relight-cli 0.1.0 → 0.3.0

package/src/commands/deploy.js

@@ -0,0 +1,264 @@
+import { createInterface } from "readline";
+import { phase, status, success, hint, fatal, fmt, generateAppName } from "../lib/output.js";
+import { readLink, linkApp, resolveAppName } from "../lib/link.js";
+import { resolveTarget } from "../lib/providers/resolve.js";
+import { dockerBuild, dockerTag, dockerPush, dockerLogin } from "../lib/docker.js";
+
+export async function deploy(nameOrPath, path, options) {
+  var target = await resolveTarget(options);
+  var cfg = target.cfg;
+
+  // Smart arg parsing: if first arg looks like a path, shift args
+  var name;
+  var dockerPath;
+  if (!nameOrPath) {
+    name = readLink()?.app || generateAppName();
+    dockerPath = ".";
+  } else if (nameOrPath.startsWith(".") || nameOrPath.startsWith("/") || nameOrPath.startsWith("~")) {
+    name = readLink()?.app || generateAppName();
+    dockerPath = nameOrPath;
+  } else {
+    name = nameOrPath;
+    dockerPath = path || ".";
+  }
+
+  var tag = options.tag || `${Date.now()}`;
+
+  // Get registry credentials and image tag
+  var registry = await target.provider("registry");
+  var remoteTag = await registry.getImageTag(cfg, name, tag);
+  var localTag = `relight-${name}:${tag}`;
+
+  // Load existing config from deployed worker (null on first deploy)
+  var appProvider = await target.provider("app");
+  var appConfig;
+  try {
+    appConfig = await appProvider.getAppConfig(cfg, name);
+  } catch {
+    appConfig = null;
+  }
+
+  var isFirstDeploy = !appConfig;
+
+  // Get valid regions for this cloud/service
+  var validRegions = appProvider.getRegions();
+  var validCodes = validRegions.map((r) => r.code);
+
+  if (appConfig) {
+    // Existing app - update image, merge any flags
+    appConfig.image = remoteTag;
+    appConfig.deployedAt = new Date().toISOString();
+
+    if (options.env) {
+      if (!appConfig.envKeys) appConfig.envKeys = [];
+      if (!appConfig.secretKeys) appConfig.secretKeys = [];
+      if (!appConfig.env) appConfig.env = {};
+      for (var v of options.env) {
+        var eq = v.indexOf("=");
+        if (eq !== -1) {
+          var k = v.substring(0, eq);
+          appConfig.env[k] = v.substring(eq + 1);
+          appConfig.secretKeys = appConfig.secretKeys.filter((s) => s !== k);
+          if (!appConfig.envKeys.includes(k)) appConfig.envKeys.push(k);
+        }
+      }
+    }
+    if (options.regions)
+      appConfig.regions = options.regions.split(",").map((r) => r.trim());
+    if (options.instances) appConfig.instances = options.instances;
+    if (options.port) appConfig.port = options.port;
+    if (options.sleep) appConfig.sleepAfter = options.sleep;
+    if (options.instanceType) appConfig.instanceType = options.instanceType;
+    if (options.vcpu) appConfig.vcpu = options.vcpu;
+    if (options.memory) appConfig.memory = options.memory;
+    if (options.disk) appConfig.disk = options.disk;
+    if (options.observability === false) appConfig.observability = false;
+  } else {
+    // First deploy - build config from flags + defaults
+    var env = {};
+    var envKeys = [];
+    if (options.env) {
+      for (var v of options.env) {
+        var eq = v.indexOf("=");
+        if (eq !== -1) {
+          var k = v.substring(0, eq);
+          env[k] = v.substring(eq + 1);
+          envKeys.push(k);
+        }
+      }
+    }
+
+    var isService = target.kind === "service";
+    var defaultRegion = isService ? "self-hosted" : target.type === "gcp" ? "us-central1" : target.type === "aws" ? "us-east-1" : "enam";
+    var regions;
+
+    if (options.regions) {
+      regions = options.regions.split(",").map((r) => r.trim());
+    } else if (!isService && (target.type === "gcp" || target.type === "aws") && process.stdin.isTTY) {
+      // Interactive region picker for GCP/AWS first deploy
+      var { createInterface: createRL } = await import("readline");
+      var rl = createRL({ input: process.stdin, output: process.stderr });
+      process.stderr.write(`\n${fmt.bold("Select a region:")}\n\n`);
+      for (var i = 0; i < validRegions.length; i++) {
+        process.stderr.write(
+          `  ${fmt.bold(`[${i + 1}]`)} ${validRegions[i].code} ${fmt.dim(`(${validRegions[i].name})`)}\n`
+        );
+      }
+      process.stderr.write("\n");
+      var choice = await new Promise((resolve) =>
+        rl.question(`Region [1-${validRegions.length}] (default: 1): `, resolve)
+      );
+      rl.close();
+      var idx = choice.trim() ? parseInt(choice, 10) - 1 : 0;
+      if (isNaN(idx) || idx < 0 || idx >= validRegions.length) {
+        fatal("Invalid region selection.");
+      }
+      regions = [validRegions[idx].code];
+    } else {
+      regions = [defaultRegion];
+    }
+
+    for (var r of regions) {
+      if (!validCodes.includes(r)) {
+        fatal(
+          `Invalid region '${r}'.`,
+          `Valid regions: ${validCodes.join(", ")}`
+        );
+      }
+    }
+
+    appConfig = {
+      name,
+      regions,
+      instances: options.instances || (isService ? 1 : 2),
+      port: options.port || 8080,
+      sleepAfter: options.sleep || "30s",
+      instanceType: options.instanceType || (isService || target.type === "gcp" || target.type === "aws" ? undefined : "lite"),
+      vcpu: options.vcpu || undefined,
+      memory: options.memory || undefined,
+      disk: options.disk || undefined,
+      env,
+      envKeys,
+      secretKeys: [],
+      domains: [],
+      image: remoteTag,
+      createdAt: new Date().toISOString(),
+      deployedAt: new Date().toISOString(),
+    };
+  }
+
+  var newSecrets = {};
+
+  // --- Summary & confirmation ---
+  var instanceDesc = appConfig.vcpu
+    ? `${appConfig.vcpu} vCPU, ${appConfig.memory || "default"} MiB`
+    : appConfig.instanceType || "lite";
+
+  process.stderr.write(`\n${fmt.bold("Deploy summary")}\n`);
+  process.stderr.write(`${fmt.dim("-".repeat(40))}\n`);
+  process.stderr.write(`  ${fmt.bold("App:")}        ${fmt.app(name)}${isFirstDeploy ? fmt.dim(" (new)") : ""}\n`);
+  if (target.kind === "service") {
+    process.stderr.write(`  ${fmt.bold("Service:")}    ${fmt.cloud(target.id)} ${fmt.dim(`(${target.type})`)}\n`);
+  } else {
+    process.stderr.write(`  ${fmt.bold("Cloud:")}      ${fmt.cloud(target.id)}\n`);
+  }
+  process.stderr.write(`  ${fmt.bold("Path:")}       ${dockerPath}\n`);
+  process.stderr.write(`  ${fmt.bold("Image:")}      ${remoteTag}\n`);
+  process.stderr.write(`  ${fmt.bold("Regions:")}    ${appConfig.regions.join(", ")}\n`);
+  process.stderr.write(`  ${fmt.bold("Instances:")}  ${appConfig.instances || 2} per region\n`);
+  process.stderr.write(`  ${fmt.bold("Type:")}       ${instanceDesc}\n`);
+  process.stderr.write(`  ${fmt.bold("Port:")}       ${appConfig.port || 8080}\n`);
+  process.stderr.write(`  ${fmt.bold("Sleep:")}      ${appConfig.sleepAfter || "30s"}\n`);
+  if (appConfig.dbId) {
+    process.stderr.write(`  ${fmt.bold("Database:")}   ${appConfig.dbName}\n`);
+  }
+  process.stderr.write(`${fmt.dim("-".repeat(40))}\n`);
+
+  if (!options.yes) {
+    var rl = createInterface({ input: process.stdin, output: process.stderr });
+    var answer = await new Promise((resolve) =>
+      rl.question("\nProceed? [Y/n] ", resolve)
+    );
+    rl.close();
+    if (answer && !answer.match(/^y(es)?$/i)) {
+      process.stderr.write("Deploy cancelled.\n");
+      process.exit(0);
+    }
+  }
+
+  // 1. Build Docker image
+  var platform = "linux/amd64";
+  if (target.type === "slicervm") {
+    // Match VM architecture
+    var { listNodes } = await import("../lib/clouds/slicervm.js");
+    var nodes = await listNodes(cfg);
+    var vmArch = nodes[0]?.arch;
+    if (vmArch === "arm64" || vmArch === "aarch64") platform = "linux/arm64";
+  }
+  phase("Building image");
+  status(`${localTag} for ${platform}`);
+  dockerBuild(dockerPath, localTag, { platform });
+
+  if (target.kind === "service") {
+    // Service: skip registry push - deploy extracts and uploads the image directly
+    phase("Deploying");
+    await appProvider.deploy(cfg, name, localTag, {
+      appConfig,
+      isFirstDeploy,
+      newSecrets,
+    });
+  } else {
+    // 2. Push to registry
+    phase("Pushing to registry");
+    status("Authenticating...");
+    var creds = await registry.getCredentials(cfg);
+    dockerLogin(creds.registry, creds.username, creds.password);
+    if (registry.ensureRepository) await registry.ensureRepository(cfg, name);
+    status(`Pushing ${remoteTag}...`);
+    dockerTag(localTag, remoteTag);
+    dockerPush(remoteTag);
+
+    // 3. Deploy via provider
+    phase("Deploying");
+    await appProvider.deploy(cfg, name, remoteTag, {
+      appConfig,
+      isFirstDeploy,
+      newSecrets,
+    });
+  }
+
+  // 4. Resolve URL and report
+  var url = await appProvider.getAppUrl(cfg, name);
+
+  if (options.json) {
+    var result = {
+      name,
+      image: remoteTag,
+      url,
+      regions: appConfig.regions,
+      instances: appConfig.instances,
+      firstDeploy: isFirstDeploy,
+    };
+    if (target.kind === "service") {
+      result.service = target.id;
+    } else {
+      result.cloud = target.id;
+    }
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    success(`App ${fmt.app(name)} deployed!`);
+    process.stderr.write(`  ${fmt.bold("Name:")}  ${fmt.app(name)}\n`);
+    process.stderr.write(`  ${fmt.bold("Image:")} ${remoteTag}\n`);
+    process.stderr.write(
+      `  ${fmt.bold("URL:")}   ${url ? fmt.url(url) : fmt.dim("(configure workers.dev subdomain to see URL)")}\n`
+    );
+    hint("Next", `relight open ${name}`);
+  }
+
+  // Link this directory to the app
+  if (target.kind === "service") {
+    linkApp(name, null, options.dns, null, target.id);
+  } else {
+    linkApp(name, target.id, options.dns);
+  }
+}

package/src/commands/doctor.js

@@ -4,10 +4,14 @@ import {
   tryGetConfig,
   CONFIG_PATH,
   CLOUD_NAMES,
+  SERVICE_TYPES,
+  getRegisteredServices,
+  normalizeServiceConfig,
 } from "../lib/config.js";
 import { verifyToken as cfVerify, getWorkersSubdomain } from "../lib/clouds/cf.js";
-import { mintAccessToken, verifyProject as gcpVerifyProject, listRegions as gcpListRegions } from "../lib/clouds/gcp.js";
-import { verifyCredentials as awsVerify, checkAppRunner } from "../lib/clouds/aws.js";
+import { mintAccessToken, verifyProject as gcpVerifyProject, listRegions as gcpListRegions, gcpApi, AR_API, SQLADMIN_API, DNS_API } from "../lib/clouds/gcp.js";
+import { verifyCredentials as awsVerify, checkAppRunner, awsJsonApi, awsQueryApi, awsRestXmlApi } from "../lib/clouds/aws.js";
+import { verifyConnection as slicerVerify } from "../lib/clouds/slicervm.js";
 import kleur from "kleur";
 
 var PASS = kleur.green("[ok]");
@@ -16,7 +20,7 @@ var SKIP = kleur.yellow("[--]");
 
 export async function doctor() {
   process.stderr.write(`\n${kleur.bold("relight doctor")}\n`);
-  process.stderr.write(`${kleur.dim("─".repeat(50))}\n\n`);
+  process.stderr.write(`${kleur.dim("-".repeat(50))}\n\n`);
   var allGood = true;
 
   // --- General checks ---
@@ -73,9 +77,29 @@ export async function doctor() {
     }
   }
 
+  // --- Services ---
+
+  var services = getRegisteredServices();
+  if (services.length > 0) {
+    process.stderr.write(`\n${kleur.bold("  Services")}\n`);
+
+    for (var service of services) {
+      var typeName = SERVICE_TYPES[service.type]?.name || service.type;
+      var endpoint = service.socketPath || service.apiUrl || "unknown";
+
+      allGood =
+        (await asyncCheck(`${service.name} (${typeName} - ${endpoint})`, async () => {
+          if (service.type === "slicervm") {
+            var cfg = normalizeServiceConfig(service);
+            await slicerVerify(cfg);
+          }
+        })) && allGood;
+    }
+  }
+
   // --- Summary ---
 
-  process.stderr.write(`\n${kleur.dim("─".repeat(50))}\n`);
+  process.stderr.write(`\n${kleur.dim("-".repeat(50))}\n`);
   if (allGood) {
     process.stderr.write(kleur.green("All checks passed.\n\n"));
   } else {
@@ -134,6 +158,21 @@ async function checkGCP(cfg) {
       (await asyncCheck("Cloud Run API reachable", async () => {
         await gcpListRegions(token, cfg.project);
       })) && ok;
+
+    ok =
+      (await asyncCheck("Artifact Registry API reachable", async () => {
+        await gcpApi("GET", `${AR_API}/projects/${cfg.project}/locations/us/repositories`, null, token);
+      })) && ok;
+
+    ok =
+      (await asyncCheck("Cloud SQL Admin API reachable", async () => {
+        await gcpApi("GET", `${SQLADMIN_API}/projects/${cfg.project}/instances`, null, token);
+      })) && ok;
+
+    ok =
+      (await asyncCheck("Cloud DNS API reachable", async () => {
+        await gcpApi("GET", `${DNS_API}/projects/${cfg.project}/managedZones`, null, token);
+      })) && ok;
   }
 
   return ok;
@@ -143,23 +182,40 @@ async function checkGCP(cfg) {
 
 async function checkAWS(cfg) {
   var ok = true;
+  var cr = { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey };
 
   ok =
     (await asyncCheck("Credentials valid (STS)", async () => {
-      await awsVerify(
-        { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey },
-        cfg.region
-      );
+      await awsVerify(cr, cfg.region);
     })) && ok;
 
   ok =
     (await asyncCheck("App Runner accessible", async () => {
-      await checkAppRunner(
-        { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey },
-        cfg.region
+      await checkAppRunner(cr, cfg.region);
+    })) && ok;
+
+  ok =
+    (await asyncCheck("ECR accessible", async () => {
+      await awsJsonApi(
+        "AmazonEC2ContainerRegistry_V20150921.DescribeRepositories",
+        {},
+        "ecr",
+        cr,
+        cfg.region,
+        `api.ecr.${cfg.region}.amazonaws.com`
       );
     })) && ok;
 
+  ok =
+    (await asyncCheck("RDS accessible", async () => {
+      await awsQueryApi("DescribeDBInstances", {}, "rds", cr, cfg.region);
+    })) && ok;
+
+  ok =
+    (await asyncCheck("Route 53 accessible", async () => {
+      await awsRestXmlApi("GET", "/2013-04-01/hostedzone", null, cr);
+    })) && ok;
+
   return ok;
 }
 
@@ -172,7 +228,7 @@ function check(label, fn) {
     return true;
   } catch (e) {
     process.stderr.write(`  ${FAIL}  ${label}`);
-    if (e.message) process.stderr.write(kleur.dim(` — ${e.message}`));
+    if (e.message) process.stderr.write(kleur.dim(` - ${e.message}`));
     process.stderr.write("\n");
     return false;
   }
@@ -185,7 +241,7 @@ async function asyncCheck(label, fn) {
     return true;
   } catch (e) {
     process.stderr.write(`  ${FAIL}  ${label}`);
-    if (e.message) process.stderr.write(kleur.dim(` — ${truncate(e.message, 80)}`));
+    if (e.message) process.stderr.write(kleur.dim(` - ${truncate(e.message, 80)}`));
     process.stderr.write("\n");
     return false;
   }

package/src/commands/domains.js

@@ -0,0 +1,223 @@
+import { createInterface } from "readline";
+import { phase, status, success, fatal, hint, fmt } from "../lib/output.js";
+import { resolveAppName, resolveDns, readLink, linkApp } from "../lib/link.js";
+import { resolveTarget, resolveCloudId, getCloudCfg, getProvider } from "../lib/providers/resolve.js";
+import kleur from "kleur";
+
+function prompt(rl, question) {
+  return new Promise((resolve) => rl.question(question, resolve));
+}
+
+export async function domainsList(name, options) {
+  name = resolveAppName(name);
+  var target = await resolveTarget(options);
+  var cfg = target.cfg;
+  var dnsProvider = await target.provider("dns");
+
+  var result = await dnsProvider.listDomains(cfg, name);
+
+  if (options.json) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+
+  if (result.default) {
+    console.log(
+      `\n${fmt.bold("Default:")} ${fmt.url(`https://${result.default}`)}`
+    );
+  }
+
+  if (result.custom.length === 0) {
+    console.log(`${fmt.bold("Custom:")}  ${fmt.dim("(none)")}`);
+    hint("Add", `relight domains add ${name}`);
+    return;
+  }
+
+  console.log(`\n${fmt.bold("Custom domains:")}`);
+  for (var d of result.custom) {
+    console.log(`  ${d}`);
+  }
+}
+
+export async function domainsAdd(args, options) {
+  var name, domain;
+
+  if (args.length === 2) {
+    name = args[0];
+    domain = args[1];
+  } else if (args.length === 1) {
+    if (args[0].includes(".")) {
+      name = resolveAppName(null);
+      domain = args[0];
+    } else {
+      name = args[0];
+      domain = null;
+    }
+  } else {
+    name = resolveAppName(null);
+    domain = null;
+  }
+
+  var target = await resolveTarget(options);
+  var appCfg = target.cfg;
+  var appProvider = await target.provider("app");
+
+  // Cross-cloud DNS: --dns flag or .relight dns field specifies a different cloud for DNS records
+  var dnsFlag = options.dns || resolveDns();
+  var crossCloud = dnsFlag && (target.kind === "service" || resolveCloudId(dnsFlag) !== target.id);
+  var dnsCloud = crossCloud ? resolveCloudId(dnsFlag) : (target.kind === "cloud" ? target.id : null);
+  var dnsCfg = crossCloud ? getCloudCfg(dnsCloud) : appCfg;
+  var dnsProvider = crossCloud ? await getProvider(dnsCloud, "dns") : await target.provider("dns");
+
+  var appConfig = await appProvider.getAppConfig(appCfg, name);
+  if (!appConfig) {
+    fatal(
+      `App ${fmt.app(name)} not found.`,
+      `Run ${fmt.cmd(`relight deploy ${name} .`)} first.`
+    );
+  }
+
+  // Fetch zones from the DNS provider
+  status("Loading zones...");
+  var zones = await dnsProvider.getZones(dnsCfg);
+
+  if (zones.length === 0) {
+    fatal(
+      "No active zones found in the DNS account.",
+      "Add a domain to your DNS provider first."
+    );
+  }
+
+  var rl = createInterface({ input: process.stdin, output: process.stderr });
+  var zone;
+
+  if (domain) {
+    zone = dnsProvider.findZoneForHostname(zones, domain);
+    if (!zone) {
+      rl.close();
+      var zoneList = zones.map((z) => `  ${z.name}`).join("\n");
+      fatal(
+        `No zone found for '${domain}'.`,
+        `Available zones:\n${zoneList}`
+      );
+    }
+  } else {
+    process.stderr.write(`\n${kleur.bold("Available zones:")}\n\n`);
+    for (var i = 0; i < zones.length; i++) {
+      process.stderr.write(
+        `  ${kleur.bold(`[${i + 1}]`)} ${zones[i].name}\n`
+      );
+    }
+    process.stderr.write("\n");
+
+    var zoneChoice = await prompt(rl, `Select zone [1-${zones.length}]: `);
+    var zoneIdx = parseInt(zoneChoice, 10) - 1;
+    if (isNaN(zoneIdx) || zoneIdx < 0 || zoneIdx >= zones.length) {
+      rl.close();
+      fatal("Invalid selection.");
+    }
+    zone = zones[zoneIdx];
+
+    process.stderr.write(`\n${kleur.bold("Route type:")}\n\n`);
+    process.stderr.write(`  ${kleur.bold("[1]")} Root domain (${zone.name})\n`);
+    process.stderr.write(`  ${kleur.bold("[2]")} Subdomain (*.${zone.name})\n`);
+    process.stderr.write("\n");
+
+    var routeChoice = await prompt(rl, "Select [1-2]: ");
+
+    if (routeChoice.trim() === "1") {
+      domain = zone.name;
+    } else if (routeChoice.trim() === "2") {
+      var sub = await prompt(rl, `Subdomain: ${fmt.dim("___." + zone.name + " -> ")} `);
+      sub = (sub || "").trim();
+      if (!sub) {
+        rl.close();
+        fatal("No subdomain provided.");
+      }
+      domain = `${sub}.${zone.name}`;
+    } else {
+      rl.close();
+      fatal("Invalid selection.");
+    }
+  }
+
+  rl.close();
+
+  if (crossCloud) {
+    // Cross-cloud: DNS record on one cloud, app config on another
+    status(`Creating DNS record for ${domain}...`);
+    var appUrl = await appProvider.getAppUrl(appCfg, name);
+    var dnsTarget = new URL(appUrl).hostname;
+    try {
+      await dnsProvider.addDnsRecord(dnsCfg, domain, dnsTarget, zone);
+    } catch (e) {
+      fatal(e.message);
+    }
+
+    // Update app config on the app cloud/service
+    status(`Updating app config...`);
+    if (!appConfig.domains) appConfig.domains = [];
+    if (!appConfig.domains.includes(domain)) {
+      appConfig.domains.push(domain);
+      await appProvider.pushAppConfig(appCfg, name, appConfig);
+    }
+
+    // Persist dns cloud in .relight so future commands don't need --dns
+    var linked = readLink();
+    if (linked && !linked.dns) {
+      linkApp(linked.app, linked.cloud, dnsCloud, undefined, linked.compute);
+    }
+  } else {
+    // Same-cloud: existing flow
+    status(`Attaching ${domain} to relight-${name}...`);
+    try {
+      await dnsProvider.addDomain(dnsCfg, name, domain, { zone, zones });
+    } catch (e) {
+      fatal(e.message);
+    }
+  }
+
+  success(`Domain ${fmt.bold(domain)} added to ${fmt.app(name)}.`);
+  process.stderr.write(`  ${fmt.url(`https://${domain}`)}\n`);
+}
+
+export async function domainsRemove(args, options) {
+  var name, domain;
+  if (args.length === 2) {
+    name = args[0];
+    domain = args[1];
+  } else if (args.length === 1) {
+    name = resolveAppName(null);
+    domain = args[0];
+  } else {
+    fatal("Usage: relight domains remove [name] <domain>");
+  }
+
+  var target = await resolveTarget(options);
+  var appCfg = target.cfg;
+
+  var dnsFlag = options.dns || resolveDns();
+  var crossCloud = dnsFlag && (target.kind === "service" || resolveCloudId(dnsFlag) !== target.id);
+  var dnsCloud = crossCloud ? resolveCloudId(dnsFlag) : (target.kind === "cloud" ? target.id : null);
+  var dnsCfg = crossCloud ? getCloudCfg(dnsCloud) : appCfg;
+  var dnsProvider = crossCloud ? await getProvider(dnsCloud, "dns") : await target.provider("dns");
+
+  status(`Removing ${domain}...`);
+
+  if (crossCloud) {
+    // Cross-cloud: remove DNS record from dns cloud, update app config on app cloud/service
+    await dnsProvider.removeDnsRecord(dnsCfg, domain);
+
+    var appProvider = await target.provider("app");
+    var appConfig = await appProvider.getAppConfig(appCfg, name);
+    if (appConfig) {
+      appConfig.domains = (appConfig.domains || []).filter((d) => d !== domain);
+      await appProvider.pushAppConfig(appCfg, name, appConfig);
+    }
+  } else {
+    // Same-cloud: existing flow
+    await dnsProvider.removeDomain(dnsCfg, name, domain);
+  }
+
+  success(`Domain ${fmt.bold(domain)} removed from ${fmt.app(name)}.`);
+}