@rtrentjones/greenlight 0.2.19 → 0.2.21

package/README.md

@@ -48,7 +48,8 @@ greenlight <command>
 | `verify <name> --env <beta\|prod>` (or `--url`) | run the shared verify harness |
 | `promote <name>` | gated `develop → main` fast-forward (after beta verify) |
 | `deploy <name>` | target deploy hook (e.g. OCI restart = re-pull) |
-| `doctor` / `config` | health checks / load + validate + print the manifest |
+| `status <name>` | the ship → deploy → verify run chain across repos |
+| `doctor` / `config` | health checks (incl. token-scoping conformance) / load + validate + print the manifest |
 
 ## The loop
 
@@ -70,7 +71,8 @@ import { defineConfig, defineVerify } from '@rtrentjones/greenlight';
 
 export default defineConfig({
   domain: 'you.dev',
-  tools: { notes: { lane: 'mcp', target: 'oci', data: 'none', auth: 'bearer' } },
+  alerts: { sink: 'github-issue' },
+  tools: [{ name: 'notes', lane: 'mcp', target: 'oci', data: 'none', auth: 'bearer', envs: ['prod'] }],
 });
 ```
 
@@ -80,6 +82,7 @@ Also exported: `loadConfig`, and the `GreenlightConfig` / `VerifySpec` types.
 
 - **Repo + full docs:** <https://github.com/RTrentJones/greenlight>
 - **Architecture:** [docs/architecture.md](https://github.com/RTrentJones/greenlight/blob/main/docs/architecture.md)
-- **Spec:** [greenlight-v1.md](https://github.com/RTrentJones/greenlight/blob/main/greenlight-v1.md)
+- **Spec:** [greenlight-v2.md](https://github.com/RTrentJones/greenlight/blob/main/greenlight-v2.md)
+- **Add a provider type:** [docs/adding-a-provider.md](https://github.com/RTrentJones/greenlight/blob/main/docs/adding-a-provider.md)
 
 MIT

package/assets/skills/provider-hcp/SKILL.md

@@ -42,5 +42,5 @@ Migrate local → HCP with a plain `terraform init` (answer `yes` to copy state)
 plan -out → apply. This is the deploy half — the CLI only edits the `.tf`; CI applies.
 
 ## Alternatives
-See `docs/terraform-state-r2.md` for the full backend chooser (HCP no-CC · OCI S3-compat ·
+See `docs/terraform-state.md` for the full backend chooser (HCP no-CC · OCI S3-compat ·
 R2 card-required · AWS · local).

package/dist/bin.js

@@ -5,7 +5,7 @@ import {
   loadConfig,
   resolveUrl,
   verifyAll
-} from "./chunk-6USV5AQV.js";
+} from "./chunk-GO2RVNOP.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -58,6 +58,11 @@ function serializeTool(t) {
     if (pv.path !== void 0) pvParts.push(`path: ${q(pv.path)}`);
     parts.push(`preview: { ${pvParts.join(", ")} }`);
   }
+  if (t.tokens?.length) parts.push(`tokens: [${t.tokens.map(q).join(", ")}]`);
+  if (t.tokenOverrides && Object.keys(t.tokenOverrides).length) {
+    const ov = Object.entries(t.tokenOverrides).map(([k, v]) => `${k}: ${q(v)}`).join(", ");
+    parts.push(`tokenOverrides: { ${ov} }`);
+  }
   return `    { ${parts.join(", ")} },`;
 }
 function serializeConfig(c) {
@@ -103,7 +108,9 @@ function addTool(config, t) {
         ...t.adopted ? { adopted: true } : {},
         ...t.external ? { external: true } : {},
         ...t.port !== void 0 ? { port: t.port } : {},
-        ...t.preview ? { preview: t.preview } : {}
+        ...t.preview ? { preview: t.preview } : {},
+        ...t.tokens?.length ? { tokens: t.tokens } : {},
+        ...t.tokenOverrides && Object.keys(t.tokenOverrides).length ? { tokenOverrides: t.tokenOverrides } : {}
       }
     ]
   };
@@ -129,7 +136,9 @@ function upsertTool(config, t) {
     ...t.adopted ? { adopted: true } : {},
     ...t.external ? { external: true } : {},
     ...t.port !== void 0 ? { port: t.port } : {},
-    ...t.preview ? { preview: t.preview } : {}
+    ...t.preview ? { preview: t.preview } : {},
+    ...t.tokens?.length ? { tokens: t.tokens } : {},
+    ...t.tokenOverrides && Object.keys(t.tokenOverrides).length ? { tokenOverrides: t.tokenOverrides } : {}
   };
   const tools = config.tools.some((x) => x.name === t.name) ? config.tools.map((x) => x.name === t.name ? entry : x) : [...config.tools, entry];
   const result = ConfigSchema.safeParse({ ...config, tools });
@@ -186,7 +195,9 @@ function resolveEntry(config, name) {
     dir: tool.dir ?? `tools/${tool.name}`,
     external: tool.external,
     port: tool.port,
-    preview: tool.preview
+    preview: tool.preview,
+    tokens: tool.tokens,
+    tokenOverrides: tool.tokenOverrides
   };
 }
 var VERIFY_MODES = /* @__PURE__ */ new Set(["api", "mcp", "playwright", "test", "agent-web", "eval"]);
@@ -311,7 +322,7 @@ var PACKS = [
     always: true,
     // remote state backs every wrapper's infra
     appliesTo: () => true,
-    guide: "docs/terraform-state-r2.md \u2014 HCP Terraform free tier (no credit card)",
+    guide: "docs/terraform-state.md \u2014 HCP Terraform free tier (no credit card)",
     setupUrl: "https://app.terraform.io/app/settings/tokens",
     tokens: [
       {
@@ -401,6 +412,12 @@ var PACKS = [
     tfModules: ["tool", "tunnel", "oci-network", "oci-container-instance"]
   }
 ];
+function secretKeyFor(tok, toolName, overrides) {
+  const override = overrides?.[tok.envVar];
+  if (override) return override;
+  const suffix = `_${toolName.toUpperCase().replace(/-/g, "_")}`;
+  return tok.envVar.toUpperCase() + (tok.perTool ? suffix : "");
+}
 function packsForTool(tool) {
   return PACKS.filter((p) => p.always || (tool ? p.appliesTo(tool) : false));
 }
@@ -426,7 +443,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.19";
+var MODULE_REF = "v0.2.21";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -441,6 +458,7 @@ function emitToolTf(opts) {
   const useSupabase = data === "supabase";
   const useVercel = target === "vercel";
   const useOci = target === "oci";
+  const supabaseOverride = opts.tokenOverrides?.SUPABASE_ACCESS_TOKEN;
   const envList = envs.map((e) => `"${e}"`).join(", ");
   const blocks = [];
   const assumes = ["var.cloudflare_zone_id"];
@@ -455,9 +473,25 @@ function emitToolTf(opts) {
 # External tool: app code + deploy live in ${slug}; this manages only its infra here.` : ""}`
   );
   if (useSupabase) {
+    const providersLine = supabaseOverride ? `
+  providers = { supabase = supabase.${name} }` : "";
+    const overrideBlock = supabaseOverride ? `
+
+# Multi-account: ${name}'s Supabase lives in a SECOND account \u2014 an aliased provider authenticates
+# with its own token. In infra.yml: TF_VAR_${name}_supabase_access_token: \${{ secrets.${supabaseOverride} }}
+provider "supabase" {
+  alias        = "${name}"
+  access_token = var.${name}_supabase_access_token
+}
+
+variable "${name}_supabase_access_token" {
+  type        = string
+  sensitive   = true
+  description = "Supabase Management API token for ${name}'s account (scoped secret ${supabaseOverride})."
+}` : "";
     blocks.push(`# One Supabase project (schema-per-env), kept declarative + recreatable + kept alive.
 module "${name}_supabase" {
-  source = "${moduleSource("supabase", ref)}"
+  source = "${moduleSource("supabase", ref)}"${providersLine}
 
   name              = "${name}"
   project_name      = "${name}-db"
@@ -473,7 +507,7 @@ variable "${name}_supabase_database_password" {
   type      = string
   sensitive = true
   default   = "import-placeholder" # ignored when importing an existing project
-}`);
+}${overrideBlock}`);
   }
   if (useVercel) {
     const env = useSupabase ? `
@@ -643,7 +677,7 @@ locals {
 ` : "";
   return `# Wrapper infra (singleton): providers + remote-state backend + shared variables.
 # \`greenlight add\` appends per-tool module blocks as infra/<name>.tf. Apply is CI/CD's job
-# (infra.yml). Fill in the HCP backend below before the first apply (docs/terraform-state-r2.md).
+# (infra.yml). Fill in the HCP backend below before the first apply (docs/terraform-state.md).
 
 terraform {
   required_version = ">= 1.7"
@@ -918,8 +952,7 @@ async function gatherSecrets(name, repo, env, prefill) {
     for (const pack of packs) {
       console.log(`\u2500\u2500 ${pack.name}${pack.setupUrl ? `  \u2192  ${pack.setupUrl}` : ""}`);
       for (const tok of pack.tokens) {
-        const suffix = `_${name.toUpperCase().replace(/-/g, "_")}`;
-        const key = tok.envVar.toUpperCase() + (tok.perTool ? suffix : "");
+        const key = secretKeyFor(tok, name, entry.tokenOverrides);
         if (key === "GITHUB_TOKEN") {
           console.log("   \xB7 GITHUB_TOKEN \u2014 provided automatically by Actions; skipping");
           continue;
@@ -1070,7 +1103,16 @@ async function addCommand(args) {
   } else {
     writeFileSync2(
       toolTf,
-      emitToolTf({ name, domain: config.domain, lane, target, data, envs, port: entry?.port })
+      emitToolTf({
+        name,
+        domain: config.domain,
+        lane,
+        target,
+        data,
+        envs,
+        port: entry?.port,
+        tokenOverrides: entry?.tokenOverrides
+      })
     );
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
   }
@@ -1976,6 +2018,16 @@ function conformanceChecks(t, root) {
     status: gateable ? "ok" : "warn",
     detail: platformPreview ? "vercel per-PR preview + deployment_status verify" : gateable ? void 0 : `no built-in serve for ${t.external ? "an external " : ""}${t.target} tool \u2014 add preview:{ command, \u2026 } so \`greenlight preview ${t.name}\` works`
   });
+  const declared = [...t.tokens ?? [], ...Object.values(t.tokenOverrides ?? {})];
+  if (declared.length) {
+    const tag = t.name.toUpperCase().replace(/-/g, "_");
+    const generic = declared.filter((s) => !s.toUpperCase().includes(tag));
+    out.push({
+      name: `${t.name}: token scoping`,
+      status: generic.length ? "warn" : "ok",
+      detail: generic.length ? `not tool-scoped (should contain ${tag}): ${generic.join(", ")}` : `${declared.length} scoped secret name(s)`
+    });
+  }
   return out;
 }
 function runDoctor(config, root) {
@@ -2280,7 +2332,7 @@ async function initCommand(args) {
 Next:
   1. greenlight add <name> --lane <lane> --target <target>   # scaffold a tool, emit infra, and
                                                              # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (run `greenlight secrets sync` if base tokens were not pushed)"}
-  2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state-r2.md
+  2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state.md
   3. commit + push \u2192 CI (.github/workflows/infra.yml) runs \`terraform apply\`
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
@@ -2296,7 +2348,13 @@ import { resolve as resolve9 } from "path";
 function defaultSpec(lane) {
   switch (lane) {
     case "astro":
-      return { mode: "api", checks: [{ path: "/", status: 200 }], noBrokenInternalLinks: true };
+      return {
+        mode: "api",
+        checks: [{ path: "/", status: 200 }],
+        noBrokenInternalLinks: true,
+        settleRetries: 8,
+        settleMs: 5e3
+      };
     case "next":
       return { mode: "api", checks: [{ path: "/", status: 200 }] };
     case "mcp":
@@ -2715,7 +2773,7 @@ var HELP = `greenlight <command>
   doctor                                        manifest + repo consistency checks
   help                                          show this message
 
-Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see greenlight-v1.md \xA716.`;
+Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see docs/archive/greenlight-v1.md \xA716.`;
 async function main() {
   const [cmd, ...args] = process.argv.slice(2);
   switch (cmd) {

package/dist/{chunk-6USV5AQV.js → chunk-GO2RVNOP.js}

@@ -41,7 +41,7 @@ var ToolSchema = z.object({
   // (poly-repo) tool sets '.' (the repo root).
   dir: z.string().optional(),
   // The tool's code lives in another repo — this entry is a registry pointer only,
-  // not built/deployed here (greenlight-v1.md §15.5 poly-repo).
+  // not built/deployed here (docs/archive/greenlight-v1.md §15.5 poly-repo).
   external: z.boolean().default(false),
   // How `greenlight preview` spins the tool up LOCALLY for the pre-deploy gate. Optional — node
   // lanes (astro/next/mcp→workers) use the built-in build+serve path. Set it for targets with no
@@ -56,7 +56,16 @@ var ToolSchema = z.object({
     // local port (default: tool.port ?? lane default)
     path: z.string().optional()
     // connect path (default: lane default, e.g. `/mcp`)
-  }).optional()
+  }).optional(),
+  // The project-scoped secret names this tool needs (e.g. ['TF_VAR_HEISTMIND_GITHUB_ADMIN_TOKEN']).
+  // The convention (docs/tokens-reference.md): a project-scoped secret carries the uppercased tool name.
+  // `doctor` warns on a name that doesn't — documentation + conformance, no behavior.
+  tokens: z.array(z.string()).optional(),
+  // Opt-in per-tool provider-token OVERRIDES (multi-account). Maps a provider's default token env
+  // var to an alternate secret name, so this tool authenticates that provider with a SECOND account
+  // — e.g. { SUPABASE_ACCESS_TOKEN: 'SUPABASE_ACCESS_TOKEN_HEISTMIND' }. Absent ⇒ unchanged (the
+  // default token). `add`/`adopt` emit an aliased provider + scoped var/secret for an overridden token.
+  tokenOverrides: z.record(z.string(), z.string()).optional()
 }).superRefine((tool, ctx) => {
   const rule = MATRIX[tool.lane];
   if (!rule.targets.includes(tool.target)) {
@@ -197,8 +206,7 @@ async function checkInternalLinks(base, max = 25) {
     return { name: "no broken internal links", pass: false, detail: msg(e) };
   }
 }
-async function verifyApi(baseUrl, spec) {
-  const base = trimSlash(baseUrl);
+async function runChecks(base, spec) {
   const checks = [];
   for (const c of spec.checks ?? []) checks.push(await checkRoute(base, c));
   if (spec.rssValid) {
@@ -217,6 +225,17 @@ async function verifyApi(baseUrl, spec) {
     );
   }
   if (spec.noBrokenInternalLinks) checks.push(await checkInternalLinks(base));
+  return checks;
+}
+async function verifyApi(baseUrl, spec) {
+  const base = trimSlash(baseUrl);
+  const retries = Math.max(0, spec.settleRetries ?? 0);
+  const delayMs = spec.settleMs ?? 5e3;
+  let checks = await runChecks(base, spec);
+  for (let i = 0; i < retries && !checks.every((c) => c.pass); i++) {
+    if (delayMs > 0) await new Promise((resolve) => setTimeout(resolve, delayMs));
+    checks = await runChecks(base, spec);
+  }
   return report("api", baseUrl, checks);
 }
 

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-6USV5AQV.js";
+} from "./chunk-GO2RVNOP.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.19",
+  "version": "0.2.21",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -32,9 +32,9 @@
   },
   "devDependencies": {
     "@rtrentjones/greenlight-adapters": "0.2.4",
-    "@rtrentjones/greenlight-loop": "0.2.4",
     "@rtrentjones/greenlight-shared": "0.2.4",
-    "@rtrentjones/greenlight-verify": "0.2.4"
+    "@rtrentjones/greenlight-verify": "0.2.4",
+    "@rtrentjones/greenlight-loop": "0.2.4"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",

package/templates/_template-mcp/README.md

@@ -25,4 +25,4 @@ export default { mode: 'mcp', expectTools: ['<tool>'], call: { name: '<tool>' }
 
 ## Auth
 
-`auth: none` only for public read-only servers. Mutating/private servers default to `bearer`/`oauth` (greenlight-v1.md §6/§14).
+`auth: none` only for public read-only servers. Mutating/private servers default to `bearer`/`oauth` (docs/archive/greenlight-v1.md §6/§14).

package/templates/_template-next/README.md

@@ -2,4 +2,4 @@
 
 Lane template for **Next.js on Vercel** with Supabase — verify mode `api + playwright`.
 
-> **Phase 0:** placeholder only. Real template content arrives when the `next` lane is exercised (HeistMind migration, **Phase 9** — greenlight-v1.md §16). Materialized into a tool by `greenlight add` / `greenlight adopt`.
+> **Phase 0:** placeholder only. Real template content arrives when the `next` lane is exercised (HeistMind migration, **Phase 9** — docs/archive/greenlight-v1.md §16). Materialized into a tool by `greenlight add` / `greenlight adopt`.