@hobocode/thought-layer 0.4.0 → 0.4.1

package/README.md

@@ -64,7 +64,7 @@ The hosted version of the rigor lives at [weareallproductmanagersnow.com](https:
 
 - **Done:** the rigor as portable skills; a Pi package with deterministic tools + slash commands; the portable progress file (`tl_state` / the `tl` CLI) shared with the web app; and the speedrun.
 - **Phase 3 (done):** a `build` step that turns the hardened PRD into a deploy-ready artifact, built by your own agent (`/tl-build`), with a deterministic `tl_scaffold` tool that writes an instantly-deployable branded static site as the floor.
-- **Phase 4 (done):** a `deploy` step (`/tl-deploy`, the `deploy` tool, or `tl deploy`) that takes the build live to a URL you own, closing the loop. With a Netlify token it deploys into your own account (owned immediately, no claim step); with no account it uses the Netlify CLI's `--allow-anonymous` flow for an instant URL plus a one-hour claim link. BYOK, no central account, no lock-in. `--dry-run` shows the plan first.
+- **Phase 4 (done):** a `deploy` step (`/tl-deploy`, the `deploy` tool, or `tl deploy`) that takes the build live to a URL you own, closing the loop. With a Netlify token it deploys into your own account via the file-digest API (owned immediately, no claim step); with no token it delegates to your Netlify CLI - logged in it creates a site in your account, logged out it deploys anonymously with a one-hour claim link. BYOK, no central account, no lock-in. `--dry-run` shows the plan first.
 
 ## Notes for contributors
 

package/core/deploy-io.ts

@@ -15,13 +15,14 @@
 //               handshake; we use the vendor tool when it is installed.
 
 import { spawnSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
 import { existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
 import { dirname, join, relative, resolve } from "node:path";
 import { resolveStatePath } from "./state-file.ts";
 import type { BuildManifest } from "./scaffold.ts";
 import type { StateOpResult } from "./state-ops.ts";
 import {
-  buildFileDigests, uploadPath, sanitizeSiteName, parseAnonymousOutput, deployRecord,
+  buildFileDigests, uploadPath, sanitizeSiteName, parseCliDeployOutput, deployRecord,
   type FileMap, type DeployRecord,
 } from "./deploy.ts";
 
@@ -166,7 +167,7 @@ async function digestDeploy(
   return { url: siteUrl, adminUrl, siteId: String(siteId), deployId, uploaded, state: state || "uploaded" };
 }
 
-// ---- the anonymous path: delegate to the Netlify CLI -------------------------
+// ---- the no-env-token path: delegate to the Netlify CLI ----------------------
 
 export function hasNetlifyCli(): boolean {
   try {
@@ -189,17 +190,55 @@ export function cliSupportsAnonymous(): boolean {
   }
 }
 
-function anonymousDeploy(publishDirAbs: string): { url: string | null; claimUrl: string | null; raw: string } {
-  const r = spawnSync(
-    "netlify",
-    ["deploy", "--dir", publishDirAbs, "--prod", "--allow-anonymous"],
-    { encoding: "utf8", timeout: 180000 },
-  );
+// Is the CLI logged in via its OWN stored config (independent of our env)? This
+// matters because --allow-anonymous is a no-op when logged in, and a plain
+// deploy then needs a target site - so a logged-in CLI must create a site in the
+// user's account instead. getCurrentUser exits 0 with JSON when logged in.
+export function cliLoggedIn(): boolean {
+  try {
+    const r = spawnSync("netlify", ["api", "getCurrentUser", "--data", "{}"], { encoding: "utf8", timeout: 20000 });
+    return r.status === 0 && (r.stdout || "").trim().startsWith("{");
+  } catch {
+    return false;
+  }
+}
+
+export interface CliDeployResult {
+  url: string | null;
+  claimUrl: string | null;
+  owned: boolean;
+  siteName: string | null;
+  raw: string;
+}
+
+// Deploy via the Netlify CLI, picking flags from the CLI's own login state:
+//   logged in  -> create (or, with siteId, reuse) a site in the user's account,
+//                 owned immediately, no claim step.
+//   logged out -> an anonymous, claimable site (one-hour window).
+// --no-build forces a plain publish of our already-built static dir (no
+// framework detection / build step). The caller has decided the CLI path is
+// wanted and that the CLI exists + supports what is needed.
+function cliDeploy(publishDirAbs: string, opts: { siteName?: string; siteId?: string }, loggedIn: boolean): CliDeployResult {
+  const base = ["deploy", "--dir", publishDirAbs, "--prod", "--no-build"];
+  let args: string[];
+  let siteName: string | null = null;
+  if (loggedIn) {
+    if (opts.siteId) args = [...base, "--site", opts.siteId];
+    else {
+      siteName = sanitizeSiteName(opts.siteName || "") || `thought-layer-${randomBytes(4).toString("hex")}`;
+      args = [...base, "--create-site", siteName];
+    }
+  } else {
+    args = [...base, "--allow-anonymous"];
+  }
+  const r = spawnSync("netlify", args, { encoding: "utf8", timeout: 180000 });
   const raw = `${r.stdout || ""}\n${r.stderr || ""}`.trim();
   if (r.status !== 0) {
-    throw new Error(`netlify deploy --allow-anonymous failed (exit ${r.status}). Output:\n${raw.slice(0, 800)}`);
+    throw new Error(`netlify ${args.join(" ")} failed (exit ${r.status}). Output:\n${raw.slice(0, 800)}`);
   }
-  return { ...parseAnonymousOutput(raw), raw };
+  const parsed = parseCliDeployOutput(raw);
+  // A claim link only applies to the anonymous (logged-out) site.
+  return { url: parsed.url, claimUrl: loggedIn ? null : parsed.claimUrl, owned: loggedIn, siteName, raw };
 }
 
 // ---- the orchestrator (mirrors runScaffold's result shape) -------------------
@@ -239,58 +278,67 @@ export async function runDeploy(opts: DeployRunOptions, ctx: { deployedAt: strin
       ok: true,
       message:
         `Dry run: would deploy ${fileCount} files from ${publishDirAbs} (entry ${manifest.entry}) to Netlify ` +
-        `via the ${opts.anonymous ? "anonymous CLI" : token ? "BYO-token digest" : "(no token set - would use the anonymous CLI or guide you)"} path.${backendWarn}`,
+        `via the ${token && !opts.anonymous ? "BYO-token digest" : "Netlify CLI (logged in -> a site in your account; logged out -> an anonymous claimable site)"} path.${backendWarn}`,
       details: { dryRun: true, publishDir: publishDirAbs, entry: manifest.entry, fileCount, files: Object.keys(digests), hasBackend: manifest.hasBackend },
     };
   }
 
-  // --- anonymous path: explicit, or the fallback when no token is set ---
-  const wantAnonymous = opts.anonymous || !token;
-  if (wantAnonymous) {
-    // The three honest ways to go live, shown whenever we cannot run anonymous.
+  // --- CLI path: explicit (--anonymous), or the fallback when no env token ---
+  const wantCli = opts.anonymous || !token;
+  if (wantCli) {
+    // The three honest ways to go live, shown whenever the CLI path cannot run.
     const guide = (lead: string, needs: string): StateOpResult => ({
       ok: false,
       message:
         lead +
         `To go live, choose one:\n` +
         `  1. BYO token (deploys into your own account, owned immediately): set NETLIFY_AUTH_TOKEN and re-run.\n` +
-        `  2. No account: a current Netlify CLI (\`npm i -g netlify-cli@latest\`) then re-run - uses netlify deploy --allow-anonymous for a 1-hour claimable URL.\n` +
+        `  2. Netlify CLI (\`npm i -g netlify-cli@latest\`) then re-run - logged in it creates a site in your account; logged out it deploys anonymously with a one-hour claim link.\n` +
         `  3. Manual: drag ${publishDirAbs} onto https://app.netlify.com/drop.`,
       details: { publishDir: publishDirAbs, needs },
     });
     if (!hasNetlifyCli()) {
       return guide(
         opts.anonymous
-          ? "Anonymous deploy needs the Netlify CLI, which is not installed. "
+          ? "A CLI deploy needs the Netlify CLI, which is not installed. "
           : "No NETLIFY_AUTH_TOKEN is set and the Netlify CLI is not installed. ",
         "token-or-cli",
       );
     }
-    if (!cliSupportsAnonymous()) {
+    const loggedIn = cliLoggedIn();
+    if (!loggedIn && !cliSupportsAnonymous()) {
       return guide(
-        "Your Netlify CLI is too old for --allow-anonymous (it shipped 2026-03). ",
-        "newer-cli-or-token",
+        "You are not logged into the Netlify CLI and it is too old for --allow-anonymous (that shipped 2026-03). ",
+        "newer-cli-or-login-or-token",
       );
     }
     try {
-      const { url, claimUrl, raw } = anonymousDeploy(publishDirAbs);
+      const { url, claimUrl, owned, siteName, raw } = cliDeploy(publishDirAbs, { siteName: opts.siteName, siteId: opts.siteId }, loggedIn);
       const recPath = writeRecord(
         deployRecord({
-          deployedAt: ctx.deployedAt, mode: "anonymous", publishDir: manifest.publishDir, fileCount,
+          deployedAt: ctx.deployedAt, mode: owned ? "cli" : "anonymous", publishDir: manifest.publishDir, fileCount,
           url, adminUrl: null, claimUrl, siteId: null, deployId: null,
           hasBackend: manifest.hasBackend, backendNote: manifest.backendNote, buildProducer: manifest.producer, stateFile,
         }),
       );
+      // If anonymity was explicitly asked for but the CLI is logged in, it went
+      // to the account instead - say so rather than implying it was anonymous.
+      const anonNote = opts.anonymous && owned
+        ? `\n(Note: you asked for an anonymous deploy, but the Netlify CLI is logged in, so this went to your account. Run \`netlify logout\` first for a truly anonymous, claimable deploy.)`
+        : "";
       return {
         ok: true,
-        message:
-          `Deployed anonymously.${url ? ` Live: ${url}` : ""}${claimUrl ? `\nClaim it within 1 hour (transfers ownership to your account): ${claimUrl}` : ""}` +
-          `\nRecorded ${recPath}.${backendWarn}` +
-          (!url || !claimUrl ? `\n(Could not parse a URL from the CLI output - see details.raw.)` : ""),
-        details: { mode: "anonymous", url, claimUrl, fileCount, raw },
+        message: owned
+          ? `Deployed to your Netlify account via the CLI${siteName ? ` (new site ${siteName})` : ""}.${url ? ` Live: ${url}` : ""}` +
+            `\nIt is owned by your account - no claim needed.\nRecorded ${recPath}.${anonNote}${backendWarn}` +
+            (!url ? `\n(Could not parse a URL from the CLI output - see details.raw.)` : "")
+          : `Deployed anonymously.${url ? ` Live: ${url}` : ""}${claimUrl ? `\nClaim it within 1 hour (transfers ownership to your account): ${claimUrl}` : ""}` +
+            `\nRecorded ${recPath}.${backendWarn}` +
+            (!url || !claimUrl ? `\n(Could not parse a URL/claim link from the CLI output - see details.raw.)` : ""),
+        details: { mode: owned ? "cli" : "anonymous", url, claimUrl, owned, siteName, fileCount, raw },
       };
     } catch (e) {
-      return { ok: false, message: (e as Error).message, details: { mode: "anonymous" } };
+      return { ok: false, message: (e as Error).message, details: { mode: "cli" } };
     }
   }
 

package/core/deploy.ts

@@ -68,20 +68,25 @@ export function sanitizeSiteName(raw: string): string {
     .replace(/-+$/g, "");
 }
 
-// Pull the live URL and the claim URL out of `netlify deploy --allow-anonymous`
-// output. The CLI prints a one-hour claim link for the unclaimed site; we never
-// synthesize it ourselves (the anonymous handshake is Netlify's, not ours).
-export function parseAnonymousOutput(output: string): { url: string | null; claimUrl: string | null } {
-  const claim = output.match(/https:\/\/app\.netlify\.com\/claim\S*/);
-  // The live site URL: prefer a *.netlify.app that is not the admin/app host.
-  const live = output.match(/https:\/\/[a-z0-9-]+\.netlify\.app\S*/i);
+// Pull the live URL and (anonymous only) the claim link out of `netlify deploy`
+// output. The CLI prints several *.netlify.app URLs - the production site URL
+// and a unique per-deploy URL (whose host carries a "--" prefix); prefer the
+// production one. The claim link only appears for an anonymous, unclaimed site;
+// we never synthesize it ourselves (the handshake is Netlify's, not ours).
+export function parseCliDeployOutput(output: string): { url: string | null; claimUrl: string | null } {
+  // Stop the URL at whitespace OR a wrapping bracket/quote: the CLI sometimes
+  // prints links as <url> or in a box, and a greedy \S* would swallow the ">".
+  const claim = output.match(/https:\/\/app\.netlify\.com\/claim[^\s<>"')\]]*/);
+  const all = (output.match(/https:\/\/[a-z0-9-]+\.netlify\.app[^\s<>"')\]]*/gi) || []).map(stripTrailingPunctuation);
+  const host = (u: string): string => u.replace(/^https:\/\//, "").split("/")[0]!;
+  const prod = all.find((u) => !host(u).includes("--")); // skip the per-deploy URL
   return {
-    url: live ? stripTrailingPunctuation(live[0]) : null,
+    url: prod || all[0] || null,
     claimUrl: claim ? stripTrailingPunctuation(claim[0]) : null,
   };
 }
 
-const stripTrailingPunctuation = (s: string): string => s.replace(/[).,]+$/, "");
+const stripTrailingPunctuation = (s: string): string => s.replace(/[)\]>.,'"<]+$/, "");
 
 // The deploy record written next to build.json / the state file. Pure provenance
 // so a re-deploy can target the same site and the user can find their URLs.
@@ -90,7 +95,7 @@ export interface DeployRecord {
   kind: "deploy";
   version: 1;
   deployedAt: string;
-  mode: "token" | "anonymous" | "dry-run";
+  mode: "token" | "cli" | "anonymous" | "dry-run";
   provider: "netlify";
   publishDir: string;
   fileCount: number;

package/dist/tl.js

@@ -671,6 +671,7 @@ function runScaffold(opts, ctx) {
 
 // core/deploy-io.ts
 import { spawnSync } from "child_process";
+import { randomBytes } from "crypto";
 import { existsSync as existsSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync2, readdirSync as readdirSync2, statSync, writeFileSync as writeFileSync3 } from "fs";
 import { dirname as dirname3, join as join3, relative, resolve as resolve3 } from "path";
 
@@ -698,15 +699,17 @@ function uploadPath(key) {
 function sanitizeSiteName(raw) {
   return String(raw || "").toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40).replace(/-+$/g, "");
 }
-function parseAnonymousOutput(output) {
-  const claim = output.match(/https:\/\/app\.netlify\.com\/claim\S*/);
-  const live = output.match(/https:\/\/[a-z0-9-]+\.netlify\.app\S*/i);
+function parseCliDeployOutput(output) {
+  const claim = output.match(/https:\/\/app\.netlify\.com\/claim[^\s<>"')\]]*/);
+  const all = (output.match(/https:\/\/[a-z0-9-]+\.netlify\.app[^\s<>"')\]]*/gi) || []).map(stripTrailingPunctuation);
+  const host = (u) => u.replace(/^https:\/\//, "").split("/")[0];
+  const prod = all.find((u) => !host(u).includes("--"));
   return {
-    url: live ? stripTrailingPunctuation(live[0]) : null,
+    url: prod || all[0] || null,
     claimUrl: claim ? stripTrailingPunctuation(claim[0]) : null
   };
 }
-var stripTrailingPunctuation = (s) => s.replace(/[).,]+$/, "");
+var stripTrailingPunctuation = (s) => s.replace(/[)\]>.,'"<]+$/, "");
 function deployRecord(input) {
   return { app: "thought-layer", kind: "deploy", version: 1, provider: "netlify", ...input };
 }
@@ -820,19 +823,36 @@ function cliSupportsAnonymous() {
     return false;
   }
 }
-function anonymousDeploy(publishDirAbs) {
-  const r = spawnSync(
-    "netlify",
-    ["deploy", "--dir", publishDirAbs, "--prod", "--allow-anonymous"],
-    { encoding: "utf8", timeout: 18e4 }
-  );
+function cliLoggedIn() {
+  try {
+    const r = spawnSync("netlify", ["api", "getCurrentUser", "--data", "{}"], { encoding: "utf8", timeout: 2e4 });
+    return r.status === 0 && (r.stdout || "").trim().startsWith("{");
+  } catch {
+    return false;
+  }
+}
+function cliDeploy(publishDirAbs, opts, loggedIn) {
+  const base = ["deploy", "--dir", publishDirAbs, "--prod", "--no-build"];
+  let args;
+  let siteName = null;
+  if (loggedIn) {
+    if (opts.siteId) args = [...base, "--site", opts.siteId];
+    else {
+      siteName = sanitizeSiteName(opts.siteName || "") || `thought-layer-${randomBytes(4).toString("hex")}`;
+      args = [...base, "--create-site", siteName];
+    }
+  } else {
+    args = [...base, "--allow-anonymous"];
+  }
+  const r = spawnSync("netlify", args, { encoding: "utf8", timeout: 18e4 });
   const raw = `${r.stdout || ""}
 ${r.stderr || ""}`.trim();
   if (r.status !== 0) {
-    throw new Error(`netlify deploy --allow-anonymous failed (exit ${r.status}). Output:
+    throw new Error(`netlify ${args.join(" ")} failed (exit ${r.status}). Output:
 ${raw.slice(0, 800)}`);
   }
-  return { ...parseAnonymousOutput(raw), raw };
+  const parsed = parseCliDeployOutput(raw);
+  return { url: parsed.url, claimUrl: loggedIn ? null : parsed.claimUrl, owned: loggedIn, siteName, raw };
 }
 async function runDeploy(opts, ctx) {
   let build;
@@ -859,38 +879,39 @@ async function runDeploy(opts, ctx) {
     const { digests } = buildFileDigests(files);
     return {
       ok: true,
-      message: `Dry run: would deploy ${fileCount} files from ${publishDirAbs} (entry ${manifest.entry}) to Netlify via the ${opts.anonymous ? "anonymous CLI" : token ? "BYO-token digest" : "(no token set - would use the anonymous CLI or guide you)"} path.${backendWarn}`,
+      message: `Dry run: would deploy ${fileCount} files from ${publishDirAbs} (entry ${manifest.entry}) to Netlify via the ${token && !opts.anonymous ? "BYO-token digest" : "Netlify CLI (logged in -> a site in your account; logged out -> an anonymous claimable site)"} path.${backendWarn}`,
       details: { dryRun: true, publishDir: publishDirAbs, entry: manifest.entry, fileCount, files: Object.keys(digests), hasBackend: manifest.hasBackend }
     };
   }
-  const wantAnonymous = opts.anonymous || !token;
-  if (wantAnonymous) {
+  const wantCli = opts.anonymous || !token;
+  if (wantCli) {
     const guide = (lead, needs) => ({
       ok: false,
       message: lead + `To go live, choose one:
   1. BYO token (deploys into your own account, owned immediately): set NETLIFY_AUTH_TOKEN and re-run.
-  2. No account: a current Netlify CLI (\`npm i -g netlify-cli@latest\`) then re-run - uses netlify deploy --allow-anonymous for a 1-hour claimable URL.
+  2. Netlify CLI (\`npm i -g netlify-cli@latest\`) then re-run - logged in it creates a site in your account; logged out it deploys anonymously with a one-hour claim link.
   3. Manual: drag ${publishDirAbs} onto https://app.netlify.com/drop.`,
       details: { publishDir: publishDirAbs, needs }
     });
     if (!hasNetlifyCli()) {
       return guide(
-        opts.anonymous ? "Anonymous deploy needs the Netlify CLI, which is not installed. " : "No NETLIFY_AUTH_TOKEN is set and the Netlify CLI is not installed. ",
+        opts.anonymous ? "A CLI deploy needs the Netlify CLI, which is not installed. " : "No NETLIFY_AUTH_TOKEN is set and the Netlify CLI is not installed. ",
         "token-or-cli"
       );
     }
-    if (!cliSupportsAnonymous()) {
+    const loggedIn = cliLoggedIn();
+    if (!loggedIn && !cliSupportsAnonymous()) {
       return guide(
-        "Your Netlify CLI is too old for --allow-anonymous (it shipped 2026-03). ",
-        "newer-cli-or-token"
+        "You are not logged into the Netlify CLI and it is too old for --allow-anonymous (that shipped 2026-03). ",
+        "newer-cli-or-login-or-token"
       );
     }
     try {
-      const { url, claimUrl, raw } = anonymousDeploy(publishDirAbs);
+      const { url, claimUrl, owned, siteName, raw } = cliDeploy(publishDirAbs, { siteName: opts.siteName, siteId: opts.siteId }, loggedIn);
       const recPath = writeRecord(
         deployRecord({
           deployedAt: ctx.deployedAt,
-          mode: "anonymous",
+          mode: owned ? "cli" : "anonymous",
           publishDir: manifest.publishDir,
           fileCount,
           url,
@@ -904,16 +925,21 @@ async function runDeploy(opts, ctx) {
           stateFile
         })
       );
+      const anonNote = opts.anonymous && owned ? `
+(Note: you asked for an anonymous deploy, but the Netlify CLI is logged in, so this went to your account. Run \`netlify logout\` first for a truly anonymous, claimable deploy.)` : "";
       return {
         ok: true,
-        message: `Deployed anonymously.${url ? ` Live: ${url}` : ""}${claimUrl ? `
+        message: owned ? `Deployed to your Netlify account via the CLI${siteName ? ` (new site ${siteName})` : ""}.${url ? ` Live: ${url}` : ""}
+It is owned by your account - no claim needed.
+Recorded ${recPath}.${anonNote}${backendWarn}` + (!url ? `
+(Could not parse a URL from the CLI output - see details.raw.)` : "") : `Deployed anonymously.${url ? ` Live: ${url}` : ""}${claimUrl ? `
 Claim it within 1 hour (transfers ownership to your account): ${claimUrl}` : ""}
 Recorded ${recPath}.${backendWarn}` + (!url || !claimUrl ? `
-(Could not parse a URL from the CLI output - see details.raw.)` : ""),
-        details: { mode: "anonymous", url, claimUrl, fileCount, raw }
+(Could not parse a URL/claim link from the CLI output - see details.raw.)` : ""),
+        details: { mode: owned ? "cli" : "anonymous", url, claimUrl, owned, siteName, fileCount, raw }
       };
     } catch (e) {
-      return { ok: false, message: e.message, details: { mode: "anonymous" } };
+      return { ok: false, message: e.message, details: { mode: "cli" } };
     }
   }
   try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hobocode/thought-layer",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "The Thought Layer: rigor for building. Validate an idea, grill it into a buildable spec, then build and deploy it, inside the agent you already use. BYOK, no telemetry.",
   "license": "MIT",
   "author": "Hobocode LLC <jerm@hobocode.net>",

package/prompts/tl-deploy.md

@@ -2,6 +2,6 @@ Apply the **thought-layer-deploy** skill. Take the built site live to a URL I ow
 
 Read `.thought-layer/build.json` (next to the state file; honor `--path` / `THOUGHT_LAYER_STATE` if a named file is in use) for the publish directory and entry. If there is no `build.json`, say so and point me to `/tl-build` (or the `tl_scaffold` tool) rather than guessing - the build has to run first.
 
-Default to a dry run first so I can see exactly which files would ship and where. Then deploy: if `NETLIFY_AUTH_TOKEN` is set, deploy into my own Netlify account (owned immediately); otherwise use the Netlify CLI's `--allow-anonymous` flow for an instant live URL plus a one-hour claim link. Read the token only from the environment, never ask me to paste it. If `build.json` says `hasBackend: true`, warn me clearly that this static deploy publishes only the front end.
+Default to a dry run first so I can see exactly which files would ship and where. Then deploy: if `NETLIFY_AUTH_TOKEN` is set, deploy into my own Netlify account (owned immediately); otherwise delegate to my Netlify CLI - logged in it creates a site in my account, logged out it deploys anonymously with a one-hour claim link. Read the token only from the environment, never ask me to paste it. If `build.json` says `hasBackend: true`, warn me clearly that this static deploy publishes only the front end.
 
 After it is live, tell me the URL and (anonymous only) the claim link, and that a `.thought-layer/deploy.json` record was written.

package/skills/thought-layer-deploy/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: thought-layer-deploy
-description: "Take the built site live to a user-owned URL with no lock-in, the last step after the build. Reads .thought-layer/build.json (the publish dir + entry) next to the state file, then deploys to Netlify by one of two BYOK models: with NETLIFY_AUTH_TOKEN set it deploys into the user's OWN account via the file-digest API (owned immediately, no claim), and with no token it uses the Netlify CLI's own --allow-anonymous flow for an instant live URL plus a one-hour claim link. Static-first: if build.json says hasBackend it warns that only the front end ships this way. Prefers the deploy tool (Pi) or the tl deploy CLI (any shell agent) so the deploy is one mechanical, honest step, never hand-rolled. Run it after thought-layer-build (or tl_scaffold) has produced build.json."
+description: "Take the built site live to a user-owned URL with no lock-in, the last step after the build. Reads .thought-layer/build.json (the publish dir + entry) next to the state file, then deploys to Netlify by one of two BYOK models: with NETLIFY_AUTH_TOKEN set it deploys into the user's OWN account via the file-digest API (owned immediately, no claim), and with no token it delegates to the user's Netlify CLI (logged in: a new site in their account; logged out: an anonymous, claimable URL with a one-hour claim link). Static-first: if build.json says hasBackend it warns that only the front end ships this way. Prefers the deploy tool (Pi) or the tl deploy CLI (any shell agent) so the deploy is one mechanical, honest step, never hand-rolled. Run it after thought-layer-build (or tl_scaffold) has produced build.json."
 ---
 
 # Deploy it: the build goes live to a URL you own
@@ -27,9 +27,11 @@ Always **dry-run first** and show the user the file list and the target, then de
 The tool picks automatically; explain which one ran.
 
 - **BYO token (the default when `NETLIFY_AUTH_TOKEN` is set).** Deploys straight into the user's own Netlify account via the file-digest API (no zip, no extra dependency). The site is theirs from the first second - **no claim step**. Re-deploy to the same site with `--site <id>` (the id is in the deploy output and `deploy.json`). The token is read **only from the environment** - never ask the user to paste it into the chat, and never put it in a tool parameter or a file.
-- **Anonymous (when no token is set).** Delegates to the Netlify CLI's `netlify deploy --allow-anonymous` (Netlify's own supported flow) for an instant live URL plus a **one-hour claim link** that transfers ownership to whatever account the user logs into. We never reverse-engineer that handshake. It needs a current Netlify CLI (`npm i -g netlify-cli@latest`; the flag shipped 2026-03); if the CLI is missing or too old, the tool says exactly what to do (set a token, update the CLI, or drag the publish dir onto https://app.netlify.com/drop).
+- **Netlify CLI (when no token is set).** Delegates to the user's installed Netlify CLI, and branches on the CLI's own login state (a logged-in CLI ignores `--allow-anonymous`, so the tool checks):
+  - **logged in** -> creates a new site in the user's own account (`--create-site`, owned immediately, **no claim**), or re-deploys to `--site <id>`.
+  - **logged out** -> an **anonymous, claimable** site (`--allow-anonymous`) with a **one-hour claim link** that transfers ownership to whatever account the user logs into. We never reverse-engineer that handshake; it needs a current CLI (`npm i -g netlify-cli@latest`; the flag shipped 2026-03).
 
-If neither a token nor a usable CLI is available, relay the tool's guidance honestly instead of pretending it deployed.
+If neither a token nor a usable CLI is available, relay the tool's guidance honestly (set a token, install/update the CLI, or drag the publish dir onto https://app.netlify.com/drop) instead of pretending it deployed. If the user explicitly asked for an anonymous deploy but the CLI is logged in, the tool says it went to their account instead and that `netlify logout` first would make it anonymous - pass that on.
 
 ## Static-first honesty