feat: real list+delete for Volume/Network/NIC/SecurityGroup + post-run summary

- ComputeVolume, Network, SecurityGroup wired against iaas/v2api
  (previously stubs)
- New NetworkInterface resource type (ListNics scoped per Network)
- DependsOn graph: NIC after Server; Network after NIC; SG after NIC
- Compact log formatter strips libnuke property dump; --log-verbose
  restores the full output
- Post-run summary prints a grouped list of nuked resources with an
  ASCII art banner (only on --no-dry-run)
- dev-infra/nuke.yaml(.example) companion config covering the 5
  implemented resource types; filters out the project default SG
- README: Concepts section, sample summary output, updated coverage
  table (5/20 working)
- CHANGELOG: 0.0.2 entry

Author: qaiser42

CHANGELOG.md

@@ -6,13 +6,28 @@ to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+## [0.0.2] - 2026-05-14
+
+### Added
+- Real list + delete via STACKIT IaaS v2 SDK for: ComputeVolume,
+  Network, NetworkInterface, SecurityGroup
+- New `NetworkInterface` resource type
+- `dev-infra/` Pulumi (Go) stack for round-trip create + nuke testing,
+  plus `dev-infra/nuke.yaml(.example)` companion config
+- Post-run summary: grouped list of nuked resources + ASCII art banner
+- Compact log formatter (strips libnuke property dump);
+  `--log-verbose` restores full output
+
+## [0.0.1]
+
 ### Added
 - Initial scaffold: CLI, libnuke wiring, STACKIT auth, config loader
 - Resource registrations (placeholder Listers): ComputeServer, ComputeVolume,
   ComputeSnapshot, ComputeKeypair, Network, Subnet, Router, SecurityGroup,
   FloatingIP, ObjectStorageBucket, ObjectStorageObject, SKECluster,
   PostgresFlexInstance, MongoDBFlexInstance, RedisInstance,
   OpenSearchInstance, RabbitMQInstance, LoadBalancer, DNSZone
+- Real list + delete via STACKIT IaaS v2 SDK for ComputeServer
 - CI: lint, test, build (GitHub Actions, Go 1.25)
 - Release: GoReleaser cross-compile, ko distroless multi-arch, Cosign signing
 - Docs: MkDocs Material site published to GitHub Pages

README.md

@@ -60,8 +60,51 @@ stackit-nuke run --config config.yaml                 # dry run
 stackit-nuke run --config config.yaml --no-dry-run    # real
 ```
 
+After a real run, you get a summary of everything deleted:
+
+```
+                  _ _.-'`-._
+              .-'`           '-.
+            .'      _ . - = - . _   '.
+           /    .-'             '-.   \
+          /   .'                   '.  \
+         |   /                       \  |
+         |  |          BOOM           | |
+         |  |                         | |
+          \  '.                     .'  /
+           \   '-.                .-'  /
+            '.    '-._        _.-'   .'
+              '-.     `'----'`    .-'
+                 `'-..__________..-'`
+
+9 resource(s) nuked:
+
+  ComputeServer
+    - dev-server-0 (2bd1a04d)
+    - dev-server-1 (6adb84a9)
+  ComputeVolume
+    - stackit-nuke-dev-extra (bb668c22)
+  Network
+    - dev-net (6f452480)
+  NetworkInterface
+    - dev-nic-0-b7856b3 (605f8edd)
+    - dev-nic-1-cf66680 (3958de73)
+```
+
 Full docs: <https://qaiser42.io/stackit-nuke>
 
+## Concepts
+
+- **Project allow-list** — `project-ids` is the universe of what may be nuked. The CLI may *narrow* it (`--project-id`); it cannot widen. Without it, the tool refuses to start.
+- **Blocklist** — `blocklist` is a hard veto. If any blocked ID also appears in `project-ids`, startup fails. Belt-and-suspenders against fat-fingering.
+- **Dry-run default** — `run` lists what would be deleted. Real deletion requires `--no-dry-run` *and* (unless `--force`) typing the project ID back at a prompt.
+- **Filters mark resources as ineligible** — counter-intuitive: a filter is a *keep-list*, not a kill-list. Anything matched by a filter survives; everything else gets deleted. Filter by `Name`, `tag:*`, etc.
+- **Presets** — reusable named filter sets, attached to accounts via `presets: [...]`. Same shape as filters; just deduped at one site.
+- **Resource type include/exclude** — `resource-types.includes` narrows the registered set; `excludes` always wins. Empty `includes` means all registered types.
+- **Scopes** — every resource is `ProjectScope` today (region-aware, scoped to one STACKIT project). Engine also supports an `OrganizationScope` we have not yet used.
+- **Dependency order** — each `Resource` declares `DependsOn`. libnuke topologically sorts and only deletes a resource once everything it depends on has finished. E.g. `Network` depends on `NetworkInterface` so NICs detach first.
+- **Settings & feature-flags** — per-resource toggles (e.g. `EmptyBeforeDelete: true` for buckets) live under `settings:`. Engine behaviors (`wait-on-dependencies`, `filter-groups`) live under `feature-flags:`.
+
 ## How it works (101)
 
 `stackit-nuke` is a thin CLI shell over [`libnuke`](https://github.com/ekristen/libnuke). We write the STACKIT-specific bits; libnuke does the engine work.
@@ -71,7 +114,7 @@ Full docs: <https://qaiser42.io/stackit-nuke>
 `main.go` blank-imports `pkg/commands/...` and `resources/...`. Their `init()` functions:
 
 - register CLI subcommands (`run`, `resource-types`)
-- register **19 resource types** with `libnuke/pkg/registry` — each entry pairs a `Lister` (discover) with a `Resource` (delete) and optional `DependsOn` (ordering)
+- register **20 resource types** with `libnuke/pkg/registry` — each entry pairs a `Lister` (discover) with a `Resource` (delete) and optional `DependsOn` (ordering)
 
 No reflection, no plugin loader — pure compile-time wiring.
 
@@ -151,13 +194,14 @@ Legend: ✅ list + delete via real STACKIT SDK · 🟡 registered, lister return
 | Service | Resource | Status | SDK package |
 |---|---|---|---|
 | IaaS / compute | `ComputeServer` | ✅ | `stackit-sdk-go/services/iaas/v2api` |
-| IaaS / compute | `ComputeVolume` | 🟡 | `iaas/v2api` |
+| IaaS / compute | `ComputeVolume` | ✅ | `iaas/v2api` |
 | IaaS / compute | `ComputeSnapshot` | 🟡 | `iaas/v2api` |
 | IaaS / compute | `ComputeKeypair` | 🟡 | `iaas/v2api` |
-| IaaS / network | `Network` | 🟡 | `iaas/v2api` |
+| IaaS / network | `Network` | ✅ | `iaas/v2api` |
+| IaaS / network | `NetworkInterface` | ✅ | `iaas/v2api` |
 | IaaS / network | `Subnet` | 🟡 | `iaas/v2api` |
 | IaaS / network | `Router` | 🟡 | `iaas/v2api` |
-| IaaS / network | `SecurityGroup` | 🟡 | `iaas/v2api` |
+| IaaS / network | `SecurityGroup` | ✅ | `iaas/v2api` |
 | IaaS / network | `FloatingIP` | 🟡 | `iaas/v2api` |
 | Object Storage | `ObjectStorageBucket` | 🟡 | `services/objectstorage` |
 | Object Storage | `ObjectStorageObject` | 🟡 | `services/objectstorage` |
@@ -170,7 +214,7 @@ Legend: ✅ list + delete via real STACKIT SDK · 🟡 registered, lister return
 | LoadBalancer | `LoadBalancer` | 🟡 | `services/loadbalancer` |
 | DNS | `DNSZone` | 🟡 | `services/dns` |
 
-**1 of 19 resources fully working.** The CLI / config / auth / libnuke engine are functional; the per-resource SDK wiring lands incrementally. Pick one above and follow [`resources/compute-server.go`](resources/compute-server.go) as the reference pattern — see [Contributing](docs/contributing.md).
+**5 of 20 resources fully working.** The CLI / config / auth / libnuke engine are functional; the per-resource SDK wiring lands incrementally. Pick one above and follow [`resources/compute-server.go`](resources/compute-server.go) as the reference pattern — see [Contributing](docs/contributing.md).
 
 ## Development
 
@@ -189,8 +233,8 @@ Requires Go 1.25+.
 [`dev-infra/`](dev-infra/) is a Pulumi project ([`@stackitcloud/pulumi-stackit`](https://www.pulumi.com/registry/packages/stackit/)) that spins up a small STACKIT footprint (network, NICs, servers, volume) you can repeatedly create + nuke + recreate while developing new resource implementations.
 
 ```bash
-cd dev-infra && npm install && pulumi up
-cd .. && ./stackit-nuke run --config examples/compute-only.yaml --no-dry-run
+cd dev-infra && go mod download && pulumi up
+cd .. && ./stackit-nuke run --config dev-infra/nuke.yaml --no-dry-run
 ```
 
 See [`dev-infra/README.md`](dev-infra/README.md).

dev-infra/.gitignore

@@ -4,4 +4,6 @@ Pulumi.dev.yaml
 Pulumi.*.yaml
 !Pulumi.yaml
 !Pulumi.dev.yaml.example
+nuke.yaml
+!nuke.yaml.example
 *.log

dev-infra/README.md

@@ -2,7 +2,7 @@
 
 Throwaway STACKIT infrastructure for testing `stackit-nuke` locally.
 
-Uses the **official Pulumi STACKIT provider** ([`@stackitcloud/pulumi-stackit`](https://www.pulumi.com/registry/packages/stackit/)) — currently alpha, IaaS + Resource Manager only.
+Uses the **official Pulumi STACKIT provider** ([`pulumi-stackit`](https://www.pulumi.com/registry/packages/stackit/)) via its Go SDK — currently alpha, IaaS + Resource Manager only.
 
 ## What it deploys
 
@@ -16,18 +16,20 @@ All resources are labelled `managed-by=pulumi`, `purpose=stackit-nuke-dev` so yo
 ## Prerequisites
 
 - Pulumi CLI (`brew install pulumi`)
-- Node.js 20+
+- Go 1.23+
 - A STACKIT service-account key — same one `stackit-nuke` uses
 
 ## One-time setup
 
 ```bash
 cd dev-infra
-npm install
+go mod download
 pulumi login --local                      # or your usual backend
 pulumi stack init dev
 cp Pulumi.dev.yaml.example Pulumi.dev.yaml
 $EDITOR Pulumi.dev.yaml                   # paste your project ID
+cp nuke.yaml.example nuke.yaml
+$EDITOR nuke.yaml                         # paste same project ID + sa-key path
 export STACKIT_SERVICE_ACCOUNT_KEY_PATH=~/.stackit/sa.json
 ```
 
@@ -38,15 +40,15 @@ export STACKIT_SERVICE_ACCOUNT_KEY_PATH=~/.stackit/sa.json
 pulumi up
 
 # Confirm stackit-nuke sees it (dry run)
-cd .. && ./stackit-nuke run --config examples/compute-only.yaml
+cd .. && ./stackit-nuke run --config dev-infra/nuke.yaml
 
 # Nuke it
-./stackit-nuke run --config examples/compute-only.yaml --no-dry-run
+./stackit-nuke run --config dev-infra/nuke.yaml --no-dry-run
 
-# Verify the nuker did its job — Pulumi will show the servers as "missing"
+# Verify the nuker did its job — Pulumi will show resources as "missing"
 cd dev-infra && pulumi refresh
 
-# Clean residual state (volumes, network — stubs in stackit-nuke don't delete these yet)
+# Clear Pulumi state — the cloud resources are already gone
 pulumi destroy
 ```
 

dev-infra/nuke.yaml.example

@@ -0,0 +1,38 @@
+# stackit-nuke config for the dev-infra Pulumi stack.
+#
+# Copy to nuke.yaml and fill in your project ID + sa-key path.
+#
+# Targets every resource type that has a real SDK implementation today —
+# the same set dev-infra creates: servers, NICs, volumes.
+#
+# Round trip:
+#   pulumi up
+#   cd .. && ./stackit-nuke run --config dev-infra/nuke.yaml --no-dry-run
+#   cd dev-infra && pulumi refresh && pulumi destroy
+
+regions:
+  - eu01
+
+# Match the projectId set in Pulumi.dev.yaml.
+project-ids:
+  - 00000000-0000-0000-0000-000000000000
+
+auth:
+  service-account-key-path: ~/.stackit/sa.json
+
+resource-types:
+  includes:
+    - ComputeServer
+    - ComputeVolume
+    - NetworkInterface
+    - Network
+    - SecurityGroup
+
+# STACKIT auto-creates a "default" SG per project that resists deletion.
+# Skip it so the run doesn't surface a permanent failure.
+accounts:
+  "00000000-0000-0000-0000-000000000000":
+    filters:
+      SecurityGroup:
+        - property: Name
+          value: default

pkg/commands/global/global.go

@@ -21,6 +21,7 @@ func Flags() []cli.Flag {
 		&cli.BoolFlag{Name: "log-caller", Usage: "log caller (file:line)"},
 		&cli.BoolFlag{Name: "log-disable-color", Usage: "disable log coloring"},
 		&cli.BoolFlag{Name: "log-full-timestamp", Usage: "always show full timestamp"},
+		&cli.BoolFlag{Name: "log-verbose", Usage: "show every libnuke property in log lines (default: compact)"},
 	}
 }
 
@@ -37,6 +38,10 @@ func Before(c *cli.Context) error {
 	}
 	logrus.SetFormatter(formatter)
 
+	if !c.Bool("log-verbose") {
+		logrus.AddHook(compactHook{})
+	}
+
 	switch c.String("log-level") {
 	case "trace":
 		logrus.SetLevel(logrus.TraceLevel)

pkg/commands/global/log_compact.go

@@ -0,0 +1,53 @@
+package global
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+)
+
+// compactHook strips libnuke's per-resource property dump from log entries.
+// libnuke emits one INFO line per resource per state with every property as
+// prop:<Field>=<value>, which gets unreadable fast. We keep only the fields
+// that identify the resource (type, state, name, short ID) and drop the rest.
+type compactHook struct{}
+
+func (compactHook) Levels() []logrus.Level { return logrus.AllLevels }
+
+func (compactHook) Fire(e *logrus.Entry) error {
+	if len(e.Data) == 0 {
+		return nil
+	}
+	out := logrus.Fields{}
+	for k, v := range e.Data {
+		switch k {
+		case "_handler", "component", "owner", "state_code":
+			continue
+		case "type", "state", "name":
+			out[k] = v
+			continue
+		}
+		if !strings.HasPrefix(k, "prop:") {
+			out[k] = v
+			continue
+		}
+		switch strings.TrimPrefix(k, "prop:") {
+		case "ID":
+			out["id"] = shortID(fmt.Sprint(v))
+		case "Name":
+			if s := fmt.Sprint(v); s != "" {
+				out["name"] = s
+			}
+		}
+	}
+	e.Data = out
+	return nil
+}
+
+func shortID(s string) string {
+	if i := strings.Index(s, "-"); i > 0 {
+		return s[:i]
+	}
+	return s
+}

pkg/commands/run/command.go

@@ -140,8 +140,15 @@ func execute(c *cli.Context) error {
 		}
 	}
 
+	hook := &nukedHook{}
+	logrus.AddHook(hook)
+
 	logger.Debug("running ...")
-	return n.Run(ctx)
+	runErr := n.Run(ctx)
+	if params.NoDryRun {
+		printSummary(logger, hook.entries)
+	}
+	return runErr
 }
 
 func firstNonEmpty(vals ...string) string {