@rtrentjones/greenlight 0.2.23 → 0.2.25

package/assets/skills/provider-neon/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: provider-neon
+description: How Neon works in a Greenlight setup — the `data: neon` store (serverless Postgres), git-style branch-per-env, scale-to-zero + auto-resume (so NO keepalive, unlike Supabase), pooled vs direct connection strings, the NEON_API_KEY, and migrations on a branch. Use when wiring a tool's database, choosing Neon vs Supabase, or a Neon apply.
+---
+
+# provider-neon
+
+`data: neon` is the **default Postgres** — for tools that need a SQL database and nothing else
+bundled. One Neon **project** per tool, **a branch per env** (git-style copy-on-write): `prod` is
+the project's default branch; `beta` is a child branch (separate data, instant to create). Compute
+**autosuspends and auto-resumes on the next connection**, so a Neon tool needs **no keepalive** —
+that's the whole reason Neon is preferred over Supabase, which pauses for 7 days and needs a manual
+unpause. Choose `supabase` only when you need bundled auth + storage + realtime together.
+
+## Token — `NEON_API_KEY`
+
+Console → Account settings → API keys. Account-level (configures the `neon` provider for every Neon
+tool, like `CLOUDFLARE_API_TOKEN`) — **not** per-tool. `greenlight add` verifies it against
+`/api/v2/projects` (HTTP 200). There is **no per-tool secret**: the role/password/connection strings
+are module OUTPUTS, not inputs.
+
+## Terraform module — `infra/modules/neon`
+
+Creates the project (default branch = prod) + a `neon_branch` per non-prod env (except `preview`,
+which is ephemeral/per-PR — created by CI, not Terraform). Outputs two per-env maps:
+- **`database_url[env]`** — the **pooled** (pgbouncer) string → `DATABASE_URL` for the serverless app.
+- **`direct_url[env]`** — the **direct** string → `DIRECT_URL` for migrations.
+
+The emitted `<name>.tf` wires `database_url["prod"]`/`["beta"]` into the Vercel env per target, so
+prod and beta hit **different branches**. Pin the provider `kislerdm/neon ~> 0.13`.
+
+## No keepalive
+
+Do **not** add a Neon tool to `module.keepalive.targets_json`. Neon resumes on connect — a request
+just wakes it. (`doctor` does not flag `data: neon` for keepalive; that exemption is intentional.)
+
+## Migrations
+
+Run migrations against the env's **branch** (`DIRECT_URL`). A PR's ephemeral branch is the safe place
+to test a migration before it touches prod. Gate them with `greenlight migrations scan` (the
+dangerous-SQL pre-apply check) in the tool's CI.
+
+## MCP
+
+`.mcp.json` wires `neon` (hosted) with `Authorization: Bearer ${NEON_API_KEY}`. Run `/mcp` to auth.
+
+## Rule
+The **blog must never use a database** that can pause — but Neon's auto-resume makes it safe for
+*tools*; still, the apex blog stays `data: none` (D1/KV/external only). Neon is per-tool Postgres.

package/dist/bin.js

@@ -4,8 +4,9 @@ import {
   allPass,
   loadConfig,
   resolveUrl,
+  scanSqlFiles,
   verifyAll
-} from "./chunk-TFWXR7PP.js";
+} from "./chunk-GPPUZ6Z5.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -316,6 +317,37 @@ var PACKS = [
     skill: "provider-supabase",
     tfModules: ["supabase"]
   },
+  {
+    id: "neon",
+    name: "Neon",
+    appliesTo: (t) => t.data === "neon",
+    guide: "docs/provider-tokens.md \u2014 NEON_API_KEY (project + branch management)",
+    setupUrl: "https://console.neon.tech/app/settings/api-keys",
+    tokens: [
+      {
+        // Shared account credential (configures the neon TF provider, like CLOUDFLARE_API_TOKEN) —
+        // NOT per-tool. The role password + connection string are module OUTPUTS, not inputs, so
+        // (unlike Supabase) there is no per-tool password variable to gather.
+        envVar: "NEON_API_KEY",
+        label: "Neon API key (project + branch management)",
+        verify: async (t) => {
+          const r = await fetch("https://console.neon.tech/api/v2/projects", {
+            headers: { Authorization: `Bearer ${t}` }
+          });
+          return { ok: okStatus(r), detail: `HTTP ${r.status}` };
+        }
+      }
+    ],
+    mcp: {
+      neon: {
+        type: "http",
+        url: "https://mcp.neon.tech/mcp",
+        headers: { Authorization: "Bearer ${NEON_API_KEY}" }
+      }
+    },
+    skill: "provider-neon",
+    tfModules: ["neon"]
+  },
   {
     id: "hcp",
     name: "HCP Terraform (remote state)",
@@ -443,7 +475,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.23";
+var MODULE_REF = "v0.2.25";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -456,6 +488,7 @@ function emitToolTf(opts) {
   const port = opts.port ?? 8e3;
   const slug = opts.slug ?? `OWNER/${name}`;
   const useSupabase = data === "supabase";
+  const useNeon = data === "neon";
   const useVercel = target === "vercel";
   const useOci = target === "oci";
   const supabaseOverride = opts.tokenOverrides?.SUPABASE_ACCESS_TOKEN;
@@ -466,9 +499,9 @@ function emitToolTf(opts) {
   if (useSupabase) assumes.push("var.supabase_organization_id");
   const ghcrOwner = (slug.split("/")[0] ?? "owner").toLowerCase();
   blocks.push(
-    `# ${name} \u2014 ${lane}/${target}${useSupabase ? "/supabase" : ""}, emitted by \`greenlight add\`.
+    `# ${name} \u2014 ${lane}/${target}${data && data !== "none" ? `/${data}` : ""}, emitted by \`greenlight add\`.
 # Review, then commit + push: the wrapper's infra.yml (HCP-backed) runs \`terraform apply\`.
-# Assumes infra/main.tf declares: ${[useVercel && "vercel", useSupabase && "supabase", useOci && "oci"].filter(Boolean).join(" + ") || "cloudflare + github"} provider(s)
+# Assumes infra/main.tf declares: ${[useVercel && "vercel", useSupabase && "supabase", useNeon && "neon", useOci && "oci"].filter(Boolean).join(" + ") || "cloudflare + github"} provider(s)
 # and the variables ${assumes.join(", ")}.${opts.external ? `
 # External tool: app code + deploy live in ${slug}; this manages only its infra here.` : ""}`
   );
@@ -508,6 +541,19 @@ variable "${name}_supabase_database_password" {
   sensitive = true
   default   = "import-placeholder" # ignored when importing an existing project
 }${overrideBlock}`);
+  }
+  if (useNeon) {
+    blocks.push(`# One Neon project, a branch per env (prod = the project's default branch; beta = a child
+# branch \u2014 copy-on-write, instant). Compute scales to zero and auto-resumes on the next connection,
+# so a Neon tool needs NO keepalive (the reason Neon is the default Postgres). NEON_API_KEY configures
+# the provider in main.tf; the connection strings are module OUTPUTS \u2014 no per-tool secret to gather.
+module "${name}_neon" {
+  source = "${moduleSource("neon", ref)}"
+
+  name   = "${name}"
+  region = "aws-us-east-1" # Neon region id, e.g. aws-us-east-1 / aws-us-west-2
+  envs   = [${envList}]
+}`);
   }
   if (useVercel) {
     const env = useSupabase ? `
@@ -530,6 +576,24 @@ variable "${name}_supabase_database_password" {
     supa_url_beta     = module.${name}_supabase.url
     supa_anon_beta    = module.${name}_supabase.anon_key
     supa_service_beta = module.${name}_supabase.service_role_key
+  }` : useNeon ? `
+  environment = {
+    site_url_prod  = { key = "SITE_URL", target = ["production"], sensitive = false }
+    site_url_beta  = { key = "SITE_URL", target = ["preview"], sensitive = false }
+    db_url_prod    = { key = "DATABASE_URL", target = ["production"], sensitive = true }
+    db_direct_prod = { key = "DIRECT_URL", target = ["production"], sensitive = true }
+    db_url_beta    = { key = "DATABASE_URL", target = ["preview"], sensitive = true }
+    db_direct_beta = { key = "DIRECT_URL", target = ["preview"], sensitive = true }
+  }
+  # Pooled (DATABASE_URL) for the serverless app; direct (DIRECT_URL) for migrations. Prod hits the
+  # project's default branch; beta hits the "beta" branch \u2014 separate data, instant copy-on-write.
+  environment_values = {
+    site_url_prod  = "https://${name}.${domain}"
+    site_url_beta  = "https://beta.${name}.${domain}"
+    db_url_prod    = module.${name}_neon.database_url["prod"]
+    db_direct_prod = module.${name}_neon.direct_url["prod"]
+    db_url_beta    = module.${name}_neon.database_url["beta"]
+    db_direct_beta = module.${name}_neon.direct_url["beta"]
   }` : `
   # No managed data store \u2014 add environment/environment_values if the app needs vars.
   environment        = {}
@@ -639,10 +703,13 @@ function emitWrapperMainTf(opts) {
     req.push('    vercel     = { source = "vercel/vercel", version = "~> 3.0" }');
   if (need.has("supabase"))
     req.push('    supabase   = { source = "supabase/supabase", version = "~> 1.0" }');
+  if (need.has("neon"))
+    req.push('    neon       = { source = "kislerdm/neon", version = "~> 0.13" }');
   if (need.has("oci")) req.push('    oci        = { source = "oracle/oci", version = ">= 5.0" }');
   const providerBlocks = ['provider "cloudflare" {}', `provider "github" { owner = "${owner}" }`];
   if (need.has("vercel")) providerBlocks.push('provider "vercel" {}');
   if (need.has("supabase")) providerBlocks.push('provider "supabase" {}');
+  if (need.has("neon")) providerBlocks.push('provider "neon" { api_key = var.neon_api_key }');
   if (need.has("oci")) {
     providerBlocks.push(`provider "oci" {
   # trimspace guards against a trailing newline/space in a pasted secret (a malformed region
@@ -659,6 +726,9 @@ function emitWrapperMainTf(opts) {
   if (need.has("supabase")) {
     vars.push('variable "supabase_organization_id" { type = string }');
   }
+  if (need.has("neon")) {
+    vars.push('variable "neon_api_key" {\n  type      = string\n  sensitive = true\n}');
+  }
   if (need.has("oci")) {
     vars.push('variable "oci_tenancy_ocid" { type = string }');
     vars.push('variable "oci_user_ocid" { type = string }');
@@ -702,6 +772,7 @@ function providersForTool(tool) {
   const out = ["cloudflare", "github"];
   if (ids.has("vercel")) out.push("vercel");
   if (ids.has("supabase")) out.push("supabase");
+  if (ids.has("neon")) out.push("neon");
   if (ids.has("oci")) out.push("oci");
   return out;
 }
@@ -777,10 +848,22 @@ ${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
 async function agentCommand(args) {
   if (args[0] !== "sync") {
     console.log(
-      "usage: greenlight agent sync   # write the loop skill + .mcp.json + CLAUDE.md block"
+      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
     );
     process.exit(args[0] ? 1 : 0);
   }
+  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+  if (name) {
+    const { config } = await loadManifest();
+    const entry = resolveEntry(config, name);
+    const dir = resolve3(process.cwd(), entry.dir ?? ".");
+    materializeAgentKit(dir, { target: entry.target, data: entry.data });
+    console.log(
+      `
+Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (target=${entry.target}, data=${entry.data}).`
+    );
+    return;
+  }
   materializeAgentKit(process.cwd());
   console.log(
     "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
@@ -1992,6 +2075,7 @@ async function deployCommand(args) {
 
 // src/commands/doctor.ts
 import { execFileSync as execFileSync4 } from "child_process";
+import { lookup } from "dns/promises";
 import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
 import { join as join4 } from "path";
 function dirCheck(label, dir) {
@@ -2120,19 +2204,52 @@ function runDoctor(config, root) {
   });
   checks.push(versionDriftCheck(root));
   checks.push(submoduleDriftCheck(root));
-  for (const name of [
-    "DNS propagation",
-    "terraform drift",
-    "Vercel cap headroom",
-    "keepalive health (live)",
-    "OCI PAYG status"
-  ]) {
-    checks.push({ name, status: "skip", detail: "needs provider creds / packages (Phase 5/7/8)" });
+  return checks;
+}
+var errMsg = (e) => e instanceof Error ? e.message : String(e);
+async function livenessCheck(name, url) {
+  try {
+    const res = await fetch(url, { redirect: "manual", signal: AbortSignal.timeout(1e4) });
+    return res.status >= 500 ? { name: `${name}: live`, status: "warn", detail: `${url} \u2192 ${res.status} (degraded)` } : { name: `${name}: live`, status: "ok", detail: `${url} \u2192 ${res.status}` };
+  } catch (e) {
+    return { name: `${name}: live`, status: "fail", detail: `${url} unreachable: ${errMsg(e)}` };
+  }
+}
+async function dnsCheck(name, url) {
+  const host = new URL(url).hostname;
+  try {
+    await lookup(host);
+    return { name: `${name}: DNS`, status: "ok", detail: host };
+  } catch {
+    return { name: `${name}: DNS`, status: "fail", detail: `${host} does not resolve` };
+  }
+}
+async function runDoctorLive(config) {
+  const targets = [];
+  if (config.blog) targets.push({ name: "blog", url: `https://${config.domain}` });
+  for (const t of config.tools) {
+    if (!t.envs?.includes("prod")) continue;
+    targets.push({
+      name: t.name,
+      url: resolveUrl({ domain: config.domain, name: t.name, env: "prod", mcp: t.lane === "mcp" })
+    });
+  }
+  const checks = [];
+  for (const tg of targets) {
+    checks.push(await dnsCheck(tg.name, tg.url));
+    checks.push(await livenessCheck(tg.name, tg.url));
+  }
+  for (const name of ["terraform drift", "Vercel cap headroom", "OCI PAYG status"]) {
+    checks.push({
+      name,
+      status: "skip",
+      detail: "not yet implemented \u2014 needs the provider API + creds"
+    });
   }
   return checks;
 }
 var ICON = { ok: "\u2714", warn: "!", fail: "\u2718", skip: "\xB7" };
-async function doctorCommand() {
+async function doctorCommand(args = []) {
   let config;
   try {
     ({ config } = await loadManifest());
@@ -2141,13 +2258,19 @@ async function doctorCommand() {
     console.error(`\u2718 manifest: ${e instanceof Error ? e.message : String(e)}`);
     process.exit(1);
   }
+  const live = args.includes("--live");
   const checks = runDoctor(config, process.cwd());
+  if (live) {
+    console.log("  (probing live prod URLs\u2026)");
+    checks.push(...await runDoctorLive(config));
+  }
   for (const c of checks) {
     console.log(`  ${ICON[c.status]} ${c.name}${c.detail ? ` \u2014 ${c.detail}` : ""}`);
   }
   const failed = checks.filter((c) => c.status === "fail").length;
   console.log(`
 ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
+  if (!live) console.log("\xB7 run `greenlight doctor --live` for DNS + reachability probes");
   process.exit(failed === 0 ? 0 : 1);
 }
 
@@ -2403,6 +2526,57 @@ Next:
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 
+// src/commands/migrations.ts
+import { readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
+import { join as join5 } from "path";
+var DEFAULT_DIR = "supabase/migrations";
+async function migrationsCommand(args) {
+  if (args[0] !== "scan") {
+    console.log(
+      `usage: greenlight migrations scan [<dir>] [--strict]
+  scan SQL migrations for data-destroying / lock-heavy statements (the pre-apply gate).
+  default dir: ${DEFAULT_DIR}. Acknowledge an intentional op with \`-- greenlight:allow\`.`
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const dir = args.slice(1).find((a) => !a.startsWith("-")) ?? DEFAULT_DIR;
+  const strict = args.includes("--strict");
+  let names;
+  try {
+    names = readdirSync3(dir).filter((f) => f.endsWith(".sql")).sort();
+  } catch {
+    console.log(`\xB7 no migrations dir at ${dir} \u2014 nothing to scan`);
+    process.exit(0);
+  }
+  if (names.length === 0) {
+    console.log(`\xB7 no .sql files in ${dir} \u2014 nothing to scan`);
+    process.exit(0);
+  }
+  const files = names.map((f) => ({
+    path: join5(dir, f),
+    content: readFileSync7(join5(dir, f), "utf8")
+  }));
+  const findings = scanSqlFiles(files);
+  if (findings.length === 0) {
+    console.log(`\u2714 migrations scan: ${names.length} file(s) clean (${dir})`);
+    process.exit(0);
+  }
+  for (const f of findings) {
+    console.log(
+      `  ${f.severity === "danger" ? "\u2718" : "!"} ${f.file}:${f.line} [${f.rule}] ${f.detail}
+      ${f.snippet}`
+    );
+  }
+  const dangers = findings.filter((f) => f.severity === "danger");
+  const blocking = strict ? findings : dangers;
+  const verdict = blocking.length === 0 ? "\u2714 no blocking findings" : `\u2718 ${blocking.length} blocking finding(s)`;
+  console.log(
+    `
+${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn). Acknowledge an intentional op with \`-- greenlight:allow\`.`
+  );
+  process.exit(blocking.length === 0 ? 0 : 1);
+}
+
 // src/commands/preview.ts
 import { execFileSync as execFileSync5, spawn } from "child_process";
 import { resolve as resolve10 } from "path";
@@ -2900,9 +3074,10 @@ var HELP = `greenlight <command>
   status <name>                                 last ship/deploy/verify run for a tool (via gh)
   secrets gather <name> [--repo o/r] [--env e]  guided, link-first token prompts -> GitHub secrets (no disk/logs)
   secrets sync [--repo o/r] [--env <env>]       push .greenlight/secrets.env -> GitHub Actions secrets
-  agent sync                                    write the loop skill + CLAUDE.md block into this repo
+  agent sync [<name>]                           write the loop kit (named \u2192 tool-aware, into its dir)
   adopt <name> --repo <path> --lane --target    onboard an existing tool repo as a thin consumer
-  doctor                                        manifest + repo consistency checks
+  migrations scan [<dir>] [--strict]            dangerous-SQL gate for migrations (pre-apply)
+  doctor [--live]                               consistency checks (--live: DNS + reachability probes)
   help                                          show this message
 
 Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see docs/archive/greenlight-v1.md \xA716.`;
@@ -2937,8 +3112,10 @@ async function main() {
       return agentCommand(args);
     case "adopt":
       return adoptCommand(args);
+    case "migrations":
+      return migrationsCommand(args);
     case "doctor":
-      return doctorCommand();
+      return doctorCommand(args);
     default:
       throw new Error(`Unknown command "${cmd}".
 

package/dist/{chunk-TFWXR7PP.js → chunk-GPPUZ6Z5.js}

@@ -15,13 +15,13 @@ import { createJiti } from "jiti";
 import { z } from "zod";
 var LaneEnum = z.enum(["astro", "next", "mcp"]);
 var TargetEnum = z.enum(["workers", "vercel", "oci"]);
-var DataEnum = z.enum(["none", "d1", "kv", "supabase"]);
+var DataEnum = z.enum(["none", "d1", "kv", "supabase", "neon"]);
 var AuthEnum = z.enum(["none", "bearer", "oauth"]);
 var AccessEnum = z.enum(["public", "private"]);
 var EnvEnum = z.enum(["preview", "beta", "prod"]);
 var MATRIX = {
   astro: { targets: ["workers"], data: ["none", "d1", "kv"] },
-  next: { targets: ["vercel"], data: ["none", "supabase"] },
+  next: { targets: ["vercel"], data: ["none", "supabase", "neon"] },
   mcp: { targets: ["workers", "oci"], data: ["none"] }
 };
 var ToolSchema = z.object({
@@ -131,6 +131,105 @@ function resolveUrl({ domain, name, env, mcp }) {
   return `https://${host}${mcp ? "/mcp" : ""}`;
 }
 
+// ../packages/shared/src/sql-scan.ts
+var RULES = [
+  {
+    name: "drop-table",
+    severity: "danger",
+    detail: "DROP TABLE destroys a table and its data",
+    test: /\bDROP\s+TABLE\b/i
+  },
+  {
+    name: "drop-column",
+    severity: "danger",
+    detail: "DROP COLUMN destroys a column and its data",
+    test: /\bDROP\s+COLUMN\b/i
+  },
+  {
+    name: "drop-schema",
+    severity: "danger",
+    detail: "DROP SCHEMA destroys a schema",
+    test: /\bDROP\s+SCHEMA\b/i
+  },
+  {
+    name: "drop-database",
+    severity: "danger",
+    detail: "DROP DATABASE destroys a database",
+    test: /\bDROP\s+DATABASE\b/i
+  },
+  {
+    name: "truncate",
+    severity: "danger",
+    detail: "TRUNCATE empties a table irreversibly",
+    test: /\bTRUNCATE\b/i
+  },
+  {
+    name: "delete-without-where",
+    severity: "danger",
+    detail: "DELETE without WHERE removes every row",
+    test: /\bDELETE\s+FROM\b(?![\s\S]*\bWHERE\b)/i
+  },
+  {
+    name: "update-without-where",
+    severity: "danger",
+    detail: "UPDATE \u2026 SET without WHERE rewrites every row",
+    test: /\bUPDATE\s+[^\s;]+\s+SET\b(?![\s\S]*\bWHERE\b)/i
+  },
+  {
+    name: "non-concurrent-index",
+    severity: "warn",
+    detail: "CREATE INDEX without CONCURRENTLY locks writes (fine on a new/empty table)",
+    test: /\bCREATE\s+(?:UNIQUE\s+)?INDEX\b(?![\s\S]*\bCONCURRENTLY\b)/i
+  },
+  {
+    name: "alter-column-type",
+    severity: "warn",
+    detail: "ALTER COLUMN \u2026 TYPE can rewrite + lock the table",
+    test: /\bALTER\s+COLUMN\b[\s\S]*?\bTYPE\b/i
+  }
+];
+var ALLOW = /greenlight:\s*allow/i;
+function scanSql(content, file = "<sql>") {
+  const allowLines = /* @__PURE__ */ new Set();
+  content.split("\n").forEach((ln, i) => {
+    if (ALLOW.test(ln)) allowLines.add(i + 1);
+  });
+  const stripped = content.replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " ")).replace(/--[^\n]*/g, (m) => " ".repeat(m.length));
+  const findings = [];
+  let pos = 0;
+  for (const stmt of stripped.split(";")) {
+    const lead = stmt.length - stmt.trimStart().length;
+    const startLine = content.slice(0, pos + lead).split("\n").length;
+    const endLine = content.slice(0, pos + stmt.length).split("\n").length;
+    pos += stmt.length + 1;
+    if (!stmt.trim()) continue;
+    let allowed = false;
+    for (let l = startLine; l <= endLine; l++) {
+      if (allowLines.has(l)) {
+        allowed = true;
+        break;
+      }
+    }
+    if (allowed) continue;
+    for (const rule of RULES) {
+      if (rule.test.test(stmt)) {
+        findings.push({
+          file,
+          line: startLine,
+          rule: rule.name,
+          severity: rule.severity,
+          detail: rule.detail,
+          snippet: stmt.replace(/\s+/g, " ").trim().slice(0, 100)
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanSqlFiles(files) {
+  return files.flatMap((f) => scanSql(f.content, f.path));
+}
+
 // ../packages/verify/src/index.ts
 import { setTimeout as sleep } from "timers/promises";
 
@@ -339,6 +438,7 @@ export {
   defineConfig,
   loadConfig,
   resolveUrl,
+  scanSqlFiles,
   defineVerify,
   verifyAll,
   allPass

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-TFWXR7PP.js";
+} from "./chunk-GPPUZ6Z5.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.23",
+  "version": "0.2.25",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-loop": "0.2.23",
-    "@rtrentjones/greenlight-shared": "0.2.23",
-    "@rtrentjones/greenlight-adapters": "0.2.23",
-    "@rtrentjones/greenlight-verify": "0.2.23"
+    "@rtrentjones/greenlight-adapters": "0.2.25",
+    "@rtrentjones/greenlight-shared": "0.2.25",
+    "@rtrentjones/greenlight-verify": "0.2.25",
+    "@rtrentjones/greenlight-loop": "0.2.25"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",