@hobocode/thought-layer 0.5.0 → 0.6.1

package/core/index.ts

@@ -16,6 +16,7 @@ export * from "./stage-map.ts";
 export * from "./state-file.ts";
 export * from "./state-ops.ts";
 export * from "./backend.ts";
+export * from "./backend-io.ts";
 export * from "./scaffold.ts";
 export * from "./scaffold-io.ts";
 export * from "./deploy.ts";

package/dist/tl.js

@@ -671,10 +671,10 @@ function runScaffold(opts, ctx) {
 }
 
 // core/deploy-io.ts
-import { spawnSync } from "child_process";
+import { spawnSync as spawnSync2 } from "child_process";
 import { randomBytes } from "crypto";
-import { existsSync as existsSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync2, readdirSync as readdirSync2, statSync, writeFileSync as writeFileSync3 } from "fs";
-import { dirname as dirname3, join as join3, relative, resolve as resolve3 } from "path";
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync2, readdirSync as readdirSync2, statSync, writeFileSync as writeFileSync4 } from "fs";
+import { dirname as dirname3, join as join4, relative, resolve as resolve3 } from "path";
 
 // core/deploy.ts
 import { createHash } from "crypto";
@@ -715,12 +715,243 @@ function deployRecord(input) {
   return { app: "thought-layer", kind: "deploy", version: 1, provider: "netlify", ...input };
 }
 
-// core/deploy-io.ts
+// core/backend.ts
+function envName(raw) {
+  const cleaned = String(raw || "").trim().toUpperCase().replace(/[^A-Z0-9_]+/g, "_").replace(/^_+|_+$/g, "");
+  return cleaned || "VAR";
+}
+function dedupeSortEnv(envVars) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const v of envVars || []) {
+    const name = envName(v?.name ?? "");
+    if (seen.has(name)) continue;
+    seen.add(name);
+    out.push({ name, required: v?.required !== false, description: String(v?.description ?? "") });
+  }
+  return out.sort((a, b) => a.name.localeCompare(b.name));
+}
+function normalizeDatabase(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return null;
+  const r = raw;
+  const str = (v, fb) => typeof v === "string" && v.trim() ? v.trim() : fb;
+  return {
+    provider: str(r["provider"], "neon"),
+    schemaFile: str(r["schemaFile"], "schema.sql"),
+    envVar: str(r["envVar"], "DATABASE_URL")
+  };
+}
+function normalizeEnvVars(raw) {
+  if (!Array.isArray(raw)) return [];
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const item of raw) {
+    if (!item || typeof item !== "object") continue;
+    const r = item;
+    const name = typeof r["name"] === "string" ? r["name"].trim() : "";
+    if (!name) continue;
+    if (seen.has(name)) continue;
+    seen.add(name);
+    out.push({
+      name,
+      required: typeof r["required"] === "boolean" ? r["required"] : true,
+      description: typeof r["description"] === "string" ? r["description"] : ""
+    });
+  }
+  return out;
+}
+function normalizeBackendMeta(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return null;
+  const r = raw;
+  const kindRaw = r["backendKind"];
+  const kind = kindRaw === "server" ? "server" : kindRaw === "serverless" ? "serverless" : null;
+  const envVars = normalizeEnvVars(r["envVars"]);
+  const database = normalizeDatabase(r["database"]);
+  const hasFunctionsDir = typeof r["functionsDir"] === "string" && r["functionsDir"].trim().length > 0;
+  if (kind === null && envVars.length === 0 && database === null && !hasFunctionsDir) return null;
+  const str = (v, fb) => typeof v === "string" && v.trim() ? v.trim() : fb;
+  return {
+    backendKind: kind ?? "serverless",
+    functionsDir: str(r["functionsDir"], "netlify/functions"),
+    runtime: str(r["runtime"], "nodejs20.x"),
+    nodeVersion: str(r["nodeVersion"], "20"),
+    envVars,
+    database,
+    guide: str(r["guide"], "BACKEND.md")
+  };
+}
+var SECRET_NAME_RE = /(KEY|SECRET|TOKEN|PASSWORD|PASSWD|DATABASE_URL|DB_URL|CONN|DSN|CREDENTIAL|PRIVATE|AUTH)/;
+function looksSecret(name) {
+  return SECRET_NAME_RE.test(name.toUpperCase());
+}
+function planEnvVars(backend) {
+  const dbVar = backend.database?.envVar ? backend.database.envVar : "";
+  const merged = [
+    ...backend.envVars || [],
+    ...dbVar ? [{ name: dbVar, required: true, description: "" }] : []
+  ];
+  return dedupeSortEnv(merged).map((v) => ({
+    name: v.name,
+    scopes: ["builds", "functions"],
+    isSecret: looksSecret(v.name),
+    context: "all"
+  }));
+}
+
+// core/backend-io.ts
+import { spawnSync } from "child_process";
+import { mkdtempSync, writeFileSync as writeFileSync3, unlinkSync, existsSync as existsSync2 } from "fs";
+import { tmpdir } from "os";
+import { join as join3 } from "path";
 var NETLIFY_API = "https://api.netlify.com/api/v1";
+var NEON_API = "https://console.neon.tech/api/v2";
+async function pushEnvVarsApi(siteId, token, plan, env, accountSlug) {
+  const set = [];
+  const missing = [];
+  const body = plan.filter((p) => {
+    const has = typeof env[p.name] === "string" && env[p.name] !== "";
+    (has ? set : missing).push(p.name);
+    return has;
+  }).map((p) => ({
+    key: p.name,
+    scopes: p.scopes,
+    is_secret: p.isSecret,
+    values: [{ value: env[p.name], context: p.context }]
+  }));
+  if (body.length === 0) {
+    return { method: "api", set, missing, note: "no declared env var had a value in the deploy environment; nothing pushed" };
+  }
+  const slug = accountSlug || await getAccountSlug(siteId, token);
+  const res = await fetch(`${NETLIFY_API}/accounts/${encodeURIComponent(slug)}/env?site_id=${encodeURIComponent(siteId)}`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) {
+    throw new Error(`Netlify env API ${res.status} ${res.statusText} when setting ${set.join(", ")}`);
+  }
+  return { method: "api", set, missing, note: "set via the Netlify API (secret-capable, scoped to builds and functions)" };
+}
+async function getAccountSlug(siteId, token) {
+  const res = await fetch(`${NETLIFY_API}/sites/${encodeURIComponent(siteId)}`, {
+    headers: { Authorization: `Bearer ${token}` }
+  });
+  if (!res.ok) throw new Error(`Netlify site lookup ${res.status} for env push`);
+  const site = await res.json();
+  const slug = String(site["account_slug"] || site["account_id"] || "");
+  if (!slug) throw new Error("could not resolve the account for env push");
+  return slug;
+}
+function cliImportEnv(plan, env, siteId) {
+  const set = [];
+  const missing = [];
+  const lines = [];
+  for (const p of plan) {
+    const v = env[p.name];
+    if (typeof v === "string" && v !== "") {
+      set.push(p.name);
+      lines.push(`${p.name}=${v}`);
+    } else {
+      missing.push(p.name);
+    }
+  }
+  if (lines.length === 0) {
+    return { method: "cli", set, missing, note: "no declared env var had a value in the deploy environment; nothing imported" };
+  }
+  const dir = mkdtempSync(join3(tmpdir(), "tl-env-"));
+  const file = join3(dir, ".env.import");
+  try {
+    writeFileSync3(file, lines.join("\n") + "\n", { mode: 384 });
+    const args = ["env:import", "--force", file, ...siteId ? ["--site", siteId] : []];
+    const r = spawnSync("netlify", args, { encoding: "utf8", timeout: 6e4 });
+    if (r.status !== 0) {
+      throw new Error(`netlify env:import failed (exit ${r.status}) for ${set.join(", ")}`);
+    }
+    return { method: "cli", set, missing, note: "imported via the Netlify CLI (applies all scopes; cannot mark secret)" };
+  } finally {
+    try {
+      unlinkSync(file);
+    } catch {
+    }
+  }
+}
+function resolveDbUrl(env) {
+  for (const name of ["DATABASE_URL", "NETLIFY_DATABASE_URL", "NETLIFY_DATABASE_URL_UNPOOLED"]) {
+    const v = env[name];
+    if (typeof v === "string" && v !== "") return { name, value: v };
+  }
+  return { name: null, value: null };
+}
+async function provisionNeon(env) {
+  const key = env["NEON_API_KEY"] || "";
+  if (!key) {
+    return { provisioned: false, url: null, note: "set NEON_API_KEY to provision, or set DATABASE_URL to bring your own database" };
+  }
+  try {
+    const res = await fetch(`${NEON_API}/projects`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${key}`, "Content-Type": "application/json", Accept: "application/json" },
+      body: JSON.stringify({ project: {} })
+    });
+    if (!res.ok) {
+      return { provisioned: false, url: null, note: `Neon API ${res.status} ${res.statusText} when creating the project` };
+    }
+    const data = await res.json();
+    const uris = Array.isArray(data["connection_uris"]) ? data["connection_uris"] : [];
+    const uri = uris.length ? String(uris[0]?.["connection_uri"] || "") : "";
+    if (!uri) return { provisioned: false, url: null, note: "Neon created the project but returned no connection string" };
+    return { provisioned: true, url: uri, note: "provisioned a Neon project in your account (connection string set for this deploy only)" };
+  } catch (e) {
+    return { provisioned: false, url: null, note: `Neon provisioning error: ${e.message}` };
+  }
+}
+function applySchema(schemaPath, dbUrl, env) {
+  if (!existsSync2(schemaPath)) {
+    return { applied: false, note: `schema file not found at ${schemaPath}` };
+  }
+  if (!dbUrl) {
+    return { applied: false, note: "no database connection string available; set DATABASE_URL or use --provision-db" };
+  }
+  const probe = spawnSync("psql", ["--version"], { encoding: "utf8", timeout: 15e3 });
+  if (probe.status !== 0) {
+    return { applied: false, note: `psql is not installed; apply it manually: psql "$DATABASE_URL" -f ${schemaPath}` };
+  }
+  let pg;
+  try {
+    pg = libpqEnv(dbUrl);
+  } catch {
+    return { applied: false, note: "could not parse the database connection string" };
+  }
+  const r = spawnSync("psql", ["-v", "ON_ERROR_STOP=1", "-f", schemaPath], {
+    encoding: "utf8",
+    timeout: 12e4,
+    env: { ...env, ...pg }
+  });
+  if (r.status !== 0) {
+    return { applied: false, note: `psql exited ${r.status} applying the schema` };
+  }
+  return { applied: true, note: "applied schema.sql with psql" };
+}
+function libpqEnv(dbUrl) {
+  const u = new URL(dbUrl);
+  const pg = {
+    PGHOST: u.hostname,
+    PGPORT: u.port || "5432",
+    PGDATABASE: decodeURIComponent(u.pathname.replace(/^\//, "")) || "neondb"
+  };
+  if (u.username) pg["PGUSER"] = decodeURIComponent(u.username);
+  if (u.password) pg["PGPASSWORD"] = decodeURIComponent(u.password);
+  const sslmode = u.searchParams.get("sslmode");
+  pg["PGSSLMODE"] = sslmode || "require";
+  return pg;
+}
+
+// core/deploy-io.ts
+var NETLIFY_API2 = "https://api.netlify.com/api/v1";
 function readBuild(target) {
   const statePath = resolveStatePath(target);
-  const manifestPath = join3(dirname3(statePath), "build.json");
-  if (!existsSync2(manifestPath)) {
+  const manifestPath = join4(dirname3(statePath), "build.json");
+  if (!existsSync3(manifestPath)) {
     throw new Error(
       `No build.json found at ${manifestPath}. Run the build first: the thought-layer-build skill (/tl-build) or the tl_scaffold tool (\`tl scaffold\`) writes the manifest the deploy reads.`
     );
@@ -732,7 +963,7 @@ function readBuild(target) {
 }
 function resolvePublishDir(publishDir, projectRoot) {
   const candidates = [resolve3(projectRoot, publishDir), resolve3(process.cwd(), publishDir)];
-  for (const c of candidates) if (existsSync2(c)) return c;
+  for (const c of candidates) if (existsSync3(c)) return c;
   throw new Error(
     `Publish dir "${publishDir}" from build.json does not exist (looked in ${candidates.join(" and ")}). Re-run the build, or fix publishDir in build.json.`
   );
@@ -741,7 +972,7 @@ function walkPublishDir(dir) {
   const files = {};
   const walk = (d) => {
     for (const name of readdirSync2(d)) {
-      const full = join3(d, name);
+      const full = join4(d, name);
       const st = statSync(full);
       if (st.isDirectory()) walk(full);
       else if (st.isFile()) {
@@ -770,14 +1001,14 @@ async function digestDeploy(files, opts) {
   let siteUrl = "";
   if (!siteId) {
     const body = opts.siteName ? JSON.stringify({ name: sanitizeSiteName(opts.siteName) }) : JSON.stringify({});
-    const site = await netlifyJson(`${NETLIFY_API}/sites`, { method: "POST", headers: { "Content-Type": "application/json" }, body }, opts.token);
+    const site = await netlifyJson(`${NETLIFY_API2}/sites`, { method: "POST", headers: { "Content-Type": "application/json" }, body }, opts.token);
     siteId = String(site["id"] || "");
     adminUrl = String(site["admin_url"] || "");
     siteUrl = String(site["ssl_url"] || site["url"] || "");
   }
   const { digests, pathForDigest } = buildFileDigests(files);
   const deploy = await netlifyJson(
-    `${NETLIFY_API}/sites/${siteId}/deploys`,
+    `${NETLIFY_API2}/sites/${siteId}/deploys`,
     { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ files: digests }) },
     opts.token
   );
@@ -789,7 +1020,7 @@ async function digestDeploy(files, opts) {
     const key = pathForDigest[sha];
     const buf = key ? files[key] : void 0;
     if (!key || !buf) continue;
-    const r = await fetch(`${NETLIFY_API}/deploys/${deployId}/files/${uploadPath(key)}`, {
+    const r = await fetch(`${NETLIFY_API2}/deploys/${deployId}/files/${uploadPath(key)}`, {
       method: "PUT",
       headers: { Authorization: `Bearer ${opts.token}`, "Content-Type": "application/octet-stream" },
       body: new Uint8Array(buf)
@@ -801,7 +1032,7 @@ async function digestDeploy(files, opts) {
   let state = String(deploy["state"] || "");
   for (let i = 0; i < 30 && state !== "ready" && state !== "error"; i++) {
     await new Promise((r) => setTimeout(r, 1e3));
-    const d = await netlifyJson(`${NETLIFY_API}/deploys/${deployId}`, { method: "GET" }, opts.token);
+    const d = await netlifyJson(`${NETLIFY_API2}/deploys/${deployId}`, { method: "GET" }, opts.token);
     state = String(d["state"] || "");
     if (!siteUrl) siteUrl = String(d["ssl_url"] || d["deploy_ssl_url"] || "");
   }
@@ -810,7 +1041,7 @@ async function digestDeploy(files, opts) {
 }
 function hasNetlifyCli() {
   try {
-    const r = spawnSync("netlify", ["--version"], { encoding: "utf8", timeout: 15e3 });
+    const r = spawnSync2("netlify", ["--version"], { encoding: "utf8", timeout: 15e3 });
     return r.status === 0;
   } catch {
     return false;
@@ -818,7 +1049,7 @@ function hasNetlifyCli() {
 }
 function cliSupportsAnonymous() {
   try {
-    const r = spawnSync("netlify", ["deploy", "--help"], { encoding: "utf8", timeout: 15e3 });
+    const r = spawnSync2("netlify", ["deploy", "--help"], { encoding: "utf8", timeout: 15e3 });
     return `${r.stdout || ""}${r.stderr || ""}`.includes("--allow-anonymous");
   } catch {
     return false;
@@ -826,7 +1057,7 @@ function cliSupportsAnonymous() {
 }
 function cliLoggedIn() {
   try {
-    const r = spawnSync("netlify", ["api", "getCurrentUser", "--data", "{}"], { encoding: "utf8", timeout: 2e4 });
+    const r = spawnSync2("netlify", ["api", "getCurrentUser", "--data", "{}"], { encoding: "utf8", timeout: 2e4 });
     return r.status === 0 && (r.stdout || "").trim().startsWith("{");
   } catch {
     return false;
@@ -845,7 +1076,7 @@ function cliDeploy(publishDirAbs, opts, loggedIn) {
   } else {
     args = [...base, "--allow-anonymous"];
   }
-  const r = spawnSync("netlify", args, { encoding: "utf8", timeout: 18e4 });
+  const r = spawnSync2("netlify", args, { encoding: "utf8", timeout: 18e4 });
   const raw = `${r.stdout || ""}
 ${r.stderr || ""}`.trim();
   if (r.status !== 0) {
@@ -855,6 +1086,63 @@ ${raw.slice(0, 800)}`);
   const parsed = parseCliDeployOutput(raw);
   return { url: parsed.url, claimUrl: loggedIn ? null : parsed.claimUrl, owned: loggedIn, siteName, raw };
 }
+function resolveFunctionsDir(functionsDir, projectRoot) {
+  const candidates = [resolve3(projectRoot, functionsDir), resolve3(process.cwd(), functionsDir)];
+  for (const c of candidates) if (existsSync3(c)) return c;
+  return null;
+}
+function countFunctionFiles(dir) {
+  try {
+    return readdirSync2(dir).filter((n) => !n.startsWith(".")).length;
+  } catch {
+    return 0;
+  }
+}
+async function createSiteApi(token, name) {
+  const body = name ? JSON.stringify({ name: sanitizeSiteName(name) }) : JSON.stringify({});
+  const site = await netlifyJson(`${NETLIFY_API2}/sites`, { method: "POST", headers: { "Content-Type": "application/json" }, body }, token);
+  return {
+    id: String(site["id"] || ""),
+    slug: String(site["account_slug"] || site["account_id"] || ""),
+    adminUrl: String(site["admin_url"] || ""),
+    url: String(site["ssl_url"] || site["url"] || "")
+  };
+}
+function createSiteCli(name) {
+  const payload = JSON.stringify(name ? { name: sanitizeSiteName(name) } : {});
+  const r = spawnSync2("netlify", ["api", "createSite", "--data", payload], { encoding: "utf8", timeout: 6e4 });
+  if (r.status !== 0) {
+    throw new Error(`netlify api createSite failed (exit ${r.status}): ${(r.stderr || r.stdout || "").slice(0, 300)}`);
+  }
+  let id = "";
+  try {
+    id = String(JSON.parse(r.stdout || "{}")["id"] || "");
+  } catch {
+  }
+  if (!id) throw new Error("could not parse the new site id from the Netlify CLI");
+  return { id };
+}
+function cliDeployWithFunctions(publishDirAbs, functionsDirAbs, siteId, token) {
+  const args = [
+    "deploy",
+    "--prod",
+    "--dir",
+    publishDirAbs,
+    "--no-build",
+    ...functionsDirAbs ? ["--functions", functionsDirAbs] : [],
+    "--site",
+    siteId
+  ];
+  const childEnv = token ? { ...process.env, NETLIFY_AUTH_TOKEN: token } : process.env;
+  const r = spawnSync2("netlify", args, { encoding: "utf8", timeout: 3e5, env: childEnv });
+  const raw = `${r.stdout || ""}
+${r.stderr || ""}`.trim();
+  if (r.status !== 0) {
+    throw new Error(`netlify ${args.join(" ")} failed (exit ${r.status}). Output:
+${raw.slice(0, 800)}`);
+  }
+  return { url: parseCliDeployOutput(raw).url, raw };
+}
 async function runDeploy(opts, ctx) {
   let build;
   try {
@@ -868,32 +1156,59 @@ async function runDeploy(opts, ctx) {
   if (fileCount === 0) {
     return { ok: false, message: `Publish dir ${publishDirAbs} is empty - nothing to deploy.`, details: {} };
   }
-  const backend = manifest.backend ?? null;
-  const backendWarn = manifest.hasBackend ? (() => {
+  const backend = normalizeBackendMeta(manifest.backend);
+  const shipBackend = manifest.hasBackend && backend?.backendKind === "serverless" && !opts.staticOnly;
+  const backendWarn = manifest.hasBackend && !shipBackend ? (() => {
     const guide = backend?.guide || "BACKEND.md";
     const dbEnv = backend?.database?.envVar || "DATABASE_URL";
     const names = (backend?.envVars || []).map((v) => v.name).filter(Boolean);
     const others = names.filter((n) => n !== dbEnv);
     const envList = others.length ? `${dbEnv} plus ${others.join(", ")}` : dbEnv;
-    return `
+    const lead = opts.staticOnly ? `
 
-Static deploy: the front end goes live now. This project also has a backend (build.json hasBackend is true${manifest.backendNote ? `: ${manifest.backendNote}` : ""}). The backend artifact (serverless functions, schema.sql, a names-only .env.example) is built but not auto-deployed yet; backend deploy automation is a follow-up. To run it yourself, follow ${guide}: provision Neon Postgres, set ${envList} in your host environment, then run netlify deploy with the functions present.`;
+Static only: the front end is live, the backend was not shipped (you passed --static-only). Re-run without it to ship the backend.` : `
+
+Static deploy: the front end is live. This build also declares a backend that this deploy cannot ship automatically.`;
+    return `${lead} To run the backend, follow ${guide}: provision Neon Postgres, set ${envList} in your host environment, then run netlify deploy with the functions present.`;
   })() : "";
   const token = process.env.NETLIFY_AUTH_TOKEN || process.env.NETLIFY_TOKEN || "";
   const writeRecord = (rec) => {
-    const recPath = join3(dirname3(stateFile), "deploy.json");
+    const recPath = join4(dirname3(stateFile), "deploy.json");
     mkdirSync3(dirname3(recPath), { recursive: true });
-    writeFileSync3(recPath, JSON.stringify(rec, null, 2) + "\n");
+    writeFileSync4(recPath, JSON.stringify(rec, null, 2) + "\n");
     return recPath;
   };
   if (opts.dryRun) {
     const { digests } = buildFileDigests(files);
+    let backendPlanMsg = backendWarn;
+    let backendPlan = null;
+    if (shipBackend && backend) {
+      const fnDir = resolveFunctionsDir(backend.functionsDir, dirname3(dirname3(stateFile)));
+      const fnCount = fnDir ? countFunctionFiles(fnDir) : 0;
+      const plan = planEnvVars(backend);
+      const names = plan.map((p) => p.name);
+      const missing = names.filter((n) => !(typeof process.env[n] === "string" && process.env[n] !== ""));
+      const db = resolveDbUrl(process.env);
+      const path = token ? "Netlify CLI for functions plus the token API for env" : "Netlify CLI (logged in) for functions and env import";
+      backendPlanMsg = `
+
+Backend plan: ship ${fnCount} function${fnCount === 1 ? "" : "s"} from ${backend.functionsDir} via the ${path}. Env var names (${names.length}): ${names.join(", ") || "none"}.${missing.length ? ` Missing from this environment: ${missing.join(", ")}.` : ""}${db.name ? ` Database url from ${db.name}.` : " No database url found (set DATABASE_URL, or use --provision-db)."}${opts.provisionDb ? " Would provision Neon (--provision-db)." : ""}${opts.applySchema ? " Would apply schema.sql (--apply-schema)." : ""}`;
+      backendPlan = { functionsDir: backend.functionsDir, functionCount: fnCount, envVarNames: names, envVarsMissing: missing, dbUrlFrom: db.name, provisionDb: !!opts.provisionDb, applySchema: !!opts.applySchema };
+    }
     return {
       ok: true,
-      message: `Dry run: would deploy ${fileCount} files from ${publishDirAbs} (entry ${manifest.entry}) to Netlify via the ${token && !opts.anonymous ? "BYO-token digest" : "Netlify CLI (logged in -> a site in your account; logged out -> an anonymous claimable site)"} path.${backendWarn}`,
-      details: { dryRun: true, publishDir: publishDirAbs, entry: manifest.entry, fileCount, files: Object.keys(digests), hasBackend: manifest.hasBackend }
+      message: `Dry run: would deploy ${fileCount} files from ${publishDirAbs} (entry ${manifest.entry}) to Netlify via the ${token && !opts.anonymous ? "BYO-token digest" : "Netlify CLI (logged in -> a site in your account; logged out -> an anonymous claimable site)"} path.${backendPlanMsg}`,
+      details: { dryRun: true, publishDir: publishDirAbs, entry: manifest.entry, fileCount, files: Object.keys(digests), hasBackend: manifest.hasBackend, shipBackend, backendPlan }
     };
   }
+  if (shipBackend && backend) {
+    return runBackendDeploy(
+      { manifest, backend, publishDirAbs, stateFile, fileCount, files },
+      opts,
+      ctx,
+      { token, writeRecord }
+    );
+  }
   const wantCli = opts.anonymous || !token;
   if (wantCli) {
     const guide = (lead, needs) => ({
@@ -986,6 +1301,151 @@ Recorded ${recPath}.${backendWarn}`,
     return { ok: false, message: `Deploy failed: ${e.message}`, details: { mode: "token" } };
   }
 }
+async function runBackendDeploy(build, opts, ctx, io) {
+  const { manifest, backend, publishDirAbs, stateFile, fileCount, files } = build;
+  const { token, writeRecord } = io;
+  const projectRoot = dirname3(dirname3(stateFile));
+  const plan = planEnvVars(backend);
+  const guide = backend.guide || "BACKEND.md";
+  const notes = [];
+  let dbUrl = resolveDbUrl(process.env).value;
+  let dbProvisioned = false;
+  if (opts.provisionDb) {
+    const pr = await provisionNeon(process.env);
+    notes.push(pr.note);
+    if (pr.provisioned && pr.url) {
+      dbUrl = pr.url;
+      dbProvisioned = true;
+    }
+  }
+  const functionsDirAbs = resolveFunctionsDir(backend.functionsDir, projectRoot);
+  if (!hasNetlifyCli()) {
+    if (!token) {
+      return {
+        ok: false,
+        message: `This build has a backend, which needs the Netlify CLI to bundle and ship the functions, and the CLI is not installed. Install it (npm i -g netlify-cli@latest) and re-run, or set NETLIFY_AUTH_TOKEN to at least take the front end live, or follow ${guide}.`,
+        details: { backendMode: "static-only-fallback", functionsShipped: false, needs: "netlify-cli" }
+      };
+    }
+    try {
+      const r = await digestDeploy(files, { token, siteName: opts.siteName, siteId: opts.siteId });
+      let env2 = null;
+      try {
+        env2 = await pushEnvVarsApi(r.siteId, token, plan, process.env);
+      } catch (e) {
+        notes.push(`env push failed: ${e.message}`);
+      }
+      const recPath2 = writeRecord(deployRecord({
+        deployedAt: ctx.deployedAt,
+        mode: "token",
+        publishDir: manifest.publishDir,
+        fileCount,
+        url: r.url || null,
+        adminUrl: r.adminUrl || null,
+        claimUrl: null,
+        siteId: r.siteId,
+        deployId: r.deployId,
+        hasBackend: true,
+        backendNote: manifest.backendNote,
+        backendKind: backend.backendKind,
+        backendMode: "static-only-fallback",
+        functionsShipped: false,
+        functionsDir: backend.functionsDir,
+        envVarsSet: env2?.set ?? [],
+        envVarsMissing: env2?.missing ?? plan.map((p) => p.name),
+        dbProvisioned,
+        schemaApplied: false,
+        buildProducer: manifest.producer,
+        stateFile
+      }));
+      return {
+        ok: true,
+        message: `Deployed the static front end to your Netlify account${r.url ? ` (live: ${r.url})` : ""}. The functions were NOT shipped: the Netlify CLI bundles them and it is not installed. Install it (npm i -g netlify-cli@latest) and re-run to ship the backend, or follow ${guide}.` + (env2?.set.length ? `
+Set env var names: ${env2.set.join(", ")}.` : "") + (env2?.missing.length ? `
+Declared but missing from this environment: ${env2.missing.join(", ")}.` : "") + `
+Recorded ${recPath2}.${notes.length ? `
+${notes.join("\n")}` : ""}`,
+        details: { mode: "token", backendMode: "static-only-fallback", functionsShipped: false, url: r.url, siteId: r.siteId, envVarsSet: env2?.set, envVarsMissing: env2?.missing }
+      };
+    } catch (e) {
+      return { ok: false, message: `Static front end deploy failed: ${e.message}`, details: { backendMode: "static-only-fallback" } };
+    }
+  }
+  if (!functionsDirAbs) {
+    notes.push(`functions dir "${backend.functionsDir}" was not found on disk; shipping the front end only`);
+  }
+  let siteId = opts.siteId || "";
+  let accountSlug;
+  try {
+    if (!siteId) {
+      if (token) {
+        const s = await createSiteApi(token, opts.siteName);
+        siteId = s.id;
+        accountSlug = s.slug;
+      } else {
+        siteId = createSiteCli(opts.siteName).id;
+      }
+    }
+  } catch (e) {
+    return { ok: false, message: `Could not create the Netlify site for the backend deploy: ${e.message}`, details: {} };
+  }
+  let env;
+  try {
+    env = token ? await pushEnvVarsApi(siteId, token, plan, process.env, accountSlug) : cliImportEnv(plan, process.env, siteId);
+  } catch (e) {
+    env = { method: token ? "api" : "cli", set: [], missing: plan.map((p) => p.name), note: `env push failed: ${e.message}` };
+    notes.push(env.note);
+  }
+  let schemaApplied = false;
+  if (opts.applySchema) {
+    const schemaPath = resolve3(projectRoot, backend.database?.schemaFile || "schema.sql");
+    const sr = applySchema(schemaPath, dbUrl, process.env);
+    schemaApplied = sr.applied;
+    notes.push(sr.note);
+  }
+  let url = null;
+  try {
+    const d = cliDeployWithFunctions(publishDirAbs, functionsDirAbs, siteId, token);
+    url = d.url;
+  } catch (e) {
+    return { ok: false, message: `Backend deploy failed: ${e.message}${notes.length ? `
+${notes.join("\n")}` : ""}`, details: { siteId, envVarsSet: env.set } };
+  }
+  const functionsShipped = !!functionsDirAbs;
+  const recPath = writeRecord(deployRecord({
+    deployedAt: ctx.deployedAt,
+    mode: "cli",
+    publishDir: manifest.publishDir,
+    fileCount,
+    url,
+    adminUrl: null,
+    claimUrl: null,
+    siteId,
+    deployId: null,
+    hasBackend: true,
+    backendNote: manifest.backendNote,
+    backendKind: backend.backendKind,
+    backendMode: "cli",
+    functionsShipped,
+    functionsDir: backend.functionsDir,
+    envVarsSet: env.set,
+    envVarsMissing: env.missing,
+    dbProvisioned,
+    schemaApplied,
+    buildProducer: manifest.producer,
+    stateFile
+  }));
+  return {
+    ok: true,
+    message: `Deployed your backend to your Netlify account via the CLI${url ? ` (live: ${url})` : ""}. ${functionsShipped ? `Functions shipped from ${backend.functionsDir}.` : `No functions were found on disk (${backend.functionsDir}); front end only.`} It is owned by your account, no claim needed. Re-deploy to the same site with --site ${siteId}.` + (env.set.length ? `
+Set env var names (${env.method}): ${env.set.join(", ")}.` : "") + (env.missing.length ? `
+Declared but missing from this environment (set them, then re-run): ${env.missing.join(", ")}.` : "") + `
+Recorded ${recPath}.${notes.length ? `
+${notes.join("\n")}` : ""}` + (!url ? `
+(Could not parse a live URL from the CLI output; re-run to confirm.)` : ""),
+    details: { mode: "cli", backendMode: "cli", url, siteId, functionsShipped, functionsDir: backend.functionsDir, envVarsSet: env.set, envVarsMissing: env.missing, dbProvisioned, schemaApplied }
+  };
+}
 
 // bin/tl.ts
 var HELP = `tl - read/write a portable Thought Layer state file (default: .thought-layer/state.json)
@@ -994,6 +1454,7 @@ var HELP = `tl - read/write a portable Thought Layer state file (default: .thoug
   tl list [dir]                      list the state files under .thought-layer/ (juggle several ideas)
   tl scaffold [--out dist] [--domain x.com] [--founder "Name"]  deterministic deployable static site from the spec + brand
   tl deploy [--dry-run] [--anonymous] [--name x] [--site id]  take build.json's publish dir live to a user-owned Netlify URL
+            [--static-only] [--provision-db] [--apply-schema]   when build.json has a backend: ships functions+env by default; flags opt out or add Neon provision/schema
   tl export [path]                   handoff check
   tl answer <qId> <value> [path]     record an answer
   tl feedback --data '<json>'        record a panel verdict ({qId,mode,personas,endState,round})
@@ -1089,7 +1550,10 @@ function main() {
         dryRun: flags["dry-run"] === true,
         anonymous: flags["anonymous"] === true,
         siteName: typeof flags["name"] === "string" ? flags["name"] : void 0,
-        siteId: typeof flags["site"] === "string" ? flags["site"] : void 0
+        siteId: typeof flags["site"] === "string" ? flags["site"] : void 0,
+        staticOnly: flags["static-only"] === true,
+        provisionDb: flags["provision-db"] === true,
+        applySchema: flags["apply-schema"] === true
       },
       { deployedAt: (/* @__PURE__ */ new Date()).toISOString() }
     ).then((r2) => {