@rtrentjones/greenlight 0.2.20 → 0.2.22

package/README.md

@@ -48,7 +48,8 @@ greenlight <command>
 | `verify <name> --env <beta\|prod>` (or `--url`) | run the shared verify harness |
 | `promote <name>` | gated `develop → main` fast-forward (after beta verify) |
 | `deploy <name>` | target deploy hook (e.g. OCI restart = re-pull) |
-| `doctor` / `config` | health checks / load + validate + print the manifest |
+| `status <name>` | the ship → deploy → verify run chain across repos |
+| `doctor` / `config` | health checks (incl. token-scoping conformance) / load + validate + print the manifest |
 
 ## The loop
 
@@ -70,7 +71,8 @@ import { defineConfig, defineVerify } from '@rtrentjones/greenlight';
 
 export default defineConfig({
   domain: 'you.dev',
-  tools: { notes: { lane: 'mcp', target: 'oci', data: 'none', auth: 'bearer' } },
+  alerts: { sink: 'github-issue' },
+  tools: [{ name: 'notes', lane: 'mcp', target: 'oci', data: 'none', auth: 'bearer', envs: ['prod'] }],
 });
 ```
 
@@ -80,6 +82,7 @@ Also exported: `loadConfig`, and the `GreenlightConfig` / `VerifySpec` types.
 
 - **Repo + full docs:** <https://github.com/RTrentJones/greenlight>
 - **Architecture:** [docs/architecture.md](https://github.com/RTrentJones/greenlight/blob/main/docs/architecture.md)
-- **Spec:** [greenlight-v1.md](https://github.com/RTrentJones/greenlight/blob/main/greenlight-v1.md)
+- **Spec:** [greenlight-v2.md](https://github.com/RTrentJones/greenlight/blob/main/greenlight-v2.md)
+- **Add a provider type:** [docs/adding-a-provider.md](https://github.com/RTrentJones/greenlight/blob/main/docs/adding-a-provider.md)
 
 MIT

package/assets/skills/provider-hcp/SKILL.md

@@ -42,5 +42,5 @@ Migrate local → HCP with a plain `terraform init` (answer `yes` to copy state)
 plan -out → apply. This is the deploy half — the CLI only edits the `.tf`; CI applies.
 
 ## Alternatives
-See `docs/terraform-state-r2.md` for the full backend chooser (HCP no-CC · OCI S3-compat ·
+See `docs/terraform-state.md` for the full backend chooser (HCP no-CC · OCI S3-compat ·
 R2 card-required · AWS · local).

package/dist/bin.js

@@ -5,7 +5,7 @@ import {
   loadConfig,
   resolveUrl,
   verifyAll
-} from "./chunk-PSNO7F4Q.js";
+} from "./chunk-GO2RVNOP.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -322,7 +322,7 @@ var PACKS = [
     always: true,
     // remote state backs every wrapper's infra
     appliesTo: () => true,
-    guide: "docs/terraform-state-r2.md \u2014 HCP Terraform free tier (no credit card)",
+    guide: "docs/terraform-state.md \u2014 HCP Terraform free tier (no credit card)",
     setupUrl: "https://app.terraform.io/app/settings/tokens",
     tokens: [
       {
@@ -443,7 +443,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.20";
+var MODULE_REF = "v0.2.22";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -677,7 +677,7 @@ locals {
 ` : "";
   return `# Wrapper infra (singleton): providers + remote-state backend + shared variables.
 # \`greenlight add\` appends per-tool module blocks as infra/<name>.tf. Apply is CI/CD's job
-# (infra.yml). Fill in the HCP backend below before the first apply (docs/terraform-state-r2.md).
+# (infra.yml). Fill in the HCP backend below before the first apply (docs/terraform-state.md).
 
 terraform {
   required_version = ">= 1.7"
@@ -2332,7 +2332,7 @@ async function initCommand(args) {
 Next:
   1. greenlight add <name> --lane <lane> --target <target>   # scaffold a tool, emit infra, and
                                                              # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (run `greenlight secrets sync` if base tokens were not pushed)"}
-  2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state-r2.md
+  2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state.md
   3. commit + push \u2192 CI (.github/workflows/infra.yml) runs \`terraform apply\`
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
@@ -2348,7 +2348,13 @@ import { resolve as resolve9 } from "path";
 function defaultSpec(lane) {
   switch (lane) {
     case "astro":
-      return { mode: "api", checks: [{ path: "/", status: 200 }], noBrokenInternalLinks: true };
+      return {
+        mode: "api",
+        checks: [{ path: "/", status: 200 }],
+        noBrokenInternalLinks: true,
+        settleRetries: 8,
+        settleMs: 5e3
+      };
     case "next":
       return { mode: "api", checks: [{ path: "/", status: 200 }] };
     case "mcp":
@@ -2601,8 +2607,21 @@ function git(repoDir, args) {
 function gitOut(repoDir, args) {
   return execFileSync5("git", args, { cwd: repoDir, encoding: "utf8" }).trim();
 }
+function tryRev(repoDir, ref) {
+  try {
+    return gitOut(repoDir, ["rev-parse", "--verify", "--quiet", ref]);
+  } catch {
+    return null;
+  }
+}
+function fetchRefs(repoDir, branches) {
+  try {
+    git(repoDir, ["fetch", "--no-tags", "origin", ...branches]);
+  } catch {
+  }
+}
 function resolveRef(repoDir, branch) {
-  for (const ref of [branch, `origin/${branch}`]) {
+  for (const ref of [`origin/${branch}`, branch]) {
     try {
       git(repoDir, ["rev-parse", "--verify", "--quiet", ref]);
       return ref;
@@ -2611,19 +2630,35 @@ function resolveRef(repoDir, branch) {
   }
   return null;
 }
+function staleLocalWarnings(repoDir, branches) {
+  const warnings = [];
+  for (const branch of branches) {
+    const local = tryRev(repoDir, branch);
+    const origin = tryRev(repoDir, `origin/${branch}`);
+    if (local && origin && local !== origin) {
+      warnings.push(
+        `local "${branch}" (${local.slice(0, 7)}) differs from origin/${branch} (${origin.slice(0, 7)}) \u2014 promoting the origin (verified) state. Sync with \`git fetch && git branch -f ${branch} origin/${branch}\`.`
+      );
+    }
+  }
+  return warnings;
+}
 function canPromote(repoDir, from = "develop", to = "main") {
+  fetchRefs(repoDir, [from, to]);
   const fromRef = resolveRef(repoDir, from);
   const toRef = resolveRef(repoDir, to);
   if (!fromRef || !toRef) {
     return { canPromote: false, reason: `branch "${from}" or "${to}" not found in ${repoDir}` };
   }
+  const warnings = staleLocalWarnings(repoDir, [from, to]);
   try {
     git(repoDir, ["merge-base", "--is-ancestor", toRef, fromRef]);
-    return { canPromote: true, reason: `"${to}" can fast-forward to "${from}"` };
+    return { canPromote: true, reason: `"${to}" can fast-forward to "${from}"`, warnings };
   } catch {
     return {
       canPromote: false,
-      reason: `"${to}" has diverged from "${from}" \u2014 fast-forward refused. Reconcile first (rebase "${from}" onto "${to}", or merge "${to}" into "${from}") before promoting.`
+      reason: `"${to}" has diverged from "${from}" \u2014 fast-forward refused. Reconcile first (rebase "${from}" onto "${to}", or merge "${to}" into "${from}") before promoting.`,
+      warnings
     };
   }
 }
@@ -2631,7 +2666,10 @@ function promote(repoDir, opts = {}) {
   const from = opts.from ?? "develop";
   const to = opts.to ?? "main";
   const check = canPromote(repoDir, from, to);
-  if (!check.canPromote) return { promoted: false, from, to, reason: check.reason };
+  if (!check.canPromote) {
+    return { promoted: false, from, to, reason: check.reason, warnings: check.warnings };
+  }
+  const warnings = check.warnings;
   const fromRef = resolveRef(repoDir, from);
   const fromCommit = gitOut(repoDir, ["rev-parse", fromRef]);
   const current = gitOut(repoDir, ["rev-parse", "--abbrev-ref", "HEAD"]);
@@ -2643,14 +2681,20 @@ function promote(repoDir, opts = {}) {
       } catch {
       }
     }
-    return { promoted: true, from, to, reason: `"${to}" fast-forwarded to "${from}" and pushed` };
+    return {
+      promoted: true,
+      from,
+      to,
+      reason: `"${to}" fast-forwarded to "${from}" and pushed`,
+      warnings
+    };
   }
   if (current === to) {
     git(repoDir, ["merge", "--ff-only", fromRef]);
   } else {
     git(repoDir, ["update-ref", `refs/heads/${to}`, fromCommit]);
   }
-  return { promoted: true, from, to, reason: `"${to}" fast-forwarded to "${from}"` };
+  return { promoted: true, from, to, reason: `"${to}" fast-forwarded to "${from}"`, warnings };
 }
 
 // src/commands/promote.ts
@@ -2660,11 +2704,13 @@ async function promoteCommand(args) {
   const cwd = process.cwd();
   if (!perform) {
     const check = canPromote(cwd);
+    for (const w of check.warnings ?? []) console.warn(`\u26A0 ${w}`);
     console.log(`${check.canPromote ? "\u2714" : "\u2718"} ${check.reason}`);
     if (check.canPromote) console.log("\nEligible. Re-run with --perform (and --push) to promote.");
     process.exit(check.canPromote ? 0 : 1);
   }
   const result = promote(cwd, { push });
+  for (const w of result.warnings ?? []) console.warn(`\u26A0 ${w}`);
   console.log(`${result.promoted ? "\u2714" : "\u2718"} ${result.reason}`);
   process.exit(result.promoted ? 0 : 1);
 }
@@ -2767,7 +2813,7 @@ var HELP = `greenlight <command>
   doctor                                        manifest + repo consistency checks
   help                                          show this message
 
-Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see greenlight-v1.md \xA716.`;
+Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see docs/archive/greenlight-v1.md \xA716.`;
 async function main() {
   const [cmd, ...args] = process.argv.slice(2);
   switch (cmd) {

package/dist/{chunk-PSNO7F4Q.js → chunk-GO2RVNOP.js}

@@ -41,7 +41,7 @@ var ToolSchema = z.object({
   // (poly-repo) tool sets '.' (the repo root).
   dir: z.string().optional(),
   // The tool's code lives in another repo — this entry is a registry pointer only,
-  // not built/deployed here (greenlight-v1.md §15.5 poly-repo).
+  // not built/deployed here (docs/archive/greenlight-v1.md §15.5 poly-repo).
   external: z.boolean().default(false),
   // How `greenlight preview` spins the tool up LOCALLY for the pre-deploy gate. Optional — node
   // lanes (astro/next/mcp→workers) use the built-in build+serve path. Set it for targets with no
@@ -206,8 +206,7 @@ async function checkInternalLinks(base, max = 25) {
     return { name: "no broken internal links", pass: false, detail: msg(e) };
   }
 }
-async function verifyApi(baseUrl, spec) {
-  const base = trimSlash(baseUrl);
+async function runChecks(base, spec) {
   const checks = [];
   for (const c of spec.checks ?? []) checks.push(await checkRoute(base, c));
   if (spec.rssValid) {
@@ -226,6 +225,17 @@ async function verifyApi(baseUrl, spec) {
     );
   }
   if (spec.noBrokenInternalLinks) checks.push(await checkInternalLinks(base));
+  return checks;
+}
+async function verifyApi(baseUrl, spec) {
+  const base = trimSlash(baseUrl);
+  const retries = Math.max(0, spec.settleRetries ?? 0);
+  const delayMs = spec.settleMs ?? 5e3;
+  let checks = await runChecks(base, spec);
+  for (let i = 0; i < retries && !checks.every((c) => c.pass); i++) {
+    if (delayMs > 0) await new Promise((resolve) => setTimeout(resolve, delayMs));
+    checks = await runChecks(base, spec);
+  }
   return report("api", baseUrl, checks);
 }
 

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-PSNO7F4Q.js";
+} from "./chunk-GO2RVNOP.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.20",
+  "version": "0.2.22",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.2.4",
-    "@rtrentjones/greenlight-loop": "0.2.4",
-    "@rtrentjones/greenlight-shared": "0.2.4",
-    "@rtrentjones/greenlight-verify": "0.2.4"
+    "@rtrentjones/greenlight-adapters": "0.2.22",
+    "@rtrentjones/greenlight-verify": "0.2.22",
+    "@rtrentjones/greenlight-loop": "0.2.22",
+    "@rtrentjones/greenlight-shared": "0.2.22"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",

package/templates/_template-mcp/README.md

@@ -25,4 +25,4 @@ export default { mode: 'mcp', expectTools: ['<tool>'], call: { name: '<tool>' }
 
 ## Auth
 
-`auth: none` only for public read-only servers. Mutating/private servers default to `bearer`/`oauth` (greenlight-v1.md §6/§14).
+`auth: none` only for public read-only servers. Mutating/private servers default to `bearer`/`oauth` (docs/archive/greenlight-v1.md §6/§14).

package/templates/_template-next/README.md

@@ -2,4 +2,4 @@
 
 Lane template for **Next.js on Vercel** with Supabase — verify mode `api + playwright`.
 
-> **Phase 0:** placeholder only. Real template content arrives when the `next` lane is exercised (HeistMind migration, **Phase 9** — greenlight-v1.md §16). Materialized into a tool by `greenlight add` / `greenlight adopt`.
+> **Phase 0:** placeholder only. Real template content arrives when the `next` lane is exercised (HeistMind migration, **Phase 9** — docs/archive/greenlight-v1.md §16). Materialized into a tool by `greenlight add` / `greenlight adopt`.