@rtrentjones/greenlight 0.2.7 → 0.2.9

package/assets/skills/provider-vercel/SKILL.md

@@ -26,6 +26,29 @@ Manages the **existing** project (nothing to import — it configures by id):
 
 The DNS CNAME is the **cloudflare** `tool` module, unproxied (`proxied = false`) → `cname.vercel-dns.com`.
 
+## The verify loop — tool-CI on `deployment_status`
+
+Because Vercel deploys (not the wrapper), the verify gate runs in the **tool repo's own CI**, not a
+wrapper deploy listener. `greenlight adopt … --target vercel` emits, into the tool repo:
+- **`.github/workflows/greenlight-verify.yml`** — triggers on GitHub's **`deployment_status`** event
+  (Vercel posts a deployment + `target_url`); on `state == success` it runs
+  `npx @rtrentjones/greenlight verify --url <target_url> --spec verify/<name>.config.ts`. The result
+  is a check on the commit — no wrapper round-trip, no dispatch/status PATs (Vercel owns deploy + URL
+  + its own statuses).
+- **`verify/<name>.config.ts`** — a verifyAll array: `api` (deployed URL 200) + `test` (the tool's
+  suite) + `agent-web` (LLM drives the live UI), where agent-web is **config-gated on
+  `ANTHROPIC_API_KEY`** (omitted when unset → the gate stays green on api + test alone).
+
+`greenlight verify --url <url> --spec <path>` is the **manifest-free** mode that makes this work
+without carrying the wrapper's `greenlight.config.ts` into the tool repo.
+
+**Deployment Protection gotcha:** `deployment_status.target_url` is the `*.vercel.app` *deployment*
+URL, which Vercel **Deployment Protection** gates (→ **401**) even though the public custom domain
+is 200. To verify the real app, create a **Protection Bypass for Automation** secret (Vercel →
+project → Settings → Deployment Protection) and set it as `VERCEL_AUTOMATION_BYPASS_SECRET` on the
+tool repo — the api check sends it as `x-vercel-protection-bypass` and asserts 200. Without it the
+generated spec asserts **401** (the deployment is served + protected), so the gate stays green.
+
 ## MCP
 
 `.mcp.json` wires `vercel` (hosted, OAuth, read-only). Run `/mcp` and authenticate in the

package/dist/bin.js

@@ -5,7 +5,7 @@ import {
   loadConfig,
   resolveUrl,
   verifyAll
-} from "./chunk-VONSDNH4.js";
+} from "./chunk-JRCATCRY.js";
 import "./chunk-ADS6BJJ5.js";
 import "./chunk-WFZTRXBF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -105,6 +105,30 @@ function addTool(config, t) {
   }
   return result.data;
 }
+function upsertTool(config, t) {
+  if (t.name === "blog") throw new Error('"blog" is a reserved name');
+  const entry = {
+    name: t.name,
+    lane: t.lane,
+    target: t.target,
+    data: t.data ?? "none",
+    auth: t.auth ?? "none",
+    access: t.access ?? "public",
+    envs: t.envs ?? ["beta", "prod"],
+    ...t.dir !== void 0 ? { dir: t.dir } : {},
+    ...t.adopted ? { adopted: true } : {},
+    ...t.external ? { external: true } : {},
+    ...t.port !== void 0 ? { port: t.port } : {}
+  };
+  const tools = config.tools.some((x) => x.name === t.name) ? config.tools.map((x) => x.name === t.name ? entry : x) : [...config.tools, entry];
+  const result = ConfigSchema.safeParse({ ...config, tools });
+  if (!result.success) {
+    throw new Error(
+      result.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`).join("; ")
+    );
+  }
+  return result.data;
+}
 
 // src/manifest.ts
 import { existsSync as existsSync2 } from "fs";
@@ -390,7 +414,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.7";
+var MODULE_REF = "v0.2.9";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -1421,6 +1445,75 @@ jobs:
             -f description="\${{ job.status }}"
 `;
 }
+function verifyWorkflowYml(name) {
+  return `name: greenlight-verify
+
+# Vercel deploys ${name} on push and posts a deployment_status to GitHub; we verify the exact
+# deployed URL. ANTHROPIC_API_KEY (optional) enables the agent-web scenarios \u2014 absent \u2192 omitted
+# (see verify/${name}.config.ts), so the gate stays green on api + test alone.
+on:
+  deployment_status:
+
+permissions:
+  contents: read
+  statuses: write
+
+jobs:
+  verify:
+    if: \${{ github.event.deployment_status.state == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+      # agent-web needs browsers: add \`- run: npx -y playwright install --with-deps chromium\` when
+      # you set ANTHROPIC_API_KEY. test-mode needs the tool's deps: add a tolerant install step
+      # (\`pnpm install --no-frozen-lockfile\`) \u2014 but unit tests usually belong in the tool's PR CI.
+      - name: Verify the deployment
+        env:
+          # Bypass Vercel Deployment Protection on the deployment URL (Vercel \u2192 project \u2192 Deployment
+          # Protection \u2192 Protection Bypass for Automation). Without it the gate asserts 401 (served).
+          VERCEL_AUTOMATION_BYPASS_SECRET: \${{ secrets.VERCEL_AUTOMATION_BYPASS_SECRET }}
+          ANTHROPIC_API_KEY: \${{ secrets.ANTHROPIC_API_KEY }}
+        run: npx -y @rtrentjones/greenlight@latest verify --url "\${{ github.event.deployment_status.target_url }}" --spec verify/${name}.config.ts
+`;
+}
+function nextVerifyConfig(name) {
+  return `// Greenlight verify spec for ${name} (next/vercel) \u2014 run by .github/workflows/greenlight-verify.yml
+// after Vercel deploys (deployment_status). An array combines modes (allPass):
+//  - api: deployment_status' target_url is the *.vercel.app deployment URL, which Vercel Deployment
+//    Protection gates (401). With VERCEL_AUTOMATION_BYPASS_SECRET set we send the bypass header and
+//    assert 200 (the real app); without it we assert 401 (the deployment is served + protected).
+//  - agent-web: an LLM drives the live UI; runs ONLY when ANTHROPIC_API_KEY is set (else omitted,
+//    so the gate stays green). Replace the scenario with real user tasks + assertions.
+// Unit tests belong in this repo's PR CI; to also gate the deploy on them, add
+// { mode: 'test', command: 'pnpm test' } + a tolerant deps-install step in greenlight-verify.yml.
+const bypass = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
+const api = bypass
+  ? {
+      mode: 'api',
+      checks: [{ path: '/', status: 200, requestHeaders: { 'x-vercel-protection-bypass': bypass } }],
+    }
+  : { mode: 'api', checks: [{ path: '/', status: 401 }] };
+const agentWeb = process.env.ANTHROPIC_API_KEY
+  ? [
+      {
+        mode: 'agent-web',
+        scenarios: [
+          {
+            name: 'home renders',
+            task: 'Open the home page and confirm the app loads without an error screen.',
+            asserts: [{ selector: 'body' }],
+          },
+        ],
+      },
+    ]
+  : [];
+
+export default [api, ...agentWeb];
+`;
+}
 function writeIfAbsent(path, contents, label) {
   if (existsSync7(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
@@ -1451,8 +1544,8 @@ async function adoptCommand(args) {
       "run adopt from your site repo (needs a real greenlight.config.ts; run `greenlight init` first)"
     );
   }
-  if (reg.tools.some((t) => t.name === name) || name === "blog") {
-    throw new Error(`"${name}" already in the registry`);
+  if (name === "blog") {
+    throw new Error('"blog" is the apex site, not an adopted tool');
   }
   const domain = flag3(args, "--domain") ?? reg.domain;
   const ctx = { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath };
@@ -1479,7 +1572,8 @@ async function adoptWrapper(ctx) {
   } else {
     console.log(`\xB7 ${toolRel} exists \u2014 skipping submodule add`);
   }
-  const nextReg = addTool(reg, {
+  const existed = reg.tools.some((x) => x.name === name);
+  const nextReg = upsertTool(reg, {
     name,
     lane,
     target,
@@ -1491,18 +1585,22 @@ async function adoptWrapper(ctx) {
     adopted: true
   });
   writeFileSync4(regPath, serializeConfig(nextReg));
-  console.log(`\u2714 registered "${name}" (external, dir ${toolRel}) in the wrapper manifest`);
+  console.log(
+    `\u2714 ${existed ? "updated" : "registered"} "${name}" (external, dir ${toolRel}) in the wrapper manifest`
+  );
   const slug = parseRepo(repoArg) ?? parseRepo(safeGit(dest, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   writeIfAbsent(
     join2(cwd, `infra/${name}.tf`),
     emitToolTf({ name, domain, lane, target, data, envs, slug, external: true }),
     `infra/${name}.tf`
   );
-  writeIfAbsent(
-    join2(cwd, `verify/${name}.config.ts`),
-    starterVerifyConfig(lane),
-    `verify/${name}.config.ts`
-  );
+  if (target !== "vercel") {
+    writeIfAbsent(
+      join2(cwd, `verify/${name}.config.ts`),
+      starterVerifyConfig(lane),
+      `verify/${name}.config.ts`
+    );
+  }
   const providers = providersForTool({ target, data });
   if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
@@ -1522,6 +1620,18 @@ async function adoptWrapper(ctx) {
       `${toolRel}/.github/workflows/greenlight-build.yml (provider-agnostic build \u2192 GHCR \u2192 dispatch)`
     );
   }
+  if (target === "vercel") {
+    writeIfAbsent(
+      join2(dest, `verify/${name}.config.ts`),
+      nextVerifyConfig(name),
+      `${toolRel}/verify/${name}.config.ts (tool-CI verify spec)`
+    );
+    writeIfAbsent(
+      join2(dest, ".github/workflows/greenlight-verify.yml"),
+      verifyWorkflowYml(name),
+      `${toolRel}/.github/workflows/greenlight-verify.yml (verify on Vercel deployment_status)`
+    );
+  }
   console.log(`
 Next:
   (in the tool repo) commit the Greenlight kit + build workflow so they travel with the submodule:
@@ -1531,7 +1641,10 @@ Next:
     git commit && git push      # CI (infra.yml) applies. Tool's CI builds; wrapper deploys.${target === "oci" ? `
   Secrets (guided): greenlight secrets gather ${name} --repo <wrapper>   # TF_VAR_OCI_* + GREENLIGHT_STATUS_TOKEN
                     greenlight secrets gather ${name} --repo ${slug}   # GREENLIGHT_DISPATCH_TOKEN
-  The instance OCID is auto-resolved by the deploy workflow (by display name) \u2014 nothing to set.` : ""}`);
+  The instance OCID is auto-resolved by the deploy workflow (by display name) \u2014 nothing to set.` : target === "vercel" ? `
+  Deploy is Vercel's git integration (no wrapper deploy). The tool's greenlight-verify.yml verifies
+  each deployment (deployment_status). Optional: add ANTHROPIC_API_KEY to ${slug} to enable the
+  agent-web scenarios in verify/${name}.config.ts (absent \u2192 api + test gate alone).` : ""}`);
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
@@ -1936,9 +2049,30 @@ function flag6(args, name) {
   return i >= 0 ? args[i + 1] : void 0;
 }
 async function verifyCommand(args) {
+  const specPath = flag6(args, "--spec");
+  if (specPath) {
+    const url2 = flag6(args, "--url");
+    if (!url2) throw new Error("verify --spec needs --url <deployed-url>");
+    const loaded2 = await loadVerifySpecAt(specPath);
+    if (!loaded2) throw new Error(`no verify spec at ${specPath}`);
+    const specs2 = Array.isArray(loaded2) ? loaded2 : [loaded2];
+    const waitMs = (flag6(args, "--wait") !== void 0 ? Number(flag6(args, "--wait")) : 0) * 1e3;
+    const reports2 = await verifyAll(url2, specs2, {
+      reachableTimeoutMs: waitMs,
+      toolDir: process.cwd()
+    });
+    for (const report of reports2) printReport(report);
+    const pass2 = allPass(reports2);
+    if (reports2.length > 1)
+      console.log(`
+${pass2 ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports2.length} specs)`);
+    process.exit(pass2 ? 0 : 1);
+  }
   const name = args[0];
   if (!name || name.startsWith("-")) {
-    throw new Error("usage: greenlight verify <name> [--env <beta|prod> | --url <url>]");
+    throw new Error(
+      "usage: greenlight verify <name> [--env <beta|prod> | --url <url>] | verify --url <url> --spec <path>"
+    );
   }
   const { config } = await loadManifest();
   const entry = resolveEntry(config, name);

package/dist/{chunk-VONSDNH4.js → chunk-JRCATCRY.js}

@@ -116,7 +116,7 @@ var trimSlash = (s) => s.replace(/\/+$/, "");
 async function checkRoute(base, c) {
   const name = `GET ${c.path}`;
   try {
-    const res = await fetch(base + c.path, { redirect: "manual" });
+    const res = await fetch(base + c.path, { redirect: "manual", headers: c.requestHeaders });
     const reasons = [];
     if (c.status !== void 0 && res.status !== c.status) {
       reasons.push(`status ${res.status} != ${c.status}`);

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-VONSDNH4.js";
+} from "./chunk-JRCATCRY.js";
 import "./chunk-ADS6BJJ5.js";
 import "./chunk-WFZTRXBF.js";
 import "./chunk-KP3Y6WRU.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.7",
+  "version": "0.2.9",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {