@rtrentjones/greenlight 0.2.8 → 0.2.10

package/README.md

@@ -1,24 +1,28 @@
 # @rtrentjones/greenlight
 
 The Greenlight CLI — setup and lifecycle for the [Greenlight](https://github.com/RTrentJones/greenlight)
-harness. Greenlight is a **clone-and-own** baseline that turns a domain + API tokens into a live
-personal site plus a self-verifying agentic deploy loop, with plug-and-play subdomain tools (web apps
-or MCP servers). It is provider-agnostic and free-tier-first, and it **edits declarative
-infrastructure-as-code — your CI/CD applies it**. It is not a hosted PaaS.
+harness. Greenlight turns a domain + API tokens into a live personal site plus a self-verifying
+agentic deploy loop, with plug-and-play subdomain tools (web apps or MCP servers). It is
+provider-agnostic and free-tier-first, and it **edits declarative infrastructure-as-code — your CI/CD
+applies it**. It is not a hosted PaaS.
 
-This is the **single published package**: the CLI, with the framework libraries
-(`shared`/`verify`/`adapters`/`loop`) bundled in. The Terraform modules are distributed as git tags
-(pinned in lockstep with this package's version); the skills ship as a Claude Code plugin.
+**You install this CLI; you don't fork the framework.** `greenlight init` scaffolds a thin **wrapper
+repo you own** (your manifest + content) that depends on this package and updates via
+`pnpm update` — no framework code to merge. This is the **single published package**: the CLI, with
+the framework libraries (`shared`/`verify`/`adapters`/`loop`) bundled in. Terraform modules ship as
+git tags (pinned in lockstep with this version); skills ship as a Claude Code plugin.
 
-## Install
+## Quick start
 
 ```bash
-pnpm add @rtrentjones/greenlight      # or npm i / yarn add
+npx -y @rtrentjones/greenlight init --domain you.dev   # scaffold the wrapper + gather base keys
+pnpm greenlight add notes --lane mcp --target oci      # add a tool: emit infra + gather ITS keys
+git push                                               # CI runs `terraform apply`
+pnpm greenlight verify notes --env prod                # the shared harness proves it
 ```
 
-A personal site is a **thin consumer** that depends on this package and owns only its manifest
-(`greenlight.config.ts`) + content. Update with `pnpm update @rtrentjones/greenlight` — no framework
-code to merge.
+Full walkthrough: [getting-started.md](https://github.com/RTrentJones/greenlight/blob/main/docs/getting-started.md).
+Update the mechanics later with `pnpm update @rtrentjones/greenlight`.
 
 Optional peer features lazy-load and degrade to a failing check if absent (never a crash):
 

package/assets/skills/provider-vercel/SKILL.md

@@ -42,6 +42,13 @@ wrapper deploy listener. `greenlight adopt … --target vercel` emits, into the
 `greenlight verify --url <url> --spec <path>` is the **manifest-free** mode that makes this work
 without carrying the wrapper's `greenlight.config.ts` into the tool repo.
 
+**Deployment Protection gotcha:** `deployment_status.target_url` is the `*.vercel.app` *deployment*
+URL, which Vercel **Deployment Protection** gates (→ **401**) even though the public custom domain
+is 200. To verify the real app, create a **Protection Bypass for Automation** secret (Vercel →
+project → Settings → Deployment Protection) and set it as `VERCEL_AUTOMATION_BYPASS_SECRET` on the
+tool repo — the api check sends it as `x-vercel-protection-bypass` and asserts 200. Without it the
+generated spec asserts **401** (the deployment is served + protected), so the gate stays green.
+
 ## MCP
 
 `.mcp.json` wires `vercel` (hosted, OAuth, read-only). Run `/mcp` and authenticate in the

package/dist/bin.js

@@ -5,7 +5,7 @@ import {
   loadConfig,
   resolveUrl,
   verifyAll
-} from "./chunk-VONSDNH4.js";
+} from "./chunk-JRCATCRY.js";
 import "./chunk-ADS6BJJ5.js";
 import "./chunk-WFZTRXBF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -14,8 +14,8 @@ import "./chunk-6N7MD6FR.js";
 import "./chunk-QFKE5JKC.js";
 
 // src/commands/add.ts
-import { cpSync as cpSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
-import { join, resolve as resolve6 } from "path";
+import { cpSync as cpSync2, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { join, resolve as resolve5 } from "path";
 
 // src/asset-paths.ts
 import { existsSync } from "fs";
@@ -105,6 +105,30 @@ function addTool(config, t) {
   }
   return result.data;
 }
+function upsertTool(config, t) {
+  if (t.name === "blog") throw new Error('"blog" is a reserved name');
+  const entry = {
+    name: t.name,
+    lane: t.lane,
+    target: t.target,
+    data: t.data ?? "none",
+    auth: t.auth ?? "none",
+    access: t.access ?? "public",
+    envs: t.envs ?? ["beta", "prod"],
+    ...t.dir !== void 0 ? { dir: t.dir } : {},
+    ...t.adopted ? { adopted: true } : {},
+    ...t.external ? { external: true } : {},
+    ...t.port !== void 0 ? { port: t.port } : {}
+  };
+  const tools = config.tools.some((x) => x.name === t.name) ? config.tools.map((x) => x.name === t.name ? entry : x) : [...config.tools, entry];
+  const result = ConfigSchema.safeParse({ ...config, tools });
+  if (!result.success) {
+    throw new Error(
+      result.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`).join("; ")
+    );
+  }
+  return result.data;
+}
 
 // src/manifest.ts
 import { existsSync as existsSync2 } from "fs";
@@ -390,7 +414,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.8";
+var MODULE_REF = "v0.2.10";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -630,15 +654,87 @@ function providersForTool(tool) {
   return out;
 }
 
-// src/tokens.ts
-import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { resolve as resolve4 } from "path";
-import { createInterface as createInterface2 } from "readline/promises";
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync3, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { resolve as resolve3 } from "path";
+
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
+  }
+  return out;
+}
+
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+
+This repo uses Greenlight. Ship changes through the deploy-verify-promote skill:
+branch \u2192 change \u2192 deploy preview \u2192 \`greenlight verify\` \u2192 beta \u2192 verify \u2192 \`greenlight promote\` \u2192 prod \u2192 verify.
+
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the loop).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync3(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve3(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync3(skillSrc)) continue;
+    const skillDest = resolve3(dir, ".claude/skills", pack.skill);
+    mkdirSync(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve3(dir, ".mcp.json");
+  const existingMcp = existsSync3(mcpPath) ? JSON.parse(readFileSync(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve3(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync3(claudePath) ? readFileSync(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
+
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight agent sync   # write the loop skill + .mcp.json + CLAUDE.md block"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  materializeAgentKit(process.cwd());
+  console.log(
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+  );
+}
 
 // src/commands/secrets.ts
 import { execFileSync } from "child_process";
-import { existsSync as existsSync3, readFileSync } from "fs";
-import { resolve as resolve3 } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve4 } from "path";
 import { createInterface } from "readline";
 function parseSecretsEnv(text) {
   const out = [];
@@ -664,7 +760,7 @@ function parseOciConfig(text) {
   return out;
 }
 function ociPrefill(configPath, keyPath) {
-  const cfg = parseOciConfig(readFileSync(configPath, "utf8"));
+  const cfg = parseOciConfig(readFileSync2(configPath, "utf8"));
   const map = /* @__PURE__ */ new Map();
   const set = (k, v) => {
     if (v) map.set(k, v);
@@ -674,8 +770,8 @@ function ociPrefill(configPath, keyPath) {
   set("TF_VAR_OCI_TENANCY_OCID", cfg.tenancy);
   set("TF_VAR_OCI_REGION", cfg.region);
   const pem = keyPath ?? cfg.key_file;
-  if (pem && existsSync3(pem)) {
-    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync(pem, "utf8"));
+  if (pem && existsSync4(pem)) {
+    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync2(pem, "utf8"));
   } else if (pem) {
     console.log(`   ! PEM not found at ${pem} \u2014 set TF_VAR_OCI_PRIVATE_KEY manually (--oci-key)`);
   }
@@ -709,11 +805,11 @@ function syncSecrets(opts) {
       "could not determine the repo \u2014 pass --repo owner/repo (no github.com origin remote)"
     );
   }
-  const path = resolve3(opts.cwd, ".greenlight/secrets.env");
-  if (!existsSync3(path)) {
+  const path = resolve4(opts.cwd, ".greenlight/secrets.env");
+  if (!existsSync4(path)) {
     throw new Error("no .greenlight/secrets.env \u2014 run `greenlight init` with tokens first");
   }
-  const entries = parseSecretsEnv(readFileSync(path, "utf8"));
+  const entries = parseSecretsEnv(readFileSync2(path, "utf8"));
   const target = opts.env ? `env "${opts.env}"` : "repo";
   for (const { key, value } of entries) {
     const ghArgs = ["secret", "set", key, "--repo", repo];
@@ -855,7 +951,7 @@ async function secretsCommand(args) {
     if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
     const ociConfig2 = flag(args, "--oci-config");
     const ociKey = flag(args, "--oci-key");
-    const prefill = ociConfig2 ? ociPrefill(resolve3(process.cwd(), ociConfig2), ociKey && resolve3(process.cwd(), ociKey)) : void 0;
+    const prefill = ociConfig2 ? ociPrefill(resolve4(process.cwd(), ociConfig2), ociKey && resolve4(process.cwd(), ociKey)) : void 0;
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
@@ -880,161 +976,6 @@ ${count} secret(s) synced. (Prefer GitHub OIDC over long-lived tokens where supp
   );
 }
 
-// src/tokens.ts
-var SECRETS_DIR = ".greenlight";
-var SECRETS_FILE = "secrets.env";
-function presentEnv(cwd) {
-  const out = {};
-  const p = resolve4(cwd, SECRETS_DIR, SECRETS_FILE);
-  if (existsSync4(p)) {
-    for (const { key, value } of parseSecretsEnv(readFileSync2(p, "utf8"))) out[key] = value;
-  }
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0 && !(k in out)) out[k] = v;
-  }
-  return out;
-}
-function upsertSecret(cwd, key, value) {
-  const dir = resolve4(cwd, SECRETS_DIR);
-  mkdirSync(dir, { recursive: true });
-  const p = resolve4(dir, SECRETS_FILE);
-  const lines = existsSync4(p) ? readFileSync2(p, "utf8").split("\n") : [];
-  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
-  if (idx >= 0) lines[idx] = `${key}=${value}`;
-  else {
-    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
-    lines.push(`${key}=${value}`);
-  }
-  writeFileSync(p, `${lines.join("\n").replace(/\n*$/, "")}
-`, { mode: 384 });
-}
-async function ensureTokensForTool(cwd, tool, opts = {}) {
-  const doVerify = opts.verify !== false;
-  const interactive = Boolean(process.stdin.isTTY);
-  const env = presentEnv(cwd);
-  const results = [];
-  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
-  try {
-    for (const spec of tokensForTool(tool)) {
-      let value = env[spec.envVar];
-      if (value) {
-        results.push({ envVar: spec.envVar, outcome: "present" });
-      } else if (rl) {
-        console.log(`
-${spec.envVar} \u2014 ${spec.label}`);
-        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
-        if (!entered) {
-          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-          continue;
-        }
-        upsertSecret(cwd, spec.envVar, entered);
-        env[spec.envVar] = entered;
-        value = entered;
-        results.push({ envVar: spec.envVar, outcome: "entered" });
-      } else {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      if (value && doVerify && spec.verify) {
-        let check;
-        try {
-          check = await spec.verify(value, env);
-        } catch (e) {
-          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
-        }
-        const last = results[results.length - 1];
-        if (last) last.verify = check;
-        if (!check.ok && !spec.optional) {
-          throw new Error(
-            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
-          );
-        }
-      }
-    }
-  } finally {
-    rl?.close();
-  }
-  return results;
-}
-
-// src/commands/agent.ts
-import { cpSync, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve5 } from "path";
-
-// src/agent-kit.ts
-function recommendedMcp(tool) {
-  return mcpForTool(tool);
-}
-function mergeMcpServers(existing, add) {
-  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
-  for (const [name, val] of Object.entries(add)) {
-    if (out.mcpServers[name]) continue;
-    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
-  }
-  return out;
-}
-
-// src/commands/agent.ts
-var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
-
-This repo uses Greenlight. Ship changes through the deploy-verify-promote skill:
-branch \u2192 change \u2192 deploy preview \u2192 \`greenlight verify\` \u2192 beta \u2192 verify \u2192 \`greenlight promote\` \u2192 prod \u2192 verify.
-
-Agentic kit:
-- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the loop).
-- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
-    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
-- Best-practice skills (one-time, user scope):
-    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
-`;
-function materializeAgentKit(dir, tool) {
-  const src = skillAssetDir();
-  if (!existsSync5(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve5(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync2(dest, { recursive: true });
-  cpSync(src, dest, { recursive: true });
-  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
-  for (const pack of packsForTool(tool)) {
-    if (!pack.skill) continue;
-    const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync5(skillSrc)) continue;
-    const skillDest = resolve5(dir, ".claude/skills", pack.skill);
-    mkdirSync2(skillDest, { recursive: true });
-    cpSync(skillSrc, skillDest, { recursive: true });
-    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
-  }
-  const mcpPath = resolve5(dir, ".mcp.json");
-  const existingMcp = existsSync5(mcpPath) ? JSON.parse(readFileSync3(mcpPath, "utf8")) : null;
-  const servers = recommendedMcp(tool);
-  writeFileSync2(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
-`);
-  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve5(dir, "CLAUDE.md");
-  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync5(claudePath) ? readFileSync3(claudePath, "utf8") : "";
-  if (existing.includes(marker)) {
-    console.log("\xB7 CLAUDE.md already has the loop block");
-  } else {
-    writeFileSync2(claudePath, existing ? `${existing.trimEnd()}
-
-${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
-    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
-  }
-}
-async function agentCommand(args) {
-  if (args[0] !== "sync") {
-    console.log(
-      "usage: greenlight agent sync   # write the loop skill + .mcp.json + CLAUDE.md block"
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  materializeAgentKit(process.cwd());
-  console.log(
-    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
-  );
-}
-
 // src/commands/add.ts
 function flag2(args, name) {
   const i = args.indexOf(name);
@@ -1072,71 +1013,69 @@ async function addCommand(args) {
   const data = entry?.data ?? "none";
   const envs = entry?.envs ?? ["beta", "prod"];
   const toolInfo = { target, data };
-  const dest = resolve6(process.cwd(), "tools", name);
-  if (existsSync6(dest)) throw new Error(`tools/${name} already exists`);
+  const dest = resolve5(process.cwd(), "tools", name);
+  if (existsSync5(dest)) throw new Error(`tools/${name} already exists`);
   const src = templateDir(lane, target);
-  if (existsSync6(src)) {
+  if (existsSync5(src)) {
     cpSync2(src, dest, { recursive: true });
     const pkgPath = join(dest, "package.json");
-    if (existsSync6(pkgPath)) {
-      const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
+    if (existsSync5(pkgPath)) {
+      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
       pkg.name = name;
-      writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+      writeFileSync2(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
     }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
   } else {
     console.log(`! no template at ${src} \u2014 manifest entry added without scaffolding`);
   }
-  writeFileSync3(path, serializeConfig(next));
+  writeFileSync2(path, serializeConfig(next));
   console.log(`\u2714 added "${name}" (${lane}/${target}) to the manifest`);
   const cwd = process.cwd();
   const providers = providersForTool(toolInfo);
-  const infraDir = resolve6(cwd, "infra");
+  const infraDir = resolve5(cwd, "infra");
   const mainTf = join(infraDir, "main.tf");
-  if (!existsSync6(mainTf)) {
-    mkdirSync3(infraDir, { recursive: true });
-    writeFileSync3(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
+  if (!existsSync5(mainTf)) {
+    mkdirSync2(infraDir, { recursive: true });
+    writeFileSync2(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
     console.log("\u2714 scaffolded infra/main.tf (providers + HCP backend placeholder)");
   } else if (providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 infra/main.tf exists \u2014 ensure it declares provider(s): ${providers.join(", ")}`);
   }
   const toolTf = join(infraDir, `${name}.tf`);
-  if (existsSync6(toolTf)) {
+  if (existsSync5(toolTf)) {
     console.log(`\xB7 infra/${name}.tf exists \u2014 left as-is`);
   } else {
-    writeFileSync3(
+    writeFileSync2(
       toolTf,
       emitToolTf({ name, domain: config.domain, lane, target, data, envs, port: entry?.port })
     );
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
   }
-  if (!args.includes("--no-tokens")) {
+  materializeAgentKit(cwd, toolInfo);
+  const repo = flag2(args, "--repo") ?? detectRepo(cwd) ?? "";
+  const gather = !args.includes("--no-tokens") && process.stdin.isTTY && repo !== "";
+  if (gather) {
+    console.log(`
+Gathering ${name}'s provider keys${repo ? ` \u2192 ${repo}` : ""}:`);
     try {
-      const outcomes = await ensureTokensForTool(cwd, toolInfo, {
-        verify: !args.includes("--no-verify")
-      });
-      const missing = outcomes.filter((o) => o.outcome === "missing").map((o) => o.envVar);
-      if (missing.length) {
-        console.log(
-          `! missing token(s): ${missing.join(", ")} \u2014 set in .greenlight/secrets.env, then \`greenlight secrets sync\``
-        );
-      }
+      await gatherSecrets(name, repo, flag2(args, "--env"));
     } catch (e) {
-      console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+      console.log(`\u2716 secrets gather: ${e instanceof Error ? e.message : String(e)}`);
+      console.log(`  retry: greenlight secrets gather ${name}${repo ? ` --repo ${repo}` : ""}`);
     }
   }
-  materializeAgentKit(cwd, toolInfo);
   console.log(`
-Next:
+Next:${gather ? "" : `
+  greenlight secrets gather ${name}${repo ? ` --repo ${repo}` : " --repo <owner/repo>"}   # this tool's keys \u2192 GitHub`}
   review infra/${name}.tf, then commit + push \u2192 CI (infra.yml) runs \`terraform apply\`
   greenlight preview ${name}        # local build + serve + verify`);
 }
 
 // src/commands/adopt.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { cpSync as cpSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync5, readdirSync, writeFileSync as writeFileSync4 } from "fs";
-import { join as join2, resolve as resolve7 } from "path";
+import { cpSync as cpSync3, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync3 } from "fs";
+import { join as join2, resolve as resolve6 } from "path";
 var REF = MODULE_REF;
 function flag3(args, name) {
   const i = args.indexOf(name);
@@ -1152,7 +1091,7 @@ function mergePackageJson(existing, repoName, vendor) {
 }
 function vendorDeps(vendorDir) {
   const out = {};
-  if (!existsSync7(vendorDir)) return out;
+  if (!existsSync6(vendorDir)) return out;
   for (const f of readdirSync(vendorDir)) {
     if (!f.endsWith(".tgz")) continue;
     const base = f.replace(/-\d+\.\d+\.\d+(-[\w.]+)?\.tgz$/, "");
@@ -1443,14 +1382,14 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-      - name: Install deps (for test-mode)
-        run: |
-          corepack enable || true
-          if [ -f pnpm-lock.yaml ]; then pnpm install --frozen-lockfile;
-          elif [ -f yarn.lock ]; then yarn install --frozen-lockfile;
-          else npm ci; fi
+      # agent-web needs browsers: add \`- run: npx -y playwright install --with-deps chromium\` when
+      # you set ANTHROPIC_API_KEY. test-mode needs the tool's deps: add a tolerant install step
+      # (\`pnpm install --no-frozen-lockfile\`) \u2014 but unit tests usually belong in the tool's PR CI.
       - name: Verify the deployment
         env:
+          # Bypass Vercel Deployment Protection on the deployment URL (Vercel \u2192 project \u2192 Deployment
+          # Protection \u2192 Protection Bypass for Automation). Without it the gate asserts 401 (served).
+          VERCEL_AUTOMATION_BYPASS_SECRET: \${{ secrets.VERCEL_AUTOMATION_BYPASS_SECRET }}
           ANTHROPIC_API_KEY: \${{ secrets.ANTHROPIC_API_KEY }}
         run: npx -y @rtrentjones/greenlight@latest verify --url "\${{ github.event.deployment_status.target_url }}" --spec verify/${name}.config.ts
 `;
@@ -1458,10 +1397,20 @@ jobs:
 function nextVerifyConfig(name) {
   return `// Greenlight verify spec for ${name} (next/vercel) \u2014 run by .github/workflows/greenlight-verify.yml
 // after Vercel deploys (deployment_status). An array combines modes (allPass):
-//  - api: the deployed URL serves (200).
-//  - test: this tool's own suite \u2014 set the real command for your package manager.
+//  - api: deployment_status' target_url is the *.vercel.app deployment URL, which Vercel Deployment
+//    Protection gates (401). With VERCEL_AUTOMATION_BYPASS_SECRET set we send the bypass header and
+//    assert 200 (the real app); without it we assert 401 (the deployment is served + protected).
 //  - agent-web: an LLM drives the live UI; runs ONLY when ANTHROPIC_API_KEY is set (else omitted,
 //    so the gate stays green). Replace the scenario with real user tasks + assertions.
+// Unit tests belong in this repo's PR CI; to also gate the deploy on them, add
+// { mode: 'test', command: 'pnpm test' } + a tolerant deps-install step in greenlight-verify.yml.
+const bypass = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
+const api = bypass
+  ? {
+      mode: 'api',
+      checks: [{ path: '/', status: 200, requestHeaders: { 'x-vercel-protection-bypass': bypass } }],
+    }
+  : { mode: 'api', checks: [{ path: '/', status: 401 }] };
 const agentWeb = process.env.ANTHROPIC_API_KEY
   ? [
       {
@@ -1477,20 +1426,16 @@ const agentWeb = process.env.ANTHROPIC_API_KEY
     ]
   : [];
 
-export default [
-  { mode: 'api', checks: [{ path: '/', status: 200 }] },
-  { mode: 'test', command: 'npm test' },
-  ...agentWeb,
-];
+export default [api, ...agentWeb];
 `;
 }
 function writeIfAbsent(path, contents, label) {
-  if (existsSync7(path)) {
+  if (existsSync6(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync4(resolve7(path, ".."), { recursive: true });
-  writeFileSync4(path, contents);
+  mkdirSync3(resolve6(path, ".."), { recursive: true });
+  writeFileSync3(path, contents);
   console.log(`\u2714 ${label}`);
 }
 async function adoptCommand(args) {
@@ -1514,8 +1459,8 @@ async function adoptCommand(args) {
       "run adopt from your site repo (needs a real greenlight.config.ts; run `greenlight init` first)"
     );
   }
-  if (reg.tools.some((t) => t.name === name) || name === "blog") {
-    throw new Error(`"${name}" already in the registry`);
+  if (name === "blog") {
+    throw new Error('"blog" is the apex site, not an adopted tool');
   }
   const domain = flag3(args, "--domain") ?? reg.domain;
   const ctx = { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath };
@@ -1526,10 +1471,10 @@ async function adoptWrapper(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
   const cwd = process.cwd();
   const toolRel = `tools/${name}`;
-  const dest = resolve7(cwd, toolRel);
+  const dest = resolve6(cwd, toolRel);
   console.log(`adopting "${name}" (${lane}/${target}) as the submodule ${toolRel}
 `);
-  if (!existsSync7(dest)) {
+  if (!existsSync6(dest)) {
     try {
       execFileSync2("git", ["submodule", "add", repoArg, toolRel], { cwd, stdio: "inherit" });
       console.log(`\u2714 git submodule add ${repoArg} ${toolRel}`);
@@ -1542,7 +1487,8 @@ async function adoptWrapper(ctx) {
   } else {
     console.log(`\xB7 ${toolRel} exists \u2014 skipping submodule add`);
   }
-  const nextReg = addTool(reg, {
+  const existed = reg.tools.some((x) => x.name === name);
+  const nextReg = upsertTool(reg, {
     name,
     lane,
     target,
@@ -1553,8 +1499,10 @@ async function adoptWrapper(ctx) {
     external: true,
     adopted: true
   });
-  writeFileSync4(regPath, serializeConfig(nextReg));
-  console.log(`\u2714 registered "${name}" (external, dir ${toolRel}) in the wrapper manifest`);
+  writeFileSync3(regPath, serializeConfig(nextReg));
+  console.log(
+    `\u2714 ${existed ? "updated" : "registered"} "${name}" (external, dir ${toolRel}) in the wrapper manifest`
+  );
   const slug = parseRepo(repoArg) ?? parseRepo(safeGit(dest, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   writeIfAbsent(
     join2(cwd, `infra/${name}.tf`),
@@ -1569,7 +1517,7 @@ async function adoptWrapper(ctx) {
     );
   }
   const providers = providersForTool({ target, data });
-  if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
+  if (existsSync6(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
   }
   materializeAgentKit(dest, { target, data });
@@ -1615,9 +1563,9 @@ Next:
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
-  const repo = resolve7(process.cwd(), repoArg);
-  if (!existsSync7(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
-  const regVendor = resolve7(process.cwd(), "vendor");
+  const repo = resolve6(process.cwd(), repoArg);
+  if (!existsSync6(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
+  const regVendor = resolve6(process.cwd(), "vendor");
   const vendor = vendorDeps(regVendor);
   if (Object.keys(vendor).length === 0) {
     throw new Error(
@@ -1635,15 +1583,15 @@ async function adoptStandalone(ctx) {
   );
   const slug = parseRepo(safeGit(repo, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   const pkgPath = join2(repo, "package.json");
-  const existingPkg = existsSync7(pkgPath) ? JSON.parse(readFileSync5(pkgPath, "utf8")) : null;
-  writeFileSync4(
+  const existingPkg = existsSync6(pkgPath) ? JSON.parse(readFileSync4(pkgPath, "utf8")) : null;
+  writeFileSync3(
     pkgPath,
     `${JSON.stringify(mergePackageJson(existingPkg, name, vendor), null, 2)}
 `
   );
   console.log("\u2714 package.json (merged framework deps + overrides)");
   const repoVendor = join2(repo, "vendor");
-  mkdirSync4(repoVendor, { recursive: true });
+  mkdirSync3(repoVendor, { recursive: true });
   for (const f of readdirSync(regVendor)) {
     if (f.endsWith(".tgz")) cpSync3(join2(regVendor, f), join2(repoVendor, f));
   }
@@ -1677,7 +1625,7 @@ async function adoptStandalone(ctx) {
     external: true,
     adopted: true
   });
-  writeFileSync4(regPath, serializeConfig(nextReg));
+  writeFileSync3(regPath, serializeConfig(nextReg));
   console.log(`\u2714 registered "${name}" in ${regPath.replace(`${process.cwd()}/`, "")} (external)`);
   console.log(`
 Next (in the adopted repo):
@@ -1690,20 +1638,20 @@ Note: deploying ${target} needs the ${target} adapter (workers is built; oci/ver
 }
 function addGreenlightScript(dir) {
   const pkgPath = join2(dir, "package.json");
-  if (!existsSync7(pkgPath)) {
+  if (!existsSync6(pkgPath)) {
     console.log(
       "\xB7 no package.json (non-Node tool) \u2014 run the loop via `npx @rtrentjones/greenlight`"
     );
     return;
   }
-  const pkg = JSON.parse(readFileSync5(pkgPath, "utf8"));
+  const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
   pkg.scripts = { ...pkg.scripts ?? {} };
   if (pkg.scripts.greenlight) {
     console.log("\xB7 package.json already has a greenlight script");
     return;
   }
   pkg.scripts.greenlight = "npx @rtrentjones/greenlight";
-  writeFileSync4(pkgPath, `${JSON.stringify(pkg, null, 2)}
+  writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
   console.log("\u2714 package.json (greenlight script \u2014 runnable via npx post-publish)");
 }
@@ -1846,10 +1794,10 @@ async function deployCommand(args) {
 }
 
 // src/commands/doctor.ts
-import { existsSync as existsSync8 } from "fs";
+import { existsSync as existsSync7 } from "fs";
 import { join as join4 } from "path";
 function dirCheck(label, dir) {
-  return existsSync8(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+  return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
 }
 function runDoctor(config, root) {
   const checks = [];
@@ -1871,8 +1819,8 @@ function runDoctor(config, root) {
       const vc = join4(dir, "verify.config.ts");
       checks.push({
         name: `${t.name}: verify.config.ts`,
-        status: existsSync8(vc) ? "ok" : "warn",
-        detail: existsSync8(vc) ? void 0 : "missing \u2014 verify will use the lane default"
+        status: existsSync7(vc) ? "ok" : "warn",
+        detail: existsSync7(vc) ? void 0 : "missing \u2014 verify will use the lane default"
       });
     }
   }
@@ -1918,10 +1866,180 @@ ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
 import { existsSync as existsSync9, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
 import { resolve as resolve8 } from "path";
 import { createInterface as createInterface3 } from "readline/promises";
+
+// src/tokens.ts
+import { existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
+import { resolve as resolve7 } from "path";
+import { createInterface as createInterface2 } from "readline/promises";
+var SECRETS_DIR = ".greenlight";
+var SECRETS_FILE = "secrets.env";
+function presentEnv(cwd) {
+  const out = {};
+  const p = resolve7(cwd, SECRETS_DIR, SECRETS_FILE);
+  if (existsSync8(p)) {
+    for (const { key, value } of parseSecretsEnv(readFileSync5(p, "utf8"))) out[key] = value;
+  }
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0 && !(k in out)) out[k] = v;
+  }
+  return out;
+}
+function upsertSecret(cwd, key, value) {
+  const dir = resolve7(cwd, SECRETS_DIR);
+  mkdirSync4(dir, { recursive: true });
+  const p = resolve7(dir, SECRETS_FILE);
+  const lines = existsSync8(p) ? readFileSync5(p, "utf8").split("\n") : [];
+  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
+  if (idx >= 0) lines[idx] = `${key}=${value}`;
+  else {
+    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
+    lines.push(`${key}=${value}`);
+  }
+  writeFileSync4(p, `${lines.join("\n").replace(/\n*$/, "")}
+`, { mode: 384 });
+}
+async function ensureTokensForTool(cwd, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const interactive = Boolean(process.stdin.isTTY);
+  const env = presentEnv(cwd);
+  const results = [];
+  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      let value = env[spec.envVar];
+      if (value) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+      } else if (rl) {
+        console.log(`
+${spec.envVar} \u2014 ${spec.label}`);
+        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
+        if (!entered) {
+          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+          continue;
+        }
+        upsertSecret(cwd, spec.envVar, entered);
+        env[spec.envVar] = entered;
+        value = entered;
+        results.push({ envVar: spec.envVar, outcome: "entered" });
+      } else {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      if (value && doVerify && spec.verify) {
+        let check;
+        try {
+          check = await spec.verify(value, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        const last = results[results.length - 1];
+        if (last) last.verify = check;
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+    }
+  } finally {
+    rl?.close();
+  }
+  return results;
+}
+
+// src/commands/init.ts
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;
 }
+var NPM_DEP = `^${MODULE_REF.replace(/^v/, "")}`;
+function wrapperPackageJson(name) {
+  return `${JSON.stringify(
+    {
+      name,
+      private: true,
+      type: "module",
+      scripts: { greenlight: "greenlight" },
+      dependencies: { "@rtrentjones/greenlight": NPM_DEP }
+    },
+    null,
+    2
+  )}
+`;
+}
+var WRAPPER_GITIGNORE = `# Greenlight wrapper
+node_modules/
+.greenlight/        # gathered tokens \u2014 never committed
+.terraform/
+*.tfplan
+tf.plan
+dist/
+`;
+var WRAPPER_MISE = `[tools]
+node = "24"
+pnpm = "10.12.1"
+`;
+function wrapperInfraYml() {
+  return `name: infra
+
+# Apply the wrapper's Terraform on push to main (paths: infra/**). State + locking are in HCP
+# Terraform (set the cloud{} block in infra/main.tf); the run happens here with provider creds
+# from GitHub Actions secrets (populate them per tool via \`greenlight secrets gather\`).
+on:
+  push:
+    branches: [main]
+    paths: ['infra/**']
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: infra
+  cancel-in-progress: false # never interrupt an in-flight apply
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: \${{ secrets.TF_API_TOKEN }} # HCP state backend auth
+      GITHUB_TOKEN: \${{ github.token }} # github provider (branch/protection); creates nothing risky
+      CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+      TF_VAR_cloudflare_zone_id: \${{ secrets.TF_VAR_CLOUDFLARE_ZONE_ID }}
+      TF_VAR_cloudflare_account_id: \${{ secrets.TF_VAR_CLOUDFLARE_ACCOUNT_ID }}
+      # vercel (target: vercel tools)
+      VERCEL_API_TOKEN: \${{ secrets.VERCEL_API_TOKEN }}
+      # supabase (data: supabase tools)
+      SUPABASE_ACCESS_TOKEN: \${{ secrets.SUPABASE_ACCESS_TOKEN }}
+      TF_VAR_supabase_database_password: \${{ secrets.TF_VAR_SUPABASE_DATABASE_PASSWORD }}
+      # oci (target: oci tools) \u2014 VCN/subnet/AD are IaC; only auth (+ optional compartment) here
+      TF_VAR_oci_tenancy_ocid: \${{ secrets.TF_VAR_OCI_TENANCY_OCID }}
+      TF_VAR_oci_user_ocid: \${{ secrets.TF_VAR_OCI_USER_OCID }}
+      TF_VAR_oci_fingerprint: \${{ secrets.TF_VAR_OCI_FINGERPRINT }}
+      TF_VAR_oci_private_key: \${{ secrets.TF_VAR_OCI_PRIVATE_KEY }}
+      TF_VAR_oci_region: \${{ secrets.TF_VAR_OCI_REGION }}
+      TF_VAR_oci_compartment_id: \${{ secrets.TF_VAR_OCI_COMPARTMENT_ID }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: '~1.10'
+          terraform_wrapper: false
+      - run: terraform -chdir=infra init -input=false
+      - run: terraform -chdir=infra plan -input=false -out=tf.plan
+      - run: terraform -chdir=infra apply -input=false tf.plan
+`;
+}
+function scaffoldIfAbsent(path, contents, label) {
+  if (existsSync9(path)) {
+    console.log(`\xB7 ${label} exists \u2014 left as-is`);
+    return;
+  }
+  mkdirSync5(resolve8(path, ".."), { recursive: true });
+  writeFileSync5(path, contents);
+  console.log(`\u2714 wrote ${label}`);
+}
 var TOKEN_FLAGS = {
   "--cf-token": "CLOUDFLARE_API_TOKEN",
   "--github-token": "GITHUB_TOKEN",
@@ -1946,6 +2064,16 @@ async function initCommand(args) {
   }
   writeFileSync5(configPath, scaffoldConfig(domain));
   console.log(`\u2714 wrote greenlight.config.ts (domain: ${domain})`);
+  const repoName = domain.replace(/\./g, "-");
+  scaffoldIfAbsent(
+    resolve8(cwd, ".github/workflows/infra.yml"),
+    wrapperInfraYml(),
+    ".github/workflows/infra.yml (HCP-backed terraform apply on push)"
+  );
+  scaffoldIfAbsent(resolve8(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
+  scaffoldIfAbsent(resolve8(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
+  scaffoldIfAbsent(resolve8(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
+  scaffoldIfAbsent(resolve8(cwd, ".node-version"), "24\n", ".node-version");
   const secrets = [];
   for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
     const v = flag5(args, f);
@@ -1979,10 +2107,11 @@ async function initCommand(args) {
   }
   console.log(`
 Next:
-  greenlight add <name> --lane mcp --target oci   # scaffold a tool${pushed ? "" : "\n  greenlight secrets sync                         # push tokens to GitHub Actions"}
-  greenlight doctor                               # check consistency
-  terraform -chdir=infra apply                    # branches/protection/DNS (module "repo"/"tool")
-  greenlight deploy blog --env prod               # first live deploy`);
+  1. greenlight add <name> --lane <lane> --target <target>   # scaffold a tool, emit infra, and
+                                                             # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (run `greenlight secrets sync` if base tokens were not pushed)"}
+  2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state-r2.md
+  3. commit + push \u2192 CI (.github/workflows/infra.yml) runs \`terraform apply\`
+  4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 
 // src/commands/preview.ts

package/dist/{chunk-VONSDNH4.js → chunk-JRCATCRY.js}

@@ -116,7 +116,7 @@ var trimSlash = (s) => s.replace(/\/+$/, "");
 async function checkRoute(base, c) {
   const name = `GET ${c.path}`;
   try {
-    const res = await fetch(base + c.path, { redirect: "manual" });
+    const res = await fetch(base + c.path, { redirect: "manual", headers: c.requestHeaders });
     const reasons = [];
     if (c.status !== void 0 && res.status !== c.status) {
       reasons.push(`status ${res.status} != ${c.status}`);

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-VONSDNH4.js";
+} from "./chunk-JRCATCRY.js";
 import "./chunk-ADS6BJJ5.js";
 import "./chunk-WFZTRXBF.js";
 import "./chunk-KP3Y6WRU.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.8",
+  "version": "0.2.10",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.2.4",
+    "@rtrentjones/greenlight-loop": "0.2.4",
     "@rtrentjones/greenlight-shared": "0.2.4",
     "@rtrentjones/greenlight-verify": "0.2.4",
-    "@rtrentjones/greenlight-loop": "0.2.4"
+    "@rtrentjones/greenlight-adapters": "0.2.4"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",