@rtrentjones/greenlight 0.2.4

package/dist/bin.js

@@ -0,0 +1,1951 @@
+#!/usr/bin/env node
+import {
+  ConfigSchema,
+  allPass,
+  loadConfig,
+  resolveUrl,
+  verifyAll
+} from "./chunk-KFKYLGFX.js";
+import "./chunk-XBDQJVAX.js";
+import "./chunk-WFZTRXBF.js";
+import "./chunk-KP3Y6WRU.js";
+import "./chunk-UXHHLEYO.js";
+import "./chunk-6N7MD6FR.js";
+import "./chunk-QFKE5JKC.js";
+
+// src/commands/add.ts
+import { cpSync as cpSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { join, resolve as resolve6 } from "path";
+
+// src/asset-paths.ts
+import { existsSync } from "fs";
+import { dirname, resolve } from "path";
+import { fileURLToPath } from "url";
+var here = dirname(fileURLToPath(import.meta.url));
+var packageRoot = resolve(here, "..");
+function templatesRoot() {
+  const packaged = resolve(packageRoot, "templates");
+  if (existsSync(packaged)) return packaged;
+  return resolve(process.cwd(), "tools");
+}
+function skillAssetDir(name = "deploy-verify-promote") {
+  const packaged = resolve(packageRoot, "assets", "skills", name);
+  if (existsSync(packaged)) return packaged;
+  return resolve(packageRoot, "..", ".claude", "skills", name);
+}
+
+// src/config-io.ts
+var q = (s) => `'${s}'`;
+function serializeTool(t) {
+  const parts = [
+    `name: ${q(t.name)}`,
+    `lane: ${q(t.lane)}`,
+    `target: ${q(t.target)}`,
+    `data: ${q(t.data)}`,
+    `auth: ${q(t.auth)}`,
+    `access: ${q(t.access)}`,
+    `envs: [${t.envs.map(q).join(", ")}]`
+  ];
+  if (t.dir !== void 0) parts.push(`dir: ${q(t.dir)}`);
+  if (t.adopted) parts.push("adopted: true");
+  if (t.external) parts.push("external: true");
+  return `    { ${parts.join(", ")} },`;
+}
+function serializeConfig(c) {
+  const tools = c.tools.length ? `
+${c.tools.map(serializeTool).join("\n")}
+  ` : "";
+  const blog = c.blog ? `
+  blog: { lane: ${q(c.blog.lane)}, target: ${q(c.blog.target)}, data: ${q(c.blog.data)} },` : "";
+  return `import { defineConfig } from '@rtrentjones/greenlight';
+
+export default defineConfig({
+  domain: ${q(c.domain)},
+  alerts: { sink: ${q(c.alerts.sink)} },${blog}
+  tools: [${tools}],
+});
+`;
+}
+function scaffoldConfig(domain) {
+  return serializeConfig({
+    domain,
+    alerts: { sink: "github-issue" },
+    blog: { lane: "astro", target: "workers", data: "none" },
+    tools: []
+  });
+}
+function addTool(config, t) {
+  if (t.name === "blog" || config.tools.some((x) => x.name === t.name)) {
+    throw new Error(`entry "${t.name}" already exists in the manifest`);
+  }
+  const candidate = {
+    ...config,
+    tools: [
+      ...config.tools,
+      {
+        name: t.name,
+        lane: t.lane,
+        target: t.target,
+        data: t.data ?? "none",
+        auth: t.auth ?? "none",
+        access: t.access ?? "public",
+        envs: t.envs ?? ["beta", "prod"],
+        ...t.dir !== void 0 ? { dir: t.dir } : {},
+        ...t.adopted ? { adopted: true } : {},
+        ...t.external ? { external: true } : {}
+      }
+    ]
+  };
+  const result = ConfigSchema.safeParse(candidate);
+  if (!result.success) {
+    throw new Error(
+      result.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`).join("; ")
+    );
+  }
+  return result.data;
+}
+
+// src/manifest.ts
+import { existsSync as existsSync2 } from "fs";
+import { resolve as resolve2 } from "path";
+import { createJiti } from "jiti";
+function findManifestPath(cwd = process.cwd()) {
+  for (const name of ["greenlight.config.ts", "greenlight.config.example.ts"]) {
+    const p = resolve2(cwd, name);
+    if (existsSync2(p)) return p;
+  }
+  return null;
+}
+async function loadManifest(cwd = process.cwd()) {
+  const path = findManifestPath(cwd);
+  if (!path) {
+    throw new Error(
+      "No greenlight.config.ts (or greenlight.config.example.ts) found in this directory."
+    );
+  }
+  return { path, config: await loadConfig(path) };
+}
+function resolveEntry(config, name) {
+  if (name === "blog") {
+    if (!config.blog) throw new Error("this manifest has no blog");
+    return {
+      name: void 0,
+      lane: config.blog.lane,
+      target: config.blog.target,
+      dir: "apps/blog",
+      external: false
+    };
+  }
+  const tool = config.tools.find((t) => t.name === name);
+  if (!tool) {
+    const known = [...config.blog ? ["blog"] : [], ...config.tools.map((t) => t.name)].join(", ");
+    throw new Error(`no entry "${name}" in manifest (known: ${known})`);
+  }
+  return {
+    name: tool.name,
+    lane: tool.lane,
+    target: tool.target,
+    dir: tool.dir ?? `tools/${tool.name}`,
+    external: tool.external
+  };
+}
+var VERIFY_MODES = /* @__PURE__ */ new Set(["api", "mcp", "playwright", "test", "agent-web", "eval"]);
+function asSpec(relPath, spec) {
+  if (typeof spec?.mode !== "string" || !VERIFY_MODES.has(spec.mode)) {
+    throw new Error(
+      `${relPath} must export a spec (or array of specs) with mode ${[...VERIFY_MODES].join("|")}`
+    );
+  }
+  return spec;
+}
+async function loadVerifySpecAt(relPath) {
+  const path = resolve2(process.cwd(), relPath);
+  if (!existsSync2(path)) return null;
+  const jiti = createJiti(import.meta.url);
+  const mod = await jiti.import(path);
+  const def = "default" in mod ? mod.default : mod;
+  if (Array.isArray(def)) return def.map((s) => asSpec(relPath, s));
+  return asSpec(relPath, def);
+}
+function loadVerifySpec(dir) {
+  return loadVerifySpecAt(`${dir}/verify.config.ts`);
+}
+function loadExternalVerifySpec(name) {
+  return loadVerifySpecAt(`verify/${name}.config.ts`);
+}
+
+// src/providers.ts
+var okStatus = (r) => r.ok;
+var PACKS = [
+  {
+    id: "cloudflare",
+    name: "Cloudflare",
+    always: true,
+    // the zone/DNS provider + Workers (keepalive) for every Greenlight setup
+    appliesTo: () => true,
+    guide: "docs/provider-tokens.md \u2014 CLOUDFLARE_API_TOKEN (Workers Scripts:Edit + Zone DNS:Edit)",
+    tokens: [
+      {
+        envVar: "CLOUDFLARE_API_TOKEN",
+        label: "API token \u2014 Workers Scripts:Edit + Zone DNS:Edit",
+        scopes: [
+          "Account \xB7 Workers Scripts \xB7 Edit",
+          "Zone \xB7 DNS \xB7 Edit",
+          "Account \xB7 Account Settings \xB7 Read"
+        ],
+        verify: async (t) => {
+          const r = await fetch("https://api.cloudflare.com/client/v4/user/tokens/verify", {
+            headers: { Authorization: `Bearer ${t}` }
+          });
+          const j = await r.json().catch(() => ({}));
+          return { ok: r.ok && j.result?.status === "active", detail: j.result?.status };
+        }
+      }
+    ],
+    mcp: {
+      cloudflare: { type: "http", url: "https://mcp.cloudflare.com/mcp" },
+      "cloudflare-docs": { type: "http", url: "https://docs.mcp.cloudflare.com/mcp" }
+    },
+    skill: "provider-cloudflare",
+    tfModules: ["tool", "keepalive"]
+  },
+  {
+    id: "vercel",
+    name: "Vercel",
+    appliesTo: (t) => t.target === "vercel",
+    guide: "docs/provider-tokens.md \u2014 VERCEL_API_TOKEN (team-scoped)",
+    tokens: [
+      {
+        envVar: "VERCEL_API_TOKEN",
+        label: "API token (scope to your team)",
+        verify: async (t) => {
+          const r = await fetch("https://api.vercel.com/v2/user", {
+            headers: { Authorization: `Bearer ${t}` }
+          });
+          return { ok: okStatus(r), detail: `HTTP ${r.status}` };
+        }
+      }
+    ],
+    mcp: { vercel: { type: "http", url: "https://mcp.vercel.com" } },
+    skill: "provider-vercel",
+    tfModules: ["vercel"]
+  },
+  {
+    id: "supabase",
+    name: "Supabase",
+    appliesTo: (t) => t.data === "supabase",
+    guide: "docs/provider-tokens.md \u2014 SUPABASE_ACCESS_TOKEN (Management API)",
+    tokens: [
+      {
+        envVar: "SUPABASE_ACCESS_TOKEN",
+        label: "Management API access token",
+        verify: async (t) => {
+          const r = await fetch("https://api.supabase.com/v1/projects", {
+            headers: { Authorization: `Bearer ${t}` }
+          });
+          return { ok: okStatus(r), detail: `HTTP ${r.status}` };
+        }
+      },
+      {
+        envVar: "TF_VAR_supabase_database_password",
+        label: "database password (ignored when importing an existing project)",
+        optional: true
+      }
+    ],
+    mcp: {
+      supabase: {
+        type: "http",
+        url: "https://mcp.supabase.com/mcp?project_ref=${SUPABASE_PROJECT_REF}&read_only=true",
+        headers: { Authorization: "Bearer ${SUPABASE_ACCESS_TOKEN}" }
+      }
+    },
+    skill: "provider-supabase",
+    tfModules: ["supabase"]
+  },
+  {
+    id: "hcp",
+    name: "HCP Terraform (remote state)",
+    always: true,
+    // remote state backs every wrapper's infra
+    appliesTo: () => true,
+    guide: "docs/terraform-state-r2.md \u2014 HCP Terraform free tier (no credit card)",
+    tokens: [
+      {
+        envVar: "TF_API_TOKEN",
+        label: "HCP Terraform user API token (state backend auth)",
+        verify: async (t) => {
+          const r = await fetch("https://app.terraform.io/api/v2/organizations", {
+            headers: { Authorization: `Bearer ${t}`, "Content-Type": "application/vnd.api+json" }
+          });
+          return { ok: okStatus(r), detail: `HTTP ${r.status}` };
+        }
+      }
+    ],
+    skill: "provider-hcp"
+  },
+  {
+    id: "github",
+    name: "GitHub",
+    always: true,
+    // secrets sync + repo/branch infra
+    appliesTo: () => true,
+    guide: "docs/provider-tokens.md \u2014 GitHub (gh auth, or a fine-grained PAT)",
+    tokens: [
+      {
+        envVar: "GITHUB_TOKEN",
+        label: "GitHub token (gh-provided in CI; PAT for cross-repo)",
+        optional: true
+        // usually provided by `gh` / the Actions built-in token
+      }
+    ],
+    skill: "provider-github",
+    tfModules: ["repo"]
+  },
+  {
+    id: "oci",
+    name: "Oracle Cloud (OCI)",
+    appliesTo: (t) => t.target === "oci",
+    guide: "docs/oci-payg-runbook.md \u2014 Always-Free A1 Container Instance + tunnel (PAYG to stop reclaim)",
+    tokens: [
+      // OCI provider auth = API-key request signing (no bearer → no cheap fetch verify). These
+      // flow to the `oci` Terraform provider as TF_VAR_oci_* (the wrapper apply uses them).
+      { envVar: "TF_VAR_oci_tenancy_ocid", label: "OCI tenancy OCID", optional: true },
+      { envVar: "TF_VAR_oci_user_ocid", label: "OCI user OCID", optional: true },
+      { envVar: "TF_VAR_oci_fingerprint", label: "OCI API key fingerprint", optional: true },
+      {
+        envVar: "TF_VAR_oci_private_key",
+        label: "OCI API private key (PEM content)",
+        optional: true
+      },
+      { envVar: "TF_VAR_oci_region", label: "OCI region, e.g. us-ashburn-1", optional: true },
+      // Container Instance placement (your Always-Free compartment / AD / a public subnet).
+      { envVar: "TF_VAR_oci_compartment_id", label: "OCI compartment OCID", optional: true },
+      {
+        envVar: "TF_VAR_oci_availability_domain",
+        label: "OCI availability domain",
+        optional: true
+      },
+      {
+        envVar: "TF_VAR_oci_subnet_id",
+        label: "OCI subnet OCID (public, for egress)",
+        optional: true
+      },
+      // Deploy (restart the instance → re-pull). Set from the Terraform output.
+      {
+        envVar: "OCI_CONTAINER_INSTANCE_OCID",
+        label: "container instance OCID (TF output) \u2014 `greenlight deploy` restarts it",
+        optional: true
+      }
+    ],
+    skill: "provider-oci",
+    tfModules: ["tool", "tunnel", "oci-container-instance"]
+    // DNS + tunnel + compute; deploy = restart
+  }
+];
+function packsForTool(tool) {
+  return PACKS.filter((p) => p.always || (tool ? p.appliesTo(tool) : false));
+}
+function mcpForTool(tool) {
+  const out = {};
+  for (const pack of packsForTool(tool)) {
+    if (pack.mcp) Object.assign(out, pack.mcp);
+  }
+  return out;
+}
+function tokensForTool(tool) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const pack of packsForTool(tool)) {
+    for (const tok of pack.tokens) {
+      if (!seen.has(tok.envVar)) {
+        seen.add(tok.envVar);
+        out.push(tok);
+      }
+    }
+  }
+  return out;
+}
+
+// src/version.ts
+var MODULE_REF = "v0.2.4";
+var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
+function moduleSource(module, ref = MODULE_REF) {
+  return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
+}
+
+// src/tf-emit.ts
+var hcl = (s) => s.replace(/\n{3,}/g, "\n\n").trimEnd();
+function emitToolTf(opts) {
+  const { name, domain, lane, target, data, envs, ref = MODULE_REF } = opts;
+  const slug = opts.slug ?? `OWNER/${name}`;
+  const useSupabase = data === "supabase";
+  const useVercel = target === "vercel";
+  const useOci = target === "oci";
+  const envList = envs.map((e) => `"${e}"`).join(", ");
+  const blocks = [];
+  const assumes = ["var.cloudflare_zone_id"];
+  if (useOci)
+    assumes.push(
+      "var.cloudflare_account_id",
+      "var.oci_compartment_id",
+      "var.oci_availability_domain",
+      "var.oci_subnet_id"
+    );
+  if (useSupabase) assumes.push("var.supabase_organization_id", "var.supabase_database_password");
+  const ghcrOwner = (slug.split("/")[0] ?? "owner").toLowerCase();
+  blocks.push(
+    `# ${name} \u2014 ${lane}/${target}${useSupabase ? "/supabase" : ""}, emitted by \`greenlight add\`.
+# Review, then commit + push: the wrapper's infra.yml (HCP-backed) runs \`terraform apply\`.
+# Assumes infra/main.tf declares: ${[useVercel && "vercel", useSupabase && "supabase", useOci && "oci"].filter(Boolean).join(" + ") || "cloudflare + github"} provider(s)
+# and the variables ${assumes.join(", ")}.${opts.external ? `
+# External tool: app code + deploy live in ${slug}; this manages only its infra here.` : ""}`
+  );
+  if (useSupabase) {
+    blocks.push(`# One Supabase project (schema-per-env), kept declarative + recreatable + kept alive.
+module "${name}_supabase" {
+  source = "${moduleSource("supabase", ref)}"
+
+  name              = "${name}"
+  project_name      = "${name}-db"
+  organization_id   = var.supabase_organization_id
+  database_password = var.supabase_database_password
+  region            = "us-east-1"
+}`);
+  }
+  if (useVercel) {
+    const env = useSupabase ? `
+  environment = {
+    site_url_prod     = { key = "SITE_URL", target = ["production"], sensitive = false }
+    site_url_beta     = { key = "SITE_URL", target = ["preview"], sensitive = false }
+    supa_url_prod     = { key = "NEXT_PUBLIC_SUPABASE_URL", target = ["production"], sensitive = false }
+    supa_anon_prod    = { key = "NEXT_PUBLIC_SUPABASE_ANON_KEY", target = ["production"], sensitive = false }
+    supa_service_prod = { key = "SUPABASE_SERVICE_ROLE_KEY", target = ["production"], sensitive = true }
+    supa_url_beta     = { key = "NEXT_PUBLIC_SUPABASE_URL", target = ["preview"], sensitive = false }
+    supa_anon_beta    = { key = "NEXT_PUBLIC_SUPABASE_ANON_KEY", target = ["preview"], sensitive = false }
+    supa_service_beta = { key = "SUPABASE_SERVICE_ROLE_KEY", target = ["preview"], sensitive = true }
+  }
+  environment_values = {
+    site_url_prod     = "https://${name}.${domain}"
+    site_url_beta     = "https://beta.${name}.${domain}"
+    supa_url_prod     = module.${name}_supabase.url
+    supa_anon_prod    = module.${name}_supabase.anon_key
+    supa_service_prod = module.${name}_supabase.service_role_key
+    supa_url_beta     = module.${name}_supabase.url
+    supa_anon_beta    = module.${name}_supabase.anon_key
+    supa_service_beta = module.${name}_supabase.service_role_key
+  }` : `
+  # No managed data store \u2014 add environment/environment_values if the app needs vars.
+  environment        = {}
+  environment_values = {}`;
+    blocks.push(`# Configure the EXISTING Vercel project (domains + env vars). Deploys ride git integration.
+module "${name}_vercel" {
+  source = "${moduleSource("vercel", ref)}"
+
+  project_id  = var.${name}_vercel_project_id
+  name        = "${name}"
+  domain      = "${domain}"
+  beta_branch = "develop"
+${env}
+}
+
+variable "${name}_vercel_project_id" {
+  type        = string
+  description = "Vercel project id for ${name} (prj_\u2026); the project must already exist."
+}`);
+  }
+  if (useOci) {
+    blocks.push(`# OCI Container Instance (Always-Free Ampere A1) running the tool's GHCR image + a cloudflared
+# sidecar; the tunnel routes ${name}.${domain} \u2192 the container at localhost:8000. The tool's OWN
+# CI builds + pushes the image (provider-agnostic); deploy = restart the instance (re-pull).
+# beta would be a second instance + tunnel route \u2014 mind the free 2-OCPU / 12-GB A1 cap.
+module "${name}_tunnel" {
+  source = "${moduleSource("tunnel", ref)}"
+
+  account_id = var.cloudflare_account_id
+  name       = "${name}-tunnel"
+  ingress = [
+    { hostname = "${name}.${domain}", service = "http://localhost:8000" },
+  ]
+}
+
+module "${name}_instance" {
+  source = "${moduleSource("oci-container-instance", ref)}"
+
+  name                = "${name}"
+  compartment_id      = var.oci_compartment_id
+  availability_domain = var.oci_availability_domain
+  subnet_id           = var.oci_subnet_id
+  image_url           = var.${name}_image
+  tunnel_token        = module.${name}_tunnel.token
+
+  # Tool runtime env \u2014 fill in (e.g. PORT/listen settings, auth). The container must listen on 8000.
+  environment = {}
+}
+
+variable "${name}_image" {
+  type        = string
+  default     = "ghcr.io/${ghcrOwner}/${name}:prod"
+  description = "GHCR image for ${name} (built + pushed by ${slug}'s own CI)."
+}`);
+  }
+  blocks.push(`# Subdomain DNS \u2014 CNAME ${name}/beta.${name} \u2192 ${useVercel ? "cname.vercel-dns.com" : useOci ? "the tunnel" : "the target"}.
+module "${name}_dns" {
+  source = "${moduleSource("tool", ref)}"
+
+  name        = "${name}"
+  domain      = "${domain}"
+  zone_id     = var.cloudflare_zone_id
+  github_repo = "${slug}"
+  lane        = "${lane}"
+  target      = "${target}"
+  data        = "${data}"
+  envs        = [${envList}]${useOci ? `
+  cname_target = module.${name}_tunnel.cname_target` : ""}${opts.external ? "\n  # External repo managed elsewhere; no GitHub envs here so CI stays single-repo.\n  manage_github_environments = false" : ""}
+}`);
+  if (useSupabase) {
+    blocks.push(`# Keepalive: add this tool to the aggregated keepalive worker so its Supabase DB
+# never idle-pauses. In infra/keepalive.tf, append to module.keepalive.targets_json:
+#   { name = "${name}", env = "prod", url = module.${name}_supabase.url, anonKey = module.${name}_supabase.anon_key }`);
+  }
+  const outputs = useVercel ? `output "${name}_prod_url" { value = module.${name}_vercel.prod_url }
+output "${name}_beta_url" { value = module.${name}_vercel.beta_url }` : `output "${name}_prod_url" { value = module.${name}_dns.prod_url }`;
+  blocks.push(
+    useOci ? `${outputs}
+output "${name}_tunnel_token" {
+  value     = module.${name}_tunnel.token
+  sensitive = true
+}
+output "${name}_container_instance_id" {
+  value       = module.${name}_instance.container_instance_id
+  description = "Set as OCI_CONTAINER_INSTANCE_OCID so \`greenlight deploy ${name}\` restarts it."
+}` : outputs
+  );
+  return `${hcl(blocks.join("\n\n"))}
+`;
+}
+function emitWrapperMainTf(opts) {
+  const owner = opts.owner ?? "OWNER";
+  const need = new Set(opts.providers);
+  const req = [
+    '    cloudflare = { source = "cloudflare/cloudflare", version = "~> 5.0" }',
+    '    github     = { source = "integrations/github", version = "~> 6.0" }'
+  ];
+  if (need.has("vercel"))
+    req.push('    vercel     = { source = "vercel/vercel", version = "~> 3.0" }');
+  if (need.has("supabase"))
+    req.push('    supabase   = { source = "supabase/supabase", version = "~> 1.0" }');
+  if (need.has("oci")) req.push('    oci        = { source = "oracle/oci", version = ">= 5.0" }');
+  const providerBlocks = ['provider "cloudflare" {}', `provider "github" { owner = "${owner}" }`];
+  if (need.has("vercel")) providerBlocks.push('provider "vercel" {}');
+  if (need.has("supabase")) providerBlocks.push('provider "supabase" {}');
+  if (need.has("oci")) {
+    providerBlocks.push(`provider "oci" {
+  tenancy_ocid = var.oci_tenancy_ocid
+  user_ocid    = var.oci_user_ocid
+  fingerprint  = var.oci_fingerprint
+  private_key  = var.oci_private_key
+  region       = var.oci_region
+}`);
+  }
+  const vars = ['variable "cloudflare_zone_id" { type = string }'];
+  vars.push('variable "cloudflare_account_id" {\n  type    = string\n  default = ""\n}');
+  if (need.has("supabase")) {
+    vars.push('variable "supabase_organization_id" { type = string }');
+    vars.push(
+      'variable "supabase_database_password" {\n  type      = string\n  sensitive = true\n  default   = "import-placeholder" # ignored when importing an existing project\n}'
+    );
+  }
+  if (need.has("oci")) {
+    vars.push('variable "oci_tenancy_ocid" { type = string }');
+    vars.push('variable "oci_user_ocid" { type = string }');
+    vars.push('variable "oci_fingerprint" { type = string }');
+    vars.push('variable "oci_private_key" {\n  type      = string\n  sensitive = true\n}');
+    vars.push('variable "oci_region" { type = string }');
+    vars.push('variable "oci_compartment_id" { type = string }');
+    vars.push('variable "oci_availability_domain" { type = string }');
+    vars.push('variable "oci_subnet_id" { type = string }');
+  }
+  return `# Wrapper infra (singleton): providers + remote-state backend + shared variables.
+# \`greenlight add\` appends per-tool module blocks as infra/<name>.tf. Apply is CI/CD's job
+# (infra.yml). Fill in the HCP backend below before the first apply (docs/terraform-state-r2.md).
+
+terraform {
+  required_version = ">= 1.7"
+  required_providers {
+${req.join("\n")}
+  }
+
+  # Remote state \u2014 HCP Terraform free tier (no credit card). Uncomment + set org/workspace:
+  # cloud {
+  #   organization = "YOUR_ORG"
+  #   workspaces { name = "${opts.domain.replace(/\./g, "-")}" }
+  # }
+}
+
+${providerBlocks.join("\n")}
+
+${vars.join("\n")}
+`;
+}
+function providersForTool(tool) {
+  const ids = new Set(packsForTool(tool).map((p) => p.id));
+  const out = ["cloudflare", "github"];
+  if (ids.has("vercel")) out.push("vercel");
+  if (ids.has("supabase")) out.push("supabase");
+  if (ids.has("oci")) out.push("oci");
+  return out;
+}
+
+// src/tokens.ts
+import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { resolve as resolve4 } from "path";
+import { createInterface } from "readline/promises";
+
+// src/commands/secrets.ts
+import { execFileSync } from "child_process";
+import { existsSync as existsSync3, readFileSync } from "fs";
+import { resolve as resolve3 } from "path";
+function parseSecretsEnv(text) {
+  const out = [];
+  for (const raw of text.split("\n")) {
+    const line = raw.trim();
+    if (line === "" || line.startsWith("#")) continue;
+    const eq = line.indexOf("=");
+    if (eq <= 0) continue;
+    out.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1) });
+  }
+  return out;
+}
+function parseRepo(remoteUrl) {
+  const m = remoteUrl.trim().match(/github\.com[/:]([^/]+)\/(.+?)(?:\.git)?$/);
+  return m ? `${m[1]}/${m[2]}` : null;
+}
+function flag(args, name) {
+  const i = args.indexOf(name);
+  return i >= 0 ? args[i + 1] : void 0;
+}
+function detectRepo(cwd) {
+  try {
+    const url = execFileSync("git", ["remote", "get-url", "origin"], {
+      cwd,
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+      // don't leak git's stderr
+    });
+    return parseRepo(url);
+  } catch {
+    return null;
+  }
+}
+function syncSecrets(opts) {
+  const repo = opts.repo ?? detectRepo(opts.cwd);
+  if (!repo) {
+    throw new Error(
+      "could not determine the repo \u2014 pass --repo owner/repo (no github.com origin remote)"
+    );
+  }
+  const path = resolve3(opts.cwd, ".greenlight/secrets.env");
+  if (!existsSync3(path)) {
+    throw new Error("no .greenlight/secrets.env \u2014 run `greenlight init` with tokens first");
+  }
+  const entries = parseSecretsEnv(readFileSync(path, "utf8"));
+  const target = opts.env ? `env "${opts.env}"` : "repo";
+  for (const { key, value } of entries) {
+    const ghArgs = ["secret", "set", key, "--repo", repo];
+    if (opts.env) ghArgs.push("--env", opts.env);
+    try {
+      execFileSync("gh", ghArgs, { input: value });
+    } catch (e) {
+      const err = e;
+      if (err.code === "ENOENT") {
+        throw new Error("the GitHub CLI `gh` is required \u2014 install it and run `gh auth login`");
+      }
+      const detail = err.stderr?.toString().trim();
+      throw new Error(
+        `failed to set ${key}${detail ? `: ${detail}` : " (check `gh auth status`)"}`
+      );
+    }
+    console.log(`\u2714 set ${key} \u2192 ${repo} ${target}`);
+  }
+  return { repo, count: entries.length };
+}
+async function secretsCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight secrets sync [--repo owner/repo] [--env <env>]   # push .greenlight/secrets.env to GitHub Actions secrets"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const { count } = syncSecrets({
+    cwd: process.cwd(),
+    repo: flag(args, "--repo"),
+    env: flag(args, "--env")
+  });
+  if (count === 0) {
+    console.log("no secrets to sync");
+    return;
+  }
+  console.log(
+    `
+${count} secret(s) synced. (Prefer GitHub OIDC over long-lived tokens where supported.)`
+  );
+}
+
+// src/tokens.ts
+var SECRETS_DIR = ".greenlight";
+var SECRETS_FILE = "secrets.env";
+function presentEnv(cwd) {
+  const out = {};
+  const p = resolve4(cwd, SECRETS_DIR, SECRETS_FILE);
+  if (existsSync4(p)) {
+    for (const { key, value } of parseSecretsEnv(readFileSync2(p, "utf8"))) out[key] = value;
+  }
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0 && !(k in out)) out[k] = v;
+  }
+  return out;
+}
+function upsertSecret(cwd, key, value) {
+  const dir = resolve4(cwd, SECRETS_DIR);
+  mkdirSync(dir, { recursive: true });
+  const p = resolve4(dir, SECRETS_FILE);
+  const lines = existsSync4(p) ? readFileSync2(p, "utf8").split("\n") : [];
+  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
+  if (idx >= 0) lines[idx] = `${key}=${value}`;
+  else {
+    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
+    lines.push(`${key}=${value}`);
+  }
+  writeFileSync(p, `${lines.join("\n").replace(/\n*$/, "")}
+`, { mode: 384 });
+}
+async function ensureTokensForTool(cwd, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const interactive = Boolean(process.stdin.isTTY);
+  const env = presentEnv(cwd);
+  const results = [];
+  const rl = interactive ? createInterface({ input: process.stdin, output: process.stdout }) : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      let value = env[spec.envVar];
+      if (value) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+      } else if (rl) {
+        console.log(`
+${spec.envVar} \u2014 ${spec.label}`);
+        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
+        if (!entered) {
+          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+          continue;
+        }
+        upsertSecret(cwd, spec.envVar, entered);
+        env[spec.envVar] = entered;
+        value = entered;
+        results.push({ envVar: spec.envVar, outcome: "entered" });
+      } else {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      if (value && doVerify && spec.verify) {
+        let check;
+        try {
+          check = await spec.verify(value, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        const last = results[results.length - 1];
+        if (last) last.verify = check;
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+    }
+  } finally {
+    rl?.close();
+  }
+  return results;
+}
+
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve5 } from "path";
+
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
+  }
+  return out;
+}
+
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+
+This repo uses Greenlight. Ship changes through the deploy-verify-promote skill:
+branch \u2192 change \u2192 deploy preview \u2192 \`greenlight verify\` \u2192 beta \u2192 verify \u2192 \`greenlight promote\` \u2192 prod \u2192 verify.
+
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the loop).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync5(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve5(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync2(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync5(skillSrc)) continue;
+    const skillDest = resolve5(dir, ".claude/skills", pack.skill);
+    mkdirSync2(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve5(dir, ".mcp.json");
+  const existingMcp = existsSync5(mcpPath) ? JSON.parse(readFileSync3(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync2(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve5(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync5(claudePath) ? readFileSync3(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync2(claudePath, existing ? `${existing.trimEnd()}
+
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight agent sync   # write the loop skill + .mcp.json + CLAUDE.md block"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  materializeAgentKit(process.cwd());
+  console.log(
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+  );
+}
+
+// src/commands/add.ts
+function flag2(args, name) {
+  const i = args.indexOf(name);
+  return i >= 0 ? args[i + 1] : void 0;
+}
+function templateDir(lane, target) {
+  const base = join(templatesRoot(), `_template-${lane}`);
+  return lane === "mcp" ? join(base, target) : base;
+}
+async function addCommand(args) {
+  const name = args[0];
+  if (!name || name.startsWith("-")) {
+    throw new Error(
+      "usage: greenlight add <name> --lane <lane> --target <target> [--data <d>] [--auth <a>] [--envs beta,prod]"
+    );
+  }
+  const lane = flag2(args, "--lane");
+  const target = flag2(args, "--target");
+  if (!lane || !target) throw new Error("add needs --lane and --target");
+  const { config, path } = await loadManifest();
+  if (path.endsWith(".example.ts")) {
+    throw new Error("no greenlight.config.ts \u2014 run `greenlight init` first");
+  }
+  const next = addTool(config, {
+    name,
+    lane,
+    target,
+    data: flag2(args, "--data"),
+    auth: flag2(args, "--auth"),
+    envs: flag2(args, "--envs")?.split(",")
+  });
+  const entry = next.tools.find((t) => t.name === name);
+  const data = entry?.data ?? "none";
+  const envs = entry?.envs ?? ["beta", "prod"];
+  const toolInfo = { target, data };
+  const dest = resolve6(process.cwd(), "tools", name);
+  if (existsSync6(dest)) throw new Error(`tools/${name} already exists`);
+  const src = templateDir(lane, target);
+  if (existsSync6(src)) {
+    cpSync2(src, dest, { recursive: true });
+    const pkgPath = join(dest, "package.json");
+    if (existsSync6(pkgPath)) {
+      const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
+      pkg.name = name;
+      writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+`);
+    }
+    console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
+  } else {
+    console.log(`! no template at ${src} \u2014 manifest entry added without scaffolding`);
+  }
+  writeFileSync3(path, serializeConfig(next));
+  console.log(`\u2714 added "${name}" (${lane}/${target}) to the manifest`);
+  const cwd = process.cwd();
+  const providers = providersForTool(toolInfo);
+  const infraDir = resolve6(cwd, "infra");
+  const mainTf = join(infraDir, "main.tf");
+  if (!existsSync6(mainTf)) {
+    mkdirSync3(infraDir, { recursive: true });
+    writeFileSync3(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
+    console.log("\u2714 scaffolded infra/main.tf (providers + HCP backend placeholder)");
+  } else if (providers.some((p) => p !== "cloudflare" && p !== "github")) {
+    console.log(`\xB7 infra/main.tf exists \u2014 ensure it declares provider(s): ${providers.join(", ")}`);
+  }
+  const toolTf = join(infraDir, `${name}.tf`);
+  if (existsSync6(toolTf)) {
+    console.log(`\xB7 infra/${name}.tf exists \u2014 left as-is`);
+  } else {
+    writeFileSync3(toolTf, emitToolTf({ name, domain: config.domain, lane, target, data, envs }));
+    console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
+  }
+  if (!args.includes("--no-tokens")) {
+    try {
+      const outcomes = await ensureTokensForTool(cwd, toolInfo, {
+        verify: !args.includes("--no-verify")
+      });
+      const missing = outcomes.filter((o) => o.outcome === "missing").map((o) => o.envVar);
+      if (missing.length) {
+        console.log(
+          `! missing token(s): ${missing.join(", ")} \u2014 set in .greenlight/secrets.env, then \`greenlight secrets sync\``
+        );
+      }
+    } catch (e) {
+      console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+    }
+  }
+  materializeAgentKit(cwd, toolInfo);
+  console.log(`
+Next:
+  review infra/${name}.tf, then commit + push \u2192 CI (infra.yml) runs \`terraform apply\`
+  greenlight preview ${name}        # local build + serve + verify`);
+}
+
+// src/commands/adopt.ts
+import { execFileSync as execFileSync2 } from "child_process";
+import { cpSync as cpSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync5, readdirSync, writeFileSync as writeFileSync4 } from "fs";
+import { join as join2, resolve as resolve7 } from "path";
+var REF = MODULE_REF;
+function flag3(args, name) {
+  const i = args.indexOf(name);
+  return i >= 0 ? args[i + 1] : void 0;
+}
+function mergePackageJson(existing, repoName, vendor) {
+  const pkg = existing ? { ...existing } : { name: repoName, version: "0.0.0", private: true, type: "module" };
+  pkg.dependencies = { ...pkg.dependencies ?? {}, ...vendor };
+  pkg.scripts = { ...pkg.scripts ?? {} };
+  if (!pkg.scripts.greenlight) pkg.scripts.greenlight = "greenlight";
+  pkg.pnpm = { ...pkg.pnpm ?? {}, overrides: { ...pkg.pnpm?.overrides ?? {}, ...vendor } };
+  return pkg;
+}
+function vendorDeps(vendorDir) {
+  const out = {};
+  if (!existsSync7(vendorDir)) return out;
+  for (const f of readdirSync(vendorDir)) {
+    if (!f.endsWith(".tgz")) continue;
+    const base = f.replace(/-\d+\.\d+\.\d+(-[\w.]+)?\.tgz$/, "");
+    out[`@${base.replace("-", "/")}`] = `file:vendor/${f}`;
+  }
+  return out;
+}
+function starterVerifyConfig(lane) {
+  const spec = lane === "mcp" ? "{ mode: 'mcp', expectTools: [] }" : "{ mode: 'api', checks: [{ path: '/', status: 200 }] }";
+  return `// Greenlight verify spec \u2014 edit to assert this tool's real contract.
+export default ${spec};
+`;
+}
+function infraTf(name, domain, lane, target, data, envs, slug) {
+  const owner = slug.includes("/") ? slug.split("/")[0] : "OWNER";
+  const repo = slug.includes("/") ? slug.split("/")[1] : "REPO";
+  const e = envs.map((x) => `"${x}"`).join(", ");
+  return `terraform {
+  required_version = ">= 1.7"
+  required_providers {
+    cloudflare = { source = "cloudflare/cloudflare", version = "~> 5.0" }
+    github     = { source = "integrations/github", version = "~> 6.0" }
+  }
+}
+
+provider "cloudflare" {}
+provider "github" { owner = "${owner}" }
+
+variable "cloudflare_zone_id" { type = string }
+
+module "tool" {
+  source      = "git::https://github.com/RTrentJones/greenlight.git//infra/modules/tool?ref=${REF}"
+  name        = "${name}"
+  domain      = "${domain}"
+  zone_id     = var.cloudflare_zone_id
+  github_repo = "${slug}"
+  lane        = "${lane}"
+  target      = "${target}"
+  data        = "${data}"
+  envs        = [${e}]
+}
+
+module "repo" {
+  source          = "git::https://github.com/RTrentJones/greenlight.git//infra/modules/repo?ref=${REF}"
+  repository      = "${repo}"
+  required_checks = ["deploy"]
+}
+
+output "prod_url" { value = module.tool.prod_url }
+`;
+}
+function deployYml(name) {
+  return `name: deploy
+
+# develop -> beta, main -> prod. Creds-guarded; calls the Greenlight CLI.
+on:
+  push:
+    branches: [develop, main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-\${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jdx/mise-action@v2
+      - run: pnpm install --frozen-lockfile
+      - name: Resolve target env
+        id: env
+        run: |
+          if [ "\${{ github.ref }}" = "refs/heads/main" ]; then
+            echo "env=prod" >> "$GITHUB_OUTPUT"
+          else
+            echo "env=beta" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Check Cloudflare creds
+        id: creds
+        env:
+          CF: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+        run: if [ -n "$CF" ]; then echo "have=1" >> "$GITHUB_OUTPUT"; else echo "have=0" >> "$GITHUB_OUTPUT"; fi
+      - name: Deploy + verify
+        if: steps.creds.outputs.have == '1'
+        env:
+          CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+        run: |
+          pnpm exec greenlight deploy ${name} --env "\${{ steps.env.outputs.env }}"
+          pnpm exec greenlight verify ${name} --env "\${{ steps.env.outputs.env }}"
+      - name: Skip notice
+        if: steps.creds.outputs.have != '1'
+        run: echo "No CLOUDFLARE_API_TOKEN secret \u2014 deploy/verify skipped."
+`;
+}
+function promoteYml(name) {
+  return `name: promote
+
+# Gated develop -> main fast-forward: verify beta -> FF -> deploy + verify prod.
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  promote:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: jdx/mise-action@v2
+      - run: pnpm install --frozen-lockfile
+      - run: git fetch --no-tags origin main develop
+      - name: Check Cloudflare creds
+        id: creds
+        env:
+          CF: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+        run: if [ -n "$CF" ]; then echo "have=1" >> "$GITHUB_OUTPUT"; else echo "have=0" >> "$GITHUB_OUTPUT"; fi
+      - name: Verify beta (gate)
+        if: steps.creds.outputs.have == '1'
+        env:
+          CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+        run: pnpm exec greenlight verify ${name} --env beta
+      - name: Promote (gated fast-forward)
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          pnpm exec greenlight promote ${name} --perform --push
+      - name: Deploy + verify prod
+        if: steps.creds.outputs.have == '1'
+        env:
+          CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+        run: |
+          pnpm exec greenlight deploy ${name} --env prod
+          pnpm exec greenlight verify ${name} --env prod
+`;
+}
+var MISE_TOML = `# Toolchain, managed by mise. \`mise install\` to set up.
+[tools]
+node = "24"
+pnpm = "10.12.1"
+`;
+function containerBuildYml(name, wrapperRepo) {
+  return `name: greenlight-build
+
+# Provider-agnostic: build the container -> push to GHCR -> notify the wrapper to deploy.
+# The wrapper owns the OCI infra + creds; this repo only needs GREENLIGHT_DISPATCH_TOKEN
+# (a fine-grained PAT with "Contents: write" on ${wrapperRepo}) to fire the dispatch.
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+concurrency:
+  group: build-\${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Resolve image ref (GHCR namespaces are lowercase)
+        id: img
+        run: echo "ref=ghcr.io/\${GITHUB_REPOSITORY_OWNER,,}/${name}:prod" >> "$GITHUB_OUTPUT"
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: \${{ github.actor }}
+          password: \${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/arm64
+          push: true
+          tags: \${{ steps.img.outputs.ref }}
+      - name: Notify wrapper to deploy
+        env:
+          GH_TOKEN: \${{ secrets.GREENLIGHT_DISPATCH_TOKEN }}
+        if: \${{ env.GH_TOKEN != '' }}
+        run: |
+          gh api repos/${wrapperRepo}/dispatches \\
+            -f event_type=deploy-${name} \\
+            -F client_payload[sha]=\${{ github.sha }}
+`;
+}
+function deployListenerYml(name, toolRepo) {
+  const SECRET = `${name.toUpperCase().replace(/-/g, "_")}_OCI_CONTAINER_INSTANCE_OCID`;
+  return `name: greenlight-deploy-${name}
+
+# Option B: ${toolRepo} fires repository_dispatch(deploy-${name}) after pushing a new image.
+on:
+  repository_dispatch:
+    types: [deploy-${name}]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jdx/mise-action@v2
+      - run: pnpm install --frozen-lockfile
+      - run: pip install --quiet oci-cli
+      - name: Deploy (restart container instance -> re-pull GHCR image)
+        env:
+          OCI_CLI_USER: \${{ secrets.OCI_CLI_USER }}
+          OCI_CLI_TENANCY: \${{ secrets.OCI_CLI_TENANCY }}
+          OCI_CLI_FINGERPRINT: \${{ secrets.OCI_CLI_FINGERPRINT }}
+          OCI_CLI_KEY_CONTENT: \${{ secrets.OCI_CLI_KEY_CONTENT }}
+          OCI_CLI_REGION: \${{ secrets.OCI_CLI_REGION }}
+          OCI_CONTAINER_INSTANCE_OCID: \${{ secrets.${SECRET} }}
+        run: pnpm exec greenlight deploy ${name} --env prod
+      - name: Report status back to ${toolRepo}
+        if: \${{ always() && github.event.client_payload.sha != '' }}
+        env:
+          GH_TOKEN: \${{ secrets.GREENLIGHT_STATUS_TOKEN }}
+        run: |
+          [ -z "$GH_TOKEN" ] && exit 0
+          gh api repos/${toolRepo}/statuses/\${{ github.event.client_payload.sha }} \\
+            -f state="\${{ job.status == 'success' && 'success' || 'failure' }}" \\
+            -f context="greenlight/deploy-${name}" \\
+            -f description="\${{ job.status }}"
+`;
+}
+function writeIfAbsent(path, contents, label) {
+  if (existsSync7(path)) {
+    console.log(`\xB7 ${label} exists \u2014 left as-is`);
+    return;
+  }
+  mkdirSync4(resolve7(path, ".."), { recursive: true });
+  writeFileSync4(path, contents);
+  console.log(`\u2714 ${label}`);
+}
+async function adoptCommand(args) {
+  const name = args[0];
+  if (!name || name.startsWith("-")) {
+    throw new Error(
+      "usage: greenlight adopt <name> --repo <url|path> --lane <l> --target <t> [--data --auth --envs] [--standalone]\n  default: wrap <repo> as a tools/<name> submodule + edit infra in this wrapper + push the loop kit into the tool repo.\n  --standalone: scaffold a full self-contained consumer into the tool repo (it owns its whole stack)."
+    );
+  }
+  const repoArg = flag3(args, "--repo");
+  if (!repoArg) throw new Error("adopt needs --repo <url|path> (the existing tool repo to adopt)");
+  const lane = flag3(args, "--lane");
+  const target = flag3(args, "--target");
+  if (!lane || !target) throw new Error("adopt needs --lane and --target");
+  const data = flag3(args, "--data") ?? "none";
+  const auth = flag3(args, "--auth") ?? "none";
+  const envs = flag3(args, "--envs")?.split(",") ?? ["beta", "prod"];
+  const { path: regPath, config: reg } = await loadManifest();
+  if (regPath.endsWith(".example.ts")) {
+    throw new Error(
+      "run adopt from your site repo (needs a real greenlight.config.ts; run `greenlight init` first)"
+    );
+  }
+  if (reg.tools.some((t) => t.name === name) || name === "blog") {
+    throw new Error(`"${name}" already in the registry`);
+  }
+  const domain = flag3(args, "--domain") ?? reg.domain;
+  const ctx = { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath };
+  if (args.includes("--standalone")) return adoptStandalone(ctx);
+  return adoptWrapper(ctx);
+}
+async function adoptWrapper(ctx) {
+  const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
+  const cwd = process.cwd();
+  const toolRel = `tools/${name}`;
+  const dest = resolve7(cwd, toolRel);
+  console.log(`adopting "${name}" (${lane}/${target}) as the submodule ${toolRel}
+`);
+  if (!existsSync7(dest)) {
+    try {
+      execFileSync2("git", ["submodule", "add", repoArg, toolRel], { cwd, stdio: "inherit" });
+      console.log(`\u2714 git submodule add ${repoArg} ${toolRel}`);
+    } catch (e) {
+      const detail = e instanceof Error ? e.message : String(e);
+      throw new Error(
+        `git submodule add failed (${detail}). Ensure this wrapper is a git repo and <repo> is reachable.`
+      );
+    }
+  } else {
+    console.log(`\xB7 ${toolRel} exists \u2014 skipping submodule add`);
+  }
+  const nextReg = addTool(reg, {
+    name,
+    lane,
+    target,
+    data,
+    auth,
+    envs,
+    dir: toolRel,
+    external: true,
+    adopted: true
+  });
+  writeFileSync4(regPath, serializeConfig(nextReg));
+  console.log(`\u2714 registered "${name}" (external, dir ${toolRel}) in the wrapper manifest`);
+  const slug = parseRepo(repoArg) ?? parseRepo(safeGit(dest, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
+  writeIfAbsent(
+    join2(cwd, `infra/${name}.tf`),
+    emitToolTf({ name, domain, lane, target, data, envs, slug, external: true }),
+    `infra/${name}.tf`
+  );
+  writeIfAbsent(
+    join2(cwd, `verify/${name}.config.ts`),
+    starterVerifyConfig(lane),
+    `verify/${name}.config.ts`
+  );
+  const providers = providersForTool({ target, data });
+  if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
+    console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
+  }
+  materializeAgentKit(dest, { target, data });
+  addGreenlightScript(dest);
+  if (target === "oci") {
+    const wrapperSlug = parseRepo(safeGit(cwd, ["remote", "get-url", "origin"])) ?? "OWNER/REPO";
+    writeIfAbsent(
+      join2(cwd, `.github/workflows/greenlight-deploy-${name}.yml`),
+      deployListenerYml(name, slug),
+      `.github/workflows/greenlight-deploy-${name}.yml (wrapper deploy listener)`
+    );
+    writeIfAbsent(
+      join2(dest, ".github/workflows/greenlight-build.yml"),
+      containerBuildYml(name, wrapperSlug),
+      `${toolRel}/.github/workflows/greenlight-build.yml (provider-agnostic build \u2192 GHCR \u2192 dispatch)`
+    );
+  }
+  console.log(`
+Next:
+  (in the tool repo) commit the Greenlight kit + build workflow so they travel with the submodule:
+    cd ${toolRel} && git add .claude .mcp.json CLAUDE.md .github && git commit -m "chore: greenlight loop kit + build"
+  (in the wrapper) review infra/${name}.tf, then commit the submodule + infra + listener:
+    git add .gitmodules ${toolRel} infra/${name}.tf verify/${name}.config.ts greenlight.config.ts .github
+    git commit && git push      # CI (infra.yml) applies. Tool's CI builds; wrapper deploys.${target === "oci" ? `
+  Secrets: in ${slug} set GREENLIGHT_DISPATCH_TOKEN; in this wrapper set the OCI_CLI_* creds +
+  ${name.toUpperCase().replace(/-/g, "_")}_OCI_CONTAINER_INSTANCE_OCID (from the TF output) + GREENLIGHT_STATUS_TOKEN.` : ""}`);
+}
+async function adoptStandalone(ctx) {
+  const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
+  const repo = resolve7(process.cwd(), repoArg);
+  if (!existsSync7(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
+  const regVendor = resolve7(process.cwd(), "vendor");
+  const vendor = vendorDeps(regVendor);
+  if (Object.keys(vendor).length === 0) {
+    throw new Error(
+      "no vendor/*.tgz in this repo \u2014 --standalone bootstraps the tool from the registry repo's vendored tarballs (or publish to npm first)"
+    );
+  }
+  console.log(`adopting "${name}" (${lane}/${target}) into ${repo} (standalone)
+`);
+  const toolEntry = { name, lane, target, data, auth, envs, dir: ".", adopted: true };
+  const toolConfig = addTool({ domain, alerts: { sink: "github-issue" }, tools: [] }, toolEntry);
+  writeIfAbsent(
+    join2(repo, "greenlight.config.ts"),
+    serializeConfig(toolConfig),
+    "greenlight.config.ts"
+  );
+  const slug = parseRepo(safeGit(repo, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
+  const pkgPath = join2(repo, "package.json");
+  const existingPkg = existsSync7(pkgPath) ? JSON.parse(readFileSync5(pkgPath, "utf8")) : null;
+  writeFileSync4(
+    pkgPath,
+    `${JSON.stringify(mergePackageJson(existingPkg, name, vendor), null, 2)}
+`
+  );
+  console.log("\u2714 package.json (merged framework deps + overrides)");
+  const repoVendor = join2(repo, "vendor");
+  mkdirSync4(repoVendor, { recursive: true });
+  for (const f of readdirSync(regVendor)) {
+    if (f.endsWith(".tgz")) cpSync3(join2(regVendor, f), join2(repoVendor, f));
+  }
+  console.log(`\u2714 vendor/ (${Object.keys(vendor).length} tarballs)`);
+  writeIfAbsent(
+    join2(repo, "infra/main.tf"),
+    infraTf(name, domain, lane, target, data, envs, slug),
+    "infra/main.tf"
+  );
+  writeIfAbsent(
+    join2(repo, ".github/workflows/greenlight-deploy.yml"),
+    deployYml(name),
+    ".github/workflows/greenlight-deploy.yml"
+  );
+  writeIfAbsent(
+    join2(repo, ".github/workflows/greenlight-promote.yml"),
+    promoteYml(name),
+    ".github/workflows/greenlight-promote.yml"
+  );
+  writeIfAbsent(join2(repo, "verify.config.ts"), starterVerifyConfig(lane), "verify.config.ts");
+  materializeAgentKit(repo, { target, data });
+  writeIfAbsent(join2(repo, "mise.toml"), MISE_TOML, "mise.toml");
+  writeIfAbsent(join2(repo, ".node-version"), "24\n", ".node-version");
+  const nextReg = addTool(reg, {
+    name,
+    lane,
+    target,
+    data,
+    auth,
+    envs,
+    external: true,
+    adopted: true
+  });
+  writeFileSync4(regPath, serializeConfig(nextReg));
+  console.log(`\u2714 registered "${name}" in ${regPath.replace(`${process.cwd()}/`, "")} (external)`);
+  console.log(`
+Next (in the adopted repo):
+  cd ${repoArg}
+  pnpm install
+  echo -n "$CLOUDFLARE_API_TOKEN" | gh secret set CLOUDFLARE_API_TOKEN
+  git checkout -b develop && git push -u origin develop
+  greenlight preview ${name}        # local; or deploy --env beta once creds are set
+Note: deploying ${target} needs the ${target} adapter (workers is built; oci/vercel are follow-ups).`);
+}
+function addGreenlightScript(dir) {
+  const pkgPath = join2(dir, "package.json");
+  if (!existsSync7(pkgPath)) {
+    console.log(
+      "\xB7 no package.json (non-Node tool) \u2014 run the loop via `npx @rtrentjones/greenlight`"
+    );
+    return;
+  }
+  const pkg = JSON.parse(readFileSync5(pkgPath, "utf8"));
+  pkg.scripts = { ...pkg.scripts ?? {} };
+  if (pkg.scripts.greenlight) {
+    console.log("\xB7 package.json already has a greenlight script");
+    return;
+  }
+  pkg.scripts.greenlight = "npx @rtrentjones/greenlight";
+  writeFileSync4(pkgPath, `${JSON.stringify(pkg, null, 2)}
+`);
+  console.log("\u2714 package.json (greenlight script \u2014 runnable via npx post-publish)");
+}
+function safeGit(cwd, gitArgs) {
+  try {
+    return execFileSync2("git", gitArgs, {
+      cwd,
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+  } catch {
+    return "";
+  }
+}
+
+// src/commands/config.ts
+import { relative } from "path";
+async function configCommand() {
+  const { path, config } = await loadManifest();
+  console.log(`\u2714 Loaded & validated ${relative(process.cwd(), path)}
+`);
+  console.log(JSON.stringify(config, null, 2));
+}
+
+// ../packages/adapters/src/index.ts
+import { execFileSync as execFileSync3 } from "child_process";
+import { join as join3 } from "path";
+function run(cmd, args, cwd, extraEnv) {
+  execFileSync3(cmd, args, { cwd, stdio: "inherit", env: { ...process.env, ...extraEnv } });
+}
+function workersAdapter(ctx) {
+  const url = (env) => resolveUrl({ domain: ctx.domain, name: ctx.name, env });
+  return {
+    target: "workers",
+    async build(toolDir, env) {
+      let siteEnv;
+      try {
+        siteEnv = { SITE_URL: url(env) };
+      } catch {
+        siteEnv = void 0;
+      }
+      run("pnpm", ["run", "build"], toolDir, siteEnv);
+      return { artifactDir: join3(toolDir, "dist") };
+    },
+    async deploy(toolDir, env) {
+      run("pnpm", ["exec", "wrangler", "deploy", "--env", env], toolDir);
+      return { url: url(env) };
+    },
+    url,
+    async teardown() {
+      throw new Error("workers teardown is not wired yet (later phase).");
+    }
+  };
+}
+function ociConfig(source = process.env) {
+  return { containerInstanceId: source.OCI_CONTAINER_INSTANCE_OCID };
+}
+function ociRestartArgs(containerInstanceId) {
+  return [
+    "container-instances",
+    "container-instance",
+    "restart",
+    "--container-instance-id",
+    containerInstanceId
+  ];
+}
+function ociAdapter(ctx) {
+  const url = (env) => resolveUrl({ domain: ctx.domain, name: ctx.name, env });
+  return {
+    target: "oci",
+    async build() {
+      return { artifactDir: "." };
+    },
+    async deploy(_toolDir, env) {
+      const { containerInstanceId } = ociConfig();
+      if (!containerInstanceId) {
+        throw new Error("oci deploy needs OCI_CONTAINER_INSTANCE_OCID (the Terraform output)");
+      }
+      run("oci", ociRestartArgs(containerInstanceId), ".");
+      return { url: url(env) };
+    },
+    url,
+    async teardown() {
+      throw new Error("oci teardown is Terraform \u2014 `terraform destroy` the oci-instance module.");
+    }
+  };
+}
+function vercelSkeletonAdapter(ctx) {
+  const url = (env) => resolveUrl({ domain: ctx.domain, name: ctx.name, env });
+  const notWired = () => {
+    throw new Error(
+      "vercel deploy rides Vercel git-integration \u2014 Greenlight manages its infra, not a push-deploy."
+    );
+  };
+  return {
+    target: "vercel",
+    build: async () => notWired(),
+    deploy: async () => notWired(),
+    url,
+    teardown: async () => notWired()
+  };
+}
+function createAdapter(target, ctx) {
+  switch (target) {
+    case "workers":
+      return workersAdapter(ctx);
+    case "oci":
+      return ociAdapter(ctx);
+    case "vercel":
+      return vercelSkeletonAdapter(ctx);
+  }
+}
+
+// src/commands/deploy.ts
+function flag4(args, name) {
+  const i = args.indexOf(name);
+  return i >= 0 ? args[i + 1] : void 0;
+}
+async function deployCommand(args) {
+  const name = args[0];
+  if (!name || name.startsWith("-")) {
+    throw new Error("usage: greenlight deploy <name> --env <preview|beta|prod>");
+  }
+  const env = flag4(args, "--env");
+  if (env !== "preview" && env !== "beta" && env !== "prod") {
+    throw new Error("deploy needs --env preview|beta|prod");
+  }
+  const { config } = await loadManifest();
+  const entry = resolveEntry(config, name);
+  if (entry.external) {
+    throw new Error(`"${name}" is external (registry pointer) \u2014 deploy it from its own repo`);
+  }
+  const adapter = createAdapter(entry.target, { domain: config.domain, name: entry.name });
+  console.log(`build ${name} (${entry.lane}/${entry.target}) in ${entry.dir}`);
+  await adapter.build(entry.dir, env);
+  console.log(`deploy ${name} \u2192 ${env}`);
+  const { url } = await adapter.deploy(entry.dir, env);
+  console.log(`\u2714 deployed: ${url}`);
+  if (entry.lane === "mcp") console.log(`  connect: ${url}/mcp`);
+}
+
+// src/commands/doctor.ts
+import { existsSync as existsSync8 } from "fs";
+import { join as join4 } from "path";
+function dirCheck(label, dir) {
+  return existsSync8(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+}
+function runDoctor(config, root) {
+  const checks = [];
+  if (config.blog) checks.push(dirCheck("blog", join4(root, "apps/blog")));
+  for (const t of config.tools) {
+    if (t.external) {
+      const url = resolveUrl({
+        domain: config.domain,
+        name: t.name,
+        env: "prod",
+        mcp: t.lane === "mcp"
+      });
+      checks.push({ name: `${t.name}: external (registry)`, status: "ok", detail: url });
+      continue;
+    }
+    const dir = join4(root, t.dir ?? join4("tools", t.name));
+    checks.push(dirCheck(t.name, dir));
+    if (t.lane === "mcp") {
+      const vc = join4(dir, "verify.config.ts");
+      checks.push({
+        name: `${t.name}: verify.config.ts`,
+        status: existsSync8(vc) ? "ok" : "warn",
+        detail: existsSync8(vc) ? void 0 : "missing \u2014 verify will use the lane default"
+      });
+    }
+  }
+  const needsKeepalive = config.tools.filter((t) => t.data === "supabase" || t.target === "oci");
+  checks.push({
+    name: "keepalive coverage",
+    status: needsKeepalive.length > 0 ? "ok" : "skip",
+    detail: needsKeepalive.length > 0 ? needsKeepalive.map((t) => `${t.name} (${t.data === "supabase" ? "supabase" : "oci"})`).join(", ") : "no data:supabase / target:oci tools"
+  });
+  for (const name of [
+    "DNS propagation",
+    "terraform drift",
+    "Vercel cap headroom",
+    "keepalive health (live)",
+    "OCI PAYG status",
+    "framework version drift"
+  ]) {
+    checks.push({ name, status: "skip", detail: "needs provider creds / packages (Phase 5/7/8)" });
+  }
+  return checks;
+}
+var ICON = { ok: "\u2714", warn: "!", fail: "\u2718", skip: "\xB7" };
+async function doctorCommand() {
+  let config;
+  try {
+    ({ config } = await loadManifest());
+    console.log("\u2714 manifest: loaded & valid\n");
+  } catch (e) {
+    console.error(`\u2718 manifest: ${e instanceof Error ? e.message : String(e)}`);
+    process.exit(1);
+  }
+  const checks = runDoctor(config, process.cwd());
+  for (const c of checks) {
+    console.log(`  ${ICON[c.status]} ${c.name}${c.detail ? ` \u2014 ${c.detail}` : ""}`);
+  }
+  const failed = checks.filter((c) => c.status === "fail").length;
+  console.log(`
+${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
+  process.exit(failed === 0 ? 0 : 1);
+}
+
+// src/commands/init.ts
+import { existsSync as existsSync9, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
+import { resolve as resolve8 } from "path";
+import { createInterface as createInterface2 } from "readline/promises";
+function flag5(args, name) {
+  const i = args.indexOf(name);
+  return i >= 0 ? args[i + 1] : void 0;
+}
+var TOKEN_FLAGS = {
+  "--cf-token": "CLOUDFLARE_API_TOKEN",
+  "--github-token": "GITHUB_TOKEN",
+  "--vercel-token": "VERCEL_TOKEN",
+  "--supabase-url": "SUPABASE_URL",
+  "--supabase-key": "SUPABASE_SERVICE_ROLE_KEY"
+};
+async function initCommand(args) {
+  const force = args.includes("--force");
+  let domain = flag5(args, "--domain");
+  if (!domain) {
+    if (!process.stdin.isTTY) throw new Error("init needs --domain <domain> (no TTY for prompts)");
+    const rl = createInterface2({ input: process.stdin, output: process.stdout });
+    domain = (await rl.question("Domain (e.g. example.dev): ")).trim();
+    rl.close();
+  }
+  if (!domain) throw new Error("a domain is required");
+  const cwd = process.cwd();
+  const configPath = resolve8(cwd, "greenlight.config.ts");
+  if (existsSync9(configPath) && !force) {
+    throw new Error("greenlight.config.ts already exists \u2014 pass --force to overwrite");
+  }
+  writeFileSync5(configPath, scaffoldConfig(domain));
+  console.log(`\u2714 wrote greenlight.config.ts (domain: ${domain})`);
+  const secrets = [];
+  for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
+    const v = flag5(args, f);
+    if (v) secrets.push(`${key}=${v}`);
+  }
+  if (secrets.length > 0) {
+    mkdirSync5(resolve8(cwd, ".greenlight"), { recursive: true });
+    writeFileSync5(resolve8(cwd, ".greenlight/secrets.env"), `${secrets.join("\n")}
+`, {
+      mode: 384
+    });
+    console.log(`\u2714 wrote .greenlight/secrets.env (${secrets.length} token(s), gitignored)`);
+  }
+  if (process.stdin.isTTY && !args.includes("--no-tokens")) {
+    try {
+      await ensureTokensForTool(cwd, {}, { verify: !args.includes("--no-verify") });
+    } catch (e) {
+      console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+    }
+  }
+  let pushed = false;
+  if (existsSync9(resolve8(cwd, ".greenlight/secrets.env")) && !args.includes("--no-push")) {
+    try {
+      const { repo, count } = syncSecrets({ cwd, repo: flag5(args, "--repo") });
+      console.log(`\u2714 pushed ${count} secret(s) to ${repo} (GitHub Actions)`);
+      pushed = true;
+    } catch (e) {
+      console.log(`! skipped pushing secrets: ${e instanceof Error ? e.message : String(e)}`);
+      console.log("  run `greenlight secrets sync` once `gh` is authenticated.");
+    }
+  }
+  console.log(`
+Next:
+  greenlight add <name> --lane mcp --target oci   # scaffold a tool${pushed ? "" : "\n  greenlight secrets sync                         # push tokens to GitHub Actions"}
+  greenlight doctor                               # check consistency
+  terraform -chdir=infra apply                    # branches/protection/DNS (module "repo"/"tool")
+  greenlight deploy blog --env prod               # first live deploy`);
+}
+
+// src/commands/preview.ts
+import { execFileSync as execFileSync4, spawn } from "child_process";
+import { resolve as resolve10 } from "path";
+import { setTimeout as sleep } from "timers/promises";
+
+// src/commands/verify.ts
+import { resolve as resolve9 } from "path";
+function defaultSpec(lane) {
+  switch (lane) {
+    case "astro":
+      return { mode: "api", checks: [{ path: "/", status: 200 }], noBrokenInternalLinks: true };
+    case "next":
+      return { mode: "api", checks: [{ path: "/", status: 200 }] };
+    case "mcp":
+      return { mode: "mcp", expectTools: [] };
+  }
+}
+function printReport(report) {
+  console.log(`verify ${report.mode} ${report.url}
+`);
+  for (const c of report.checks) {
+    console.log(`  ${c.pass ? "\u2714" : "\u2718"} ${c.name}${c.detail ? ` \u2014 ${c.detail}` : ""}`);
+  }
+  console.log(`
+${report.pass ? "\u2714 PASS" : "\u2718 FAIL"}`);
+}
+function flag6(args, name) {
+  const i = args.indexOf(name);
+  return i >= 0 ? args[i + 1] : void 0;
+}
+async function verifyCommand(args) {
+  const name = args[0];
+  if (!name || name.startsWith("-")) {
+    throw new Error("usage: greenlight verify <name> [--env <beta|prod> | --url <url>]");
+  }
+  const { config } = await loadManifest();
+  const entry = resolveEntry(config, name);
+  const override = flag6(args, "--url");
+  let url;
+  if (override) {
+    url = entry.lane === "mcp" && !override.endsWith("/mcp") ? `${override}/mcp` : override;
+  } else {
+    const env = flag6(args, "--env");
+    if (env !== "beta" && env !== "prod") {
+      throw new Error(
+        "verify needs --env beta|prod (or --url <url>). preview URLs come from the adapter deploy."
+      );
+    }
+    url = resolveUrl({ domain: config.domain, name: entry.name, env, mcp: entry.lane === "mcp" });
+  }
+  const loaded = (entry.external ? await loadExternalVerifySpec(name) : await loadVerifySpec(entry.dir)) ?? defaultSpec(entry.lane);
+  const specs = Array.isArray(loaded) ? loaded : [loaded];
+  const waitFlag = flag6(args, "--wait");
+  const reachableTimeoutMs = (waitFlag !== void 0 ? Number(waitFlag) : override ? 0 : 90) * 1e3;
+  if (reachableTimeoutMs > 0) {
+    console.log(`waiting up to ${reachableTimeoutMs / 1e3}s for ${url} to become reachable\u2026`);
+  }
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
+  const reports = await verifyAll(url, specs, { reachableTimeoutMs, toolDir });
+  for (const report of reports) printReport(report);
+  const pass = allPass(reports);
+  if (reports.length > 1)
+    console.log(`
+${pass ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports.length} specs)`);
+  process.exit(pass ? 0 : 1);
+}
+
+// src/commands/preview.ts
+function servePlan(lane, port) {
+  switch (lane) {
+    case "mcp":
+      return { build: false, script: "start", port: port ?? 8787, path: "/mcp" };
+    default:
+      return { build: true, script: "preview", port: port ?? 4321, path: "" };
+  }
+}
+function flag7(args, name) {
+  const i = args.indexOf(name);
+  return i >= 0 ? args[i + 1] : void 0;
+}
+async function waitForServer(url, timeoutMs = 3e4) {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    try {
+      await fetch(url, { signal: AbortSignal.timeout(2e3) });
+      return true;
+    } catch {
+      await sleep(400);
+    }
+  }
+  return false;
+}
+async function previewCommand(args) {
+  const name = args[0];
+  if (!name || name.startsWith("-")) {
+    throw new Error("usage: greenlight preview <name> [--port <n>]");
+  }
+  const portArg = flag7(args, "--port");
+  const { config } = await loadManifest();
+  const entry = resolveEntry(config, name);
+  if (entry.external) {
+    throw new Error(`"${name}" is external (registry pointer) \u2014 preview it from its own repo`);
+  }
+  const plan = servePlan(entry.lane, portArg ? Number(portArg) : void 0);
+  if (plan.build) {
+    console.log(`build ${name} (${entry.dir})`);
+    execFileSync4("pnpm", ["-C", entry.dir, "run", "build"], { stdio: "inherit" });
+  }
+  console.log(`serve ${name} on :${plan.port}`);
+  const runArgs = ["-C", entry.dir, "run", plan.script];
+  if (plan.script === "preview") runArgs.push("--", "--port", String(plan.port));
+  const child = spawn("pnpm", runArgs, {
+    env: { ...process.env, PORT: String(plan.port) },
+    stdio: "ignore",
+    detached: true
+  });
+  let pass = false;
+  try {
+    const base = `http://localhost:${plan.port}`;
+    if (!await waitForServer(base)) {
+      throw new Error(
+        `server did not start on :${plan.port} (check the tool's ${plan.script} script)`
+      );
+    }
+    const loaded = await loadVerifySpec(entry.dir) ?? defaultSpec(entry.lane);
+    const specs = Array.isArray(loaded) ? loaded : [loaded];
+    const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
+    const reports = await verifyAll(base + plan.path, specs, { toolDir });
+    for (const report of reports) printReport(report);
+    pass = allPass(reports);
+  } finally {
+    if (child.pid) {
+      try {
+        process.kill(-child.pid, "SIGTERM");
+      } catch {
+        child.kill("SIGTERM");
+      }
+    }
+  }
+  process.exit(pass ? 0 : 1);
+}
+
+// ../packages/loop/src/promote.ts
+import { execFileSync as execFileSync5 } from "child_process";
+function git(repoDir, args) {
+  execFileSync5("git", args, { cwd: repoDir, stdio: "ignore" });
+}
+function gitOut(repoDir, args) {
+  return execFileSync5("git", args, { cwd: repoDir, encoding: "utf8" }).trim();
+}
+function canPromote(repoDir, from = "develop", to = "main") {
+  const run2 = (args) => git(repoDir, args);
+  try {
+    run2(["rev-parse", "--verify", "--quiet", from]);
+    run2(["rev-parse", "--verify", "--quiet", to]);
+  } catch {
+    return { canPromote: false, reason: `branch "${from}" or "${to}" not found in ${repoDir}` };
+  }
+  try {
+    run2(["merge-base", "--is-ancestor", to, from]);
+    return { canPromote: true, reason: `"${to}" can fast-forward to "${from}"` };
+  } catch {
+    return {
+      canPromote: false,
+      reason: `"${to}" has diverged from "${from}" \u2014 fast-forward refused. Reconcile first (rebase "${from}" onto "${to}", or merge "${to}" into "${from}") before promoting.`
+    };
+  }
+}
+function promote(repoDir, opts = {}) {
+  const from = opts.from ?? "develop";
+  const to = opts.to ?? "main";
+  const check = canPromote(repoDir, from, to);
+  if (!check.canPromote) return { promoted: false, from, to, reason: check.reason };
+  const original = gitOut(repoDir, ["rev-parse", "--abbrev-ref", "HEAD"]);
+  try {
+    git(repoDir, ["checkout", to]);
+    git(repoDir, ["merge", "--ff-only", from]);
+    if (opts.push) git(repoDir, ["push", "origin", to]);
+  } finally {
+    if (original && original !== "HEAD" && original !== to) {
+      try {
+        git(repoDir, ["checkout", original]);
+      } catch {
+      }
+    }
+  }
+  return {
+    promoted: true,
+    from,
+    to,
+    reason: `"${to}" fast-forwarded to "${from}"${opts.push ? " and pushed" : ""}`
+  };
+}
+
+// src/commands/promote.ts
+async function promoteCommand(args) {
+  const push = args.includes("--push");
+  const perform = push || args.includes("--perform");
+  const cwd = process.cwd();
+  if (!perform) {
+    const check = canPromote(cwd);
+    console.log(`${check.canPromote ? "\u2714" : "\u2718"} ${check.reason}`);
+    if (check.canPromote) console.log("\nEligible. Re-run with --perform (and --push) to promote.");
+    process.exit(check.canPromote ? 0 : 1);
+  }
+  const result = promote(cwd, { push });
+  console.log(`${result.promoted ? "\u2714" : "\u2718"} ${result.reason}`);
+  process.exit(result.promoted ? 0 : 1);
+}
+
+// src/bin.ts
+var HELP = `greenlight <command>
+
+  init --domain <d> [--cf-token ..] [--force]   scaffold manifest + secrets, push to GitHub Actions
+  add <name> --lane <l> --target <t> [..]       scaffold a tool from a lane template + manifest entry
+  config                                        load & validate the manifest, then print it
+  deploy <name> --env <env>                     build + deploy an entry via its target adapter
+  preview <name> [--port <n>]                   build + serve locally + verify (one command)
+  verify <name> [--env <env> | --url <url>]     run the verify harness against the URL
+  promote <name> [--perform] [--push]           gated develop -> main fast-forward
+  secrets sync [--repo o/r] [--env <env>]       push .greenlight/secrets.env -> GitHub Actions secrets
+  agent sync                                    write the loop skill + CLAUDE.md block into this repo
+  adopt <name> --repo <path> --lane --target    onboard an existing tool repo as a thin consumer
+  doctor                                        manifest + repo consistency checks
+  help                                          show this message
+
+Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see greenlight-v1.md \xA716.`;
+async function main() {
+  const [cmd, ...args] = process.argv.slice(2);
+  switch (cmd) {
+    case void 0:
+    case "help":
+    case "--help":
+    case "-h":
+      console.log(HELP);
+      return;
+    case "init":
+      return initCommand(args);
+    case "add":
+      return addCommand(args);
+    case "config":
+      return configCommand();
+    case "deploy":
+      return deployCommand(args);
+    case "preview":
+      return previewCommand(args);
+    case "verify":
+      return verifyCommand(args);
+    case "promote":
+      return promoteCommand(args);
+    case "secrets":
+      return secretsCommand(args);
+    case "agent":
+      return agentCommand(args);
+    case "adopt":
+      return adoptCommand(args);
+    case "doctor":
+      return doctorCommand();
+    default:
+      throw new Error(`Unknown command "${cmd}".
+
+${HELP}`);
+  }
+}
+main().catch((err) => {
+  console.error(err instanceof Error ? err.message : String(err));
+  process.exit(1);
+});