@rtrentjones/greenlight 0.2.22 → 0.2.24

package/dist/{agent-web-I4LXW4SR.js → agent-web-3FTO2TLJ.js}

@@ -1,6 +1,6 @@
 import {
   verifyAgentWeb
-} from "./chunk-UXHHLEYO.js";
+} from "./chunk-KVOI4UL2.js";
 import "./chunk-QFKE5JKC.js";
 export {
   verifyAgentWeb

package/dist/bin.js

@@ -4,13 +4,14 @@ import {
   allPass,
   loadConfig,
   resolveUrl,
+  scanSqlFiles,
   verifyAll
-} from "./chunk-GO2RVNOP.js";
+} from "./chunk-2A7ZBBYN.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
-import "./chunk-UXHHLEYO.js";
-import "./chunk-6N7MD6FR.js";
+import "./chunk-KVOI4UL2.js";
+import "./chunk-XWTOJHLV.js";
 import "./chunk-QFKE5JKC.js";
 
 // src/commands/add.ts
@@ -443,7 +444,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.22";
+var MODULE_REF = "v0.2.24";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -777,10 +778,22 @@ ${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
 async function agentCommand(args) {
   if (args[0] !== "sync") {
     console.log(
-      "usage: greenlight agent sync   # write the loop skill + .mcp.json + CLAUDE.md block"
+      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
     );
     process.exit(args[0] ? 1 : 0);
   }
+  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+  if (name) {
+    const { config } = await loadManifest();
+    const entry = resolveEntry(config, name);
+    const dir = resolve3(process.cwd(), entry.dir ?? ".");
+    materializeAgentKit(dir, { target: entry.target, data: entry.data });
+    console.log(
+      `
+Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (target=${entry.target}, data=${entry.data}).`
+    );
+    return;
+  }
   materializeAgentKit(process.cwd());
   console.log(
     "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
@@ -1991,7 +2004,9 @@ async function deployCommand(args) {
 }
 
 // src/commands/doctor.ts
-import { existsSync as existsSync7 } from "fs";
+import { execFileSync as execFileSync4 } from "child_process";
+import { lookup } from "dns/promises";
+import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
 import { join as join4 } from "path";
 function dirCheck(label, dir) {
   return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
@@ -2030,6 +2045,61 @@ function conformanceChecks(t, root) {
   }
   return out;
 }
+function versionDriftCheck(root) {
+  const name = "framework version drift";
+  let installed;
+  try {
+    const pkg = JSON.parse(
+      readFileSync5(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
+    );
+    installed = pkg.version;
+  } catch {
+  }
+  const refs = /* @__PURE__ */ new Set();
+  try {
+    for (const f of readdirSync2(join4(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
+      const body = readFileSync5(join4(root, "infra", f), "utf8");
+      for (const m of body.matchAll(/greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g)) {
+        if (m[1]) refs.add(m[1]);
+      }
+    }
+  } catch {
+  }
+  if (!installed && refs.size === 0) {
+    return {
+      name,
+      status: "skip",
+      detail: "no installed @rtrentjones/greenlight or infra pins here"
+    };
+  }
+  const refList = [...refs];
+  if (installed) {
+    const want = `v${installed}`;
+    const bad = refList.filter((r) => r !== want);
+    return bad.length === 0 ? { name, status: "ok", detail: `infra pins == installed ${want}` } : {
+      name,
+      status: "warn",
+      detail: `installed ${want}, but infra pins ${bad.join(", ")} \u2014 bump ?ref to ${want}`
+    };
+  }
+  return refList.length <= 1 ? { name, status: "ok", detail: `infra pins uniform (${refList[0] ?? "none"})` } : { name, status: "warn", detail: `infra ?ref pins not uniform: ${refList.join(", ")}` };
+}
+function submoduleDriftCheck(root) {
+  const name = "submodule drift";
+  let out;
+  try {
+    out = execFileSync4("git", ["submodule", "status"], {
+      cwd: root,
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+    }).trim();
+  } catch {
+    return { name, status: "skip", detail: "no git / not a repo" };
+  }
+  if (!out) return { name, status: "skip", detail: "no submodules" };
+  const dirty = out.split("\n").filter((l) => /^[+\-U]/.test(l));
+  return dirty.length === 0 ? { name, status: "ok", detail: "all submodules match their recorded commit" } : { name, status: "warn", detail: dirty.map((l) => l.trim()).join("; ") };
+}
 function runDoctor(config, root) {
   const checks = [];
   if (config.blog) checks.push(dirCheck("blog", join4(root, "apps/blog")));
@@ -2042,6 +2112,15 @@ function runDoctor(config, root) {
         mcp: t.lane === "mcp"
       });
       checks.push({ name: `${t.name}: external (registry)`, status: "ok", detail: url });
+      if (t.dir) {
+        checks.push(
+          existsSync7(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
+            name: `${t.name}: dir present`,
+            status: "warn",
+            detail: `declared dir "${t.dir}" missing \u2014 run \`git submodule update --init\``
+          }
+        );
+      }
     } else {
       checks.push(dirCheck(t.name, join4(root, t.dir ?? join4("tools", t.name))));
     }
@@ -2053,20 +2132,54 @@ function runDoctor(config, root) {
     status: needsKeepalive.length > 0 ? "ok" : "skip",
     detail: needsKeepalive.length > 0 ? needsKeepalive.map((t) => `${t.name} (${t.data === "supabase" ? "supabase" : "oci"})`).join(", ") : "no data:supabase / target:oci tools"
   });
-  for (const name of [
-    "DNS propagation",
-    "terraform drift",
-    "Vercel cap headroom",
-    "keepalive health (live)",
-    "OCI PAYG status",
-    "framework version drift"
-  ]) {
-    checks.push({ name, status: "skip", detail: "needs provider creds / packages (Phase 5/7/8)" });
+  checks.push(versionDriftCheck(root));
+  checks.push(submoduleDriftCheck(root));
+  return checks;
+}
+var errMsg = (e) => e instanceof Error ? e.message : String(e);
+async function livenessCheck(name, url) {
+  try {
+    const res = await fetch(url, { redirect: "manual", signal: AbortSignal.timeout(1e4) });
+    return res.status >= 500 ? { name: `${name}: live`, status: "warn", detail: `${url} \u2192 ${res.status} (degraded)` } : { name: `${name}: live`, status: "ok", detail: `${url} \u2192 ${res.status}` };
+  } catch (e) {
+    return { name: `${name}: live`, status: "fail", detail: `${url} unreachable: ${errMsg(e)}` };
+  }
+}
+async function dnsCheck(name, url) {
+  const host = new URL(url).hostname;
+  try {
+    await lookup(host);
+    return { name: `${name}: DNS`, status: "ok", detail: host };
+  } catch {
+    return { name: `${name}: DNS`, status: "fail", detail: `${host} does not resolve` };
+  }
+}
+async function runDoctorLive(config) {
+  const targets = [];
+  if (config.blog) targets.push({ name: "blog", url: `https://${config.domain}` });
+  for (const t of config.tools) {
+    if (!t.envs?.includes("prod")) continue;
+    targets.push({
+      name: t.name,
+      url: resolveUrl({ domain: config.domain, name: t.name, env: "prod", mcp: t.lane === "mcp" })
+    });
+  }
+  const checks = [];
+  for (const tg of targets) {
+    checks.push(await dnsCheck(tg.name, tg.url));
+    checks.push(await livenessCheck(tg.name, tg.url));
+  }
+  for (const name of ["terraform drift", "Vercel cap headroom", "OCI PAYG status"]) {
+    checks.push({
+      name,
+      status: "skip",
+      detail: "not yet implemented \u2014 needs the provider API + creds"
+    });
   }
   return checks;
 }
 var ICON = { ok: "\u2714", warn: "!", fail: "\u2718", skip: "\xB7" };
-async function doctorCommand() {
+async function doctorCommand(args = []) {
   let config;
   try {
     ({ config } = await loadManifest());
@@ -2075,13 +2188,19 @@ async function doctorCommand() {
     console.error(`\u2718 manifest: ${e instanceof Error ? e.message : String(e)}`);
     process.exit(1);
   }
+  const live = args.includes("--live");
   const checks = runDoctor(config, process.cwd());
+  if (live) {
+    console.log("  (probing live prod URLs\u2026)");
+    checks.push(...await runDoctorLive(config));
+  }
   for (const c of checks) {
     console.log(`  ${ICON[c.status]} ${c.name}${c.detail ? ` \u2014 ${c.detail}` : ""}`);
   }
   const failed = checks.filter((c) => c.status === "fail").length;
   console.log(`
 ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
+  if (!live) console.log("\xB7 run `greenlight doctor --live` for DNS + reachability probes");
   process.exit(failed === 0 ? 0 : 1);
 }
 
@@ -2091,7 +2210,7 @@ import { resolve as resolve8 } from "path";
 import { createInterface as createInterface3 } from "readline/promises";
 
 // src/tokens.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
 import { resolve as resolve7 } from "path";
 import { createInterface as createInterface2 } from "readline/promises";
 var SECRETS_DIR = ".greenlight";
@@ -2100,7 +2219,7 @@ function presentEnv(cwd) {
   const out = {};
   const p = resolve7(cwd, SECRETS_DIR, SECRETS_FILE);
   if (existsSync8(p)) {
-    for (const { key, value } of parseSecretsEnv(readFileSync5(p, "utf8"))) out[key] = value;
+    for (const { key, value } of parseSecretsEnv(readFileSync6(p, "utf8"))) out[key] = value;
   }
   for (const [k, v] of Object.entries(process.env)) {
     if (v !== void 0 && !(k in out)) out[k] = v;
@@ -2111,7 +2230,7 @@ function upsertSecret(cwd, key, value) {
   const dir = resolve7(cwd, SECRETS_DIR);
   mkdirSync4(dir, { recursive: true });
   const p = resolve7(dir, SECRETS_FILE);
-  const lines = existsSync8(p) ? readFileSync5(p, "utf8").split("\n") : [];
+  const lines = existsSync8(p) ? readFileSync6(p, "utf8").split("\n") : [];
   const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
   if (idx >= 0) lines[idx] = `${key}=${value}`;
   else {
@@ -2337,8 +2456,59 @@ Next:
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 
+// src/commands/migrations.ts
+import { readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
+import { join as join5 } from "path";
+var DEFAULT_DIR = "supabase/migrations";
+async function migrationsCommand(args) {
+  if (args[0] !== "scan") {
+    console.log(
+      `usage: greenlight migrations scan [<dir>] [--strict]
+  scan SQL migrations for data-destroying / lock-heavy statements (the pre-apply gate).
+  default dir: ${DEFAULT_DIR}. Acknowledge an intentional op with \`-- greenlight:allow\`.`
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const dir = args.slice(1).find((a) => !a.startsWith("-")) ?? DEFAULT_DIR;
+  const strict = args.includes("--strict");
+  let names;
+  try {
+    names = readdirSync3(dir).filter((f) => f.endsWith(".sql")).sort();
+  } catch {
+    console.log(`\xB7 no migrations dir at ${dir} \u2014 nothing to scan`);
+    process.exit(0);
+  }
+  if (names.length === 0) {
+    console.log(`\xB7 no .sql files in ${dir} \u2014 nothing to scan`);
+    process.exit(0);
+  }
+  const files = names.map((f) => ({
+    path: join5(dir, f),
+    content: readFileSync7(join5(dir, f), "utf8")
+  }));
+  const findings = scanSqlFiles(files);
+  if (findings.length === 0) {
+    console.log(`\u2714 migrations scan: ${names.length} file(s) clean (${dir})`);
+    process.exit(0);
+  }
+  for (const f of findings) {
+    console.log(
+      `  ${f.severity === "danger" ? "\u2718" : "!"} ${f.file}:${f.line} [${f.rule}] ${f.detail}
+      ${f.snippet}`
+    );
+  }
+  const dangers = findings.filter((f) => f.severity === "danger");
+  const blocking = strict ? findings : dangers;
+  const verdict = blocking.length === 0 ? "\u2714 no blocking findings" : `\u2718 ${blocking.length} blocking finding(s)`;
+  console.log(
+    `
+${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn). Acknowledge an intentional op with \`-- greenlight:allow\`.`
+  );
+  process.exit(blocking.length === 0 ? 0 : 1);
+}
+
 // src/commands/preview.ts
-import { execFileSync as execFileSync4, spawn } from "child_process";
+import { execFileSync as execFileSync5, spawn } from "child_process";
 import { resolve as resolve10 } from "path";
 import { setTimeout as sleep } from "timers/promises";
 
@@ -2377,6 +2547,15 @@ ${report.logs}
   }
 }
 var LOG_TAIL_LINES = 50;
+function redactSecrets(text, env = process.env) {
+  let out = text;
+  for (const [k, v] of Object.entries(env)) {
+    if (!v || v.length < 6) continue;
+    if (!/TOKEN|KEY|SECRET|PASSWORD|PWD/i.test(k)) continue;
+    out = out.split(v).join("***");
+  }
+  return out;
+}
 function attachFailureLogs(reports, specs, toolDir) {
   reports.forEach((report, i) => {
     if (report.pass) return;
@@ -2395,7 +2574,7 @@ function attachFailureLogs(reports, specs, toolDir) {
         // Let the command target the exact failing URL without hard-coding it.
         env: { ...process.env, GREENLIGHT_VERIFY_URL: report.url }
       });
-      const out = `${res.stdout ?? ""}${res.stderr ?? ""}`.trimEnd();
+      const out = redactSecrets(`${res.stdout ?? ""}${res.stderr ?? ""}`.trimEnd());
       const tail = out.split("\n").slice(-LOG_TAIL_LINES).join("\n");
       report.logs = tail || `(logsOnFailure produced no output${res.error ? `: ${res.error.message}` : ""})`;
     } catch (e) {
@@ -2528,7 +2707,7 @@ async function previewViaDescriptor(entry, name, portOverride) {
   } finally {
     if (pv.teardown) {
       try {
-        execFileSync4(pv.teardown, { cwd: toolDir, shell: true, stdio: "inherit" });
+        execFileSync5(pv.teardown, { cwd: toolDir, shell: true, stdio: "inherit" });
       } catch {
       }
     }
@@ -2545,7 +2724,7 @@ async function previewViaBuiltIn(entry, name, portOverride) {
   const plan = servePlan(entry.lane, portOverride);
   if (plan.build) {
     console.log(`build ${name} (${entry.dir})`);
-    execFileSync4("pnpm", ["-C", entry.dir, "run", "build"], { stdio: "inherit" });
+    execFileSync5("pnpm", ["-C", entry.dir, "run", "build"], { stdio: "inherit" });
   }
   console.log(`serve ${name} on :${plan.port}`);
   const runArgs = ["-C", entry.dir, "run", plan.script];
@@ -2600,12 +2779,12 @@ async function previewCommand(args) {
 }
 
 // ../packages/loop/src/promote.ts
-import { execFileSync as execFileSync5 } from "child_process";
+import { execFileSync as execFileSync6 } from "child_process";
 function git(repoDir, args) {
-  execFileSync5("git", args, { cwd: repoDir, stdio: "ignore" });
+  execFileSync6("git", args, { cwd: repoDir, stdio: "ignore" });
 }
 function gitOut(repoDir, args) {
-  return execFileSync5("git", args, { cwd: repoDir, encoding: "utf8" }).trim();
+  return execFileSync6("git", args, { cwd: repoDir, encoding: "utf8" }).trim();
 }
 function tryRev(repoDir, ref) {
   try {
@@ -2615,9 +2794,16 @@ function tryRev(repoDir, ref) {
   }
 }
 function fetchRefs(repoDir, branches) {
+  try {
+    git(repoDir, ["remote", "get-url", "origin"]);
+  } catch {
+    return { ok: false, hasOrigin: false };
+  }
   try {
     git(repoDir, ["fetch", "--no-tags", "origin", ...branches]);
+    return { ok: true, hasOrigin: true };
   } catch {
+    return { ok: false, hasOrigin: true };
   }
 }
 function resolveRef(repoDir, branch) {
@@ -2644,13 +2830,23 @@ function staleLocalWarnings(repoDir, branches) {
   return warnings;
 }
 function canPromote(repoDir, from = "develop", to = "main") {
-  fetchRefs(repoDir, [from, to]);
+  const warnings = [];
+  const fetched = fetchRefs(repoDir, [from, to]);
+  if (fetched.hasOrigin && !fetched.ok) {
+    warnings.push(
+      "could not `git fetch origin` \u2014 eligibility may be based on stale remote-tracking refs (offline / auth?). Re-run after a successful fetch."
+    );
+  }
   const fromRef = resolveRef(repoDir, from);
   const toRef = resolveRef(repoDir, to);
   if (!fromRef || !toRef) {
-    return { canPromote: false, reason: `branch "${from}" or "${to}" not found in ${repoDir}` };
+    return {
+      canPromote: false,
+      reason: `branch "${from}" or "${to}" not found in ${repoDir}`,
+      warnings: warnings.length ? warnings : void 0
+    };
   }
-  const warnings = staleLocalWarnings(repoDir, [from, to]);
+  warnings.push(...staleLocalWarnings(repoDir, [from, to]));
   try {
     git(repoDir, ["merge-base", "--is-ancestor", toRef, fromRef]);
     return { canPromote: true, reason: `"${to}" can fast-forward to "${from}"`, warnings };
@@ -2716,10 +2912,10 @@ async function promoteCommand(args) {
 }
 
 // src/commands/status.ts
-import { execFileSync as execFileSync6 } from "child_process";
+import { execFileSync as execFileSync7 } from "child_process";
 function repoSlug(dir) {
   try {
-    const url = execFileSync6("git", ["-C", dir, "remote", "get-url", "origin"], {
+    const url = execFileSync7("git", ["-C", dir, "remote", "get-url", "origin"], {
       encoding: "utf8"
     }).trim();
     const m = url.match(/[:/]([^/]+\/[^/]+?)(?:\.git)?$/);
@@ -2752,7 +2948,7 @@ function workflowsFor(entry, name, wrapper, toolRepo) {
 }
 function lastRun(repo, workflow) {
   try {
-    const out = execFileSync6(
+    const out = execFileSync7(
       "gh",
       [
         "run",
@@ -2808,9 +3004,10 @@ var HELP = `greenlight <command>
   status <name>                                 last ship/deploy/verify run for a tool (via gh)
   secrets gather <name> [--repo o/r] [--env e]  guided, link-first token prompts -> GitHub secrets (no disk/logs)
   secrets sync [--repo o/r] [--env <env>]       push .greenlight/secrets.env -> GitHub Actions secrets
-  agent sync                                    write the loop skill + CLAUDE.md block into this repo
+  agent sync [<name>]                           write the loop kit (named \u2192 tool-aware, into its dir)
   adopt <name> --repo <path> --lane --target    onboard an existing tool repo as a thin consumer
-  doctor                                        manifest + repo consistency checks
+  migrations scan [<dir>] [--strict]            dangerous-SQL gate for migrations (pre-apply)
+  doctor [--live]                               consistency checks (--live: DNS + reachability probes)
   help                                          show this message
 
 Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see docs/archive/greenlight-v1.md \xA716.`;
@@ -2845,8 +3042,10 @@ async function main() {
       return agentCommand(args);
     case "adopt":
       return adoptCommand(args);
+    case "migrations":
+      return migrationsCommand(args);
     case "doctor":
-      return doctorCommand();
+      return doctorCommand(args);
     default:
       throw new Error(`Unknown command "${cmd}".
 

package/dist/{chunk-GO2RVNOP.js → chunk-2A7ZBBYN.js}

@@ -131,15 +131,119 @@ function resolveUrl({ domain, name, env, mcp }) {
   return `https://${host}${mcp ? "/mcp" : ""}`;
 }
 
+// ../packages/shared/src/sql-scan.ts
+var RULES = [
+  {
+    name: "drop-table",
+    severity: "danger",
+    detail: "DROP TABLE destroys a table and its data",
+    test: /\bDROP\s+TABLE\b/i
+  },
+  {
+    name: "drop-column",
+    severity: "danger",
+    detail: "DROP COLUMN destroys a column and its data",
+    test: /\bDROP\s+COLUMN\b/i
+  },
+  {
+    name: "drop-schema",
+    severity: "danger",
+    detail: "DROP SCHEMA destroys a schema",
+    test: /\bDROP\s+SCHEMA\b/i
+  },
+  {
+    name: "drop-database",
+    severity: "danger",
+    detail: "DROP DATABASE destroys a database",
+    test: /\bDROP\s+DATABASE\b/i
+  },
+  {
+    name: "truncate",
+    severity: "danger",
+    detail: "TRUNCATE empties a table irreversibly",
+    test: /\bTRUNCATE\b/i
+  },
+  {
+    name: "delete-without-where",
+    severity: "danger",
+    detail: "DELETE without WHERE removes every row",
+    test: /\bDELETE\s+FROM\b(?![\s\S]*\bWHERE\b)/i
+  },
+  {
+    name: "update-without-where",
+    severity: "danger",
+    detail: "UPDATE \u2026 SET without WHERE rewrites every row",
+    test: /\bUPDATE\s+[^\s;]+\s+SET\b(?![\s\S]*\bWHERE\b)/i
+  },
+  {
+    name: "non-concurrent-index",
+    severity: "warn",
+    detail: "CREATE INDEX without CONCURRENTLY locks writes (fine on a new/empty table)",
+    test: /\bCREATE\s+(?:UNIQUE\s+)?INDEX\b(?![\s\S]*\bCONCURRENTLY\b)/i
+  },
+  {
+    name: "alter-column-type",
+    severity: "warn",
+    detail: "ALTER COLUMN \u2026 TYPE can rewrite + lock the table",
+    test: /\bALTER\s+COLUMN\b[\s\S]*?\bTYPE\b/i
+  }
+];
+var ALLOW = /greenlight:\s*allow/i;
+function scanSql(content, file = "<sql>") {
+  const allowLines = /* @__PURE__ */ new Set();
+  content.split("\n").forEach((ln, i) => {
+    if (ALLOW.test(ln)) allowLines.add(i + 1);
+  });
+  const stripped = content.replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " ")).replace(/--[^\n]*/g, (m) => " ".repeat(m.length));
+  const findings = [];
+  let pos = 0;
+  for (const stmt of stripped.split(";")) {
+    const lead = stmt.length - stmt.trimStart().length;
+    const startLine = content.slice(0, pos + lead).split("\n").length;
+    const endLine = content.slice(0, pos + stmt.length).split("\n").length;
+    pos += stmt.length + 1;
+    if (!stmt.trim()) continue;
+    let allowed = false;
+    for (let l = startLine; l <= endLine; l++) {
+      if (allowLines.has(l)) {
+        allowed = true;
+        break;
+      }
+    }
+    if (allowed) continue;
+    for (const rule of RULES) {
+      if (rule.test.test(stmt)) {
+        findings.push({
+          file,
+          line: startLine,
+          rule: rule.name,
+          severity: rule.severity,
+          detail: rule.detail,
+          snippet: stmt.replace(/\s+/g, " ").trim().slice(0, 100)
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanSqlFiles(files) {
+  return files.flatMap((f) => scanSql(f.content, f.path));
+}
+
 // ../packages/verify/src/index.ts
 import { setTimeout as sleep } from "timers/promises";
 
 // ../packages/verify/src/api.ts
 var trimSlash = (s) => s.replace(/\/+$/, "");
-async function checkRoute(base, c) {
+var DEFAULT_TIMEOUT_MS = 1e4;
+var DEFAULT_MAX_LINKS = 50;
+function timedFetch(url, timeoutMs, init) {
+  return fetch(url, { redirect: "manual", ...init, signal: AbortSignal.timeout(timeoutMs) });
+}
+async function checkRoute(base, c, timeoutMs) {
   const name = `GET ${c.path}`;
   try {
-    const res = await fetch(base + c.path, { redirect: "manual", headers: c.requestHeaders });
+    const res = await timedFetch(base + c.path, timeoutMs, { headers: c.requestHeaders });
     const reasons = [];
     if (c.status !== void 0 && res.status !== c.status) {
       reasons.push(`status ${res.status} != ${c.status}`);
@@ -160,10 +264,10 @@ async function checkRoute(base, c) {
     return { name, pass: false, detail: msg(e) };
   }
 }
-async function checkXml(base, candidates, label, marker) {
+async function checkXml(base, candidates, label, marker, timeoutMs) {
   for (const path of candidates) {
     try {
-      const res = await fetch(base + path, { redirect: "manual" });
+      const res = await timedFetch(base + path, timeoutMs);
       if (res.status === 200) {
         const body = await res.text();
         const ok = marker.test(body);
@@ -178,65 +282,97 @@ async function checkXml(base, candidates, label, marker) {
   }
   return { name: label, pass: false, detail: `none of ${candidates.join(", ")} returned 200` };
 }
-async function checkInternalLinks(base, max = 25) {
+async function checkInternalLinks(base, timeoutMs, max = DEFAULT_MAX_LINKS) {
   try {
-    const res = await fetch(`${base}/`, { redirect: "manual" });
+    const res = await timedFetch(`${base}/`, timeoutMs);
     const html = await res.text();
     const hrefs = /* @__PURE__ */ new Set();
+    let capped = false;
     for (const m of html.matchAll(/href="(\/[^"#?]*)"/g)) {
       const href = m[1];
       if (href && !href.startsWith("//")) hrefs.add(href);
-      if (hrefs.size >= max) break;
+      if (hrefs.size >= max) {
+        capped = true;
+        break;
+      }
+    }
+    if (hrefs.size === 0) {
+      return {
+        name: "no broken internal links",
+        pass: false,
+        detail: `no internal links found on ${base}/ (status ${res.status}) \u2014 page empty or unparseable`
+      };
     }
     const broken = [];
     for (const href of hrefs) {
       try {
-        const r = await fetch(base + href, { redirect: "manual" });
+        const r = await timedFetch(base + href, timeoutMs);
         if (r.status >= 400) broken.push(`${href} (${r.status})`);
       } catch {
         broken.push(`${href} (unreachable)`);
       }
     }
+    const capNote = capped ? `; capped at first ${max} \u2014 raise maxLinks to check more` : "";
     return {
-      name: `no broken internal links (${hrefs.size} checked)`,
+      name: `no broken internal links (${hrefs.size} checked${capped ? `, capped at ${max}` : ""})`,
       pass: broken.length === 0,
-      detail: broken.length ? `broken: ${broken.join(", ")}` : void 0
+      detail: broken.length ? `broken: ${broken.join(", ")}${capNote}` : capNote || void 0
     };
   } catch (e) {
     return { name: "no broken internal links", pass: false, detail: msg(e) };
   }
 }
-async function runChecks(base, spec) {
-  const checks = [];
-  for (const c of spec.checks ?? []) checks.push(await checkRoute(base, c));
+function buildTasks(base, spec) {
+  const timeoutMs = spec.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const tasks = [];
+  for (const c of spec.checks ?? []) tasks.push(() => checkRoute(base, c, timeoutMs));
   if (spec.rssValid) {
-    checks.push(
-      await checkXml(base, ["/rss.xml", "/feed.xml", "/index.xml"], "rss", /<(rss|feed)[\s>]/i)
+    tasks.push(
+      () => checkXml(
+        base,
+        ["/rss.xml", "/feed.xml", "/index.xml"],
+        "rss",
+        /<(rss|feed)[\s>]/i,
+        timeoutMs
+      )
     );
   }
   if (spec.sitemapValid) {
-    checks.push(
-      await checkXml(
+    tasks.push(
+      () => checkXml(
         base,
         ["/sitemap.xml", "/sitemap-index.xml"],
         "sitemap",
-        /<(urlset|sitemapindex)[\s>]/i
+        /<(urlset|sitemapindex)[\s>]/i,
+        timeoutMs
       )
     );
   }
-  if (spec.noBrokenInternalLinks) checks.push(await checkInternalLinks(base));
-  return checks;
+  if (spec.noBrokenInternalLinks) {
+    tasks.push(() => checkInternalLinks(base, timeoutMs, spec.maxLinks));
+  }
+  return tasks;
 }
 async function verifyApi(baseUrl, spec) {
   const base = trimSlash(baseUrl);
   const retries = Math.max(0, spec.settleRetries ?? 0);
   const delayMs = spec.settleMs ?? 5e3;
-  let checks = await runChecks(base, spec);
-  for (let i = 0; i < retries && !checks.every((c) => c.pass); i++) {
+  const state = await Promise.all(
+    buildTasks(base, spec).map(async (task) => ({ task, check: await task() }))
+  );
+  for (let i = 0; i < retries && !state.every((s) => s.check.pass); i++) {
     if (delayMs > 0) await new Promise((resolve) => setTimeout(resolve, delayMs));
-    checks = await runChecks(base, spec);
+    await Promise.all(
+      state.filter((s) => !s.check.pass).map(async (s) => {
+        s.check = await s.task();
+      })
+    );
   }
-  return report("api", baseUrl, checks);
+  return report(
+    "api",
+    baseUrl,
+    state.map((s) => s.check)
+  );
 }
 
 // ../packages/verify/src/index.ts
@@ -274,11 +410,11 @@ async function verify(baseUrl, spec, opts) {
       return verifyTest2(spec, opts?.toolDir ?? process.cwd());
     }
     case "agent-web": {
-      const { verifyAgentWeb: verifyAgentWeb2 } = await import("./agent-web-I4LXW4SR.js");
+      const { verifyAgentWeb: verifyAgentWeb2 } = await import("./agent-web-3FTO2TLJ.js");
       return verifyAgentWeb2(baseUrl, spec);
     }
     case "eval": {
-      const { verifyEval: verifyEval2 } = await import("./eval-LLQPOEQX.js");
+      const { verifyEval: verifyEval2 } = await import("./eval-44S2BATV.js");
       return verifyEval2(baseUrl, spec);
     }
   }
@@ -302,6 +438,7 @@ export {
   defineConfig,
   loadConfig,
   resolveUrl,
+  scanSqlFiles,
   defineVerify,
   verifyAll,
   allPass

package/dist/{chunk-UXHHLEYO.js → chunk-KVOI4UL2.js}

@@ -195,7 +195,11 @@ async function verifyAgentWeb(baseUrl, spec) {
       { name: "@anthropic-ai/sdk available", pass: false, detail: "pnpm add @anthropic-ai/sdk" }
     ]);
   }
-  const client = new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });
+  const client = new Anthropic({
+    apiKey: process.env.ANTHROPIC_API_KEY,
+    timeout: 6e4,
+    maxRetries: 1
+  });
   let browser;
   try {
     browser = await chromium.launch({ headless: !spec.headed });

package/dist/{chunk-6N7MD6FR.js → chunk-XWTOJHLV.js}

@@ -19,7 +19,11 @@ function llmJudge(model) {
     if (!process.env.ANTHROPIC_API_KEY) throw new Error("ANTHROPIC_API_KEY not set");
     const sdkName = "@anthropic-ai/sdk";
     const Anthropic = (await import(sdkName)).default;
-    const client = new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });
+    const client = new Anthropic({
+      apiKey: process.env.ANTHROPIC_API_KEY,
+      timeout: 6e4,
+      maxRetries: 1
+    });
     const resp = await client.messages.create({
       model,
       max_tokens: 512,

package/dist/{eval-LLQPOEQX.js → eval-44S2BATV.js}

@@ -1,7 +1,7 @@
 import {
   llmJudge,
   verifyEval
-} from "./chunk-6N7MD6FR.js";
+} from "./chunk-XWTOJHLV.js";
 import "./chunk-QFKE5JKC.js";
 export {
   llmJudge,

package/dist/index.js

@@ -2,12 +2,12 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-GO2RVNOP.js";
+} from "./chunk-2A7ZBBYN.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
-import "./chunk-UXHHLEYO.js";
-import "./chunk-6N7MD6FR.js";
+import "./chunk-KVOI4UL2.js";
+import "./chunk-XWTOJHLV.js";
 import "./chunk-QFKE5JKC.js";
 export {
   defineConfig,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.22",
+  "version": "0.2.24",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.2.22",
-    "@rtrentjones/greenlight-verify": "0.2.22",
-    "@rtrentjones/greenlight-loop": "0.2.22",
-    "@rtrentjones/greenlight-shared": "0.2.22"
+    "@rtrentjones/greenlight-adapters": "0.2.24",
+    "@rtrentjones/greenlight-loop": "0.2.24",
+    "@rtrentjones/greenlight-verify": "0.2.24",
+    "@rtrentjones/greenlight-shared": "0.2.24"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",