@rtrentjones/greenlight 0.2.25 → 0.2.27

package/assets/skills/provider-neon/SKILL.md

@@ -34,11 +34,27 @@ prod and beta hit **different branches**. Pin the provider `kislerdm/neon ~> 0.1
 Do **not** add a Neon tool to `module.keepalive.targets_json`. Neon resumes on connect — a request
 just wakes it. (`doctor` does not flag `data: neon` for keepalive; that exemption is intentional.)
 
-## Migrations
+## Schema as code / migrations
 
-Run migrations against the env's **branch** (`DIRECT_URL`). A PR's ephemeral branch is the safe place
-to test a migration before it touches prod. Gate them with `greenlight migrations scan` (the
-dangerous-SQL pre-apply check) in the tool's CI.
+**Greenlight does NOT run migrations — by design.** The split:
+- **Schema** lives in the tool (an ORM — Drizzle/Prisma — or plain `.sql` migrations).
+- **Branch-per-env**: the TF module owns stable `prod`/`beta`; the **native Neon↔Vercel integration**
+  owns ephemeral per-PR preview branches (+ auto-injects `DATABASE_URL`). Don't put ephemeral branches
+  in Terraform.
+- **Execution**: the app's own build runs its migrate (`drizzle-kit migrate` / `prisma migrate deploy`)
+  against the wired **`DIRECT_URL`** — prod build → prod branch, preview build → preview branch. A
+  failed migrate fails the build = a natural gate.
+- **Greenlight's role**: the **dangerous-SQL gate**. Run `greenlight migrations scan` (no `<dir>` →
+  it auto-detects `supabase/migrations | migrations | drizzle/migrations | …`) in CI before the migrate.
+
+See [docs/migrations.md](../../../docs/migrations.md).
+
+## Sharing one DB + multi-account
+
+- **One DB, many services**: a second tool sets `dataShareWith: '<owner>'` (or `add … --share <owner>`)
+  — it creates no project and wires the owner's connection strings.
+- **A second Neon account**: `tokenOverrides: { NEON_API_KEY: 'NEON_API_KEY_X' }` → an aliased `neon`
+  provider authenticates that account. (A sharer can't also override — it uses the owner's account.)
 
 ## MCP
 

package/dist/bin.js

@@ -6,7 +6,7 @@ import {
   resolveUrl,
   scanSqlFiles,
   verifyAll
-} from "./chunk-GPPUZ6Z5.js";
+} from "./chunk-HMU7D7R2.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -64,6 +64,7 @@ function serializeTool(t) {
     const ov = Object.entries(t.tokenOverrides).map(([k, v]) => `${k}: ${q(v)}`).join(", ");
     parts.push(`tokenOverrides: { ${ov} }`);
   }
+  if (t.dataShareWith !== void 0) parts.push(`dataShareWith: ${q(t.dataShareWith)}`);
   return `    { ${parts.join(", ")} },`;
 }
 function serializeConfig(c) {
@@ -111,7 +112,8 @@ function addTool(config, t) {
         ...t.port !== void 0 ? { port: t.port } : {},
         ...t.preview ? { preview: t.preview } : {},
         ...t.tokens?.length ? { tokens: t.tokens } : {},
-        ...t.tokenOverrides && Object.keys(t.tokenOverrides).length ? { tokenOverrides: t.tokenOverrides } : {}
+        ...t.tokenOverrides && Object.keys(t.tokenOverrides).length ? { tokenOverrides: t.tokenOverrides } : {},
+        ...t.dataShareWith ? { dataShareWith: t.dataShareWith } : {}
       }
     ]
   };
@@ -139,7 +141,8 @@ function upsertTool(config, t) {
     ...t.port !== void 0 ? { port: t.port } : {},
     ...t.preview ? { preview: t.preview } : {},
     ...t.tokens?.length ? { tokens: t.tokens } : {},
-    ...t.tokenOverrides && Object.keys(t.tokenOverrides).length ? { tokenOverrides: t.tokenOverrides } : {}
+    ...t.tokenOverrides && Object.keys(t.tokenOverrides).length ? { tokenOverrides: t.tokenOverrides } : {},
+    ...t.dataShareWith ? { dataShareWith: t.dataShareWith } : {}
   };
   const tools = config.tools.some((x) => x.name === t.name) ? config.tools.map((x) => x.name === t.name ? entry : x) : [...config.tools, entry];
   const result = ConfigSchema.safeParse({ ...config, tools });
@@ -475,7 +478,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.25";
+var MODULE_REF = "v0.2.27";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -492,6 +495,8 @@ function emitToolTf(opts) {
   const useVercel = target === "vercel";
   const useOci = target === "oci";
   const supabaseOverride = opts.tokenOverrides?.SUPABASE_ACCESS_TOKEN;
+  const neonOverride = opts.tokenOverrides?.NEON_API_KEY;
+  const neonOwner = opts.dataShareWith ?? name;
   const envList = envs.map((e) => `"${e}"`).join(", ");
   const blocks = [];
   const assumes = ["var.cloudflare_zone_id"];
@@ -542,18 +547,37 @@ variable "${name}_supabase_database_password" {
   default   = "import-placeholder" # ignored when importing an existing project
 }${overrideBlock}`);
   }
-  if (useNeon) {
+  if (useNeon && opts.dataShareWith) {
+    blocks.push(`# Shares the Neon project owned by "${opts.dataShareWith}" (one DB, many services).
+# No neon module here \u2014 the env wiring below reads module.${neonOwner}_neon.* (its prod/beta branches).`);
+  } else if (useNeon) {
+    const providersLine = neonOverride ? `
+  providers = { neon = neon.${name} }` : "";
+    const overrideBlock = neonOverride ? `
+
+# Multi-account: ${name}'s Neon lives in a SECOND account \u2014 an aliased provider authenticates with
+# its own token. In infra.yml: TF_VAR_${name}_neon_api_key: \${{ secrets.${neonOverride} }}
+provider "neon" {
+  alias   = "${name}"
+  api_key = var.${name}_neon_api_key
+}
+
+variable "${name}_neon_api_key" {
+  type        = string
+  sensitive   = true
+  description = "Neon API key for ${name}'s account (scoped secret ${neonOverride})."
+}` : "";
     blocks.push(`# One Neon project, a branch per env (prod = the project's default branch; beta = a child
 # branch \u2014 copy-on-write, instant). Compute scales to zero and auto-resumes on the next connection,
 # so a Neon tool needs NO keepalive (the reason Neon is the default Postgres). NEON_API_KEY configures
 # the provider in main.tf; the connection strings are module OUTPUTS \u2014 no per-tool secret to gather.
 module "${name}_neon" {
-  source = "${moduleSource("neon", ref)}"
+  source = "${moduleSource("neon", ref)}"${providersLine}
 
   name   = "${name}"
   region = "aws-us-east-1" # Neon region id, e.g. aws-us-east-1 / aws-us-west-2
   envs   = [${envList}]
-}`);
+}${overrideBlock}`);
   }
   if (useVercel) {
     const env = useSupabase ? `
@@ -590,10 +614,10 @@ module "${name}_neon" {
   environment_values = {
     site_url_prod  = "https://${name}.${domain}"
     site_url_beta  = "https://beta.${name}.${domain}"
-    db_url_prod    = module.${name}_neon.database_url["prod"]
-    db_direct_prod = module.${name}_neon.direct_url["prod"]
-    db_url_beta    = module.${name}_neon.database_url["beta"]
-    db_direct_beta = module.${name}_neon.direct_url["beta"]
+    db_url_prod    = module.${neonOwner}_neon.database_url["prod"]
+    db_direct_prod = module.${neonOwner}_neon.direct_url["prod"]
+    db_url_beta    = module.${neonOwner}_neon.database_url["beta"]
+    db_direct_beta = module.${neonOwner}_neon.direct_url["beta"]
   }` : `
   # No managed data store \u2014 add environment/environment_values if the app needs vars.
   environment        = {}
@@ -1127,7 +1151,7 @@ async function addCommand(args) {
   const name = args[0];
   if (!name || name.startsWith("-")) {
     throw new Error(
-      "usage: greenlight add <name> --lane <lane> --target <target> [--data <d>] [--auth <a>] [--envs beta,prod] [--port 8000]"
+      "usage: greenlight add <name> --lane <lane> --target <target> [--data <d>] [--auth <a>] [--envs beta,prod] [--port 8000] [--share <owner>]"
     );
   }
   const lane = flag2(args, "--lane");
@@ -1145,7 +1169,9 @@ async function addCommand(args) {
     data: flag2(args, "--data"),
     auth: flag2(args, "--auth"),
     envs: flag2(args, "--envs")?.split(","),
-    port: portFlag ? Number(portFlag) : void 0
+    port: portFlag ? Number(portFlag) : void 0,
+    // --share <owner>: this tool reads the owner's Neon DB instead of creating its own (one DB, many services).
+    dataShareWith: flag2(args, "--share")
   });
   const entry = next.tools.find((t) => t.name === name);
   const data = entry?.data ?? "none";
@@ -1194,7 +1220,8 @@ async function addCommand(args) {
         data,
         envs,
         port: entry?.port,
-        tokenOverrides: entry?.tokenOverrides
+        tokenOverrides: entry?.tokenOverrides,
+        dataShareWith: entry?.dataShareWith
       })
     );
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
@@ -2527,19 +2554,30 @@ Next:
 }
 
 // src/commands/migrations.ts
-import { readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
+import { existsSync as existsSync10, readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
 import { join as join5 } from "path";
 var DEFAULT_DIR = "supabase/migrations";
+var CANDIDATE_DIRS = [
+  DEFAULT_DIR,
+  "migrations",
+  "drizzle/migrations",
+  "drizzle",
+  "db/migrations"
+];
+function resolveMigrationsDir(explicit, root = process.cwd()) {
+  if (explicit) return explicit;
+  return CANDIDATE_DIRS.find((d) => existsSync10(join5(root, d))) ?? DEFAULT_DIR;
+}
 async function migrationsCommand(args) {
   if (args[0] !== "scan") {
     console.log(
       `usage: greenlight migrations scan [<dir>] [--strict]
   scan SQL migrations for data-destroying / lock-heavy statements (the pre-apply gate).
-  default dir: ${DEFAULT_DIR}. Acknowledge an intentional op with \`-- greenlight:allow\`.`
+  no <dir> \u2192 auto-detects ${CANDIDATE_DIRS.join(" | ")}. Acknowledge an intentional op with \`-- greenlight:allow\`.`
     );
     process.exit(args[0] ? 1 : 0);
   }
-  const dir = args.slice(1).find((a) => !a.startsWith("-")) ?? DEFAULT_DIR;
+  const dir = resolveMigrationsDir(args.slice(1).find((a) => !a.startsWith("-")));
   const strict = args.includes("--strict");
   let names;
   try {

package/dist/{chunk-GPPUZ6Z5.js → chunk-HMU7D7R2.js}

@@ -65,7 +65,12 @@ var ToolSchema = z.object({
   // var to an alternate secret name, so this tool authenticates that provider with a SECOND account
   // — e.g. { SUPABASE_ACCESS_TOKEN: 'SUPABASE_ACCESS_TOKEN_HEISTMIND' }. Absent ⇒ unchanged (the
   // default token). `add`/`adopt` emit an aliased provider + scoped var/secret for an overridden token.
-  tokenOverrides: z.record(z.string(), z.string()).optional()
+  tokenOverrides: z.record(z.string(), z.string()).optional(),
+  // Share another tool's data store instead of creating one (multiple services on one Neon DB).
+  // The value is the OWNER tool's name; this tool emits no data module and wires the owner's
+  // connection strings. Cross-tool validity (owner exists, same data, no chains) is checked on
+  // the whole config below.
+  dataShareWith: z.string().optional()
 }).superRefine((tool, ctx) => {
   const rule = MATRIX[tool.lane];
   if (!rule.targets.includes(tool.target)) {
@@ -89,6 +94,13 @@ var ToolSchema = z.object({
       message: 'private tools must set auth to "bearer" or "oauth", never "none"'
     });
   }
+  if (tool.dataShareWith && tool.data !== "neon") {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["dataShareWith"],
+      message: 'dataShareWith currently supports data: "neon" only'
+    });
+  }
 });
 var BlogSchema = z.object({
   lane: z.literal("astro"),
@@ -104,6 +116,35 @@ var ConfigSchema = z.object({
   // Optional: a tool-only repo (a poly-repo consumer) has no blog.
   blog: BlogSchema.optional(),
   tools: z.array(ToolSchema).default([])
+}).superRefine((config, ctx) => {
+  for (const [i, tool] of config.tools.entries()) {
+    if (!tool.dataShareWith) continue;
+    const issue = (message) => ctx.addIssue({ code: z.ZodIssueCode.custom, path: ["tools", i, "dataShareWith"], message });
+    if (tool.dataShareWith === tool.name) {
+      issue(`"${tool.name}" cannot share a data store with itself`);
+      continue;
+    }
+    const owner = config.tools.find((t) => t.name === tool.dataShareWith);
+    if (!owner) {
+      issue(`dataShareWith "${tool.dataShareWith}" is not a tool in this manifest`);
+      continue;
+    }
+    if (owner.data !== tool.data) {
+      issue(
+        `"${tool.name}" (data: ${tool.data}) must share a tool with the same data \u2014 "${owner.name}" is ${owner.data}`
+      );
+    }
+    if (owner.dataShareWith) {
+      issue(
+        `cannot share with "${owner.name}" \u2014 it is itself a sharer (no chains); point at the owner`
+      );
+    }
+    if (tool.tokenOverrides?.NEON_API_KEY) {
+      issue(
+        `a sharer uses the owner's Neon account \u2014 remove the NEON_API_KEY override from "${tool.name}"`
+      );
+    }
+  }
 });
 
 // ../packages/shared/src/load.ts

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-GPPUZ6Z5.js";
+} from "./chunk-HMU7D7R2.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.25",
+  "version": "0.2.27",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.2.25",
-    "@rtrentjones/greenlight-shared": "0.2.25",
-    "@rtrentjones/greenlight-verify": "0.2.25",
-    "@rtrentjones/greenlight-loop": "0.2.25"
+    "@rtrentjones/greenlight-adapters": "0.2.27",
+    "@rtrentjones/greenlight-loop": "0.2.27",
+    "@rtrentjones/greenlight-shared": "0.2.27",
+    "@rtrentjones/greenlight-verify": "0.2.27"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",

package/templates/_template-next/README.md

@@ -1,5 +1,27 @@
-# `_template-next` (placeholder)
+# `_template-next` — Next.js on Vercel + Neon
 
-Lane template for **Next.js on Vercel** with Supabase — verify mode `api + playwright`.
+The lane template `greenlight add <name> --lane next --target vercel --data neon` scaffolds. A minimal
+real app that **reads Neon at request time** and **migrates its schema on deploy** — the Greenlight
+Neon convention end to end. Verify mode: `api` (the page runs a live query, so a broken DB 500s).
 
-> **Phase 0:** placeholder only. Real template content arrives when the `next` lane is exercised (HeistMind migration, **Phase 9** — docs/archive/greenlight-v1.md §16). Materialized into a tool by `greenlight add` / `greenlight adopt`.
+## How it maps to Greenlight
+
+- **Connection strings** come from the env, wired by the `neon` Terraform module per Vercel target:
+  `DATABASE_URL` (pooled) for runtime reads ([lib/db.ts](lib/db.ts)), `DIRECT_URL` (direct) for
+  migrations. Prod build → prod branch, preview build → its own branch — same code, different data.
+- **Schema as code** lives in [migrations/](migrations) (plain `.sql`). The app's build runs
+  [scripts/migrate.mjs](scripts/migrate.mjs) (`package.json` `build` = `node scripts/migrate.mjs &&
+  next build`), so a deploy creates/edits tables. A failed migration fails the build → never goes live.
+- **Greenlight's gate**: run `greenlight migrations scan` in CI before the migrate (the dangerous-SQL
+  check). See [docs/migrations.md](../../docs/migrations.md). Greenlight does **not** run migrations.
+
+## Make it yours
+
+- Prefer an ORM? Swap the plain-SQL migrations for Drizzle/Prisma — keep the build running *your*
+  migrate against `DIRECT_URL`, and keep `migrations scan` pointed at the generated SQL.
+- Ephemeral per-PR preview branches: connect the native **Neon↔Vercel** integration (it creates a
+  branch + injects `DATABASE_URL` per preview); the stable prod/beta branches stay in Terraform.
+
+## Local dev
+
+Set `DATABASE_URL` + `DIRECT_URL` to a Neon branch, then `pnpm migrate && pnpm dev`.

package/templates/_template-next/app/layout.tsx

@@ -0,0 +1,14 @@
+import type { ReactNode } from 'react';
+
+export const metadata = {
+  title: 'Neon probe',
+  description: 'A minimal Next-on-Neon Greenlight tool.',
+};
+
+export default function RootLayout({ children }: { children: ReactNode }) {
+  return (
+    <html lang="en">
+      <body>{children}</body>
+    </html>
+  );
+}

package/templates/_template-next/app/page.tsx

@@ -0,0 +1,27 @@
+import { sql } from '../lib/db';
+
+// Read fresh each request so the page reflects the DB (and so the verify gate exercises a live query —
+// a broken connection / missing table would 500, not 200).
+export const dynamic = 'force-dynamic';
+
+export default async function Page() {
+  const rows = await sql`SELECT id, body FROM notes ORDER BY id DESC LIMIT 20`;
+  return (
+    <main
+      style={{
+        fontFamily: 'system-ui, sans-serif',
+        maxWidth: 640,
+        margin: '3rem auto',
+        padding: '0 1rem',
+      }}
+    >
+      <h1>Notes</h1>
+      <p>{rows.length} note(s) from Neon.</p>
+      <ul>
+        {rows.map((r) => (
+          <li key={String(r.id)}>{String(r.body)}</li>
+        ))}
+      </ul>
+    </main>
+  );
+}

package/templates/_template-next/lib/db.ts

@@ -0,0 +1,7 @@
+import { neon } from '@neondatabase/serverless';
+
+// Runtime reads use the POOLED connection (DATABASE_URL) over Neon's serverless HTTP driver — ideal
+// for Vercel's per-request functions. Migrations use the DIRECT connection instead (scripts/migrate.mjs).
+// Both are wired into the Vercel env per target by the Greenlight `neon` module, so prod hits the
+// prod branch and preview hits its own branch.
+export const sql = neon(process.env.DATABASE_URL ?? '');

package/templates/_template-next/migrations/0001_init.sql

@@ -0,0 +1,10 @@
+-- Plain SQL migrations are the app's source of truth for the schema, applied by scripts/migrate.mjs
+-- on each build (against DIRECT_URL → the env's branch). They compose with `greenlight migrations
+-- scan` (the dangerous-SQL gate). Swap in Drizzle/Prisma migrations if you prefer — same convention.
+CREATE TABLE IF NOT EXISTS notes (
+  id         serial PRIMARY KEY,
+  body       text NOT NULL,
+  created_at timestamptz NOT NULL DEFAULT now()
+);
+
+INSERT INTO notes (body) VALUES ('hello from Neon');

package/templates/_template-next/next.config.mjs

@@ -0,0 +1,4 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {};
+
+export default nextConfig;

package/templates/_template-next/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "_template-next",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "next dev",
+    "build": "node scripts/migrate.mjs && next build",
+    "start": "next start",
+    "migrate": "node scripts/migrate.mjs"
+  },
+  "dependencies": {
+    "@neondatabase/serverless": "^0.10.0",
+    "next": "^15.0.0",
+    "pg": "^8.13.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@types/pg": "^8.11.0",
+    "@types/react": "^19.0.0",
+    "typescript": "^5.6.0"
+  }
+}

package/templates/_template-next/scripts/migrate.mjs

@@ -0,0 +1,43 @@
+// The app's OWN migrate — Greenlight does not run migrations. The build runs this (see package.json
+// `build`) against DIRECT_URL, so a deploy creates/edits tables on the env's Neon branch; a failed
+// migration fails the build, so a broken schema never goes live. Gate it in CI with `greenlight
+// migrations scan` first. Plain `pg` (TCP, transactional) for DDL; the app reads via lib/db.ts.
+import { readFileSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import pg from 'pg';
+
+const url = process.env.DIRECT_URL ?? process.env.DATABASE_URL;
+if (!url) {
+  console.error('migrate: set DIRECT_URL (the direct Neon connection string)');
+  process.exit(1);
+}
+
+const client = new pg.Client({ connectionString: url });
+await client.connect();
+try {
+  await client.query(
+    'CREATE TABLE IF NOT EXISTS _migrations (name text PRIMARY KEY, applied_at timestamptz DEFAULT now())',
+  );
+  const { rows } = await client.query('SELECT name FROM _migrations');
+  const applied = new Set(rows.map((r) => r.name));
+  const files = readdirSync('migrations')
+    .filter((f) => f.endsWith('.sql'))
+    .sort();
+
+  for (const file of files) {
+    if (applied.has(file)) continue;
+    console.log(`applying ${file}`);
+    await client.query('BEGIN');
+    try {
+      await client.query(readFileSync(join('migrations', file), 'utf8'));
+      await client.query('INSERT INTO _migrations (name) VALUES ($1)', [file]);
+      await client.query('COMMIT');
+    } catch (err) {
+      await client.query('ROLLBACK');
+      throw err;
+    }
+  }
+  console.log('migrations up to date');
+} finally {
+  await client.end();
+}

package/templates/_template-next/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "jsx": "preserve",
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "incremental": true,
+    "plugins": [{ "name": "next" }]
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx"],
+  "exclude": ["node_modules"]
+}

package/templates/_template-next/verify.config.ts

@@ -0,0 +1,8 @@
+// Verify the deployed app renders AND reads Neon: the page runs a live SELECT, so a missing table or
+// a bad connection 500s instead of returning the marker text. The settle absorbs Vercel propagation.
+export default {
+  mode: 'api',
+  checks: [{ path: '/', status: 200, contains: 'note(s) from Neon' }],
+  settleRetries: 6,
+  settleMs: 5000,
+};