir,
+                                serverEnvDir: config.surfaces === "client-only" ? undefined : join(appDir, "packages/server"),
+                                clientEnvDir: config.surfaces === "server-only" ? undefined : join(appDir, "packages/client"),
+                            },
+                            onProvisioned: (event) => {
+                                if (event.service === "glitchtip") {
+                                    ledger?.record({ kind: "glitchtip", project: event.project });
+                                }
+                                else if (event.service === "openpanel") {
+                                    ledger?.record({ kind: "openpanel", project: event.project });
+                                }
+                                else if (event.service === "plausible") {
+                                    ledger?.record({ kind: "plausible", project: event.project });
+                                }
+                            },
+                        });
+                    }
                 }
                 catch (err) {
-                    console.log(chalk.yellow(`  Couldn't auto-provision GlitchTip: ${err.message}`));
-                    console.log(chalk.dim(`  Run \`hatchkit add ${config.name} glitchtip\` once GlitchTip is reachable.`));
+                    console.log(chalk.yellow(`  Couldn't auto-provision analytics: ${err.message}`));
+                    console.log(chalk.dim(`  Run \`hatchkit add ${config.name} ${analyticsServices.join(",")}\` once providers are reachable.`));
                 }
             }
             // Stripe: walk the user through pasting per-project keys (sk + pk
@@ -1170,6 +1480,7 @@ async function handleCreate() {
                 repoUrl: repoUrl ?? undefined,
                 serverPort: scaffoldResult?.ports.server,
                 clientPort: scaffoldResult?.ports.client,
+                isPrivateRepo: isCreatedGithubRepoPrivate(config),
             });
             // Order matters: rollback iterates the ledger in REVERSE, so we
             // record parent-before-child (project before app). Otherwise
@@ -1223,18 +1534,26 @@ async function handleCreate() {
             if (repoUrl && config.scaffoldRepo) {
                 try {
                     const { findCoolifyAppsForProject } = await import("./deploy/coolify-app.js");
-                    const { repoSlugFromRemote, setCoolifyDeploySecrets } = await import("./deploy/gh-actions-secrets.js");
+                    const { ghSecretExists, repoSlugFromRemote, setCoolifyDeploySecrets } = await import("./deploy/gh-actions-secrets.js");
                     const slug = repoSlugFromRemote(repoUrl);
                     const apps = await findCoolifyAppsForProject(config.name);
-                    if (slug && apps.length > 0) {
-                        await setCoolifyDeploySecrets({
-                            projectDir: appDir,
-                            repoSlug: slug,
-                            apps,
-                        });
-                    }
-                    else if (apps.length === 0) {
-                        console.log(chalk.dim(`  · No Coolify app named "${config.name}" / "${config.name}-server" / "${config.name}-client" / "${config.name}-web" found — skipping Actions secret push.`));
+                    if (slug) {
+                        if (apps.length > 0) {
+                            await setCoolifyDeploySecrets({
+                                projectDir: appDir,
+                                repoSlug: slug,
+                                apps,
+                            });
+                        }
+                        else {
+                            console.log(chalk.dim(`  · No Coolify app named "${config.name}" / "${config.name}-server" / "${config.name}-client" / "${config.name}-web" found — skipping Coolify deploy secret push.`));
+                        }
+                        const secretName = "DOTENV_PRIVATE_KEY_PRODUCTION";
+                        const preExisted = await ghSecretExists(appDir, slug, secretName);
+                        await pushProjectKeyToGh(config.name, slug);
+                        if (!preExisted) {
+                            ledger?.record({ kind: "ghActionsSecret", repo: slug, name: secretName });
+                        }
                     }
                 }
                 catch (err) {
@@ -1305,7 +1624,10 @@ async function handleCreate() {
         // created the repo + `origin` but deliberately skipped the push.
         if (config.scaffoldRepo && config.createGithubRepo && repoUrl) {
             const { pushInitialBranch } = await import("./deploy/github.js");
-            await pushInitialBranch(appDir);
+            const pushed = await pushInitialBranch(appDir);
+            if (pushed && config.deploymentMode === "coolify") {
+                await configureGhcrForCreate(repoUrl, isCreatedGithubRepoPrivate(config), ledger);
+            }
         }
         // Step 6.6: optional email forwarding setup (Cloudflare Email
         // Routing). Opt-in prompt — most projects want it but a scripted
@@ -1470,6 +1792,48 @@ async function handleUpdate() {
         console.log(chalk.yellow("  Run `pnpm install` to pick up @hatchkit/dev-plugin-next, then `hatchkit doctor` to confirm host plumbing."));
     }
 }
+async function handleServer() {
+    const sub = args[1];
+    if (sub !== "add") {
+        console.log("Usage: hatchkit server add [--yes] [--dry-run] [--server-dir <path>]");
+        console.log("Run `hatchkit help server` for details.");
+        process.exit(1);
+    }
+    const { runServerAdd } = await import("./scaffold/server-add.js");
+    const result = await runServerAdd(resolve("."), {
+        yes: args.includes("--yes") || args.includes("-y"),
+        dryRun: args.includes("--dry-run"),
+        serverDir: flagValue("--server-dir"),
+        sharedDir: flagValue("--shared-dir"),
+    });
+    if (args.includes("--json")) {
+        console.log(JSON.stringify(result, null, 2));
+        return;
+    }
+    if (result.dryRun) {
+        console.log(chalk.yellow("  --dry-run — no files were changed."));
+    }
+    if (result.created.length > 0) {
+        console.log(chalk.green(`  ✓ Created: ${result.created.join(", ")}`));
+    }
+    if (result.updated.length > 0) {
+        console.log(chalk.green(`  ✓ Updated: ${result.updated.join(", ")}`));
+    }
+    if (result.reused.length > 0) {
+        console.log(chalk.dim(`  · Reused existing: ${result.reused.join(", ")}`));
+    }
+    for (const warning of result.warnings) {
+        console.log(chalk.yellow(`  ! ${warning}`));
+    }
+    if (result.skipped.length > 0 && !result.changed) {
+        console.log(chalk.dim(`  · ${result.skipped.join(", ")}`));
+    }
+    if (result.nextSteps.length > 0) {
+        console.log(chalk.bold("\n  Next:"));
+        for (const step of result.nextSteps)
+            console.log(`    ${step}`);
+    }
+}
 async function handleConfig() {
     const subcommand = args[1];
     switch (subcommand) {
@@ -1477,7 +1841,7 @@ async function handleConfig() {
             const provider = args[2];
             if (!provider) {
                 console.log("Usage: hatchkit config add <provider>");
-                console.log("Providers: coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate, glitchtip, openpanel, resend, stripe");
+                console.log("Providers: coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate, glitchtip, openpanel, plausible, resend, search-console, stripe");
                 return;
             }
             // Handle provider setup based on name
@@ -1489,7 +1853,9 @@ async function handleConfig() {
                 case "dns":
                 case "glitchtip":
                 case "openpanel":
+                case "plausible":
                 case "resend":
+                case "search-console":
                 case "stripe":
                 case "ghcr":
                     await reconfigureProvider(provider);
@@ -1528,7 +1894,7 @@ async function handleConfig() {
                 default:
                     if (!isGpuPlatform(provider)) {
                         console.log(chalk.red(`  Unknown provider: ${provider}`));
-                        console.log(chalk.dim("  Valid: coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate, glitchtip, openpanel, resend, stripe"));
+                        console.log(chalk.dim("  Valid: coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate, glitchtip, openpanel, plausible, resend, search-console, stripe"));
                         return;
                     }
                     await reconfigureProvider(`gpu.${provider}`);
@@ -1673,6 +2039,37 @@ function printHelp(topic) {
 
   ${chalk.bold("Removal is not supported.")} Removing features could delete
     user code — remove manually + edit the manifest.
+`);
+        return;
+    }
+    if (topic === "server") {
+        console.log(`
+  ${chalk.bold("hatchkit server add")} — retrofit a server into a client-only project
+
+  ${chalk.bold("Usage:")}
+    cd <project-dir> && hatchkit server add
+    cd <project-dir> && hatchkit server add --yes
+
+  ${chalk.bold("What it does:")}
+    Reads .hatchkit.json, copies the Hatchkit server package from the
+    starter, restores shared server types, updates root scripts/workspace
+    files, flips manifest surfaces from ${chalk.cyan("client-only")} to
+    ${chalk.cyan("both")}, and switches gh-pages projects back to coolify.
+
+  ${chalk.bold("What it does not do:")}
+    No provider calls. No Coolify, DNS, GitHub, keychain, or Terraform
+    mutation. To wire deploy infra after the local scaffold:
+
+      hatchkit adopt --resume --regenerate-pipeline
+
+  ${chalk.bold("Options:")}
+    --server-dir <path>   Destination for the server package. Default:
+                          ${chalk.dim("packages/server")}.
+    --shared-dir <path>   Destination for the shared package. Default:
+                          ${chalk.dim("packages/shared")}.
+    --yes, -y             Skip confirmation.
+    --dry-run             Show planned local changes without writing.
+    --json                Machine-readable result.
 `);
         return;
     }
@@ -1792,20 +2189,22 @@ function printHelp(topic) {
     }
     if (topic === "dev-setup") {
         console.log(`
-  ${chalk.bold("hatchkit dev-setup")} — opt-in Tailscale-served dev URLs
+  ${chalk.bold("hatchkit dev-setup")} — Tailscale-served dev URLs
 
   Wires up the host-wide plumbing that makes every scaffolded project
   reachable from any Tailscale peer at:
 
-    ${chalk.cyan("https://<slug>.local.ricoslabs.com/")}
+    ${chalk.cyan("https://<slug>.local.<your-domain>/")}
 
   …without per-project DNS, port juggling, or framework basePath config.
 
   ${chalk.bold("Host-wide subcommands (run once per machine):")}
     dev-setup init [--force]   Auto-write ~/.config/dev/Caddyfile, register
                                a launchd job to run Caddy on a free port
-                               (default 9443, auto-bumps on collision), and
-                               register a tailscale serve TCP=443 bridge.
+                               (default 9443, auto-bumps on collision),
+                               register a tailscale serve TCP=443 bridge,
+                               and auto-upsert the wildcard DNS A record
+                               when Cloudflare credentials are available.
                                Idempotent — safe to re-run.
     dev-setup status           Print the same Local-dev rows that
                                ${chalk.cyan("hatchkit doctor")} would show.
@@ -1825,8 +2224,15 @@ function printHelp(topic) {
                                next.config + dep in place (they're inert
                                without the fragment).
 
-  ${chalk.bold("One-time DNS bit you do yourself (per machine, not per project):")}
-    *.local.ricoslabs.com  CNAME  <your-machine>.<tailnet>.ts.net.
+  ${chalk.bold("DNS:")}
+    ${chalk.cyan("dev-setup init")} auto-upserts a DNS-only A record on a
+    dedicated ${chalk.cyan("local.")} subdomain:
+    *.local.<your-domain>  A  <your-tailnet-ip>  (DNS-only)
+
+    Custom ${chalk.cyan("--domain")} values must use that ${chalk.cyan("local.")} prefix so
+    Hatchkit never overwrites a production wildcard such as *.example.com.
+
+    If Cloudflare credentials are unavailable, add that record manually.
 
   This feature is fully optional: until you run ${chalk.cyan("dev-setup init")},
   ${chalk.cyan("hatchkit doctor")} surfaces zero Local-dev rows. Within a project,
@@ -1864,7 +2270,7 @@ function printHelp(topic) {
       · App fqdn references an apex with no Cloudflare zone
       · R2 bucket follows the \`<project>-<role>\` convention but has no
         matching Coolify app (orphan from a destroyed project)
-      · GlitchTip / OpenPanel project with no Coolify app counterpart
+      · GlitchTip / OpenPanel / Plausible project/site with no Coolify app counterpart
       · Cloudflare zone with no Coolify app pointing into it
 
   ${chalk.bold("Flags:")}
@@ -1940,19 +2346,29 @@ function printHelp(topic) {
 
   ${chalk.bold("Usage:")}
     hatchkit add [<project-name>] [<services>] [flags]
+    hatchkit add [<services>] [flags]   ${chalk.dim("(inside a project with .hatchkit.json)")}
 
   ${chalk.bold("What it does:")}
     · GlitchTip / OpenPanel: ${chalk.bold("one project per product")}, events tagged by
       \`environment\` so dev / staging / prod share the same dashboard.
-      Written to ${chalk.cyan(".env.production")} only — dev noise pollutes real metrics.
+    · Plausible: one site for the public project domain, with browser tracker env.
+      Observability values are written to ${chalk.cyan(".env.production")} only — dev noise pollutes real metrics.
       Pass ${chalk.cyan("--enable-dev-obs")} to populate ${chalk.cyan(".env.development")} too.
     · Resend: separate ${chalk.cyan("-dev")} and ${chalk.cyan("-prod")} API keys (audience
       safety). Written to the server's dev + prod env respectively.
+    · Search Console: verifies the project domain via Cloudflare DNS TXT,
+      then adds the ${chalk.cyan("sc-domain:<domain>")} property to your Google account.
+      No runtime env is written.
     · ${chalk.cyan(".env.production")} is dotenvx-encrypted — commit-safe.
       ${chalk.cyan(".env.development")} is plaintext — gitignored, not encrypted.
     · A 0600 cache of every value is saved under
       ${chalk.dim("<config-dir>/provisioned/<project>.*.env")} for recoverability.
       ${chalk.dim("Secret values never hit stdout.")}
+    · The interactive menu only shows services not already present for the
+      current project, starts with nothing selected, and refuses explicit
+      requests that would recreate known resources.
+    · Before creating provider resources, add runs read-only existence probes
+      for the selected services and stops on conflicts so cleanup stays safe.
 
   ${chalk.bold("Surfaces:")}
     hatchkit asks which surfaces your project has. Options:
@@ -1967,7 +2383,10 @@ function printHelp(topic) {
   ${chalk.bold("Services:")}
     glitchtip   GLITCHTIP_DSN (server) / PUBLIC_GLITCHTIP_DSN (client)
     openpanel   OPENPANEL_* (server) / PUBLIC_OPENPANEL_* (client)
+    plausible   NEXT_PUBLIC_PLAUSIBLE_DOMAIN / *_SCRIPT_URL (client only)
     resend      RESEND_API_KEY (server only)
+    search-console
+                Google Search Console domain property (DNS verification; no env)
     s3          R2_<BUCKET>_ACCESS_KEY_ID / *_SECRET_ACCESS_KEY / *_BUCKET / R2_ENDPOINT
                 — mints a per-bucket scoped Cloudflare R2 API token for every
                   bucket declared in .hatchkit.json (s3Buckets). Single-bucket
@@ -1985,6 +2404,7 @@ function printHelp(topic) {
 
   ${chalk.bold("Examples:")}
     hatchkit add
+    hatchkit add search-console
     hatchkit add raptor-runner
     hatchkit add raptor-runner all --enable-dev-obs
     hatchkit add raptor-runner glitchtip,resend --no-write
@@ -2016,8 +2436,10 @@ function printHelp(topic) {
       · Writes \`.hatchkit.json\` so \`update\`, \`add\`, \`keys\` recognise
         the project.
       · ${chalk.cyan("GitHub remote")} — \`git init\` (if needed),
-        commit, \`gh repo create --private --source=. --push\`. Skipped
-        when an \`origin\` is already set.
+        commit, \`gh repo create --private|--public --source=. --push\`.
+        Visibility is prompted (default private) or set with
+        \`--github-visibility private|public\`. Skipped when an \`origin\`
+        is already set.
       · ${chalk.cyan("Coolify + DNS")} — direct REST-API calls into the
         Coolify and Cloudflare you already configured (no Terraform,
         no submodule). Finds or creates the Coolify project, picks
@@ -2027,7 +2449,7 @@ function printHelp(topic) {
         (DOTENV_PRIVATE_KEY_PRODUCTION + GITHUB_REPO_URL), upserts an
         A record \`<domain> → <server-ip>\` on Cloudflare, and triggers
         the first deploy. Defaults ON when no matching app exists.
-      · Optionally provisions GlitchTip / OpenPanel / Resend clients
+      · Optionally provisions GlitchTip / OpenPanel / Plausible / Resend clients
         (same machinery as \`hatchkit add\`).
       · Optionally pushes the dotenvx private key to Coolify
         (redundant when the Coolify+DNS step ran — it already does).
@@ -2086,7 +2508,11 @@ function printHelp(topic) {
   ${chalk.bold("Services:")}
     glitchtip   Deletes the GlitchTip project
     openpanel   Deletes the OpenPanel project (and clears cached creds)
+    plausible   Deletes the Plausible site cached for this project
     resend      Finds API keys by name and deletes them
+    search-console
+                Removes the Search Console property from your Google account
+                (keeps DNS verification token / ownership state)
     s3          Deletes per-bucket scoped Cloudflare R2 API tokens
                 (clears the keychain entries and DELETEs upstream)
 
@@ -2124,7 +2550,7 @@ function printHelp(topic) {
     create + adopt:
     - GitHub repo                              ${chalk.dim("gh repo delete")}
     - dotenvx private key in keychain          ${chalk.dim("keytar deletePassword")}
-    - GlitchTip / OpenPanel / Resend           ${chalk.dim("DELETE")} per-vendor
+    - GlitchTip / OpenPanel / Plausible / Resend ${chalk.dim("DELETE")} per-vendor
     - Coolify app / project / database         ${chalk.dim("DELETE /api/v1/...")}
 
     adopt-only (fine-grained, never wider than what adopt itself wrote):
@@ -2269,7 +2695,7 @@ function printHelp(topic) {
     config              Show status of every configured provider (alias: \`status\`)
     config add <p>      Configure a provider
                         (coolify, ghcr, hetzner, dns, s3, modal, runpod, hf, replicate,
-                         glitchtip, openpanel, resend, stripe)
+                         glitchtip, openpanel, plausible, resend, search-console, stripe)
     config reset        Clear ALL CLI config (providers, tokens, ML registry, ports)
 `);
         return;
@@ -2302,13 +2728,13 @@ function printHelp(topic) {
     }
     if (topic === "assets") {
         console.log(`
-  ${chalk.bold("hatchkit assets")} — move bytes between local MinIO and prod buckets
+  ${chalk.bold("hatchkit assets")} — move bytes between local S3 and prod buckets
 
   ${chalk.bold("Subcommands:")}
-    assets seed     [--from <dir>]                Local dir → local MinIO bucket.
+    assets seed     [--from <dir>]                Local dir → local S3 bucket.
                                                   Defaults to ./seed/assets.
-    assets push     [--bucket assets|state]       Local MinIO → prod bucket.
-    assets pull     [--bucket assets|state]       Prod bucket → local MinIO.
+    assets push     [--bucket assets|state]       Local S3 → prod bucket.
+    assets pull     [--bucket assets|state]       Prod bucket → local S3.
                                                   Caution: prod data may include PII.
     assets migrate  --from-endpoint=URL           External S3 → prod bucket.
                     --from-bucket=NAME            The adoption escape hatch — copy
@@ -2335,7 +2761,7 @@ function printHelp(topic) {
     the env doesn't carry them (R2's URL-driven assets bucket).
 
   ${chalk.bold("Examples:")}
-    hatchkit assets seed                                # ./seed/assets/ → local MinIO
+    hatchkit assets seed                                # ./seed/assets/ → local S3
     hatchkit assets push --dry-run                      # see what would ship to prod
     hatchkit assets push                                # actually ship it
     hatchkit assets migrate --from-endpoint https://nyc3.digitaloceanspaces.com \\
@@ -2374,8 +2800,9 @@ function printHelp(topic) {
     create          Scaffold a new project (interactive)
     adopt           Bring an existing project under hatchkit management (run in project dir)
     update          Add features to an already-scaffolded project (run in project dir)
-    add             Create GlitchTip / OpenPanel / Resend clients for an existing project
-    assets          Move bytes between local MinIO and prod buckets (seed/push/pull/migrate)
+    server add      Retrofit a server into a client-only project
+    add             Create GlitchTip / OpenPanel / Plausible / Resend clients for an existing project
+    assets          Move bytes between local S3 and prod buckets (seed/push/pull/migrate)
     remove          Delete the -dev/-prod clients created by 'add' (inverse of add)
     destroy         Roll back everything ${chalk.cyan("hatchkit create")} did for a project
     rename-domain   Move a scaffolded project to a new domain (rewrites tfvars/env/manifest)
@@ -2408,7 +2835,12 @@ function printHelp(topic) {
     --yes, -y       (with \`create\`) skip prompts, use defaults / --config values
     --config <path> (with \`create\`) load JSON overrides for ProjectConfig fields
     --name <name>   (with \`create\`) set project name without prompting
+    --local-dev[=<slug>] (with \`create\`) enable Tailscale dev URL, optionally with slug
+    --no-local-dev  (with \`create\`) skip local-dev wiring
     --no-github     (with \`create\`) skip GitHub repo creation
+    --github-visibility {private|public}
+                    (with \`create\`) visibility for a newly-created GitHub repo.
+                    Default: private. Shorthands: \`--private\`, \`--public\`.
     --no-deploy     (with \`create\`) skip Terraform/Coolify/ML deployment
 
   ${chalk.bold("Environment:")}