@rtrentjones/greenlight 0.2.29 → 0.3.1

package/assets/skills/provider-gemini/SKILL.md

@@ -0,0 +1,78 @@
+---
+name: provider-gemini
+description: How the `agent` lane works in Greenlight — an autonomous cron-triggered Cloudflare Worker backed by Google Gemini (free tier). Covers the GEMINI_API_KEY (Google AI Studio, no billing), the gemini-2.5-flash generateContent call, the wrangler deploy (cron + KV + secret + custom_domain), the /, /status, /run surface, api-mode verify, and the free-tier safety envelope. Use when building, deploying, or verifying an agent tool.
+---
+
+# provider-gemini
+
+The `agent` lane is an **autonomous tool**: a Cloudflare Worker that wakes on a **cron trigger**,
+calls **Gemini** (Google's LLM, free tier), does low-stakes work, stores the result in KV, and
+exposes a tiny HTTP surface. It's the keepalive Worker pattern promoted to a user tool — free,
+always-available, immune to repo-inactivity, no OCI box, no new paid account.
+
+`agent` → target **workers**, data **none | kv** (kv holds the last output + run metadata).
+
+## Token — `GEMINI_API_KEY`
+
+Create it at **Google AI Studio** (https://aistudio.google.com/apikey) — **free tier, no billing,
+no card**. `greenlight add` verifies it against `…/v1beta/models?key=…` (HTTP 200). One key serves
+every agent (shared, not per-tool). It is a **Cloudflare Worker secret** (`wrangler secret put
+GEMINI_API_KEY`) — never in the repo.
+
+## The model + call
+
+`gemini-2.5-flash` (fast; generous free limits — ~15 RPM / 1500 req/day, so a daily cron is ~1/day).
+
+```
+POST https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent?key=${GEMINI_API_KEY}
+{ "contents": [{ "parts": [{ "text": "<prompt>" }] }] }
+→ candidates[0].content.parts[0].text
+```
+
+## Deploy — emitted CI (push to main)
+
+`greenlight add` resolves the Cloudflare **account id** into `wrangler.toml` (so wrangler skips the
+`/memberships` call a scoped token can't do) and emits **`.github/workflows/deploy-<name>.yml`**. On
+a push to main that touches `tools/<name>`, that workflow: **creates the KV namespace** (find-or-create
+in-CI — no manual step, the id stays a placeholder), deploys the Worker (cron + `custom_domain` from
+`wrangler.toml`), sets the `GEMINI_API_KEY` + `RUN_TOKEN` **Worker secrets** from GitHub secrets, seeds
+the first run, and verifies. So the only setup is **adding those two GitHub secrets**. (Local instead:
+`pnpm exec wrangler deploy --env prod`.)
+
+`wrangler.toml` carries the cron + KV binding + the per-env `custom_domain` route; no Terraform.
+
+```toml
+[triggers]
+crons = ["0 13 * * *"]            # daily; stays far under the free-tier quota
+[[kv_namespaces]]
+binding = "STATE"
+[[routes]]
+pattern = "<name>.<domain>"
+custom_domain = true
+```
+
+## Surface
+
+| route | purpose |
+|---|---|
+| `scheduled()` | the cron: prompt Gemini → `STATE.put(today, text + metadata)` |
+| `GET /` | the latest output (public, read-only) |
+| `GET /status` | `{ ok, lastRun, model, preview }` — the **api-mode verify** target |
+| `POST /run` | force a run — **bearer-gated** (a `RUN_TOKEN` secret) so randoms can't burn the Gemini quota; lets deploy/verify seed the first output |
+
+## Verify — `api` mode on `/status`
+
+`verify.config.ts` hits `/status` and asserts `ok: true` + a recent run. (Output *quality* is a
+future `eval` mode — LLM-judged.) Because the first cron may not have fired at deploy time, the
+deploy step `POST /run`s once to seed, then verifies.
+
+## Safety envelope
+
+- **Low-stakes / read-only** first agents (generate → store → serve; no destructive external actions).
+- **Bearer on `/run`**; the cron frequency stays far under the free-tier daily limit.
+- Key is **secret-only** (a Worker secret), never committed or echoed.
+
+## No keepalive
+
+An agent needs no keepalive — the cron *is* its heartbeat and the Worker is always-available
+(Cloudflare's edge, not a reclaimable box). Don't add it to `module.keepalive.targets_json`.

package/dist/bin.js

@@ -6,7 +6,7 @@ import {
   resolveUrl,
   scanSqlFiles,
   verifyAll
-} from "./chunk-HMU7D7R2.js";
+} from "./chunk-P6FRYOOV.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -15,8 +15,97 @@ import "./chunk-XWTOJHLV.js";
 import "./chunk-QFKE5JKC.js";
 
 // src/commands/add.ts
-import { cpSync as cpSync2, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, renameSync, writeFileSync as writeFileSync2 } from "fs";
-import { join, resolve as resolve5 } from "path";
+import { cpSync as cpSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, renameSync, writeFileSync as writeFileSync3 } from "fs";
+import { join, resolve as resolve6 } from "path";
+
+// src/agent-deploy.ts
+function emitAgentDeployWorkflow(name, domain) {
+  return `name: deploy-${name}
+
+# Agent "${name}" \u2014 a cron-triggered Cloudflare Worker (Gemini-backed). Emitted by \`greenlight add\`.
+# On a push to main touching tools/${name}, or manually: deploys the Worker, sets its secrets from
+# GitHub secrets, seeds the first run, and verifies. Creds-guarded (skips if the secrets are absent).
+on:
+  push:
+    branches: [main]
+    paths: ['tools/${name}/**']
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-${name}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jdx/mise-action@v2
+      - run: pnpm install --frozen-lockfile
+
+      - name: Check creds
+        id: creds
+        env:
+          CF: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+          GK: \${{ secrets.GEMINI_API_KEY }}
+        run: |
+          if [ -n "$CF" ] && [ -n "$GK" ]; then echo "have=1" >> "$GITHUB_OUTPUT"; else echo "have=0" >> "$GITHUB_OUTPUT"; fi
+
+      - name: Deploy + Worker secrets + seed
+        if: steps.creds.outputs.have == '1'
+        env:
+          CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+          GEMINI_API_KEY: \${{ secrets.GEMINI_API_KEY }}
+          RUN_TOKEN: \${{ secrets.RUN_TOKEN }}
+        run: |
+          cd tools/${name}
+          # KV namespace as code: find-or-create the STATE namespace (idempotent), then inject its id
+          # into wrangler.toml for this deploy. The id is non-secret + derived, so the repo keeps the
+          # REPLACE_WITH_KV_NAMESPACE_ID placeholder \u2014 no manual create, no hardcoded id.
+          ID=$(pnpm exec wrangler kv namespace list 2>/dev/null | jq -r '.[] | select(.title | test("${name}.*STATE")) | .id' | head -1)
+          if [ -z "$ID" ] || [ "$ID" = "null" ]; then
+            pnpm exec wrangler kv namespace create STATE || true
+            ID=$(pnpm exec wrangler kv namespace list 2>/dev/null | jq -r '.[] | select(.title | test("${name}.*STATE")) | .id' | head -1)
+          fi
+          if [ -z "$ID" ] || [ "$ID" = "null" ]; then echo "::error::could not resolve the STATE KV namespace id (token needs Workers KV Storage:Edit?)"; exit 1; fi
+          sed -i "s/REPLACE_WITH_KV_NAMESPACE_ID/$ID/g" wrangler.toml
+          pnpm exec wrangler deploy --env prod
+          printf '%s' "$GEMINI_API_KEY" | pnpm exec wrangler secret put GEMINI_API_KEY --env prod
+          printf '%s' "$RUN_TOKEN" | pnpm exec wrangler secret put RUN_TOKEN --env prod
+          cd ../..
+          # Seed the first run (the cron is daily). Retry while the custom domain propagates.
+          for i in $(seq 1 8); do
+            if curl -fsS -XPOST "https://${name}.${domain}/run" -H "Authorization: Bearer $RUN_TOKEN" >/dev/null; then
+              echo "seeded"; break
+            fi
+            echo "seed attempt $i: not ready, retrying in 10s"; sleep 10
+          done
+
+      - name: Verify
+        if: steps.creds.outputs.have == '1'
+        run: pnpm exec greenlight verify ${name} --env prod
+
+      - name: Skip notice
+        if: steps.creds.outputs.have != '1'
+        run: echo "Missing CLOUDFLARE_API_TOKEN or GEMINI_API_KEY \u2014 ${name} deploy skipped."
+`;
+}
+async function resolveCloudflareAccountId(domain, token) {
+  try {
+    const res = await fetch(
+      `https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(domain)}`,
+      { headers: { Authorization: `Bearer ${token}` } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.result?.[0]?.account?.id ?? null;
+  } catch {
+    return null;
+  }
+}
 
 // src/asset-paths.ts
 import { existsSync } from "fs";
@@ -351,6 +440,29 @@ var PACKS = [
     skill: "provider-neon",
     tfModules: ["neon"]
   },
+  {
+    id: "gemini",
+    name: "Google Gemini (free tier)",
+    // The LLM behind the `agent` lane. (A future `llm` axis would generalize this beyond agents.)
+    appliesTo: (t) => t.lane === "agent",
+    guide: "docs/provider-tokens.md \u2014 GEMINI_API_KEY (Google AI Studio, free tier, no billing)",
+    setupUrl: "https://aistudio.google.com/apikey",
+    tokens: [
+      {
+        // The agent Worker's LLM credential. Free tier (no billing / no card); set as a Cloudflare
+        // Worker secret, never in the repo. One key serves every agent (shared, not per-tool).
+        envVar: "GEMINI_API_KEY",
+        label: "Google AI Studio API key (Gemini free tier)",
+        verify: async (t) => {
+          const r = await fetch(`https://generativelanguage.googleapis.com/v1beta/models?key=${t}`);
+          return { ok: okStatus(r), detail: `HTTP ${r.status}` };
+        }
+      }
+    ],
+    skill: "provider-gemini"
+    // No tfModules: the agent Worker (cron + KV + secret + custom_domain) deploys via wrangler,
+    // like the astro blog — KV/DNS are wrangler-managed for the workers target.
+  },
   {
     id: "hcp",
     name: "HCP Terraform (remote state)",
@@ -478,7 +590,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.29";
+var MODULE_REF = "v0.3.1";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -488,6 +600,14 @@ function moduleSource(module, ref = MODULE_REF) {
 var hcl = (s) => s.replace(/\n{3,}/g, "\n\n").trimEnd();
 function emitToolTf(opts) {
   const { name, domain, lane, target, data, envs, ref = MODULE_REF } = opts;
+  if (lane === "agent") {
+    const suffix = data && data !== "none" ? `/${data}` : "";
+    return `# ${name} \u2014 agent/${target}${suffix}, emitted by \`greenlight add\`.
+# Wrangler-managed: the Worker (cron + KV + custom_domain route + GEMINI_API_KEY/RUN_TOKEN
+# secrets) deploys via \`wrangler deploy\` from tools/${name}/. No Terraform here \u2014 see that
+# wrangler.toml + the provider-gemini skill + docs/agents-plan.md.
+`;
+  }
   const port = opts.port ?? 8e3;
   const slug = opts.slug ?? `OWNER/${name}`;
   const useSupabase = data === "supabase";
@@ -795,103 +915,15 @@ function providersForTool(tool) {
   return out;
 }
 
-// src/commands/agent.ts
-import { cpSync, existsSync as existsSync3, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { resolve as resolve3 } from "path";
-
-// src/agent-kit.ts
-function recommendedMcp(tool) {
-  return mcpForTool(tool);
-}
-function mergeMcpServers(existing, add) {
-  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
-  for (const [name, val] of Object.entries(add)) {
-    if (out.mcpServers[name]) continue;
-    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
-  }
-  return out;
-}
-
-// src/commands/agent.ts
-var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
-
-This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
-tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
-branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
-push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
-Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
-pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
-
-Agentic kit:
-- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
-- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
-    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
-- Best-practice skills (one-time, user scope):
-    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
-`;
-function materializeAgentKit(dir, tool) {
-  const src = skillAssetDir();
-  if (!existsSync3(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve3(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync(dest, { recursive: true });
-  cpSync(src, dest, { recursive: true });
-  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
-  for (const pack of packsForTool(tool)) {
-    if (!pack.skill) continue;
-    const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync3(skillSrc)) continue;
-    const skillDest = resolve3(dir, ".claude/skills", pack.skill);
-    mkdirSync(skillDest, { recursive: true });
-    cpSync(skillSrc, skillDest, { recursive: true });
-    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
-  }
-  const mcpPath = resolve3(dir, ".mcp.json");
-  const existingMcp = existsSync3(mcpPath) ? JSON.parse(readFileSync(mcpPath, "utf8")) : null;
-  const servers = recommendedMcp(tool);
-  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
-`);
-  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve3(dir, "CLAUDE.md");
-  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync3(claudePath) ? readFileSync(claudePath, "utf8") : "";
-  if (existing.includes(marker)) {
-    console.log("\xB7 CLAUDE.md already has the loop block");
-  } else {
-    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
-
-${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
-    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
-  }
-}
-async function agentCommand(args) {
-  if (args[0] !== "sync") {
-    console.log(
-      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
-  if (name) {
-    const { config } = await loadManifest();
-    const entry = resolveEntry(config, name);
-    const dir = resolve3(process.cwd(), entry.dir ?? ".");
-    materializeAgentKit(dir, { target: entry.target, data: entry.data });
-    console.log(
-      `
-Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (target=${entry.target}, data=${entry.data}).`
-    );
-    return;
-  }
-  materializeAgentKit(process.cwd());
-  console.log(
-    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
-  );
-}
+// src/tokens.ts
+import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { resolve as resolve4 } from "path";
+import { createInterface as createInterface2 } from "readline/promises";
 
 // src/commands/secrets.ts
 import { execFileSync } from "child_process";
-import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve4 } from "path";
+import { existsSync as existsSync3, readFileSync } from "fs";
+import { resolve as resolve3 } from "path";
 import { createInterface } from "readline";
 function parseSecretsEnv(text) {
   const out = [];
@@ -917,7 +949,7 @@ function parseOciConfig(text) {
   return out;
 }
 function ociPrefill(configPath, keyPath) {
-  const cfg = parseOciConfig(readFileSync2(configPath, "utf8"));
+  const cfg = parseOciConfig(readFileSync(configPath, "utf8"));
   const map = /* @__PURE__ */ new Map();
   const set = (k, v) => {
     if (v) map.set(k, v);
@@ -927,8 +959,8 @@ function ociPrefill(configPath, keyPath) {
   set("TF_VAR_OCI_TENANCY_OCID", cfg.tenancy);
   set("TF_VAR_OCI_REGION", cfg.region);
   const pem = keyPath ?? cfg.key_file;
-  if (pem && existsSync4(pem)) {
-    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync2(pem, "utf8"));
+  if (pem && existsSync3(pem)) {
+    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync(pem, "utf8"));
   } else if (pem) {
     console.log(`   ! PEM not found at ${pem} \u2014 set TF_VAR_OCI_PRIVATE_KEY manually (--oci-key)`);
   }
@@ -962,11 +994,11 @@ function syncSecrets(opts) {
       "could not determine the repo \u2014 pass --repo owner/repo (no github.com origin remote)"
     );
   }
-  const path = resolve4(opts.cwd, ".greenlight/secrets.env");
-  if (!existsSync4(path)) {
+  const path = resolve3(opts.cwd, ".greenlight/secrets.env");
+  if (!existsSync3(path)) {
     throw new Error("no .greenlight/secrets.env \u2014 run `greenlight init` with tokens first");
   }
-  const entries = parseSecretsEnv(readFileSync2(path, "utf8"));
+  const entries = parseSecretsEnv(readFileSync(path, "utf8"));
   const target = opts.env ? `env "${opts.env}"` : "repo";
   for (const { key, value } of entries) {
     const ghArgs = ["secret", "set", key, "--repo", repo];
@@ -1035,7 +1067,7 @@ function setGitHubSecret(repo, env, key, value) {
 async function gatherSecrets(name, repo, env, prefill) {
   const { config } = await loadManifest();
   const entry = resolveEntry(config, name);
-  const packs = packsForTool({ target: entry.target, data: entry.data });
+  const packs = packsForTool({ lane: entry.lane, target: entry.target, data: entry.data });
   const dest = env ? `env "${env}" of ${repo}` : repo;
   const existing = listGitHubSecrets(repo, env);
   console.log(`Gathering secrets for "${name}" \u2192 GitHub ${dest}`);
@@ -1107,7 +1139,7 @@ async function secretsCommand(args) {
     if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
     const ociConfig2 = flag(args, "--oci-config");
     const ociKey = flag(args, "--oci-key");
-    const prefill = ociConfig2 ? ociPrefill(resolve4(process.cwd(), ociConfig2), ociKey && resolve4(process.cwd(), ociKey)) : void 0;
+    const prefill = ociConfig2 ? ociPrefill(resolve3(process.cwd(), ociConfig2), ociKey && resolve3(process.cwd(), ociKey)) : void 0;
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
@@ -1132,6 +1164,177 @@ ${count} secret(s) synced. (Prefer GitHub OIDC over long-lived tokens where supp
   );
 }
 
+// src/tokens.ts
+var SECRETS_DIR = ".greenlight";
+var SECRETS_FILE = "secrets.env";
+function presentEnv(cwd) {
+  const out = {};
+  const p = resolve4(cwd, SECRETS_DIR, SECRETS_FILE);
+  if (existsSync4(p)) {
+    for (const { key, value } of parseSecretsEnv(readFileSync2(p, "utf8"))) out[key] = value;
+  }
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0 && !(k in out)) out[k] = v;
+  }
+  return out;
+}
+function upsertSecret(cwd, key, value) {
+  const dir = resolve4(cwd, SECRETS_DIR);
+  mkdirSync(dir, { recursive: true });
+  const p = resolve4(dir, SECRETS_FILE);
+  const lines = existsSync4(p) ? readFileSync2(p, "utf8").split("\n") : [];
+  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
+  if (idx >= 0) lines[idx] = `${key}=${value}`;
+  else {
+    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
+    lines.push(`${key}=${value}`);
+  }
+  writeFileSync(p, `${lines.join("\n").replace(/\n*$/, "")}
+`, { mode: 384 });
+}
+async function ensureTokensForTool(cwd, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const interactive = Boolean(process.stdin.isTTY);
+  const env = presentEnv(cwd);
+  const results = [];
+  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      let value = env[spec.envVar];
+      if (value) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+      } else if (rl) {
+        console.log(`
+${spec.envVar} \u2014 ${spec.label}`);
+        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
+        if (!entered) {
+          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+          continue;
+        }
+        upsertSecret(cwd, spec.envVar, entered);
+        env[spec.envVar] = entered;
+        value = entered;
+        results.push({ envVar: spec.envVar, outcome: "entered" });
+      } else {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      if (value && doVerify && spec.verify) {
+        let check;
+        try {
+          check = await spec.verify(value, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        const last = results[results.length - 1];
+        if (last) last.verify = check;
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+    }
+  } finally {
+    rl?.close();
+  }
+  return results;
+}
+
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve5 } from "path";
+
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
+  }
+  return out;
+}
+
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+
+This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
+tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
+branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
+push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
+Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
+pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
+
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync5(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve5(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync2(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync5(skillSrc)) continue;
+    const skillDest = resolve5(dir, ".claude/skills", pack.skill);
+    mkdirSync2(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve5(dir, ".mcp.json");
+  const existingMcp = existsSync5(mcpPath) ? JSON.parse(readFileSync3(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync2(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve5(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync5(claudePath) ? readFileSync3(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync2(claudePath, existing ? `${existing.trimEnd()}
+
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+  if (name) {
+    const { config } = await loadManifest();
+    const entry = resolveEntry(config, name);
+    const dir = resolve5(process.cwd(), entry.dir ?? ".");
+    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
+    console.log(
+      `
+Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
+    );
+    return;
+  }
+  materializeAgentKit(process.cwd());
+  console.log(
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+  );
+}
+
 // src/commands/add.ts
 function flag2(args, name) {
   const i = args.indexOf(name);
@@ -1143,25 +1346,25 @@ function templateDir(lane, target) {
 }
 function registerWorkspaceMember(cwd, member) {
   const wsPath = join(cwd, "pnpm-workspace.yaml");
-  if (!existsSync5(wsPath)) {
-    writeFileSync2(wsPath, `packages:
+  if (!existsSync6(wsPath)) {
+    writeFileSync3(wsPath, `packages:
   - "${member}"
 `);
     console.log(`\u2714 created pnpm-workspace.yaml (member ${member})`);
     return;
   }
-  const text = readFileSync3(wsPath, "utf8");
+  const text = readFileSync4(wsPath, "utf8");
   if (text.includes(member) || /^\s*-\s*["']?tools\/\*/m.test(text)) return;
   const lines = text.split("\n");
   const pkgIdx = lines.findIndex((l) => /^packages\s*:/.test(l));
   if (pkgIdx === -1) {
-    writeFileSync2(wsPath, `${text.replace(/\s*$/, "")}
+    writeFileSync3(wsPath, `${text.replace(/\s*$/, "")}
 packages:
   - "${member}"
 `);
   } else {
     lines.splice(pkgIdx + 1, 0, `  - "${member}"`);
-    writeFileSync2(wsPath, lines.join("\n"));
+    writeFileSync3(wsPath, lines.join("\n"));
   }
   console.log(`\u2714 registered ${member} in pnpm-workspace.yaml`);
 }
@@ -1194,44 +1397,61 @@ async function addCommand(args) {
   const entry = next.tools.find((t) => t.name === name);
   const data = entry?.data ?? "none";
   const envs = entry?.envs ?? ["beta", "prod"];
-  const toolInfo = { target, data };
-  const dest = resolve5(process.cwd(), "tools", name);
-  if (existsSync5(dest)) throw new Error(`tools/${name} already exists`);
+  const toolInfo = { lane, target, data };
+  const dest = resolve6(process.cwd(), "tools", name);
+  if (existsSync6(dest)) throw new Error(`tools/${name} already exists`);
   const src = templateDir(lane, target);
-  if (existsSync5(src)) {
+  if (existsSync6(src)) {
     cpSync2(src, dest, { recursive: true });
     const pkgPath = join(dest, "package.json");
-    if (existsSync5(pkgPath)) {
-      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
+    if (existsSync6(pkgPath)) {
+      const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
       pkg.name = name;
-      writeFileSync2(pkgPath, `${JSON.stringify(pkg, null, 2)}
+      writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
     }
     const shippedGitignore = join(dest, "gitignore");
-    if (existsSync5(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
+    if (existsSync6(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
+    const wranglerPath = join(dest, "wrangler.toml");
+    if (existsSync6(wranglerPath)) {
+      let wt = readFileSync4(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
+      if (wt.includes("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID")) {
+        const token = presentEnv(process.cwd()).CLOUDFLARE_API_TOKEN;
+        const acct = token ? await resolveCloudflareAccountId(config.domain, token) : null;
+        if (acct) {
+          wt = wt.replaceAll("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID", acct);
+          console.log("\u2714 resolved the Cloudflare account id into wrangler.toml");
+        } else {
+          console.log(
+            "\xB7 could not resolve the Cloudflare account id \u2014 set account_id in wrangler.toml"
+          );
+        }
+      }
+      writeFileSync3(wranglerPath, wt);
+    }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
-    if (existsSync5(pkgPath)) registerWorkspaceMember(process.cwd(), `tools/${name}`);
+    if (existsSync6(pkgPath)) registerWorkspaceMember(process.cwd(), `tools/${name}`);
   } else {
     console.log(`! no template at ${src} \u2014 manifest entry added without scaffolding`);
   }
-  writeFileSync2(path, serializeConfig(next));
+  writeFileSync3(path, serializeConfig(next));
   console.log(`\u2714 added "${name}" (${lane}/${target}) to the manifest`);
   const cwd = process.cwd();
   const providers = providersForTool(toolInfo);
-  const infraDir = resolve5(cwd, "infra");
+  const infraDir = resolve6(cwd, "infra");
   const mainTf = join(infraDir, "main.tf");
-  if (!existsSync5(mainTf)) {
-    mkdirSync2(infraDir, { recursive: true });
-    writeFileSync2(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
+  if (!existsSync6(mainTf)) {
+    mkdirSync3(infraDir, { recursive: true });
+    writeFileSync3(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
     console.log("\u2714 scaffolded infra/main.tf (providers + HCP backend placeholder)");
   } else if (providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 infra/main.tf exists \u2014 ensure it declares provider(s): ${providers.join(", ")}`);
   }
   const toolTf = join(infraDir, `${name}.tf`);
-  if (existsSync5(toolTf)) {
+  if (existsSync6(toolTf)) {
     console.log(`\xB7 infra/${name}.tf exists \u2014 left as-is`);
   } else {
-    writeFileSync2(
+    writeFileSync3(
       toolTf,
       emitToolTf({
         name,
@@ -1247,6 +1467,17 @@ async function addCommand(args) {
     );
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
   }
+  if (lane === "agent") {
+    const wfDir = resolve6(cwd, ".github/workflows");
+    const wfPath = join(wfDir, `deploy-${name}.yml`);
+    if (existsSync6(wfPath)) {
+      console.log(`\xB7 .github/workflows/deploy-${name}.yml exists \u2014 left as-is`);
+    } else {
+      mkdirSync3(wfDir, { recursive: true });
+      writeFileSync3(wfPath, emitAgentDeployWorkflow(name, config.domain));
+      console.log(`\u2714 wrote .github/workflows/deploy-${name}.yml`);
+    }
+  }
   materializeAgentKit(cwd, toolInfo);
   const repo = flag2(args, "--repo") ?? detectRepo(cwd) ?? "";
   const gather = !args.includes("--no-tokens") && process.stdin.isTTY && repo !== "";
@@ -1269,8 +1500,8 @@ Next:${gather ? "" : `
 
 // src/commands/adopt.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { cpSync as cpSync3, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync3 } from "fs";
-import { join as join2, resolve as resolve6 } from "path";
+import { cpSync as cpSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync5, readdirSync, writeFileSync as writeFileSync4 } from "fs";
+import { join as join2, resolve as resolve7 } from "path";
 var REF = MODULE_REF;
 function flag3(args, name) {
   const i = args.indexOf(name);
@@ -1286,7 +1517,7 @@ function mergePackageJson(existing, repoName, vendor) {
 }
 function vendorDeps(vendorDir) {
   const out = {};
-  if (!existsSync6(vendorDir)) return out;
+  if (!existsSync7(vendorDir)) return out;
   for (const f of readdirSync(vendorDir)) {
     if (!f.endsWith(".tgz")) continue;
     const base = f.replace(/-\d+\.\d+\.\d+(-[\w.]+)?\.tgz$/, "");
@@ -1741,12 +1972,12 @@ export default [api, ...agentWeb];
 `;
 }
 function writeIfAbsent(path, contents, label) {
-  if (existsSync6(path)) {
+  if (existsSync7(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync3(resolve6(path, ".."), { recursive: true });
-  writeFileSync3(path, contents);
+  mkdirSync4(resolve7(path, ".."), { recursive: true });
+  writeFileSync4(path, contents);
   console.log(`\u2714 ${label}`);
 }
 async function adoptCommand(args) {
@@ -1782,10 +2013,10 @@ async function adoptWrapper(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
   const cwd = process.cwd();
   const toolRel = `tools/${name}`;
-  const dest = resolve6(cwd, toolRel);
+  const dest = resolve7(cwd, toolRel);
   console.log(`adopting "${name}" (${lane}/${target}) as the submodule ${toolRel}
 `);
-  if (!existsSync6(dest)) {
+  if (!existsSync7(dest)) {
     try {
       execFileSync2("git", ["submodule", "add", repoArg, toolRel], { cwd, stdio: "inherit" });
       console.log(`\u2714 git submodule add ${repoArg} ${toolRel}`);
@@ -1821,7 +2052,7 @@ async function adoptWrapper(ctx) {
       }
     } : {}
   });
-  writeFileSync3(regPath, serializeConfig(nextReg));
+  writeFileSync4(regPath, serializeConfig(nextReg));
   console.log(
     `\u2714 ${existed ? "updated" : "registered"} "${name}" (external, dir ${toolRel}) in the wrapper manifest`
   );
@@ -1838,11 +2069,11 @@ async function adoptWrapper(ctx) {
       `verify/${name}.config.ts`
     );
   }
-  const providers = providersForTool({ target, data });
-  if (existsSync6(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
+  const providers = providersForTool({ lane, target, data });
+  if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
   }
-  materializeAgentKit(dest, { target, data });
+  materializeAgentKit(dest, { lane, target, data });
   addGreenlightScript(dest);
   if (target === "oci") {
     const wrapperSlug = parseRepo(safeGit(cwd, ["remote", "get-url", "origin"])) ?? "OWNER/REPO";
@@ -1891,9 +2122,9 @@ Next:
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
-  const repo = resolve6(process.cwd(), repoArg);
-  if (!existsSync6(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
-  const regVendor = resolve6(process.cwd(), "vendor");
+  const repo = resolve7(process.cwd(), repoArg);
+  if (!existsSync7(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
+  const regVendor = resolve7(process.cwd(), "vendor");
   const vendor = vendorDeps(regVendor);
   if (Object.keys(vendor).length === 0) {
     throw new Error(
@@ -1911,15 +2142,15 @@ async function adoptStandalone(ctx) {
   );
   const slug = parseRepo(safeGit(repo, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   const pkgPath = join2(repo, "package.json");
-  const existingPkg = existsSync6(pkgPath) ? JSON.parse(readFileSync4(pkgPath, "utf8")) : null;
-  writeFileSync3(
+  const existingPkg = existsSync7(pkgPath) ? JSON.parse(readFileSync5(pkgPath, "utf8")) : null;
+  writeFileSync4(
     pkgPath,
     `${JSON.stringify(mergePackageJson(existingPkg, name, vendor), null, 2)}
 `
   );
   console.log("\u2714 package.json (merged framework deps + overrides)");
   const repoVendor = join2(repo, "vendor");
-  mkdirSync3(repoVendor, { recursive: true });
+  mkdirSync4(repoVendor, { recursive: true });
   for (const f of readdirSync(regVendor)) {
     if (f.endsWith(".tgz")) cpSync3(join2(regVendor, f), join2(repoVendor, f));
   }
@@ -1940,7 +2171,7 @@ async function adoptStandalone(ctx) {
     ".github/workflows/greenlight-promote.yml"
   );
   writeIfAbsent(join2(repo, "verify.config.ts"), starterVerifyConfig(lane), "verify.config.ts");
-  materializeAgentKit(repo, { target, data });
+  materializeAgentKit(repo, { lane, target, data });
   writeIfAbsent(join2(repo, "mise.toml"), MISE_TOML, "mise.toml");
   writeIfAbsent(join2(repo, ".node-version"), "24\n", ".node-version");
   const nextReg = addTool(reg, {
@@ -1953,7 +2184,7 @@ async function adoptStandalone(ctx) {
     external: true,
     adopted: true
   });
-  writeFileSync3(regPath, serializeConfig(nextReg));
+  writeFileSync4(regPath, serializeConfig(nextReg));
   console.log(`\u2714 registered "${name}" in ${regPath.replace(`${process.cwd()}/`, "")} (external)`);
   console.log(`
 Next (in the adopted repo):
@@ -1966,20 +2197,20 @@ Note: deploying ${target} needs the ${target} adapter (workers is built; oci/ver
 }
 function addGreenlightScript(dir) {
   const pkgPath = join2(dir, "package.json");
-  if (!existsSync6(pkgPath)) {
+  if (!existsSync7(pkgPath)) {
     console.log(
       "\xB7 no package.json (non-Node tool) \u2014 run the loop via `npx @rtrentjones/greenlight`"
     );
     return;
   }
-  const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
+  const pkg = JSON.parse(readFileSync5(pkgPath, "utf8"));
   pkg.scripts = { ...pkg.scripts ?? {} };
   if (pkg.scripts.greenlight) {
     console.log("\xB7 package.json already has a greenlight script");
     return;
   }
   pkg.scripts.greenlight = "npx @rtrentjones/greenlight";
-  writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+  writeFileSync4(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
   console.log("\u2714 package.json (greenlight script \u2014 runnable via npx post-publish)");
 }
@@ -2124,10 +2355,10 @@ async function deployCommand(args) {
 // src/commands/doctor.ts
 import { execFileSync as execFileSync4 } from "child_process";
 import { lookup } from "dns/promises";
-import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync6, readdirSync as readdirSync2 } from "fs";
 import { join as join4 } from "path";
 function dirCheck(label, dir) {
-  return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+  return existsSync8(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
 }
 function conformanceChecks(t, root) {
   const out = [];
@@ -2137,7 +2368,7 @@ function conformanceChecks(t, root) {
     join4(toolDir, `verify/${t.name}.config.ts`),
     join4(toolDir, "verify.config.ts")
   ] : [join4(toolDir, "verify.config.ts")];
-  const found = specCandidates.find((p) => existsSync7(join4(root, p)));
+  const found = specCandidates.find((p) => existsSync8(join4(root, p)));
   out.push({
     name: `${t.name}: in the verify loop`,
     status: found ? "ok" : "warn",
@@ -2163,14 +2394,14 @@ function conformanceChecks(t, root) {
   }
   if (!t.external && t.lane === "next" && t.target === "vercel") {
     const wsPath = join4(root, "pnpm-workspace.yaml");
-    const ws = existsSync7(wsPath) ? readFileSync5(wsPath, "utf8") : "";
+    const ws = existsSync8(wsPath) ? readFileSync6(wsPath, "utf8") : "";
     const member = ws.includes(toolDir) || /^\s*-\s*["']?tools\/\*/m.test(ws);
     out.push({
       name: `${t.name}: pnpm workspace member`,
       status: member ? "ok" : "warn",
       detail: member ? void 0 : `add "${toolDir}" to pnpm-workspace.yaml \u2014 else Vercel's root install skips its deps`
     });
-    const hasVercelJson = existsSync7(join4(root, toolDir, "vercel.json"));
+    const hasVercelJson = existsSync8(join4(root, toolDir, "vercel.json"));
     out.push({
       name: `${t.name}: vercel.json framework`,
       status: hasVercelJson ? "ok" : "warn",
@@ -2184,7 +2415,7 @@ function versionDriftCheck(root) {
   let installed;
   try {
     const pkg = JSON.parse(
-      readFileSync5(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
+      readFileSync6(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
     );
     installed = pkg.version;
   } catch {
@@ -2192,7 +2423,7 @@ function versionDriftCheck(root) {
   const refs = /* @__PURE__ */ new Set();
   try {
     for (const f of readdirSync2(join4(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
-      const body = readFileSync5(join4(root, "infra", f), "utf8");
+      const body = readFileSync6(join4(root, "infra", f), "utf8");
       for (const m of body.matchAll(/greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g)) {
         if (m[1]) refs.add(m[1]);
       }
@@ -2248,7 +2479,7 @@ function runDoctor(config, root) {
       checks.push({ name: `${t.name}: external (registry)`, status: "ok", detail: url });
       if (t.dir) {
         checks.push(
-          existsSync7(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
+          existsSync8(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
             name: `${t.name}: dir present`,
             status: "warn",
             detail: `declared dir "${t.dir}" missing \u2014 run \`git submodule update --init\``
@@ -2342,89 +2573,6 @@ ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
 import { existsSync as existsSync9, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
 import { resolve as resolve8 } from "path";
 import { createInterface as createInterface3 } from "readline/promises";
-
-// src/tokens.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
-import { resolve as resolve7 } from "path";
-import { createInterface as createInterface2 } from "readline/promises";
-var SECRETS_DIR = ".greenlight";
-var SECRETS_FILE = "secrets.env";
-function presentEnv(cwd) {
-  const out = {};
-  const p = resolve7(cwd, SECRETS_DIR, SECRETS_FILE);
-  if (existsSync8(p)) {
-    for (const { key, value } of parseSecretsEnv(readFileSync6(p, "utf8"))) out[key] = value;
-  }
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0 && !(k in out)) out[k] = v;
-  }
-  return out;
-}
-function upsertSecret(cwd, key, value) {
-  const dir = resolve7(cwd, SECRETS_DIR);
-  mkdirSync4(dir, { recursive: true });
-  const p = resolve7(dir, SECRETS_FILE);
-  const lines = existsSync8(p) ? readFileSync6(p, "utf8").split("\n") : [];
-  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
-  if (idx >= 0) lines[idx] = `${key}=${value}`;
-  else {
-    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
-    lines.push(`${key}=${value}`);
-  }
-  writeFileSync4(p, `${lines.join("\n").replace(/\n*$/, "")}
-`, { mode: 384 });
-}
-async function ensureTokensForTool(cwd, tool, opts = {}) {
-  const doVerify = opts.verify !== false;
-  const interactive = Boolean(process.stdin.isTTY);
-  const env = presentEnv(cwd);
-  const results = [];
-  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
-  try {
-    for (const spec of tokensForTool(tool)) {
-      let value = env[spec.envVar];
-      if (value) {
-        results.push({ envVar: spec.envVar, outcome: "present" });
-      } else if (rl) {
-        console.log(`
-${spec.envVar} \u2014 ${spec.label}`);
-        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
-        if (!entered) {
-          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-          continue;
-        }
-        upsertSecret(cwd, spec.envVar, entered);
-        env[spec.envVar] = entered;
-        value = entered;
-        results.push({ envVar: spec.envVar, outcome: "entered" });
-      } else {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      if (value && doVerify && spec.verify) {
-        let check;
-        try {
-          check = await spec.verify(value, env);
-        } catch (e) {
-          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
-        }
-        const last = results[results.length - 1];
-        if (last) last.verify = check;
-        if (!check.ok && !spec.optional) {
-          throw new Error(
-            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
-          );
-        }
-      }
-    }
-  } finally {
-    rl?.close();
-  }
-  return results;
-}
-
-// src/commands/init.ts
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;
@@ -2674,6 +2822,13 @@ function defaultSpec(lane) {
       return { mode: "api", checks: [{ path: "/", status: 200 }] };
     case "mcp":
       return { mode: "mcp", expectTools: [] };
+    case "agent":
+      return {
+        mode: "api",
+        checks: [{ path: "/status", status: 200 }],
+        settleRetries: 6,
+        settleMs: 5e3
+      };
   }
 }
 function printReport(report) {

package/dist/{chunk-HMU7D7R2.js → chunk-P6FRYOOV.js}

@@ -13,7 +13,7 @@ import { createJiti } from "jiti";
 
 // ../packages/shared/src/schema.ts
 import { z } from "zod";
-var LaneEnum = z.enum(["astro", "next", "mcp"]);
+var LaneEnum = z.enum(["astro", "next", "mcp", "agent"]);
 var TargetEnum = z.enum(["workers", "vercel", "oci"]);
 var DataEnum = z.enum(["none", "d1", "kv", "supabase", "neon"]);
 var AuthEnum = z.enum(["none", "bearer", "oauth"]);
@@ -22,7 +22,8 @@ var EnvEnum = z.enum(["preview", "beta", "prod"]);
 var MATRIX = {
   astro: { targets: ["workers"], data: ["none", "d1", "kv"] },
   next: { targets: ["vercel"], data: ["none", "supabase", "neon"] },
-  mcp: { targets: ["workers", "oci"], data: ["none"] }
+  mcp: { targets: ["workers", "oci"], data: ["none"] },
+  agent: { targets: ["workers"], data: ["none", "kv"] }
 };
 var ToolSchema = z.object({
   name: z.string().regex(/^[a-z][a-z0-9-]*$/, "tool name must be kebab-case starting with a letter"),

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-HMU7D7R2.js";
+} from "./chunk-P6FRYOOV.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.29",
+  "version": "0.3.1",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.2.29",
-    "@rtrentjones/greenlight-loop": "0.2.29",
-    "@rtrentjones/greenlight-verify": "0.2.29",
-    "@rtrentjones/greenlight-shared": "0.2.29"
+    "@rtrentjones/greenlight-adapters": "0.3.1",
+    "@rtrentjones/greenlight-loop": "0.3.1",
+    "@rtrentjones/greenlight-shared": "0.3.1",
+    "@rtrentjones/greenlight-verify": "0.3.1"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",

package/templates/_template-agent/README.md

@@ -0,0 +1,33 @@
+# agent — autonomous Gemini-backed Worker
+
+A cron-triggered Cloudflare Worker that calls **Gemini** (free tier), stores the result in **KV**,
+and serves it. Scaffolded by `greenlight add <name> --lane agent --target workers --data kv`.
+
+## What it does
+
+- `scheduled` (cron, daily) → prompt Gemini → store the text + metadata in KV.
+- `GET /` — the latest output (plain text).
+- `GET /status` — `{ ok, lastRun, model, preview }` (the verify target).
+- `POST /run` — force a run; **bearer-gated** (`Authorization: Bearer $RUN_TOKEN`).
+
+## Setup (once)
+
+`greenlight add` already rewrote the worker `name` + route domain in `wrangler.toml`. Then:
+
+1. **KV namespace** — `pnpm exec wrangler kv namespace create STATE`, and paste the id into the
+   three `id = "REPLACE_WITH_KV_NAMESPACE_ID"` slots in `wrangler.toml`.
+2. **Secrets** (per env — the key never goes in the repo):
+   - `pnpm exec wrangler secret put GEMINI_API_KEY --env prod` — your Google AI Studio key (free,
+     `aistudio.google.com/apikey`).
+   - `pnpm exec wrangler secret put RUN_TOKEN --env prod` — any random string.
+3. **Deploy → seed → verify**:
+   - `pnpm greenlight deploy <name>` (or `pnpm exec wrangler deploy --env prod`).
+   - `curl -XPOST https://<name>.<domain>/run -H "Authorization: Bearer $RUN_TOKEN"` (seed the first run).
+   - `pnpm greenlight verify <name> --env prod`.
+
+## Free-tier safety
+
+The daily cron is ~1 Gemini call/day (the free tier allows ~1500/day). `/run` is bearer-gated so it
+can't be used to burn the quota. The key lives **only** as a Worker secret.
+
+See the `provider-gemini` skill + [docs/agents-plan.md](../../docs/agents-plan.md).

package/templates/_template-agent/gitignore

@@ -0,0 +1,5 @@
+# Shipped as `gitignore` (no dot) so it survives the npm tarball; `greenlight add` renames it to
+# `.gitignore` on scaffold.
+node_modules/
+.wrangler/
+dist/

package/templates/_template-agent/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "_template-agent",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "wrangler dev",
+    "deploy": "wrangler deploy"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20250601.0",
+    "typescript": "^5.6.0",
+    "wrangler": "^3.90.0"
+  }
+}

package/templates/_template-agent/src/index.ts

@@ -0,0 +1,99 @@
+/**
+ * Agent Worker — autonomous, cron-triggered, Gemini-backed.
+ *
+ * On the cron (`scheduled`) it asks Gemini for content and stores it in KV. The `fetch` handler
+ * serves the latest output (`GET /`), reports last-run metadata (`GET /status` — the verify
+ * target), and force-runs (`POST /run`, bearer-gated so it can't be used to burn the free-tier
+ * quota; the deploy step uses it to seed the first output before verify).
+ *
+ * GEMINI_API_KEY + RUN_TOKEN are Worker secrets (`wrangler secret put …`), never in wrangler.toml.
+ */
+
+export interface Env {
+  STATE: KVNamespace;
+  GEMINI_API_KEY: string;
+  RUN_TOKEN?: string;
+  MODEL: string;
+  GREENLIGHT_ENV: string;
+}
+
+interface AgentRecord {
+  ok: true;
+  text: string;
+  lastRun: string;
+  model: string;
+}
+
+const PROMPT =
+  'In one or two sentences, share a single concrete, non-obvious tip about deploying software ' +
+  'safely. Vary the topic each time. Plain text, no preamble, no markdown.';
+
+async function callGemini(env: Env): Promise<string> {
+  const url = `https://generativelanguage.googleapis.com/v1beta/models/${env.MODEL}:generateContent?key=${env.GEMINI_API_KEY}`;
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ contents: [{ parts: [{ text: PROMPT }] }] }),
+  });
+  if (!res.ok) throw new Error(`Gemini HTTP ${res.status}`);
+  const data = (await res.json()) as {
+    candidates?: { content?: { parts?: { text?: string }[] } }[];
+  };
+  const text = data.candidates?.[0]?.content?.parts?.[0]?.text?.trim();
+  if (!text) throw new Error('Gemini returned no text');
+  return text;
+}
+
+function key(env: Env): string {
+  return `${env.GREENLIGHT_ENV}:latest`;
+}
+
+async function runOnce(env: Env): Promise<AgentRecord> {
+  const rec: AgentRecord = {
+    ok: true,
+    text: await callGemini(env),
+    lastRun: new Date().toISOString(),
+    model: env.MODEL,
+  };
+  await env.STATE.put(key(env), JSON.stringify(rec));
+  return rec;
+}
+
+async function latest(env: Env): Promise<AgentRecord | null> {
+  const raw = await env.STATE.get(key(env));
+  return raw ? (JSON.parse(raw) as AgentRecord) : null;
+}
+
+export default {
+  async scheduled(_event: ScheduledEvent, env: Env, ctx: ExecutionContext): Promise<void> {
+    ctx.waitUntil(runOnce(env));
+  },
+
+  async fetch(req: Request, env: Env): Promise<Response> {
+    const { pathname } = new URL(req.url);
+
+    if (req.method === 'POST' && pathname === '/run') {
+      const auth = req.headers.get('authorization');
+      if (!env.RUN_TOKEN || auth !== `Bearer ${env.RUN_TOKEN}`) {
+        return new Response('unauthorized', { status: 401 });
+      }
+      return Response.json(await runOnce(env));
+    }
+
+    if (pathname === '/status') {
+      const rec = await latest(env);
+      return Response.json({
+        ok: Boolean(rec),
+        lastRun: rec?.lastRun ?? null,
+        model: env.MODEL,
+        preview: rec ? rec.text.slice(0, 80) : null,
+      });
+    }
+
+    const rec = await latest(env);
+    if (!rec) return new Response('No run yet — POST /run to seed.\n', { status: 200 });
+    return new Response(`${rec.text}\n`, {
+      headers: { 'content-type': 'text/plain; charset=utf-8' },
+    });
+  },
+};

package/templates/_template-agent/tsconfig.json

@@ -0,0 +1,13 @@
+{
+  "compilerOptions": {
+    "target": "es2022",
+    "module": "es2022",
+    "moduleResolution": "bundler",
+    "lib": ["es2022"],
+    "types": ["@cloudflare/workers-types"],
+    "strict": true,
+    "skipLibCheck": true,
+    "noEmit": true
+  },
+  "include": ["src"]
+}

package/templates/_template-agent/verify.config.ts

@@ -0,0 +1,8 @@
+// The agent exposes GET /status with last-run metadata. The deploy step seeds a run (POST /run)
+// before verify, so /status reports ok:true — assert that. settle absorbs Cloudflare propagation.
+export default {
+  mode: 'api',
+  checks: [{ path: '/status', status: 200, contains: '"ok":true' }],
+  settleRetries: 6,
+  settleMs: 5000,
+};

package/templates/_template-agent/wrangler.toml

@@ -0,0 +1,49 @@
+# Agent Worker. `greenlight add` rewrites `name` + the route domain + the account_id, and emits a
+# .github/workflows/deploy-<name>.yml that (on push to main) creates the KV namespace, deploys, sets
+# the GEMINI_API_KEY + RUN_TOKEN Worker secrets from GitHub secrets, seeds, and verifies. So you only
+# add those two GitHub secrets — no manual wrangler.
+name = "agent-tool"
+# Non-secret account id (committed config). `greenlight add` resolves + fills this from your domain's
+# zone; without it wrangler calls /memberships, which a scoped API token can't do.
+account_id = "REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID"
+main = "src/index.ts"
+compatibility_date = "2025-06-01"
+
+# Daily 13:00 UTC — far under the Gemini free-tier quota (~1500 req/day). Edit to taste.
+[triggers]
+crons = ["0 13 * * *"]
+
+[vars]
+MODEL = "gemini-2.5-flash"
+GREENLIGHT_ENV = "prod"
+
+# Output store. `wrangler kv namespace create STATE` → paste the id here (and per-env below).
+[[kv_namespaces]]
+binding = "STATE"
+id = "REPLACE_WITH_KV_NAMESPACE_ID"
+
+# Named environments (the deploy uses `wrangler deploy --env prod|beta`). Wrangler envs do NOT
+# inherit top-level config, so vars + kv + routes are repeated per env.
+[env.prod]
+name = "agent-tool"
+routes = [{ pattern = "agent-tool.example.dev", custom_domain = true }]
+
+[env.prod.vars]
+MODEL = "gemini-2.5-flash"
+GREENLIGHT_ENV = "prod"
+
+[[env.prod.kv_namespaces]]
+binding = "STATE"
+id = "REPLACE_WITH_KV_NAMESPACE_ID"
+
+[env.beta]
+name = "agent-tool-beta"
+routes = [{ pattern = "beta.agent-tool.example.dev", custom_domain = true }]
+
+[env.beta.vars]
+MODEL = "gemini-2.5-flash"
+GREENLIGHT_ENV = "beta"
+
+[[env.beta.kv_namespaces]]
+binding = "STATE"
+id = "REPLACE_WITH_KV_NAMESPACE_ID"