npm - @rtrentjones/greenlight - Versions diffs - 0.2.8 → 0.2.9 - Mend

@rtrentjones/greenlight 0.2.8 → 0.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/assets/skills/provider-vercel/SKILL.md +7 -0
package/dist/bin.js +52 -19
package/dist/{chunk-VONSDNH4.js → chunk-JRCATCRY.js} +1 -1
package/dist/index.js +1 -1
package/package.json +3 -3

package/assets/skills/provider-vercel/SKILL.md CHANGED Viewed

@@ -42,6 +42,13 @@ wrapper deploy listener. `greenlight adopt … --target vercel` emits, into the
 `greenlight verify --url <url> --spec <path>` is the **manifest-free** mode that makes this work
 without carrying the wrapper's `greenlight.config.ts` into the tool repo.
+**Deployment Protection gotcha:** `deployment_status.target_url` is the `*.vercel.app` *deployment*
+URL, which Vercel **Deployment Protection** gates (→ **401**) even though the public custom domain
+is 200. To verify the real app, create a **Protection Bypass for Automation** secret (Vercel →
+project → Settings → Deployment Protection) and set it as `VERCEL_AUTOMATION_BYPASS_SECRET` on the
+tool repo — the api check sends it as `x-vercel-protection-bypass` and asserts 200. Without it the
+generated spec asserts **401** (the deployment is served + protected), so the gate stays green.
 ## MCP
 `.mcp.json` wires `vercel` (hosted, OAuth, read-only). Run `/mcp` and authenticate in the

package/dist/bin.js CHANGED Viewed

@@ -5,7 +5,7 @@ import {
   loadConfig,
   resolveUrl,
   verifyAll
-} from "./chunk-VONSDNH4.js";
+} from "./chunk-JRCATCRY.js";
 import "./chunk-ADS6BJJ5.js";
 import "./chunk-WFZTRXBF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -105,6 +105,30 @@ function addTool(config, t) {
   }
   return result.data;
 }
+function upsertTool(config, t) {
+  if (t.name === "blog") throw new Error('"blog" is a reserved name');
+  const entry = {
+    name: t.name,
+    lane: t.lane,
+    target: t.target,
+    data: t.data ?? "none",
+    auth: t.auth ?? "none",
+    access: t.access ?? "public",
+    envs: t.envs ?? ["beta", "prod"],
+    ...t.dir !== void 0 ? { dir: t.dir } : {},
+    ...t.adopted ? { adopted: true } : {},
+    ...t.external ? { external: true } : {},
+    ...t.port !== void 0 ? { port: t.port } : {}
+  };
+  const tools = config.tools.some((x) => x.name === t.name) ? config.tools.map((x) => x.name === t.name ? entry : x) : [...config.tools, entry];
+  const result = ConfigSchema.safeParse({ ...config, tools });
+  if (!result.success) {
+    throw new Error(
+      result.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`).join("; ")
+    );
+  }
+  return result.data;
+}
 // src/manifest.ts
 import { existsSync as existsSync2 } from "fs";
@@ -390,7 +414,7 @@ function tokensForTool(tool) {
 }
 // src/version.ts
-var MODULE_REF = "v0.2.8";
+var MODULE_REF = "v0.2.9";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -1443,14 +1467,14 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-      - name: Install deps (for test-mode)
-        run: |
-          corepack enable || true
-          if [ -f pnpm-lock.yaml ]; then pnpm install --frozen-lockfile;
-          elif [ -f yarn.lock ]; then yarn install --frozen-lockfile;
-          else npm ci; fi
+      # agent-web needs browsers: add \`- run: npx -y playwright install --with-deps chromium\` when
+      # you set ANTHROPIC_API_KEY. test-mode needs the tool's deps: add a tolerant install step
+      # (\`pnpm install --no-frozen-lockfile\`) \u2014 but unit tests usually belong in the tool's PR CI.
       - name: Verify the deployment
         env:
+          # Bypass Vercel Deployment Protection on the deployment URL (Vercel \u2192 project \u2192 Deployment
+          # Protection \u2192 Protection Bypass for Automation). Without it the gate asserts 401 (served).
+          VERCEL_AUTOMATION_BYPASS_SECRET: \${{ secrets.VERCEL_AUTOMATION_BYPASS_SECRET }}
           ANTHROPIC_API_KEY: \${{ secrets.ANTHROPIC_API_KEY }}
         run: npx -y @rtrentjones/greenlight@latest verify --url "\${{ github.event.deployment_status.target_url }}" --spec verify/${name}.config.ts
 `;
@@ -1458,10 +1482,20 @@ jobs:
 function nextVerifyConfig(name) {
   return `// Greenlight verify spec for ${name} (next/vercel) \u2014 run by .github/workflows/greenlight-verify.yml
 // after Vercel deploys (deployment_status). An array combines modes (allPass):
-//  - api: the deployed URL serves (200).
-//  - test: this tool's own suite \u2014 set the real command for your package manager.
+//  - api: deployment_status' target_url is the *.vercel.app deployment URL, which Vercel Deployment
+//    Protection gates (401). With VERCEL_AUTOMATION_BYPASS_SECRET set we send the bypass header and
+//    assert 200 (the real app); without it we assert 401 (the deployment is served + protected).
 //  - agent-web: an LLM drives the live UI; runs ONLY when ANTHROPIC_API_KEY is set (else omitted,
 //    so the gate stays green). Replace the scenario with real user tasks + assertions.
+// Unit tests belong in this repo's PR CI; to also gate the deploy on them, add
+// { mode: 'test', command: 'pnpm test' } + a tolerant deps-install step in greenlight-verify.yml.
+const bypass = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
+const api = bypass
+  ? {
+      mode: 'api',
+      checks: [{ path: '/', status: 200, requestHeaders: { 'x-vercel-protection-bypass': bypass } }],
+    }
+  : { mode: 'api', checks: [{ path: '/', status: 401 }] };
 const agentWeb = process.env.ANTHROPIC_API_KEY
   ? [
       {
@@ -1477,11 +1511,7 @@ const agentWeb = process.env.ANTHROPIC_API_KEY
     ]
   : [];
-export default [
-  { mode: 'api', checks: [{ path: '/', status: 200 }] },
-  { mode: 'test', command: 'npm test' },
-  ...agentWeb,
-];
+export default [api, ...agentWeb];
 `;
 }
 function writeIfAbsent(path, contents, label) {
@@ -1514,8 +1544,8 @@ async function adoptCommand(args) {
       "run adopt from your site repo (needs a real greenlight.config.ts; run `greenlight init` first)"
     );
   }
-  if (reg.tools.some((t) => t.name === name) || name === "blog") {
-    throw new Error(`"${name}" already in the registry`);
+  if (name === "blog") {
+    throw new Error('"blog" is the apex site, not an adopted tool');
   }
   const domain = flag3(args, "--domain") ?? reg.domain;
   const ctx = { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath };
@@ -1542,7 +1572,8 @@ async function adoptWrapper(ctx) {
   } else {
     console.log(`\xB7 ${toolRel} exists \u2014 skipping submodule add`);
   }
-  const nextReg = addTool(reg, {
+  const existed = reg.tools.some((x) => x.name === name);
+  const nextReg = upsertTool(reg, {
     name,
     lane,
     target,
@@ -1554,7 +1585,9 @@ async function adoptWrapper(ctx) {
     adopted: true
   });
   writeFileSync4(regPath, serializeConfig(nextReg));
-  console.log(`\u2714 registered "${name}" (external, dir ${toolRel}) in the wrapper manifest`);
+  console.log(
+    `\u2714 ${existed ? "updated" : "registered"} "${name}" (external, dir ${toolRel}) in the wrapper manifest`
+  );
   const slug = parseRepo(repoArg) ?? parseRepo(safeGit(dest, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   writeIfAbsent(
     join2(cwd, `infra/${name}.tf`),

package/dist/{chunk-VONSDNH4.js → chunk-JRCATCRY.js} RENAMED Viewed

@@ -116,7 +116,7 @@ var trimSlash = (s) => s.replace(/\/+$/, "");
 async function checkRoute(base, c) {
   const name = `GET ${c.path}`;
   try {
-    const res = await fetch(base + c.path, { redirect: "manual" });
+    const res = await fetch(base + c.path, { redirect: "manual", headers: c.requestHeaders });
     const reasons = [];
     if (c.status !== void 0 && res.status !== c.status) {
       reasons.push(`status ${res.status} != ${c.status}`);

package/dist/index.js CHANGED Viewed

@@ -2,7 +2,7 @@ import {
   defineConfig,
   defineVerify,
   loadConfig
-} from "./chunk-VONSDNH4.js";
+} from "./chunk-JRCATCRY.js";
 import "./chunk-ADS6BJJ5.js";
 import "./chunk-WFZTRXBF.js";
 import "./chunk-KP3Y6WRU.js";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.8",
+  "version": "0.2.9",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -32,9 +32,9 @@
   },
   "devDependencies": {
     "@rtrentjones/greenlight-adapters": "0.2.4",
+    "@rtrentjones/greenlight-loop": "0.2.4",
     "@rtrentjones/greenlight-shared": "0.2.4",
-    "@rtrentjones/greenlight-verify": "0.2.4",
-    "@rtrentjones/greenlight-loop": "0.2.4"
+    "@rtrentjones/greenlight-verify": "0.2.4"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",