@rtrentjones/greenlight 0.2.6 → 0.2.8

package/assets/skills/provider-github/SKILL.md

@@ -25,8 +25,9 @@ pushes each to the right repo; see docs/provider-tokens.md):
 
 - **`GREENLIGHT_DISPATCH_TOKEN`** — on the **tool** repo, scoped **Contents: write** on the
   **wrapper** → the tool's build fires `repository_dispatch` so the wrapper deploys.
-- **`GREENLIGHT_STATUS_TOKEN`** — on the **wrapper** repo, scoped **Commit statuses: write** on the
-  **tool** → the wrapper posts deploy/verify status back to the tool's commit.
+- **`GREENLIGHT_STATUS_TOKEN_<TOOL>`** — on the **wrapper** repo, scoped **Commit statuses: write**
+  on the **tool** → the wrapper posts deploy/verify status back to the tool's commit. **Per-tool
+  suffix** (e.g. `…_BAMCP`) because it lives on the shared wrapper alongside other tools' tokens.
 
 Provider creds (OCI/Cloudflare/…) live **only in the wrapper**; the tool repo holds just the
 dispatch PAT (its build pushes to GHCR with the built-in `github.token`).

package/assets/skills/provider-vercel/SKILL.md

@@ -26,6 +26,22 @@ Manages the **existing** project (nothing to import — it configures by id):
 
 The DNS CNAME is the **cloudflare** `tool` module, unproxied (`proxied = false`) → `cname.vercel-dns.com`.
 
+## The verify loop — tool-CI on `deployment_status`
+
+Because Vercel deploys (not the wrapper), the verify gate runs in the **tool repo's own CI**, not a
+wrapper deploy listener. `greenlight adopt … --target vercel` emits, into the tool repo:
+- **`.github/workflows/greenlight-verify.yml`** — triggers on GitHub's **`deployment_status`** event
+  (Vercel posts a deployment + `target_url`); on `state == success` it runs
+  `npx @rtrentjones/greenlight verify --url <target_url> --spec verify/<name>.config.ts`. The result
+  is a check on the commit — no wrapper round-trip, no dispatch/status PATs (Vercel owns deploy + URL
+  + its own statuses).
+- **`verify/<name>.config.ts`** — a verifyAll array: `api` (deployed URL 200) + `test` (the tool's
+  suite) + `agent-web` (LLM drives the live UI), where agent-web is **config-gated on
+  `ANTHROPIC_API_KEY`** (omitted when unset → the gate stays green on api + test alone).
+
+`greenlight verify --url <url> --spec <path>` is the **manifest-free** mode that makes this work
+without carrying the wrapper's `greenlight.config.ts` into the tool repo.
+
 ## MCP
 
 `.mcp.json` wires `vercel` (hosted, OAuth, read-only). Run `/mcp` and authenticate in the

package/dist/bin.js

@@ -5,8 +5,8 @@ import {
   loadConfig,
   resolveUrl,
   verifyAll
-} from "./chunk-LM6M3DIV.js";
-import "./chunk-XBDQJVAX.js";
+} from "./chunk-VONSDNH4.js";
+import "./chunk-ADS6BJJ5.js";
 import "./chunk-WFZTRXBF.js";
 import "./chunk-KP3Y6WRU.js";
 import "./chunk-UXHHLEYO.js";
@@ -351,9 +351,12 @@ var PACKS = [
         setupUrl: "https://github.com/settings/personal-access-tokens/new"
       },
       {
+        // Stored on the shared wrapper, scoped to THIS tool's repo → per-tool name
+        // (GREENLIGHT_STATUS_TOKEN_<TOOL>) so multiple tools' status tokens don't collide.
         envVar: "GREENLIGHT_STATUS_TOKEN",
-        label: "GitHub PAT, Commits:write on the TOOL (WRAPPER posts deploy status back)",
+        label: "GitHub PAT, Commit statuses:write on the TOOL (WRAPPER posts deploy status back)",
         optional: true,
+        perTool: true,
         setupUrl: "https://github.com/settings/personal-access-tokens/new"
       }
     ],
@@ -387,7 +390,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.6";
+var MODULE_REF = "v0.2.8";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -797,7 +800,8 @@ async function gatherSecrets(name, repo, env, prefill) {
     for (const pack of packs) {
       console.log(`\u2500\u2500 ${pack.name}${pack.setupUrl ? `  \u2192  ${pack.setupUrl}` : ""}`);
       for (const tok of pack.tokens) {
-        const key = tok.envVar.toUpperCase();
+        const suffix = `_${name.toUpperCase().replace(/-/g, "_")}`;
+        const key = tok.envVar.toUpperCase() + (tok.perTool ? suffix : "");
         if (key === "GITHUB_TOKEN") {
           console.log("   \xB7 GITHUB_TOKEN \u2014 provided automatically by Actions; skipping");
           continue;
@@ -1317,13 +1321,13 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    # Native arm64 runner \u2014 builds the arm64 image directly (no QEMU emulation, much faster).
+    runs-on: ubuntu-24.04-arm
     steps:
       - uses: actions/checkout@v4
       - name: Resolve image ref (GHCR namespaces are lowercase)
         id: img
-        run: echo "ref=ghcr.io/\${GITHUB_REPOSITORY_OWNER,,}/${name}:prod" >> "$GITHUB_OUTPUT"
-      - uses: docker/setup-qemu-action@v3
+        run: echo "base=ghcr.io/\${GITHUB_REPOSITORY_OWNER,,}/${name}" >> "$GITHUB_OUTPUT"
       - uses: docker/setup-buildx-action@v3
       - uses: docker/login-action@v3
         with:
@@ -1335,7 +1339,12 @@ jobs:
           context: .
           platforms: linux/arm64
           push: true
-          tags: \${{ steps.img.outputs.ref }}
+          # :prod is the moving deploy tag; :<sha> is immutable (rollback + deploy-identity).
+          tags: |
+            \${{ steps.img.outputs.base }}:prod
+            \${{ steps.img.outputs.base }}:\${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
       - name: Notify wrapper to deploy
         env:
           GH_TOKEN: \${{ secrets.GREENLIGHT_DISPATCH_TOKEN }}
@@ -1402,7 +1411,8 @@ jobs:
       - name: Report status back to ${toolRepo}
         if: \${{ always() && github.event.client_payload.sha != '' }}
         env:
-          GH_TOKEN: \${{ secrets.GREENLIGHT_STATUS_TOKEN }}
+          # Per-tool name: the status PAT lives on the shared wrapper, scoped to this tool's repo.
+          GH_TOKEN: \${{ secrets.GREENLIGHT_STATUS_TOKEN_${name.toUpperCase().replace(/-/g, "_")} }}
         run: |
           [ -z "$GH_TOKEN" ] && exit 0
           gh api repos/${toolRepo}/statuses/\${{ github.event.client_payload.sha }} \\
@@ -1411,6 +1421,69 @@ jobs:
             -f description="\${{ job.status }}"
 `;
 }
+function verifyWorkflowYml(name) {
+  return `name: greenlight-verify
+
+# Vercel deploys ${name} on push and posts a deployment_status to GitHub; we verify the exact
+# deployed URL. ANTHROPIC_API_KEY (optional) enables the agent-web scenarios \u2014 absent \u2192 omitted
+# (see verify/${name}.config.ts), so the gate stays green on api + test alone.
+on:
+  deployment_status:
+
+permissions:
+  contents: read
+  statuses: write
+
+jobs:
+  verify:
+    if: \${{ github.event.deployment_status.state == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+      - name: Install deps (for test-mode)
+        run: |
+          corepack enable || true
+          if [ -f pnpm-lock.yaml ]; then pnpm install --frozen-lockfile;
+          elif [ -f yarn.lock ]; then yarn install --frozen-lockfile;
+          else npm ci; fi
+      - name: Verify the deployment
+        env:
+          ANTHROPIC_API_KEY: \${{ secrets.ANTHROPIC_API_KEY }}
+        run: npx -y @rtrentjones/greenlight@latest verify --url "\${{ github.event.deployment_status.target_url }}" --spec verify/${name}.config.ts
+`;
+}
+function nextVerifyConfig(name) {
+  return `// Greenlight verify spec for ${name} (next/vercel) \u2014 run by .github/workflows/greenlight-verify.yml
+// after Vercel deploys (deployment_status). An array combines modes (allPass):
+//  - api: the deployed URL serves (200).
+//  - test: this tool's own suite \u2014 set the real command for your package manager.
+//  - agent-web: an LLM drives the live UI; runs ONLY when ANTHROPIC_API_KEY is set (else omitted,
+//    so the gate stays green). Replace the scenario with real user tasks + assertions.
+const agentWeb = process.env.ANTHROPIC_API_KEY
+  ? [
+      {
+        mode: 'agent-web',
+        scenarios: [
+          {
+            name: 'home renders',
+            task: 'Open the home page and confirm the app loads without an error screen.',
+            asserts: [{ selector: 'body' }],
+          },
+        ],
+      },
+    ]
+  : [];
+
+export default [
+  { mode: 'api', checks: [{ path: '/', status: 200 }] },
+  { mode: 'test', command: 'npm test' },
+  ...agentWeb,
+];
+`;
+}
 function writeIfAbsent(path, contents, label) {
   if (existsSync7(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
@@ -1488,11 +1561,13 @@ async function adoptWrapper(ctx) {
     emitToolTf({ name, domain, lane, target, data, envs, slug, external: true }),
     `infra/${name}.tf`
   );
-  writeIfAbsent(
-    join2(cwd, `verify/${name}.config.ts`),
-    starterVerifyConfig(lane),
-    `verify/${name}.config.ts`
-  );
+  if (target !== "vercel") {
+    writeIfAbsent(
+      join2(cwd, `verify/${name}.config.ts`),
+      starterVerifyConfig(lane),
+      `verify/${name}.config.ts`
+    );
+  }
   const providers = providersForTool({ target, data });
   if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
@@ -1512,6 +1587,18 @@ async function adoptWrapper(ctx) {
       `${toolRel}/.github/workflows/greenlight-build.yml (provider-agnostic build \u2192 GHCR \u2192 dispatch)`
     );
   }
+  if (target === "vercel") {
+    writeIfAbsent(
+      join2(dest, `verify/${name}.config.ts`),
+      nextVerifyConfig(name),
+      `${toolRel}/verify/${name}.config.ts (tool-CI verify spec)`
+    );
+    writeIfAbsent(
+      join2(dest, ".github/workflows/greenlight-verify.yml"),
+      verifyWorkflowYml(name),
+      `${toolRel}/.github/workflows/greenlight-verify.yml (verify on Vercel deployment_status)`
+    );
+  }
   console.log(`
 Next:
   (in the tool repo) commit the Greenlight kit + build workflow so they travel with the submodule:
@@ -1521,7 +1608,10 @@ Next:
     git commit && git push      # CI (infra.yml) applies. Tool's CI builds; wrapper deploys.${target === "oci" ? `
   Secrets (guided): greenlight secrets gather ${name} --repo <wrapper>   # TF_VAR_OCI_* + GREENLIGHT_STATUS_TOKEN
                     greenlight secrets gather ${name} --repo ${slug}   # GREENLIGHT_DISPATCH_TOKEN
-  The instance OCID is auto-resolved by the deploy workflow (by display name) \u2014 nothing to set.` : ""}`);
+  The instance OCID is auto-resolved by the deploy workflow (by display name) \u2014 nothing to set.` : target === "vercel" ? `
+  Deploy is Vercel's git integration (no wrapper deploy). The tool's greenlight-verify.yml verifies
+  each deployment (deployment_status). Optional: add ANTHROPIC_API_KEY to ${slug} to enable the
+  agent-web scenarios in verify/${name}.config.ts (absent \u2192 api + test gate alone).` : ""}`);
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
@@ -1926,9 +2016,30 @@ function flag6(args, name) {
   return i >= 0 ? args[i + 1] : void 0;
 }
 async function verifyCommand(args) {
+  const specPath = flag6(args, "--spec");
+  if (specPath) {
+    const url2 = flag6(args, "--url");
+    if (!url2) throw new Error("verify --spec needs --url <deployed-url>");
+    const loaded2 = await loadVerifySpecAt(specPath);
+    if (!loaded2) throw new Error(`no verify spec at ${specPath}`);
+    const specs2 = Array.isArray(loaded2) ? loaded2 : [loaded2];
+    const waitMs = (flag6(args, "--wait") !== void 0 ? Number(flag6(args, "--wait")) : 0) * 1e3;
+    const reports2 = await verifyAll(url2, specs2, {
+      reachableTimeoutMs: waitMs,
+      toolDir: process.cwd()
+    });
+    for (const report of reports2) printReport(report);
+    const pass2 = allPass(reports2);
+    if (reports2.length > 1)
+      console.log(`
+${pass2 ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports2.length} specs)`);
+    process.exit(pass2 ? 0 : 1);
+  }
   const name = args[0];
   if (!name || name.startsWith("-")) {
-    throw new Error("usage: greenlight verify <name> [--env <beta|prod> | --url <url>]");
+    throw new Error(
+      "usage: greenlight verify <name> [--env <beta|prod> | --url <url>] | verify --url <url> --spec <path>"
+    );
   }
   const { config } = await loadManifest();
   const entry = resolveEntry(config, name);

package/dist/{chunk-XBDQJVAX.js → chunk-ADS6BJJ5.js}

@@ -9,7 +9,10 @@ import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/
 async function verifyMcp(baseUrl, spec) {
   const checks = [];
   const client = new Client({ name: "greenlight-verify", version: "0.0.0" });
-  const transport = new StreamableHTTPClientTransport(new URL(baseUrl));
+  const transport = new StreamableHTTPClientTransport(
+    new URL(baseUrl),
+    spec.headers ? { requestInit: { headers: spec.headers } } : void 0
+  );
   try {
     await client.connect(transport);
     checks.push({ name: "initialize handshake", pass: true });

package/dist/{chunk-LM6M3DIV.js → chunk-VONSDNH4.js}

@@ -229,7 +229,7 @@ async function verify(baseUrl, spec, opts) {
     case "api":
       return verifyApi(baseUrl, spec);
     case "mcp": {
-      const { verifyMcp: verifyMcp2 } = await import("./mcp-KU7WKB5K.js");
+      const { verifyMcp: verifyMcp2 } = await import("./mcp-3L6HJ6BH.js");
       return verifyMcp2(baseUrl, spec);
     }
     case "playwright": {

package/dist/index.js

@@ -2,8 +2,8 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-LM6M3DIV.js";
-import "./chunk-XBDQJVAX.js";
+} from "./chunk-VONSDNH4.js";
+import "./chunk-ADS6BJJ5.js";
 import "./chunk-WFZTRXBF.js";
 import "./chunk-KP3Y6WRU.js";
 import "./chunk-UXHHLEYO.js";

package/dist/{mcp-KU7WKB5K.js → mcp-3L6HJ6BH.js}

@@ -1,6 +1,6 @@
 import {
   verifyMcp
-} from "./chunk-XBDQJVAX.js";
+} from "./chunk-ADS6BJJ5.js";
 import "./chunk-QFKE5JKC.js";
 export {
   verifyMcp

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.6",
+  "version": "0.2.8",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -32,9 +32,9 @@
   },
   "devDependencies": {
     "@rtrentjones/greenlight-adapters": "0.2.4",
-    "@rtrentjones/greenlight-loop": "0.2.4",
     "@rtrentjones/greenlight-shared": "0.2.4",
-    "@rtrentjones/greenlight-verify": "0.2.4"
+    "@rtrentjones/greenlight-verify": "0.2.4",
+    "@rtrentjones/greenlight-loop": "0.2.4"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",