@rtrentjones/greenlight 0.2.4

package/dist/chunk-XBDQJVAX.js

@@ -0,0 +1,94 @@
+import {
+  msg,
+  report
+} from "./chunk-QFKE5JKC.js";
+
+// ../packages/verify/src/mcp.ts
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+async function verifyMcp(baseUrl, spec) {
+  const checks = [];
+  const client = new Client({ name: "greenlight-verify", version: "0.0.0" });
+  const transport = new StreamableHTTPClientTransport(new URL(baseUrl));
+  try {
+    await client.connect(transport);
+    checks.push({ name: "initialize handshake", pass: true });
+  } catch (e) {
+    checks.push({ name: "initialize handshake", pass: false, detail: msg(e) });
+    return report("mcp", baseUrl, checks);
+  }
+  try {
+    const { tools } = await client.listTools();
+    const names = tools.map((t) => t.name);
+    checks.push({ name: `tools/list responded (${names.length} tools)`, pass: true });
+    for (const t of spec.expectTools) {
+      const has = names.includes(t);
+      checks.push({
+        name: `tools/list includes "${t}"`,
+        pass: has,
+        detail: has ? void 0 : `got [${names.join(", ")}]`
+      });
+    }
+  } catch (e) {
+    checks.push({ name: "tools/list", pass: false, detail: msg(e) });
+  }
+  if (spec.call) {
+    const label = `tools/call ${spec.call.name}`;
+    try {
+      const res = await client.callTool({
+        name: spec.call.name,
+        arguments: spec.call.args ?? {}
+      });
+      const reasons = [];
+      if (res.isError) reasons.push("result.isError = true");
+      for (const k of spec.call.expectKeys ?? []) {
+        if (!res.structuredContent || !(k in res.structuredContent)) {
+          reasons.push(`structuredContent missing "${k}"`);
+        }
+      }
+      checks.push({
+        name: label,
+        pass: reasons.length === 0,
+        detail: reasons.join("; ") || void 0
+      });
+    } catch (e) {
+      checks.push({ name: label, pass: false, detail: msg(e) });
+    }
+  }
+  await client.close();
+  if (spec.requireAuthRejection) checks.push(await checkAuthRejection(baseUrl));
+  return report("mcp", baseUrl, checks);
+}
+async function checkAuthRejection(baseUrl) {
+  try {
+    const res = await fetch(baseUrl, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json, text/event-stream"
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "initialize",
+        params: {
+          protocolVersion: "2025-06-18",
+          capabilities: {},
+          clientInfo: { name: "greenlight-verify-probe", version: "0.0.0" }
+        }
+      })
+    });
+    const rejected = res.status === 401 || res.status === 403;
+    return {
+      name: "unauthenticated request rejected",
+      pass: rejected,
+      detail: rejected ? void 0 : `expected 401/403, got ${res.status}`
+    };
+  } catch (e) {
+    return { name: "unauthenticated request rejected", pass: false, detail: msg(e) };
+  }
+}
+
+export {
+  verifyMcp
+};

package/dist/eval-LLQPOEQX.js

@@ -0,0 +1,9 @@
+import {
+  llmJudge,
+  verifyEval
+} from "./chunk-6N7MD6FR.js";
+import "./chunk-QFKE5JKC.js";
+export {
+  llmJudge,
+  verifyEval
+};

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export { GreenlightConfig, defineConfig, loadConfig } from '@rtrentjones/greenlight-shared';
+export { VerifySpec, defineVerify } from '@rtrentjones/greenlight-verify';

package/dist/index.js

@@ -0,0 +1,16 @@
+import {
+  defineConfig,
+  defineVerify,
+  loadConfig
+} from "./chunk-KFKYLGFX.js";
+import "./chunk-XBDQJVAX.js";
+import "./chunk-WFZTRXBF.js";
+import "./chunk-KP3Y6WRU.js";
+import "./chunk-UXHHLEYO.js";
+import "./chunk-6N7MD6FR.js";
+import "./chunk-QFKE5JKC.js";
+export {
+  defineConfig,
+  defineVerify,
+  loadConfig
+};

package/dist/mcp-KU7WKB5K.js

@@ -0,0 +1,7 @@
+import {
+  verifyMcp
+} from "./chunk-XBDQJVAX.js";
+import "./chunk-QFKE5JKC.js";
+export {
+  verifyMcp
+};

package/dist/playwright-CGTTHGIL.js

@@ -0,0 +1,7 @@
+import {
+  verifyPlaywright
+} from "./chunk-WFZTRXBF.js";
+import "./chunk-QFKE5JKC.js";
+export {
+  verifyPlaywright
+};

package/dist/test-7GMOU7I5.js

@@ -0,0 +1,7 @@
+import {
+  verifyTest
+} from "./chunk-KP3Y6WRU.js";
+import "./chunk-QFKE5JKC.js";
+export {
+  verifyTest
+};

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@rtrentjones/greenlight",
+  "version": "0.2.4",
+  "description": "Greenlight CLI — setup and lifecycle for the harness.",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/RTrentJones/greenlight.git",
+    "directory": "cli"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "bin": {
+    "greenlight": "./dist/bin.js"
+  },
+  "files": [
+    "dist",
+    "templates",
+    "assets"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.0",
+    "jiti": "^2.4.2",
+    "zod": "^3.24.1"
+  },
+  "optionalDependencies": {
+    "playwright": "^1.49.0",
+    "@anthropic-ai/sdk": "^0.69.0"
+  },
+  "devDependencies": {
+    "@rtrentjones/greenlight-adapters": "0.2.4",
+    "@rtrentjones/greenlight-loop": "0.2.4",
+    "@rtrentjones/greenlight-shared": "0.2.4",
+    "@rtrentjones/greenlight-verify": "0.2.4"
+  },
+  "scripts": {
+    "build": "node scripts/copy-assets.mjs && tsup",
+    "typecheck": "tsc -p tsconfig.json",
+    "dev": "tsx src/bin.ts"
+  },
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  }
+}

package/templates/_template-astro/README.md

@@ -0,0 +1,18 @@
+# `_template-astro`
+
+Lane template for **Astro on Cloudflare Workers** (Static Assets) — verify mode `api`
+(+ light `playwright`). Materialized into a tool by `greenlight add <name> --lane astro --target workers`.
+
+A complete, copy-ready minimal site: a homepage, `@astrojs/sitemap`, a `wrangler.jsonc`
+for Workers Static Assets, and `astro/tsconfigs/strict`. `add` rewrites `package.json`'s
+`name` to your tool name. `site` comes from `SITE_URL` (default `example.dev`).
+
+```
+greenlight add marketing --lane astro --target workers
+pnpm --filter marketing build && pnpm --filter marketing preview
+greenlight verify marketing --url http://localhost:4321
+```
+
+The default astro verify spec is a generic web smoke (homepage 200 + no broken internal
+links). For a content site that also has a feed/sitemap (like the blog), add a
+`verify.config.ts` asserting `rssValid` / `sitemapValid` — see `apps/blog/verify.config.ts`.

package/templates/_template-astro/astro.config.mjs

@@ -0,0 +1,9 @@
+import sitemap from '@astrojs/sitemap';
+import { defineConfig } from 'astro/config';
+
+// `site` is injected from the manifest domain at build time (SITE_URL); the default
+// keeps the template generic — no real domain (seam rule 15.2.1).
+export default defineConfig({
+  site: process.env.SITE_URL ?? 'https://example.dev',
+  integrations: [sitemap()],
+});

package/templates/_template-astro/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "greenlight-template-astro",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "astro dev",
+    "build": "astro build",
+    "preview": "astro preview"
+  },
+  "dependencies": {
+    "@astrojs/sitemap": "^3.2.1",
+    "astro": "^5.7.0"
+  },
+  "devDependencies": {
+    "wrangler": "^4.20.0"
+  }
+}

package/templates/_template-astro/src/pages/index.astro

@@ -0,0 +1,18 @@
+---
+const title = 'New Astro tool';
+---
+
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>{title}</title>
+  </head>
+  <body>
+    <main>
+      <h1>{title}</h1>
+      <p>Scaffolded by <code>greenlight add &lt;name&gt; --lane astro --target workers</code>. Edit <code>src/pages/index.astro</code> and ship it through the loop.</p>
+    </main>
+  </body>
+</html>

package/templates/_template-astro/tsconfig.json

@@ -0,0 +1,5 @@
+{
+  "extends": "astro/tsconfigs/strict",
+  "include": [".astro/types.d.ts", "**/*"],
+  "exclude": ["dist"]
+}

package/templates/_template-astro/wrangler.jsonc

@@ -0,0 +1,12 @@
+{
+  // Astro static site on Cloudflare Workers Static Assets. `greenlight add` rewrites
+  // package.json name; set the worker name to match your tool. Routes/custom domains
+  // are managed by Terraform (Phase 5) — names stay generic (seam rule 15.2.1).
+  "name": "astro-tool",
+  "compatibility_date": "2025-06-01",
+  "assets": { "directory": "./dist" },
+  "env": {
+    "beta": { "name": "astro-tool-beta" },
+    "prod": { "name": "astro-tool" }
+  }
+}

package/templates/_template-mcp/README.md

@@ -0,0 +1,28 @@
+# `_template-mcp`
+
+Lane template for **MCP servers** — verify mode `mcp` (initialize → `tools/list` → call → auth assertion). Materialized into a tool by `greenlight add`. Two target shapes:
+
+## `oci` — Node streamable-HTTP server (recommended; the BAMCP shape)
+
+A plain Node HTTP server using `@modelcontextprotocol/sdk` (`StreamableHTTPServerTransport`), containerized and run behind a Cloudflare Tunnel in prod. Best for stateful servers or ones needing local binaries/filesystem (e.g. samtools). See [oci/server.ts](oci/server.ts) + [oci/Dockerfile](oci/Dockerfile). This is the reference implementation — `tools/ping-mcp` is an instance of it.
+
+Local dev / loop proof (no cloud):
+```
+PORT=8787 node oci/server.ts            # or `pnpm --filter <pkg> start`
+greenlight verify <name> --url http://127.0.0.1:8787/mcp
+```
+
+## `workers` — remote MCP on the edge (optional)
+
+Cloudflare's `agents` package (`McpAgent` / `createMcpHandler`) can host a remote MCP on Workers. **Caveat:** `agents` pulls heavy transitive deps (`ai`, `react`) and currently needs an `ai` alias in `wrangler` config to bundle. For a simple server, prefer the `oci`/Node shape above; reach for `workers` only when you specifically want edge hosting + Durable-Object session state.
+
+## Verify spec
+
+Ship a `verify.config.ts` (default export) so `greenlight verify` asserts the real contract:
+```ts
+export default { mode: 'mcp', expectTools: ['<tool>'], call: { name: '<tool>' } };
+```
+
+## Auth
+
+`auth: none` only for public read-only servers. Mutating/private servers default to `bearer`/`oauth` (greenlight-v1.md §6/§14).

package/templates/_template-mcp/oci/Dockerfile

@@ -0,0 +1,11 @@
+# MCP server (oci lane). Node 24 strips TypeScript types natively, so server.ts runs directly.
+FROM node:24-slim
+WORKDIR /app
+
+COPY package.json ./
+RUN npm install --omit=dev
+
+COPY . .
+ENV PORT=8787
+EXPOSE 8787
+CMD ["node", "src/server.ts"]

package/templates/_template-mcp/oci/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "greenlight-template-mcp-oci",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "start": "node src/server.ts"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.0"
+  }
+}

package/templates/_template-mcp/oci/server.ts

@@ -0,0 +1,80 @@
+import { randomUUID } from 'node:crypto';
+import http from 'node:http';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
+
+// MCP server template (oci lane): Node streamable-HTTP, containerized, run behind a
+// Cloudflare Tunnel in prod. Rename `my-mcp` and add your tools.
+const PORT = Number(process.env.PORT ?? 8787);
+const transports: Record<string, StreamableHTTPServerTransport> = {};
+
+function buildMcpServer(): McpServer {
+  const server = new McpServer({ name: 'my-mcp', version: '0.0.0' });
+  server.registerTool(
+    'echo',
+    { description: 'Echo the input text.', inputSchema: {} },
+    async () => ({ content: [{ type: 'text', text: 'hello from my-mcp' }] }),
+  );
+  return server;
+}
+
+function readJson(req: http.IncomingMessage): Promise<unknown> {
+  return new Promise((resolve, reject) => {
+    let data = '';
+    req.on('data', (c) => {
+      data += c;
+    });
+    req.on('end', () => {
+      try {
+        resolve(data ? JSON.parse(data) : undefined);
+      } catch (e) {
+        reject(e);
+      }
+    });
+    req.on('error', reject);
+  });
+}
+
+async function handle(req: http.IncomingMessage, res: http.ServerResponse): Promise<void> {
+  const url = new URL(req.url ?? '/', `http://${req.headers.host}`);
+  if (url.pathname !== '/mcp') {
+    res.writeHead(404).end('connect at /mcp');
+    return;
+  }
+  const sessionId = req.headers['mcp-session-id'] as string | undefined;
+  if (req.method === 'POST') {
+    const body = await readJson(req);
+    let transport = sessionId ? transports[sessionId] : undefined;
+    if (!transport && isInitializeRequest(body)) {
+      transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+        onsessioninitialized: (sid) => {
+          if (transport) transports[sid] = transport;
+        },
+      });
+      await buildMcpServer().connect(transport);
+    }
+    if (!transport) {
+      res.writeHead(400).end('no session');
+      return;
+    }
+    await transport.handleRequest(req, res, body);
+  } else if (
+    (req.method === 'GET' || req.method === 'DELETE') &&
+    sessionId &&
+    transports[sessionId]
+  ) {
+    await transports[sessionId].handleRequest(req, res);
+  } else {
+    res.writeHead(405).end();
+  }
+}
+
+http
+  .createServer((req, res) => {
+    void handle(req, res);
+  })
+  .listen(PORT, () => {
+    console.log(`my-mcp listening on :${PORT}/mcp`);
+  });

package/templates/_template-mcp/workers/README.md

@@ -0,0 +1,32 @@
+# `_template-mcp/workers` (optional shape)
+
+Remote MCP on Cloudflare Workers via Cloudflare's [`agents`](https://www.npmjs.com/package/agents) package (`McpAgent` for Durable-Object session state, or `createMcpHandler` for a stateless fetch handler).
+
+**Status / caveat (Phase 4):** `agents` pulls heavy transitive deps (`ai`, `react`) and its bundle does a dynamic `import("ai")` that `wrangler` fails to resolve without an `alias` entry — e.g. in `wrangler.jsonc`:
+
+```jsonc
+{ "alias": { "ai": "./src/ai-stub.ts" } }
+```
+
+For a simple server this overhead isn't worth it — use the [`../oci`](../oci) Node shape, which proves the same protocol loop locally (`greenlight verify <name> --url http://127.0.0.1:8787/mcp`) with no exotic deps. Reach for `workers` only when you specifically need edge hosting + DO-backed sessions.
+
+Sketch (stateless handler):
+
+```ts
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { createMcpHandler } from 'agents/mcp';
+
+const server = new McpServer({ name: 'my-mcp', version: '0.0.0' });
+server.registerTool('ping', { description: 'ping', inputSchema: {} }, async () => ({
+  content: [{ type: 'text', text: 'pong' }],
+}));
+const mcp = createMcpHandler(server);
+
+export default {
+  fetch(request: Request, env: unknown, ctx: ExecutionContext) {
+    return new URL(request.url).pathname === '/mcp'
+      ? mcp(request, env, ctx)
+      : new Response('connect at /mcp', { status: 404 });
+  },
+};
+```

package/templates/_template-next/README.md

@@ -0,0 +1,5 @@
+# `_template-next` (placeholder)
+
+Lane template for **Next.js on Vercel** with Supabase — verify mode `api + playwright`.
+
+> **Phase 0:** placeholder only. Real template content arrives when the `next` lane is exercised (HeistMind migration, **Phase 9** — greenlight-v1.md §16). Materialized into a tool by `greenlight add` / `greenlight adopt`.