npm - @rtrentjones/greenlight - Versions diffs - 0.2.11 → 0.2.13 - Mend

@rtrentjones/greenlight 0.2.11 → 0.2.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/assets/skills/provider-vercel/SKILL.md +1 -1
package/dist/bin.js +32 -20
package/package.json +4 -4

package/assets/skills/provider-vercel/SKILL.md CHANGED Viewed

@@ -45,7 +45,7 @@ without carrying the wrapper's `greenlight.config.ts` into the tool repo.
 **Deployment Protection gotcha:** `deployment_status.target_url` is the `*.vercel.app` *deployment*
 URL, which Vercel **Deployment Protection** gates (→ **401**) even though the public custom domain
 is 200. To verify the real app, create a **Protection Bypass for Automation** secret (Vercel →
-project → Settings → Deployment Protection) and set it as `VERCEL_AUTOMATION_BYPASS_SECRET` on the
+project → Settings → Deployment Protection) and set it as `VERCEL_AUTOMATION_BYPASS_SECRET_<TOOL>` (per-tool — the bypass value is per Vercel project, so a second vercel tool never collides) on the
 tool repo — the api check sends it as `x-vercel-protection-bypass` and asserts 200. Without it the
 generated spec asserts **401** (the deployment is served + protected), so the gate stays green.

package/dist/bin.js CHANGED Viewed

@@ -276,12 +276,11 @@ var PACKS = [
           });
           return { ok: okStatus(r), detail: `HTTP ${r.status}` };
         }
-      },
-      {
-        envVar: "TF_VAR_supabase_database_password",
-        label: "database password (ignored when importing an existing project)",
-        optional: true
       }
+      // NOTE: the database password is PER-PROJECT, so it's emitted as a per-tool variable
+      // (`<name>_supabase_database_password`) inline in each tool's <name>.tf — like the per-tool
+      // `<name>_vercel_project_id` — not a shared account credential gathered here. Set
+      // TF_VAR_<name>_supabase_database_password only when CREATING a project (ignored on import).
     ],
     mcp: {
       supabase: {
@@ -414,7 +413,7 @@ function tokensForTool(tool) {
 }
 // src/version.ts
-var MODULE_REF = "v0.2.11";
+var MODULE_REF = "v0.2.13";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -433,7 +432,7 @@ function emitToolTf(opts) {
   const blocks = [];
   const assumes = ["var.cloudflare_zone_id"];
   if (useOci) assumes.push("var.cloudflare_account_id", "local.oci_compartment_id");
-  if (useSupabase) assumes.push("var.supabase_organization_id", "var.supabase_database_password");
+  if (useSupabase) assumes.push("var.supabase_organization_id");
   const ghcrOwner = (slug.split("/")[0] ?? "owner").toLowerCase();
   blocks.push(
     `# ${name} \u2014 ${lane}/${target}${useSupabase ? "/supabase" : ""}, emitted by \`greenlight add\`.
@@ -450,8 +449,17 @@ module "${name}_supabase" {
   name              = "${name}"
   project_name      = "${name}-db"
   organization_id   = var.supabase_organization_id
-  database_password = var.supabase_database_password
+  database_password = var.${name}_supabase_database_password
   region            = "us-east-1"
+}
+# Per-tool (the password is per Supabase PROJECT) \u2014 so a second data:supabase tool doesn't collide
+# on a shared variable. Set TF_VAR_${name}_supabase_database_password only when CREATING a project;
+# on import the module ignores it (the default placeholder is fine).
+variable "${name}_supabase_database_password" {
+  type      = string
+  sensitive = true
+  default   = "import-placeholder" # ignored when importing an existing project
 }`);
   }
   if (useVercel) {
@@ -603,9 +611,6 @@ function emitWrapperMainTf(opts) {
   vars.push('variable "cloudflare_account_id" {\n  type    = string\n  default = ""\n}');
   if (need.has("supabase")) {
     vars.push('variable "supabase_organization_id" { type = string }');
-    vars.push(
-      'variable "supabase_database_password" {\n  type      = string\n  sensitive = true\n  default   = "import-placeholder" # ignored when importing an existing project\n}'
-    );
   }
   if (need.has("oci")) {
     vars.push('variable "oci_tenancy_ocid" { type = string }');
@@ -1101,13 +1106,13 @@ function vendorDeps(vendorDir) {
 }
 function starterVerifyConfig(lane, target) {
   const spec = lane === "mcp" ? "mode: 'mcp', expectTools: []" : "mode: 'api', checks: [{ path: '/', status: 200 }]";
-  const logHint = target === "oci" ? "oci logging-search search-logs ...   // the instance/container logs" : target === "vercel" ? "vercel logs <deployment-url> --token $VERCEL_API_TOKEN" : "wrangler tail --once   // workers observability";
+  const logHint = target === "vercel" ? 'vercel logs "$GREENLIGHT_VERIFY_URL" --token "$VERCEL_API_TOKEN" 2>&1 | head -40 || true' : 'curl -sS -i "$GREENLIGHT_VERIFY_URL" 2>&1 | head -30 || true';
   return `// Greenlight verify spec \u2014 edit to assert this tool's real contract.
 export default {
   ${spec},
   // Telemetry-into-verify: a shell command run ONLY when this report FAILS; its last ~50 lines
-  // attach to the report so the agent/CI sees the "why" in-loop. Best-effort (never fails the
-  // gate). Uncomment + adjust:
+  // attach to the report so the agent/CI sees the "why" in-loop. $GREENLIGHT_VERIFY_URL is the
+  // failing URL (no hard-coding). Best-effort (never fails the gate). Uncomment + adjust:
   // logsOnFailure: '${logHint}',
 };
 `;
@@ -1463,7 +1468,9 @@ jobs:
         env:
           # Bypass Vercel Deployment Protection on the deployment URL (Vercel \u2192 project \u2192 Deployment
           # Protection \u2192 Protection Bypass for Automation). Without it the gate asserts 401 (served).
-          VERCEL_AUTOMATION_BYPASS_SECRET: \${{ secrets.VERCEL_AUTOMATION_BYPASS_SECRET }}
+          # The SECRET is per-tool (the bypass value is per Vercel PROJECT) so two vercel tools never
+          # collide; the env var the spec reads stays generic.
+          VERCEL_AUTOMATION_BYPASS_SECRET: \${{ secrets.VERCEL_AUTOMATION_BYPASS_SECRET_${name.toUpperCase().replace(/-/g, "_")} }}
           ANTHROPIC_API_KEY: \${{ secrets.ANTHROPIC_API_KEY }}
         run: npx -y @rtrentjones/greenlight@latest verify --url "\${{ github.event.deployment_status.target_url }}" --spec verify/${name}.config.ts
 `;
@@ -1480,8 +1487,10 @@ function nextVerifyConfig(name) {
 // { mode: 'test', command: 'pnpm test' } + a tolerant deps-install step in greenlight-verify.yml.
 const bypass = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
 // Telemetry-into-verify: on a FAILED report, fetch the Vercel deployment's runtime logs and attach
-// the tail to the report (best-effort, never fails the gate). Needs VERCEL_API_TOKEN in CI.
-const logsOnFailure = 'vercel logs "$DEPLOYMENT_URL" --token "$VERCEL_API_TOKEN" 2>&1 || true';
+// the tail to the report (best-effort, never fails the gate). $GREENLIGHT_VERIFY_URL is the exact
+// failing deployment URL (injected \u2014 no hard-coding); needs VERCEL_API_TOKEN in CI.
+const logsOnFailure =
+  'vercel logs "$GREENLIGHT_VERIFY_URL" --token "$VERCEL_API_TOKEN" 2>&1 | head -40 || true';
 const api = bypass
   ? {
       mode: 'api',
@@ -1641,8 +1650,9 @@ Next:
                     greenlight secrets gather ${name} --repo ${slug}   # GREENLIGHT_DISPATCH_TOKEN
   The instance OCID is auto-resolved by the deploy workflow (by display name) \u2014 nothing to set.` : target === "vercel" ? `
   Deploy is Vercel's git integration (no wrapper deploy). The tool's greenlight-verify.yml verifies
-  each deployment (deployment_status). Optional: add ANTHROPIC_API_KEY to ${slug} to enable the
-  agent-web scenarios in verify/${name}.config.ts (absent \u2192 api + test gate alone).` : ""}`);
+  each deployment (deployment_status). Optional secrets on ${slug}:
+    \xB7 VERCEL_AUTOMATION_BYPASS_SECRET_${name.toUpperCase().replace(/-/g, "_")}  (Vercel \u2192 project \u2192 Deployment Protection \u2192 Bypass for Automation) \u2192 verify asserts 200, not 401
+    \xB7 ANTHROPIC_API_KEY \u2192 enables the agent-web scenarios in verify/${name}.config.ts (absent \u2192 api gate alone)` : ""}`);
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
@@ -2245,7 +2255,9 @@ function attachFailureLogs(reports, specs, toolDir) {
         cwd: toolDir,
         timeout: 3e4,
         encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024
+        maxBuffer: 10 * 1024 * 1024,
+        // Let the command target the exact failing URL without hard-coding it.
+        env: { ...process.env, GREENLIGHT_VERIFY_URL: report.url }
       });
       const out = `${res.stdout ?? ""}${res.stderr ?? ""}`.trimEnd();
       const tail = out.split("\n").slice(-LOG_TAIL_LINES).join("\n");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.11",
+  "version": "0.2.13",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-loop": "0.2.4",
-    "@rtrentjones/greenlight-shared": "0.2.4",
     "@rtrentjones/greenlight-adapters": "0.2.4",
-    "@rtrentjones/greenlight-verify": "0.2.4"
+    "@rtrentjones/greenlight-shared": "0.2.4",
+    "@rtrentjones/greenlight-verify": "0.2.4",
+    "@rtrentjones/greenlight-loop": "0.2.4"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",