@devosurf/tesser-server 0.1.0-alpha.0

package/src/events/fanout.ts

@@ -0,0 +1,73 @@
+// Event fan-out (ADR-0011): an emitted Project-scoped event creates one independent
+// durable run per subscriber. At-least-once delivery; duplicate fan-out job executions
+// are absorbed by a per-(event, automation) existence check.
+
+import { decodeJournal, type JsonValue } from "@devosurf/tesser-sdk/internal";
+import type { Db } from "../db/db.js";
+import { createRun } from "../engine/runs.js";
+
+export async function fanoutEvent(db: Db, eventId: string): Promise<string[]> {
+  const { rows } = await db.query<{
+    id: string;
+    project_id: string;
+    env: string;
+    name: string;
+    payload: JsonValue | null;
+  }>(`SELECT id, project_id, env, name, payload FROM events WHERE id=$1`, [eventId]);
+  const event = rows[0];
+  if (!event) return [];
+
+  const subs = await db.query<{ automation_id: string }>(
+    `SELECT automation_id FROM event_subscriptions WHERE project_id=$1 AND env=$2 AND event_name=$3`,
+    [event.project_id, event.env, event.name],
+  );
+
+  const created: string[] = [];
+  for (const sub of subs.rows) {
+    const runId = await db.tx(async (c) => {
+      const existing = await c.query(
+        `SELECT 1 FROM runs WHERE automation_id=$1 AND project_id=$2 AND trigger->>'eventId' = $3`,
+        [sub.automation_id, event.project_id, event.id],
+      );
+      if (existing.rows.length > 0) return null;
+
+      const alias = await c.query<{ version_id: string }>(
+        `SELECT version_id FROM aliases WHERE project_id=$1 AND automation_id=$2 AND env=$3`,
+        [event.project_id, sub.automation_id, event.env],
+      );
+      const versionId = alias.rows[0]?.version_id;
+      if (!versionId) return null;
+
+      return createRun(c, {
+        projectId: event.project_id,
+        automationId: sub.automation_id,
+        versionId,
+        env: event.env,
+        trigger: { kind: "event", event: event.name, eventId: event.id },
+        // stored payload is journal-encoded; createRun re-encodes, so decode here
+        input: event.payload === null ? undefined : decodeJournal(event.payload),
+      });
+    });
+    if (runId) created.push(runId);
+  }
+  return created;
+}
+
+/** Sync a project+env's event subscriptions from promoted manifests. */
+export async function syncSubscriptions(
+  db: Db,
+  projectId: string,
+  env: string,
+  subs: Array<{ eventName: string; automationId: string }>,
+): Promise<void> {
+  await db.tx(async (c) => {
+    await c.query(`DELETE FROM event_subscriptions WHERE project_id=$1 AND env=$2`, [projectId, env]);
+    for (const s of subs) {
+      await c.query(
+        `INSERT INTO event_subscriptions (project_id, env, event_name, automation_id)
+         VALUES ($1,$2,$3,$4) ON CONFLICT DO NOTHING`,
+        [projectId, env, s.eventName, s.automationId],
+      );
+    }
+  });
+}

package/src/gitsync/build.ts

@@ -0,0 +1,102 @@
+// Server-side build (ADR-0006): bundle each changed automation into a self-contained
+// immutable artifact (SDK + connectors + deps compiled in) and statically extract its
+// manifest — module evaluation only, the handler never runs (ADR-0010).
+
+import { createHash } from "node:crypto";
+import { mkdirSync, readdirSync, readFileSync, statSync, existsSync } from "node:fs";
+import { join, relative } from "node:path";
+import { pathToFileURL } from "node:url";
+import { build } from "esbuild";
+import type { AutomationDef } from "@devosurf/tesser-sdk";
+import type { ConnectorInstance } from "@devosurf/tesser-sdk/connector";
+import {
+  extractAutomationManifest,
+  extractConnectorManifest,
+  type AutomationManifest,
+  type ConnectorManifest,
+} from "@devosurf/tesser-sdk/internal";
+
+export interface DiscoveredAutomation {
+  automationId: string;
+  dir: string;
+  entry: string;
+  contentHash: string;
+}
+
+const LOCKFILES = ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "package.json", "tesser.json"];
+
+export function discoverAutomations(repoDir: string): DiscoveredAutomation[] {
+  const root = join(repoDir, "automations");
+  if (!existsSync(root)) return [];
+  const lockHash = createHash("sha256");
+  for (const f of LOCKFILES) {
+    const p = join(repoDir, f);
+    if (existsSync(p)) lockHash.update(f).update(readFileSync(p));
+  }
+  const lock = lockHash.digest("hex");
+
+  const out: DiscoveredAutomation[] = [];
+  for (const name of readdirSync(root).sort()) {
+    const dir = join(root, name);
+    if (!statSync(dir).isDirectory()) continue;
+    const entry = join(dir, "index.ts");
+    if (!existsSync(entry)) continue;
+    out.push({ automationId: name, dir, entry, contentHash: hashDir(dir, lock) });
+  }
+  return out;
+}
+
+function hashDir(dir: string, seed: string): string {
+  const h = createHash("sha256").update(seed);
+  const walk = (d: string) => {
+    for (const entry of readdirSync(d).sort()) {
+      if (entry === "node_modules" || entry.startsWith(".")) continue;
+      const p = join(d, entry);
+      const st = statSync(p);
+      if (st.isDirectory()) walk(p);
+      else h.update(relative(dir, p)).update(readFileSync(p));
+    }
+  };
+  walk(dir);
+  return h.digest("hex").slice(0, 24);
+}
+
+export async function buildAutomationBundle(entry: string, outFile: string): Promise<void> {
+  mkdirSync(join(outFile, ".."), { recursive: true });
+  await build({
+    entryPoints: [entry],
+    outfile: outFile,
+    bundle: true,
+    platform: "node",
+    format: "esm",
+    target: "node20",
+    sourcemap: "inline",
+    // Self-contained: everything (sdk, connectors, zod) is compiled in; only node
+    // builtins stay external. The artifact runs with no node_modules next to it.
+    packages: "bundle",
+    logLevel: "silent",
+  });
+}
+
+export interface ExtractedBundle {
+  manifest: AutomationManifest & { connectors: Record<string, ConnectorManifest> };
+  def: AutomationDef<any, any, any, any, any, any, any>;
+}
+
+/** Import the built artifact and statically extract its manifest (module evaluation
+ *  only; `run` is never called). The cache-busting query keeps re-extraction honest. */
+export async function extractBundle(bundlePath: string): Promise<ExtractedBundle> {
+  const mod = (await import(`${pathToFileURL(bundlePath).href}?t=${Date.now()}`)) as {
+    default?: AutomationDef<any, any, any, any, any, any, any>;
+  };
+  const def = mod.default;
+  if (!def || typeof def !== "object" || typeof def.run !== "function") {
+    throw new Error(`bundle has no default export from defineAutomation: ${bundlePath}`);
+  }
+  const manifest = extractAutomationManifest(def);
+  const connectors: Record<string, ConnectorManifest> = {};
+  for (const conn of Object.values((def.connections ?? {}) as Record<string, ConnectorInstance<any, any>>)) {
+    connectors[conn.id] = extractConnectorManifest(conn);
+  }
+  return { manifest: { ...manifest, connectors }, def };
+}

package/src/gitsync/deploy-keys.ts

@@ -0,0 +1,59 @@
+import { createHash, generateKeyPairSync, randomBytes } from "node:crypto";
+
+export interface DeployKeyPair {
+  publicKey: string;
+  privateKey: string;
+}
+
+interface RsaPublicJwk {
+  kty?: string;
+  n?: string;
+  e?: string;
+}
+
+function sshWireString(value: string | Buffer): Buffer {
+  const bytes = typeof value === "string" ? Buffer.from(value, "utf8") : value;
+  const len = Buffer.alloc(4);
+  len.writeUInt32BE(bytes.length, 0);
+  return Buffer.concat([len, bytes]);
+}
+
+function sshMpint(value: Buffer): Buffer {
+  let bytes = value;
+  while (bytes.length > 1 && bytes[0] === 0) bytes = bytes.subarray(1);
+  if ((bytes[0]! & 0x80) !== 0) bytes = Buffer.concat([Buffer.from([0]), bytes]);
+  return sshWireString(bytes);
+}
+
+function rsaPublicKeyFromJwk(jwk: RsaPublicJwk): string {
+  if (jwk.kty !== "RSA" || typeof jwk.n !== "string" || typeof jwk.e !== "string") {
+    throw new Error("unexpected rsa public key encoding");
+  }
+  const algorithm = "ssh-rsa";
+  const exponent = Buffer.from(jwk.e, "base64url");
+  const modulus = Buffer.from(jwk.n, "base64url");
+  const wire = Buffer.concat([sshWireString(algorithm), sshMpint(exponent), sshMpint(modulus)]).toString("base64");
+  return `${algorithm} ${wire}`;
+}
+
+export function generateDeployKeyPair(): DeployKeyPair {
+  // OpenSSH accepts PKCS#1 RSA private keys for `GIT_SSH_COMMAND=ssh -i ...`.
+  // Keep generation pure-Node so the server does not need `ssh-keygen` at link time.
+  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 3072, publicExponent: 0x10001 });
+  return {
+    publicKey: rsaPublicKeyFromJwk(publicKey.export({ format: "jwk" })),
+    privateKey: privateKey.export({ type: "pkcs1", format: "pem" }).toString(),
+  };
+}
+
+export function mintWebhookSigningSecret(): string {
+  return `whsec_${randomBytes(32).toString("base64url")}`;
+}
+
+export function mintWebhookSetupToken(): string {
+  return `wst_${randomBytes(24).toString("base64url")}`;
+}
+
+export function hashWebhookSetupToken(token: string): string {
+  return createHash("sha256").update(token).digest("hex");
+}

package/src/gitsync/reconciler.ts

@@ -0,0 +1,429 @@
+// The reconciler (ADR-0006): git → instance, one-way. Clone/fetch the commit, content-
+// hash-diff each automation directory, build only the changed ones into immutable staged
+// versions, halt on missing credentials (connect link), gate on tests (auto smoke), and
+// only on green swap aliases — red leaves production untouched. Then wire schedules,
+// event subscriptions, webhook registrations, and polls. Undeployed automations are
+// unaliased and their provider hooks destroyed.
+
+import { execFile } from "node:child_process";
+import { mkdirSync, existsSync, rmSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { promisify } from "node:util";
+import { smokeTest } from "@devosurf/tesser-testing";
+import type { Db } from "../db/db.js";
+import type { Broker } from "../broker/broker.js";
+import {
+  computeMissingRequirements,
+  mintConnectLink,
+  type AutomationRequirementSource,
+  type Requirement,
+} from "../broker/connect.js";
+import { syncSchedules, type ScheduleSpec } from "../scheduler/cron.js";
+import { syncSubscriptions } from "../events/fanout.js";
+import { ensureRegistrations } from "../triggers/registrar.js";
+import { activatePolls } from "../triggers/poll.js";
+import type { TriggerLayerDeps } from "../triggers/shared.js";
+import type { ArtifactLoader } from "../registry/loader.js";
+import { buildAutomationBundle, discoverAutomations, extractBundle } from "./build.js";
+
+const exec = promisify(execFile);
+
+export interface ReconcilerDeps {
+  db: Db;
+  broker: Broker;
+  loader: ArtifactLoader;
+  dataDir: string;
+  baseUrl: string;
+  triggerDeps: TriggerLayerDeps;
+  /** Run colocated project tests as the deploy gate (in addition to auto smoke). */
+  runProjectTests?: boolean;
+}
+
+export interface DeployReport {
+  sha: string;
+  ref: string;
+  env: string;
+  built: string[];
+  unchanged: string[];
+  failed: Array<{ automation: string; stage: "build" | "test"; reason: string }>;
+  removed: string[];
+  connectUrl?: string;
+  requirements?: Requirement[];
+  manual?: Array<{ automation: string; trigger: string }>;
+}
+
+async function git(args: string[], cwd?: string, env?: Record<string, string>): Promise<string> {
+  const { stdout } = await exec("git", args, {
+    ...(cwd !== undefined ? { cwd } : {}),
+    env: { ...process.env, GIT_TERMINAL_PROMPT: "0", ...env },
+    maxBuffer: 16 * 1024 * 1024,
+  });
+  return stdout.trim();
+}
+
+async function syncWorkdir(opts: {
+  dataDir: string;
+  projectId: string;
+  repoUrl: string;
+  ref: string;
+  sshKeyPath?: string | undefined;
+}): Promise<{ dir: string; sha: string }> {
+  const dir = join(opts.dataDir, "repos", opts.projectId);
+  const env: Record<string, string> = {};
+  if (opts.sshKeyPath !== undefined) {
+    env["GIT_SSH_COMMAND"] = `ssh -i ${opts.sshKeyPath} -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new`;
+  }
+  const localRepoPath = localPathForGitSafeDirectory(opts.repoUrl);
+  if (localRepoPath !== undefined) {
+    const gitConfigDir = join(opts.dataDir, "git-config");
+    mkdirSync(gitConfigDir, { recursive: true, mode: 0o700 });
+    const gitConfigPath = join(gitConfigDir, `${opts.projectId}.gitconfig`);
+    writeFileSync(gitConfigPath, `[safe]\n\tdirectory = ${localRepoPath}\n`, { mode: 0o600 });
+    env["GIT_CONFIG_GLOBAL"] = gitConfigPath;
+  }
+  if (!existsSync(join(dir, ".git"))) {
+    rmSync(dir, { recursive: true, force: true });
+    mkdirSync(dir, { recursive: true });
+    await git(["clone", "--no-single-branch", opts.repoUrl, dir], undefined, env);
+  } else {
+    await git(["fetch", "origin", "--prune"], dir, env);
+  }
+  await git(["checkout", "--force", opts.ref], dir, env).catch(async () => {
+    await git(["checkout", "--force", `origin/${opts.ref}`], dir, env);
+  });
+  // fast-forward to remote when the ref is a branch
+  await git(["reset", "--hard", `origin/${opts.ref}`], dir, env).catch(() => {});
+  const sha = await git(["rev-parse", "HEAD"], dir);
+  return { dir, sha };
+}
+
+function localPathForGitSafeDirectory(repoUrl: string): string | undefined {
+  if (repoUrl.startsWith("/")) return repoUrl;
+  if (repoUrl.startsWith("file://")) {
+    try {
+      return new URL(repoUrl).pathname;
+    } catch {
+      return undefined;
+    }
+  }
+  return undefined;
+}
+
+async function installDeps(dir: string): Promise<void> {
+  // Install only when a lockfile pins the dependency graph (reproducible builds,
+  // ADR-0006). Lockfile-less trees resolve from their surroundings (dev/dogfood lane).
+  const runner = existsSync(join(dir, "pnpm-lock.yaml"))
+    ? ["pnpm", ["install", "--ignore-scripts", "--prefer-offline", "--frozen-lockfile"]]
+    : existsSync(join(dir, "package-lock.json"))
+      ? ["npm", ["ci", "--ignore-scripts", "--no-audit", "--no-fund"]]
+      : null;
+  if (!runner) return;
+  await exec(runner[0] as string, runner[1] as string[], {
+    cwd: dir,
+    env: { ...process.env, CI: "1" },
+    maxBuffer: 32 * 1024 * 1024,
+  });
+}
+
+export async function reconcileProject(
+  deps: ReconcilerDeps,
+  projectId: string,
+  opts: { ref?: string | undefined; localPath?: string | undefined } = {},
+): Promise<DeployReport> {
+  const { rows: projects } = await deps.db.query<{
+    id: string;
+    workspace_id: string;
+    name: string;
+    repo_url: string | null;
+    prod_branch: string;
+    deploy_key_private_cipher: string | null;
+  }>(`SELECT * FROM projects WHERE id=$1`, [projectId]);
+  const project = projects[0];
+  if (!project) throw new Error(`no project ${projectId}`);
+
+  await deps.db.query(
+    `INSERT INTO repo_state (project_id, status) VALUES ($1,'syncing')
+     ON CONFLICT (project_id) DO UPDATE SET status='syncing', error=NULL`,
+    [projectId],
+  );
+
+  const finish = async (status: string, report: DeployReport): Promise<DeployReport> => {
+    await deps.db.query(
+      `UPDATE repo_state SET status=$2, report=$3::jsonb, last_sha=$4, branch=$5, last_synced_at=now() WHERE project_id=$1`,
+      [projectId, status, JSON.stringify(report), report.sha, report.ref],
+    );
+    return report;
+  };
+
+  const ref = opts.ref ?? project.prod_branch;
+  const env = ref === project.prod_branch ? "production" : `preview:${ref}`;
+  const report: DeployReport = { sha: "", ref, env, built: [], unchanged: [], failed: [], removed: [] };
+
+  try {
+    // ---- 1. working copy at the requested ref ----
+    let workdir: string;
+    if (opts.localPath !== undefined) {
+      workdir = opts.localPath; // tesser dev / tests: build straight from a local tree
+      report.sha = await git(["rev-parse", "HEAD"], workdir).catch(() => "local");
+    } else {
+      const repoUrl = project.repo_url;
+      if (!repoUrl) throw new Error("project has no repo_url and no localPath was given");
+      let sshKeyPath: string | undefined;
+      if (project.deploy_key_private_cipher) {
+        const key = await deps.broker.decryptValue(project.workspace_id, project.deploy_key_private_cipher, "deploykey");
+        const keyDir = join(deps.dataDir, "keys");
+        mkdirSync(keyDir, { recursive: true, mode: 0o700 });
+        sshKeyPath = join(keyDir, `${projectId}.key`);
+        writeFileSync(sshKeyPath, key + "\n", { mode: 0o600 });
+      }
+      const synced = await syncWorkdir({ dataDir: deps.dataDir, projectId, repoUrl, ref, sshKeyPath });
+      workdir = synced.dir;
+      report.sha = synced.sha;
+    }
+
+    await installDeps(workdir);
+
+    // ---- 2. discover + diff + build changed only ----
+    const discovered = discoverAutomations(workdir);
+    const sources: AutomationRequirementSource[] = [];
+    const schedules: ScheduleSpec[] = [];
+    const subscriptions: Array<{ eventName: string; automationId: string }> = [];
+    const promote: Array<{ automationId: string; versionId: string }> = [];
+    const connectorManifests: Record<string, never> = {};
+
+    for (const auto of discovered) {
+      const { rows: latest } = await deps.db.query<{
+        id: string;
+        version: number;
+        content_hash: string;
+        status: string;
+        manifest: never;
+      }>(
+        `SELECT id, version, content_hash, status, manifest FROM automation_versions
+         WHERE project_id=$1 AND automation_id=$2 ORDER BY version DESC LIMIT 1`,
+        [projectId, auto.automationId],
+      );
+
+      let versionId: string;
+      let manifest: import("./build.js").ExtractedBundle["manifest"];
+
+      if (latest[0] && latest[0].content_hash === auto.contentHash && latest[0].status !== "failed") {
+        versionId = latest[0].id;
+        manifest = latest[0].manifest;
+        report.unchanged.push(auto.automationId);
+      } else {
+        const version = (latest[0]?.version ?? 0) + 1;
+        const bundlePath = join(
+          deps.dataDir,
+          "artifacts",
+          projectId,
+          auto.automationId,
+          `v${version}`,
+          "bundle.mjs",
+        );
+        try {
+          await buildAutomationBundle(auto.entry, bundlePath);
+        } catch (err) {
+          report.failed.push({ automation: auto.automationId, stage: "build", reason: String(err).slice(0, 2000) });
+          continue;
+        }
+        let extracted: import("./build.js").ExtractedBundle;
+        try {
+          extracted = await extractBundle(bundlePath);
+          if (extracted.manifest.id !== auto.automationId) {
+            throw new Error(
+              `automation id "${extracted.manifest.id}" must match its directory "automations/${auto.automationId}"`,
+            );
+          }
+        } catch (err) {
+          report.failed.push({ automation: auto.automationId, stage: "build", reason: String(err).slice(0, 2000) });
+          continue;
+        }
+        manifest = extracted.manifest;
+
+        // ---- 3. test gate (ADR-0008): auto smoke against the REAL bundle ----
+        const smoke = await smokeTest(extracted.def);
+        const { rows: inserted } = await deps.db.query<{ id: string }>(
+          `INSERT INTO automation_versions
+             (project_id, automation_id, version, content_hash, bundle_path, manifest, git_sha, branch, status, test_report)
+           VALUES ($1,$2,$3,$4,$5,$6::jsonb,$7,$8,$9,$10::jsonb)
+           RETURNING id`,
+          [
+            projectId,
+            auto.automationId,
+            version,
+            auto.contentHash,
+            bundlePath,
+            JSON.stringify(manifest),
+            report.sha,
+            ref,
+            smoke.passed ? "staged" : "failed",
+            JSON.stringify({
+              smoke: { passed: smoke.passed, ...(smoke.reason !== undefined ? { reason: smoke.reason } : {}) },
+            }),
+          ],
+        );
+        versionId = inserted[0]!.id;
+        deps.loader.inject(versionId, extracted.def);
+        if (!smoke.passed) {
+          report.failed.push({
+            automation: auto.automationId,
+            stage: "test",
+            reason: smoke.reason ?? "smoke test failed",
+          });
+          continue; // red never promotes (ADR-0006)
+        }
+        report.built.push(auto.automationId);
+      }
+
+      Object.assign(connectorManifests, manifest.connectors ?? {});
+      sources.push({
+        automationId: auto.automationId,
+        connections: (manifest.connections ?? {}) as never,
+        secrets: (manifest.secrets ?? {}) as never,
+      });
+      if (manifest.trigger.kind === "schedule") {
+        schedules.push({
+          automationId: auto.automationId,
+          cron: manifest.trigger.cron,
+          tz: (manifest.trigger as { tz?: string }).tz,
+        });
+      }
+      if (manifest.trigger.kind === "event") {
+        subscriptions.push({ eventName: (manifest.trigger as { event: string }).event, automationId: auto.automationId });
+      }
+      promote.push({ automationId: auto.automationId, versionId });
+    }
+
+    // ---- 4. credential gate: halt BEFORE promotion (ADR-0005) ----
+    const missing = await computeMissingRequirements({
+      db: deps.db,
+      broker: deps.broker,
+      workspaceId: project.workspace_id,
+      projectId,
+      env,
+      automations: sources,
+      connectorManifests: connectorManifests as never,
+    });
+    if (missing.length > 0) {
+      const token = await mintConnectLink({
+        db: deps.db,
+        workspaceId: project.workspace_id,
+        projectId,
+        requirements: missing,
+      });
+      report.connectUrl = `${deps.baseUrl}/connect/${token}`;
+      report.requirements = missing;
+      return finish("halted-credentials", report);
+    }
+
+    // ---- 5. promote green versions: alias swap, instant + atomic per automation ----
+    for (const p of promote) {
+      await deps.db.tx(async (c) => {
+        await c.query(
+          `INSERT INTO aliases (project_id, automation_id, env, version_id) VALUES ($1,$2,$3,$4)
+           ON CONFLICT (project_id, automation_id, env)
+           DO UPDATE SET version_id=EXCLUDED.version_id, updated_at=now()`,
+          [projectId, p.automationId, env, p.versionId],
+        );
+        await c.query(
+          `UPDATE automation_versions SET status='superseded'
+           WHERE project_id=$1 AND automation_id=$2 AND id <> $3 AND status='live'`,
+          [projectId, p.automationId, p.versionId],
+        );
+        await c.query(`UPDATE automation_versions SET status='live' WHERE id=$1`, [p.versionId]);
+      });
+    }
+
+    // ---- 6. undeployed automations: unalias + teardown ----
+    const liveIds = new Set(discovered.map((d) => d.automationId));
+    const { rows: aliased } = await deps.db.query<{ automation_id: string }>(
+      `SELECT automation_id FROM aliases WHERE project_id=$1 AND env=$2`,
+      [projectId, env],
+    );
+    for (const row of aliased) {
+      if (!liveIds.has(row.automation_id)) {
+        await deps.db.query(`DELETE FROM aliases WHERE project_id=$1 AND automation_id=$2 AND env=$3`, [
+          projectId,
+          row.automation_id,
+          env,
+        ]);
+        report.removed.push(row.automation_id);
+      }
+    }
+
+    // ---- 7. wire triggers (production only; previews are trigger-inert, ADR-0013) ----
+    if (env === "production") {
+      await syncSchedules(deps.db, projectId, env, schedules);
+      await syncSubscriptions(deps.db, projectId, env, subscriptions);
+      const regs = await ensureRegistrations(deps.triggerDeps, projectId, env);
+      const manualReqs = regs.flatMap((r) => (r.manualRequirement !== undefined ? [r.manualRequirement] : []));
+      report.manual = regs
+        .filter((r) => r.status === "manual-pending")
+        .map((r) => ({ automation: r.automationId, trigger: r.trigger }));
+      await activatePolls(deps.triggerDeps, projectId, env);
+      if (manualReqs.length > 0) {
+        const token = await mintConnectLink({
+          db: deps.db,
+          workspaceId: project.workspace_id,
+          projectId,
+          requirements: manualReqs,
+        });
+        report.connectUrl = `${deps.baseUrl}/connect/${token}`;
+        report.requirements = manualReqs;
+        return finish("halted-credentials", report);
+      }
+    }
+
+    await gcArtifacts(deps.db, projectId);
+    return finish(report.failed.length > 0 ? "failed" : "synced", report);
+  } catch (err) {
+    report.failed.push({ automation: "*", stage: "build", reason: String(err).slice(0, 2000) });
+    await deps.db.query(
+      `UPDATE repo_state SET status='failed', error=$2, report=$3::jsonb, last_synced_at=now() WHERE project_id=$1`,
+      [projectId, String(err).slice(0, 2000), JSON.stringify(report)],
+    );
+    return report;
+  }
+}
+
+/** Keep the last 10 versions per automation, plus aliased or active-run versions. */
+export async function gcArtifacts(db: Db, projectId: string): Promise<void> {
+  await db.query(
+    `UPDATE automation_versions v SET status='superseded'
+     WHERE v.project_id=$1 AND v.status='staged'
+       AND v.created_at < now() - interval '1 day'`,
+    [projectId],
+  );
+  // row GC only; artifact files are cheap and removed with the data dir
+  await db.query(
+    `DELETE FROM automation_versions v
+     WHERE v.project_id=$1
+       AND NOT EXISTS (
+         SELECT 1 FROM aliases a
+         WHERE a.project_id=$1 AND a.version_id=v.id
+       )
+       AND NOT EXISTS (
+         SELECT 1 FROM runs r
+         WHERE r.project_id=$1
+           AND r.version_id=v.id
+           AND r.status IN ('queued','running','suspended')
+       )
+       AND v.version < COALESCE((
+         SELECT max(v2.version) - 9 FROM automation_versions v2
+         WHERE v2.project_id=v.project_id AND v2.automation_id=v.automation_id
+       ), 0)`,
+    [projectId],
+  );
+}
+
+export async function deployStatus(db: Db, projectId: string, env: string): Promise<unknown> {
+  const { rows: state } = await db.query(`SELECT status, error, report, last_sha, branch, last_synced_at FROM repo_state WHERE project_id=$1`, [projectId]);
+  const { rows: versions } = await db.query(
+    `SELECT a.automation_id, a.env, v.version, v.status, v.test_report
+     FROM aliases a JOIN automation_versions v ON v.id=a.version_id
+     WHERE a.project_id=$1 AND a.env=$2`,
+    [projectId, env],
+  );
+  return { repo: state[0] ?? null, live: versions };
+}