@rtrentjones/greenlight 0.2.9 → 0.2.11

package/README.md

@@ -1,24 +1,28 @@
 # @rtrentjones/greenlight
 
 The Greenlight CLI — setup and lifecycle for the [Greenlight](https://github.com/RTrentJones/greenlight)
-harness. Greenlight is a **clone-and-own** baseline that turns a domain + API tokens into a live
-personal site plus a self-verifying agentic deploy loop, with plug-and-play subdomain tools (web apps
-or MCP servers). It is provider-agnostic and free-tier-first, and it **edits declarative
-infrastructure-as-code — your CI/CD applies it**. It is not a hosted PaaS.
+harness. Greenlight turns a domain + API tokens into a live personal site plus a self-verifying
+agentic deploy loop, with plug-and-play subdomain tools (web apps or MCP servers). It is
+provider-agnostic and free-tier-first, and it **edits declarative infrastructure-as-code — your CI/CD
+applies it**. It is not a hosted PaaS.
 
-This is the **single published package**: the CLI, with the framework libraries
-(`shared`/`verify`/`adapters`/`loop`) bundled in. The Terraform modules are distributed as git tags
-(pinned in lockstep with this package's version); the skills ship as a Claude Code plugin.
+**You install this CLI; you don't fork the framework.** `greenlight init` scaffolds a thin **wrapper
+repo you own** (your manifest + content) that depends on this package and updates via
+`pnpm update` — no framework code to merge. This is the **single published package**: the CLI, with
+the framework libraries (`shared`/`verify`/`adapters`/`loop`) bundled in. Terraform modules ship as
+git tags (pinned in lockstep with this version); skills ship as a Claude Code plugin.
 
-## Install
+## Quick start
 
 ```bash
-pnpm add @rtrentjones/greenlight      # or npm i / yarn add
+npx -y @rtrentjones/greenlight init --domain you.dev   # scaffold the wrapper + gather base keys
+pnpm greenlight add notes --lane mcp --target oci      # add a tool: emit infra + gather ITS keys
+git push                                               # CI runs `terraform apply`
+pnpm greenlight verify notes --env prod                # the shared harness proves it
 ```
 
-A personal site is a **thin consumer** that depends on this package and owns only its manifest
-(`greenlight.config.ts`) + content. Update with `pnpm update @rtrentjones/greenlight` — no framework
-code to merge.
+Full walkthrough: [getting-started.md](https://github.com/RTrentJones/greenlight/blob/main/docs/getting-started.md).
+Update the mechanics later with `pnpm update @rtrentjones/greenlight`.
 
 Optional peer features lazy-load and degrade to a failing check if absent (never a crash):
 

package/dist/bin.js

@@ -14,8 +14,8 @@ import "./chunk-6N7MD6FR.js";
 import "./chunk-QFKE5JKC.js";
 
 // src/commands/add.ts
-import { cpSync as cpSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
-import { join, resolve as resolve6 } from "path";
+import { cpSync as cpSync2, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { join, resolve as resolve5 } from "path";
 
 // src/asset-paths.ts
 import { existsSync } from "fs";
@@ -414,7 +414,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.2.9";
+var MODULE_REF = "v0.2.11";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -654,15 +654,87 @@ function providersForTool(tool) {
   return out;
 }
 
-// src/tokens.ts
-import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { resolve as resolve4 } from "path";
-import { createInterface as createInterface2 } from "readline/promises";
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync3, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { resolve as resolve3 } from "path";
+
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
+  }
+  return out;
+}
+
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+
+This repo uses Greenlight. Ship changes through the deploy-verify-promote skill:
+branch \u2192 change \u2192 deploy preview \u2192 \`greenlight verify\` \u2192 beta \u2192 verify \u2192 \`greenlight promote\` \u2192 prod \u2192 verify.
+
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the loop).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync3(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve3(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync3(skillSrc)) continue;
+    const skillDest = resolve3(dir, ".claude/skills", pack.skill);
+    mkdirSync(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve3(dir, ".mcp.json");
+  const existingMcp = existsSync3(mcpPath) ? JSON.parse(readFileSync(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve3(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync3(claudePath) ? readFileSync(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
+
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight agent sync   # write the loop skill + .mcp.json + CLAUDE.md block"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  materializeAgentKit(process.cwd());
+  console.log(
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+  );
+}
 
 // src/commands/secrets.ts
 import { execFileSync } from "child_process";
-import { existsSync as existsSync3, readFileSync } from "fs";
-import { resolve as resolve3 } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve4 } from "path";
 import { createInterface } from "readline";
 function parseSecretsEnv(text) {
   const out = [];
@@ -688,7 +760,7 @@ function parseOciConfig(text) {
   return out;
 }
 function ociPrefill(configPath, keyPath) {
-  const cfg = parseOciConfig(readFileSync(configPath, "utf8"));
+  const cfg = parseOciConfig(readFileSync2(configPath, "utf8"));
   const map = /* @__PURE__ */ new Map();
   const set = (k, v) => {
     if (v) map.set(k, v);
@@ -698,8 +770,8 @@ function ociPrefill(configPath, keyPath) {
   set("TF_VAR_OCI_TENANCY_OCID", cfg.tenancy);
   set("TF_VAR_OCI_REGION", cfg.region);
   const pem = keyPath ?? cfg.key_file;
-  if (pem && existsSync3(pem)) {
-    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync(pem, "utf8"));
+  if (pem && existsSync4(pem)) {
+    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync2(pem, "utf8"));
   } else if (pem) {
     console.log(`   ! PEM not found at ${pem} \u2014 set TF_VAR_OCI_PRIVATE_KEY manually (--oci-key)`);
   }
@@ -733,11 +805,11 @@ function syncSecrets(opts) {
       "could not determine the repo \u2014 pass --repo owner/repo (no github.com origin remote)"
     );
   }
-  const path = resolve3(opts.cwd, ".greenlight/secrets.env");
-  if (!existsSync3(path)) {
+  const path = resolve4(opts.cwd, ".greenlight/secrets.env");
+  if (!existsSync4(path)) {
     throw new Error("no .greenlight/secrets.env \u2014 run `greenlight init` with tokens first");
   }
-  const entries = parseSecretsEnv(readFileSync(path, "utf8"));
+  const entries = parseSecretsEnv(readFileSync2(path, "utf8"));
   const target = opts.env ? `env "${opts.env}"` : "repo";
   for (const { key, value } of entries) {
     const ghArgs = ["secret", "set", key, "--repo", repo];
@@ -879,7 +951,7 @@ async function secretsCommand(args) {
     if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
     const ociConfig2 = flag(args, "--oci-config");
     const ociKey = flag(args, "--oci-key");
-    const prefill = ociConfig2 ? ociPrefill(resolve3(process.cwd(), ociConfig2), ociKey && resolve3(process.cwd(), ociKey)) : void 0;
+    const prefill = ociConfig2 ? ociPrefill(resolve4(process.cwd(), ociConfig2), ociKey && resolve4(process.cwd(), ociKey)) : void 0;
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
@@ -904,161 +976,6 @@ ${count} secret(s) synced. (Prefer GitHub OIDC over long-lived tokens where supp
   );
 }
 
-// src/tokens.ts
-var SECRETS_DIR = ".greenlight";
-var SECRETS_FILE = "secrets.env";
-function presentEnv(cwd) {
-  const out = {};
-  const p = resolve4(cwd, SECRETS_DIR, SECRETS_FILE);
-  if (existsSync4(p)) {
-    for (const { key, value } of parseSecretsEnv(readFileSync2(p, "utf8"))) out[key] = value;
-  }
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0 && !(k in out)) out[k] = v;
-  }
-  return out;
-}
-function upsertSecret(cwd, key, value) {
-  const dir = resolve4(cwd, SECRETS_DIR);
-  mkdirSync(dir, { recursive: true });
-  const p = resolve4(dir, SECRETS_FILE);
-  const lines = existsSync4(p) ? readFileSync2(p, "utf8").split("\n") : [];
-  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
-  if (idx >= 0) lines[idx] = `${key}=${value}`;
-  else {
-    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
-    lines.push(`${key}=${value}`);
-  }
-  writeFileSync(p, `${lines.join("\n").replace(/\n*$/, "")}
-`, { mode: 384 });
-}
-async function ensureTokensForTool(cwd, tool, opts = {}) {
-  const doVerify = opts.verify !== false;
-  const interactive = Boolean(process.stdin.isTTY);
-  const env = presentEnv(cwd);
-  const results = [];
-  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
-  try {
-    for (const spec of tokensForTool(tool)) {
-      let value = env[spec.envVar];
-      if (value) {
-        results.push({ envVar: spec.envVar, outcome: "present" });
-      } else if (rl) {
-        console.log(`
-${spec.envVar} \u2014 ${spec.label}`);
-        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
-        if (!entered) {
-          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-          continue;
-        }
-        upsertSecret(cwd, spec.envVar, entered);
-        env[spec.envVar] = entered;
-        value = entered;
-        results.push({ envVar: spec.envVar, outcome: "entered" });
-      } else {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      if (value && doVerify && spec.verify) {
-        let check;
-        try {
-          check = await spec.verify(value, env);
-        } catch (e) {
-          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
-        }
-        const last = results[results.length - 1];
-        if (last) last.verify = check;
-        if (!check.ok && !spec.optional) {
-          throw new Error(
-            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
-          );
-        }
-      }
-    }
-  } finally {
-    rl?.close();
-  }
-  return results;
-}
-
-// src/commands/agent.ts
-import { cpSync, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve5 } from "path";
-
-// src/agent-kit.ts
-function recommendedMcp(tool) {
-  return mcpForTool(tool);
-}
-function mergeMcpServers(existing, add) {
-  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
-  for (const [name, val] of Object.entries(add)) {
-    if (out.mcpServers[name]) continue;
-    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
-  }
-  return out;
-}
-
-// src/commands/agent.ts
-var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
-
-This repo uses Greenlight. Ship changes through the deploy-verify-promote skill:
-branch \u2192 change \u2192 deploy preview \u2192 \`greenlight verify\` \u2192 beta \u2192 verify \u2192 \`greenlight promote\` \u2192 prod \u2192 verify.
-
-Agentic kit:
-- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the loop).
-- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
-    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
-- Best-practice skills (one-time, user scope):
-    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
-`;
-function materializeAgentKit(dir, tool) {
-  const src = skillAssetDir();
-  if (!existsSync5(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve5(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync2(dest, { recursive: true });
-  cpSync(src, dest, { recursive: true });
-  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
-  for (const pack of packsForTool(tool)) {
-    if (!pack.skill) continue;
-    const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync5(skillSrc)) continue;
-    const skillDest = resolve5(dir, ".claude/skills", pack.skill);
-    mkdirSync2(skillDest, { recursive: true });
-    cpSync(skillSrc, skillDest, { recursive: true });
-    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
-  }
-  const mcpPath = resolve5(dir, ".mcp.json");
-  const existingMcp = existsSync5(mcpPath) ? JSON.parse(readFileSync3(mcpPath, "utf8")) : null;
-  const servers = recommendedMcp(tool);
-  writeFileSync2(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
-`);
-  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve5(dir, "CLAUDE.md");
-  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync5(claudePath) ? readFileSync3(claudePath, "utf8") : "";
-  if (existing.includes(marker)) {
-    console.log("\xB7 CLAUDE.md already has the loop block");
-  } else {
-    writeFileSync2(claudePath, existing ? `${existing.trimEnd()}
-
-${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
-    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
-  }
-}
-async function agentCommand(args) {
-  if (args[0] !== "sync") {
-    console.log(
-      "usage: greenlight agent sync   # write the loop skill + .mcp.json + CLAUDE.md block"
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  materializeAgentKit(process.cwd());
-  console.log(
-    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
-  );
-}
-
 // src/commands/add.ts
 function flag2(args, name) {
   const i = args.indexOf(name);
@@ -1096,71 +1013,69 @@ async function addCommand(args) {
   const data = entry?.data ?? "none";
   const envs = entry?.envs ?? ["beta", "prod"];
   const toolInfo = { target, data };
-  const dest = resolve6(process.cwd(), "tools", name);
-  if (existsSync6(dest)) throw new Error(`tools/${name} already exists`);
+  const dest = resolve5(process.cwd(), "tools", name);
+  if (existsSync5(dest)) throw new Error(`tools/${name} already exists`);
   const src = templateDir(lane, target);
-  if (existsSync6(src)) {
+  if (existsSync5(src)) {
     cpSync2(src, dest, { recursive: true });
     const pkgPath = join(dest, "package.json");
-    if (existsSync6(pkgPath)) {
-      const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
+    if (existsSync5(pkgPath)) {
+      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
       pkg.name = name;
-      writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+      writeFileSync2(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
     }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
   } else {
     console.log(`! no template at ${src} \u2014 manifest entry added without scaffolding`);
   }
-  writeFileSync3(path, serializeConfig(next));
+  writeFileSync2(path, serializeConfig(next));
   console.log(`\u2714 added "${name}" (${lane}/${target}) to the manifest`);
   const cwd = process.cwd();
   const providers = providersForTool(toolInfo);
-  const infraDir = resolve6(cwd, "infra");
+  const infraDir = resolve5(cwd, "infra");
   const mainTf = join(infraDir, "main.tf");
-  if (!existsSync6(mainTf)) {
-    mkdirSync3(infraDir, { recursive: true });
-    writeFileSync3(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
+  if (!existsSync5(mainTf)) {
+    mkdirSync2(infraDir, { recursive: true });
+    writeFileSync2(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
     console.log("\u2714 scaffolded infra/main.tf (providers + HCP backend placeholder)");
   } else if (providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 infra/main.tf exists \u2014 ensure it declares provider(s): ${providers.join(", ")}`);
   }
   const toolTf = join(infraDir, `${name}.tf`);
-  if (existsSync6(toolTf)) {
+  if (existsSync5(toolTf)) {
     console.log(`\xB7 infra/${name}.tf exists \u2014 left as-is`);
   } else {
-    writeFileSync3(
+    writeFileSync2(
       toolTf,
       emitToolTf({ name, domain: config.domain, lane, target, data, envs, port: entry?.port })
     );
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
   }
-  if (!args.includes("--no-tokens")) {
+  materializeAgentKit(cwd, toolInfo);
+  const repo = flag2(args, "--repo") ?? detectRepo(cwd) ?? "";
+  const gather = !args.includes("--no-tokens") && process.stdin.isTTY && repo !== "";
+  if (gather) {
+    console.log(`
+Gathering ${name}'s provider keys${repo ? ` \u2192 ${repo}` : ""}:`);
     try {
-      const outcomes = await ensureTokensForTool(cwd, toolInfo, {
-        verify: !args.includes("--no-verify")
-      });
-      const missing = outcomes.filter((o) => o.outcome === "missing").map((o) => o.envVar);
-      if (missing.length) {
-        console.log(
-          `! missing token(s): ${missing.join(", ")} \u2014 set in .greenlight/secrets.env, then \`greenlight secrets sync\``
-        );
-      }
+      await gatherSecrets(name, repo, flag2(args, "--env"));
     } catch (e) {
-      console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+      console.log(`\u2716 secrets gather: ${e instanceof Error ? e.message : String(e)}`);
+      console.log(`  retry: greenlight secrets gather ${name}${repo ? ` --repo ${repo}` : ""}`);
     }
   }
-  materializeAgentKit(cwd, toolInfo);
   console.log(`
-Next:
+Next:${gather ? "" : `
+  greenlight secrets gather ${name}${repo ? ` --repo ${repo}` : " --repo <owner/repo>"}   # this tool's keys \u2192 GitHub`}
   review infra/${name}.tf, then commit + push \u2192 CI (infra.yml) runs \`terraform apply\`
   greenlight preview ${name}        # local build + serve + verify`);
 }
 
 // src/commands/adopt.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { cpSync as cpSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync5, readdirSync, writeFileSync as writeFileSync4 } from "fs";
-import { join as join2, resolve as resolve7 } from "path";
+import { cpSync as cpSync3, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync3 } from "fs";
+import { join as join2, resolve as resolve6 } from "path";
 var REF = MODULE_REF;
 function flag3(args, name) {
   const i = args.indexOf(name);
@@ -1176,7 +1091,7 @@ function mergePackageJson(existing, repoName, vendor) {
 }
 function vendorDeps(vendorDir) {
   const out = {};
-  if (!existsSync7(vendorDir)) return out;
+  if (!existsSync6(vendorDir)) return out;
   for (const f of readdirSync(vendorDir)) {
     if (!f.endsWith(".tgz")) continue;
     const base = f.replace(/-\d+\.\d+\.\d+(-[\w.]+)?\.tgz$/, "");
@@ -1184,10 +1099,17 @@ function vendorDeps(vendorDir) {
   }
   return out;
 }
-function starterVerifyConfig(lane) {
-  const spec = lane === "mcp" ? "{ mode: 'mcp', expectTools: [] }" : "{ mode: 'api', checks: [{ path: '/', status: 200 }] }";
+function starterVerifyConfig(lane, target) {
+  const spec = lane === "mcp" ? "mode: 'mcp', expectTools: []" : "mode: 'api', checks: [{ path: '/', status: 200 }]";
+  const logHint = target === "oci" ? "oci logging-search search-logs ...   // the instance/container logs" : target === "vercel" ? "vercel logs <deployment-url> --token $VERCEL_API_TOKEN" : "wrangler tail --once   // workers observability";
   return `// Greenlight verify spec \u2014 edit to assert this tool's real contract.
-export default ${spec};
+export default {
+  ${spec},
+  // Telemetry-into-verify: a shell command run ONLY when this report FAILS; its last ~50 lines
+  // attach to the report so the agent/CI sees the "why" in-loop. Best-effort (never fails the
+  // gate). Uncomment + adjust:
+  // logsOnFailure: '${logHint}',
+};
 `;
 }
 function infraTf(name, domain, lane, target, data, envs, slug) {
@@ -1379,26 +1301,8 @@ jobs:
             -F client_payload[sha]=\${{ github.sha }}
 `;
 }
-function deployListenerYml(name, toolRepo) {
-  return `name: greenlight-deploy-${name}
-
-# Option B: ${toolRepo} fires repository_dispatch(deploy-${name}) after pushing a new image.
-on:
-  repository_dispatch:
-    types: [deploy-${name}]
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
-      - run: pnpm install --frozen-lockfile
-      - run: pip install --quiet oci-cli
+function ociDeployAndVerifySteps(name) {
+  return `      - run: pip install --quiet oci-cli
       - name: Deploy (resolve instance OCID by name -> restart -> re-pull GHCR image)
         env:
           # The OCI CLI reuses the SAME TF_VAR_OCI_* secrets the apply uses \u2014 one secret set.
@@ -1431,7 +1335,33 @@ jobs:
         # The deploy "succeeds" only if the NEW image is actually serving. verify has a built-in
         # readiness wait (re-pull + container start). A failure here fails the job \u2192 the status
         # posted back is red. oci is verify-gated direct-to-prod (no cheap standing beta on free A1).
-        run: pnpm exec greenlight verify ${name} --env prod
+        run: pnpm exec greenlight verify ${name} --env prod`;
+}
+function deployListenerYml(name, toolRepo) {
+  return `name: greenlight-deploy-${name}
+
+# Option B: ${toolRepo} fires repository_dispatch(deploy-${name}) after pushing a new image.
+on:
+  repository_dispatch:
+    types: [deploy-${name}]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+# Share the self-heal workflow's group so a deploy and a remediation never run at the same time.
+concurrency:
+  group: deploy-${name}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jdx/mise-action@v2
+      - run: pnpm install --frozen-lockfile
+${ociDeployAndVerifySteps(name)}
       - name: Report status back to ${toolRepo}
         if: \${{ always() && github.event.client_payload.sha != '' }}
         env:
@@ -1445,6 +1375,65 @@ jobs:
             -f description="\${{ job.status }}"
 `;
 }
+function remediateYml(name) {
+  return `name: greenlight-remediate-${name}
+
+# Auto-heal: the keepalive Worker dispatches remediate-${name} when ${name} (oci) is unreachable.
+on:
+  repository_dispatch:
+    types: [remediate-${name}]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+# Same group as greenlight-deploy-${name}: a self-heal never overlaps a deploy or another heal, and
+# re-applying an already-healthy instance is idempotent (no diff) \u2014 anti-flap with no extra state.
+concurrency:
+  group: deploy-${name}
+  cancel-in-progress: false
+
+jobs:
+  remediate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jdx/mise-action@v2
+      - run: pnpm install --frozen-lockfile
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: '~1.10'
+          terraform_wrapper: false
+      - name: Re-apply the instance (recreate it if OCI idle-reclaimed the Always-Free box)
+        env:
+          TF_TOKEN_app_terraform_io: \${{ secrets.TF_API_TOKEN }} # HCP state backend auth
+          TF_VAR_oci_tenancy_ocid: \${{ secrets.TF_VAR_OCI_TENANCY_OCID }}
+          TF_VAR_oci_user_ocid: \${{ secrets.TF_VAR_OCI_USER_OCID }}
+          TF_VAR_oci_fingerprint: \${{ secrets.TF_VAR_OCI_FINGERPRINT }}
+          TF_VAR_oci_private_key: \${{ secrets.TF_VAR_OCI_PRIVATE_KEY }}
+          TF_VAR_oci_region: \${{ secrets.TF_VAR_OCI_REGION }}
+          TF_VAR_oci_compartment_id: \${{ secrets.TF_VAR_OCI_COMPARTMENT_ID }}
+        run: |
+          if [ -z "$TF_TOKEN_app_terraform_io" ]; then
+            echo "::warning::no TF_API_TOKEN \u2014 skipping re-apply; will still attempt a restart below"
+            exit 0
+          fi
+          terraform -chdir=infra init -input=false
+          # -target pulls in the instance's deps (the ${name}_network module) automatically.
+          terraform -chdir=infra apply -input=false -auto-approve -target=module.${name}_instance
+${ociDeployAndVerifySteps(name)}
+      - name: Escalate if the self-heal failed
+        if: \${{ failure() }}
+        env:
+          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh issue create --repo \${{ github.repository }} \\
+            --title "remediate-${name}: self-heal FAILED" \\
+            --body "Automatic remediation for ${name} (reason: \${{ github.event.client_payload.reason }}) did not bring prod back. Manual attention needed." \\
+            --label keepalive || true
+`;
+}
 function verifyWorkflowYml(name) {
   return `name: greenlight-verify
 
@@ -1490,12 +1479,16 @@ function nextVerifyConfig(name) {
 // Unit tests belong in this repo's PR CI; to also gate the deploy on them, add
 // { mode: 'test', command: 'pnpm test' } + a tolerant deps-install step in greenlight-verify.yml.
 const bypass = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
+// Telemetry-into-verify: on a FAILED report, fetch the Vercel deployment's runtime logs and attach
+// the tail to the report (best-effort, never fails the gate). Needs VERCEL_API_TOKEN in CI.
+const logsOnFailure = 'vercel logs "$DEPLOYMENT_URL" --token "$VERCEL_API_TOKEN" 2>&1 || true';
 const api = bypass
   ? {
       mode: 'api',
       checks: [{ path: '/', status: 200, requestHeaders: { 'x-vercel-protection-bypass': bypass } }],
+      logsOnFailure,
     }
-  : { mode: 'api', checks: [{ path: '/', status: 401 }] };
+  : { mode: 'api', checks: [{ path: '/', status: 401 }], logsOnFailure };
 const agentWeb = process.env.ANTHROPIC_API_KEY
   ? [
       {
@@ -1515,12 +1508,12 @@ export default [api, ...agentWeb];
 `;
 }
 function writeIfAbsent(path, contents, label) {
-  if (existsSync7(path)) {
+  if (existsSync6(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync4(resolve7(path, ".."), { recursive: true });
-  writeFileSync4(path, contents);
+  mkdirSync3(resolve6(path, ".."), { recursive: true });
+  writeFileSync3(path, contents);
   console.log(`\u2714 ${label}`);
 }
 async function adoptCommand(args) {
@@ -1556,10 +1549,10 @@ async function adoptWrapper(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
   const cwd = process.cwd();
   const toolRel = `tools/${name}`;
-  const dest = resolve7(cwd, toolRel);
+  const dest = resolve6(cwd, toolRel);
   console.log(`adopting "${name}" (${lane}/${target}) as the submodule ${toolRel}
 `);
-  if (!existsSync7(dest)) {
+  if (!existsSync6(dest)) {
     try {
       execFileSync2("git", ["submodule", "add", repoArg, toolRel], { cwd, stdio: "inherit" });
       console.log(`\u2714 git submodule add ${repoArg} ${toolRel}`);
@@ -1584,7 +1577,7 @@ async function adoptWrapper(ctx) {
     external: true,
     adopted: true
   });
-  writeFileSync4(regPath, serializeConfig(nextReg));
+  writeFileSync3(regPath, serializeConfig(nextReg));
   console.log(
     `\u2714 ${existed ? "updated" : "registered"} "${name}" (external, dir ${toolRel}) in the wrapper manifest`
   );
@@ -1597,12 +1590,12 @@ async function adoptWrapper(ctx) {
   if (target !== "vercel") {
     writeIfAbsent(
       join2(cwd, `verify/${name}.config.ts`),
-      starterVerifyConfig(lane),
+      starterVerifyConfig(lane, target),
       `verify/${name}.config.ts`
     );
   }
   const providers = providersForTool({ target, data });
-  if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
+  if (existsSync6(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
   }
   materializeAgentKit(dest, { target, data });
@@ -1614,6 +1607,11 @@ async function adoptWrapper(ctx) {
       deployListenerYml(name, slug),
       `.github/workflows/greenlight-deploy-${name}.yml (wrapper deploy listener)`
     );
+    writeIfAbsent(
+      join2(cwd, `.github/workflows/greenlight-remediate-${name}.yml`),
+      remediateYml(name),
+      `.github/workflows/greenlight-remediate-${name}.yml (wrapper self-heal listener)`
+    );
     writeIfAbsent(
       join2(dest, ".github/workflows/greenlight-build.yml"),
       containerBuildYml(name, wrapperSlug),
@@ -1648,9 +1646,9 @@ Next:
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
-  const repo = resolve7(process.cwd(), repoArg);
-  if (!existsSync7(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
-  const regVendor = resolve7(process.cwd(), "vendor");
+  const repo = resolve6(process.cwd(), repoArg);
+  if (!existsSync6(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
+  const regVendor = resolve6(process.cwd(), "vendor");
   const vendor = vendorDeps(regVendor);
   if (Object.keys(vendor).length === 0) {
     throw new Error(
@@ -1668,15 +1666,15 @@ async function adoptStandalone(ctx) {
   );
   const slug = parseRepo(safeGit(repo, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   const pkgPath = join2(repo, "package.json");
-  const existingPkg = existsSync7(pkgPath) ? JSON.parse(readFileSync5(pkgPath, "utf8")) : null;
-  writeFileSync4(
+  const existingPkg = existsSync6(pkgPath) ? JSON.parse(readFileSync4(pkgPath, "utf8")) : null;
+  writeFileSync3(
     pkgPath,
     `${JSON.stringify(mergePackageJson(existingPkg, name, vendor), null, 2)}
 `
   );
   console.log("\u2714 package.json (merged framework deps + overrides)");
   const repoVendor = join2(repo, "vendor");
-  mkdirSync4(repoVendor, { recursive: true });
+  mkdirSync3(repoVendor, { recursive: true });
   for (const f of readdirSync(regVendor)) {
     if (f.endsWith(".tgz")) cpSync3(join2(regVendor, f), join2(repoVendor, f));
   }
@@ -1710,7 +1708,7 @@ async function adoptStandalone(ctx) {
     external: true,
     adopted: true
   });
-  writeFileSync4(regPath, serializeConfig(nextReg));
+  writeFileSync3(regPath, serializeConfig(nextReg));
   console.log(`\u2714 registered "${name}" in ${regPath.replace(`${process.cwd()}/`, "")} (external)`);
   console.log(`
 Next (in the adopted repo):
@@ -1723,20 +1721,20 @@ Note: deploying ${target} needs the ${target} adapter (workers is built; oci/ver
 }
 function addGreenlightScript(dir) {
   const pkgPath = join2(dir, "package.json");
-  if (!existsSync7(pkgPath)) {
+  if (!existsSync6(pkgPath)) {
     console.log(
       "\xB7 no package.json (non-Node tool) \u2014 run the loop via `npx @rtrentjones/greenlight`"
     );
     return;
   }
-  const pkg = JSON.parse(readFileSync5(pkgPath, "utf8"));
+  const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
   pkg.scripts = { ...pkg.scripts ?? {} };
   if (pkg.scripts.greenlight) {
     console.log("\xB7 package.json already has a greenlight script");
     return;
   }
   pkg.scripts.greenlight = "npx @rtrentjones/greenlight";
-  writeFileSync4(pkgPath, `${JSON.stringify(pkg, null, 2)}
+  writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
   console.log("\u2714 package.json (greenlight script \u2014 runnable via npx post-publish)");
 }
@@ -1879,10 +1877,10 @@ async function deployCommand(args) {
 }
 
 // src/commands/doctor.ts
-import { existsSync as existsSync8 } from "fs";
+import { existsSync as existsSync7 } from "fs";
 import { join as join4 } from "path";
 function dirCheck(label, dir) {
-  return existsSync8(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+  return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
 }
 function runDoctor(config, root) {
   const checks = [];
@@ -1904,8 +1902,8 @@ function runDoctor(config, root) {
       const vc = join4(dir, "verify.config.ts");
       checks.push({
         name: `${t.name}: verify.config.ts`,
-        status: existsSync8(vc) ? "ok" : "warn",
-        detail: existsSync8(vc) ? void 0 : "missing \u2014 verify will use the lane default"
+        status: existsSync7(vc) ? "ok" : "warn",
+        detail: existsSync7(vc) ? void 0 : "missing \u2014 verify will use the lane default"
       });
     }
   }
@@ -1951,10 +1949,180 @@ ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
 import { existsSync as existsSync9, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
 import { resolve as resolve8 } from "path";
 import { createInterface as createInterface3 } from "readline/promises";
+
+// src/tokens.ts
+import { existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
+import { resolve as resolve7 } from "path";
+import { createInterface as createInterface2 } from "readline/promises";
+var SECRETS_DIR = ".greenlight";
+var SECRETS_FILE = "secrets.env";
+function presentEnv(cwd) {
+  const out = {};
+  const p = resolve7(cwd, SECRETS_DIR, SECRETS_FILE);
+  if (existsSync8(p)) {
+    for (const { key, value } of parseSecretsEnv(readFileSync5(p, "utf8"))) out[key] = value;
+  }
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0 && !(k in out)) out[k] = v;
+  }
+  return out;
+}
+function upsertSecret(cwd, key, value) {
+  const dir = resolve7(cwd, SECRETS_DIR);
+  mkdirSync4(dir, { recursive: true });
+  const p = resolve7(dir, SECRETS_FILE);
+  const lines = existsSync8(p) ? readFileSync5(p, "utf8").split("\n") : [];
+  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
+  if (idx >= 0) lines[idx] = `${key}=${value}`;
+  else {
+    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
+    lines.push(`${key}=${value}`);
+  }
+  writeFileSync4(p, `${lines.join("\n").replace(/\n*$/, "")}
+`, { mode: 384 });
+}
+async function ensureTokensForTool(cwd, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const interactive = Boolean(process.stdin.isTTY);
+  const env = presentEnv(cwd);
+  const results = [];
+  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      let value = env[spec.envVar];
+      if (value) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+      } else if (rl) {
+        console.log(`
+${spec.envVar} \u2014 ${spec.label}`);
+        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
+        if (!entered) {
+          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+          continue;
+        }
+        upsertSecret(cwd, spec.envVar, entered);
+        env[spec.envVar] = entered;
+        value = entered;
+        results.push({ envVar: spec.envVar, outcome: "entered" });
+      } else {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      if (value && doVerify && spec.verify) {
+        let check;
+        try {
+          check = await spec.verify(value, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        const last = results[results.length - 1];
+        if (last) last.verify = check;
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+    }
+  } finally {
+    rl?.close();
+  }
+  return results;
+}
+
+// src/commands/init.ts
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;
 }
+var NPM_DEP = `^${MODULE_REF.replace(/^v/, "")}`;
+function wrapperPackageJson(name) {
+  return `${JSON.stringify(
+    {
+      name,
+      private: true,
+      type: "module",
+      scripts: { greenlight: "greenlight" },
+      dependencies: { "@rtrentjones/greenlight": NPM_DEP }
+    },
+    null,
+    2
+  )}
+`;
+}
+var WRAPPER_GITIGNORE = `# Greenlight wrapper
+node_modules/
+.greenlight/        # gathered tokens \u2014 never committed
+.terraform/
+*.tfplan
+tf.plan
+dist/
+`;
+var WRAPPER_MISE = `[tools]
+node = "24"
+pnpm = "10.12.1"
+`;
+function wrapperInfraYml() {
+  return `name: infra
+
+# Apply the wrapper's Terraform on push to main (paths: infra/**). State + locking are in HCP
+# Terraform (set the cloud{} block in infra/main.tf); the run happens here with provider creds
+# from GitHub Actions secrets (populate them per tool via \`greenlight secrets gather\`).
+on:
+  push:
+    branches: [main]
+    paths: ['infra/**']
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: infra
+  cancel-in-progress: false # never interrupt an in-flight apply
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    env:
+      TF_TOKEN_app_terraform_io: \${{ secrets.TF_API_TOKEN }} # HCP state backend auth
+      GITHUB_TOKEN: \${{ github.token }} # github provider (branch/protection); creates nothing risky
+      CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+      TF_VAR_cloudflare_zone_id: \${{ secrets.TF_VAR_CLOUDFLARE_ZONE_ID }}
+      TF_VAR_cloudflare_account_id: \${{ secrets.TF_VAR_CLOUDFLARE_ACCOUNT_ID }}
+      # vercel (target: vercel tools)
+      VERCEL_API_TOKEN: \${{ secrets.VERCEL_API_TOKEN }}
+      # supabase (data: supabase tools)
+      SUPABASE_ACCESS_TOKEN: \${{ secrets.SUPABASE_ACCESS_TOKEN }}
+      TF_VAR_supabase_database_password: \${{ secrets.TF_VAR_SUPABASE_DATABASE_PASSWORD }}
+      # oci (target: oci tools) \u2014 VCN/subnet/AD are IaC; only auth (+ optional compartment) here
+      TF_VAR_oci_tenancy_ocid: \${{ secrets.TF_VAR_OCI_TENANCY_OCID }}
+      TF_VAR_oci_user_ocid: \${{ secrets.TF_VAR_OCI_USER_OCID }}
+      TF_VAR_oci_fingerprint: \${{ secrets.TF_VAR_OCI_FINGERPRINT }}
+      TF_VAR_oci_private_key: \${{ secrets.TF_VAR_OCI_PRIVATE_KEY }}
+      TF_VAR_oci_region: \${{ secrets.TF_VAR_OCI_REGION }}
+      TF_VAR_oci_compartment_id: \${{ secrets.TF_VAR_OCI_COMPARTMENT_ID }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: '~1.10'
+          terraform_wrapper: false
+      - run: terraform -chdir=infra init -input=false
+      - run: terraform -chdir=infra plan -input=false -out=tf.plan
+      - run: terraform -chdir=infra apply -input=false tf.plan
+`;
+}
+function scaffoldIfAbsent(path, contents, label) {
+  if (existsSync9(path)) {
+    console.log(`\xB7 ${label} exists \u2014 left as-is`);
+    return;
+  }
+  mkdirSync5(resolve8(path, ".."), { recursive: true });
+  writeFileSync5(path, contents);
+  console.log(`\u2714 wrote ${label}`);
+}
 var TOKEN_FLAGS = {
   "--cf-token": "CLOUDFLARE_API_TOKEN",
   "--github-token": "GITHUB_TOKEN",
@@ -1979,6 +2147,16 @@ async function initCommand(args) {
   }
   writeFileSync5(configPath, scaffoldConfig(domain));
   console.log(`\u2714 wrote greenlight.config.ts (domain: ${domain})`);
+  const repoName = domain.replace(/\./g, "-");
+  scaffoldIfAbsent(
+    resolve8(cwd, ".github/workflows/infra.yml"),
+    wrapperInfraYml(),
+    ".github/workflows/infra.yml (HCP-backed terraform apply on push)"
+  );
+  scaffoldIfAbsent(resolve8(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
+  scaffoldIfAbsent(resolve8(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
+  scaffoldIfAbsent(resolve8(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
+  scaffoldIfAbsent(resolve8(cwd, ".node-version"), "24\n", ".node-version");
   const secrets = [];
   for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
     const v = flag5(args, f);
@@ -2012,10 +2190,11 @@ async function initCommand(args) {
   }
   console.log(`
 Next:
-  greenlight add <name> --lane mcp --target oci   # scaffold a tool${pushed ? "" : "\n  greenlight secrets sync                         # push tokens to GitHub Actions"}
-  greenlight doctor                               # check consistency
-  terraform -chdir=infra apply                    # branches/protection/DNS (module "repo"/"tool")
-  greenlight deploy blog --env prod               # first live deploy`);
+  1. greenlight add <name> --lane <lane> --target <target>   # scaffold a tool, emit infra, and
+                                                             # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (run `greenlight secrets sync` if base tokens were not pushed)"}
+  2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state-r2.md
+  3. commit + push \u2192 CI (.github/workflows/infra.yml) runs \`terraform apply\`
+  4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 
 // src/commands/preview.ts
@@ -2024,6 +2203,7 @@ import { resolve as resolve10 } from "path";
 import { setTimeout as sleep } from "timers/promises";
 
 // src/commands/verify.ts
+import { spawnSync } from "child_process";
 import { resolve as resolve9 } from "path";
 function defaultSpec(lane) {
   switch (lane) {
@@ -2043,6 +2223,37 @@ function printReport(report) {
   }
   console.log(`
 ${report.pass ? "\u2714 PASS" : "\u2718 FAIL"}`);
+  if (!report.pass && report.logs) {
+    console.log(`
+--- recent logs (${report.mode}) ---
+${report.logs}
+--- end logs ---`);
+  }
+}
+var LOG_TAIL_LINES = 50;
+function attachFailureLogs(reports, specs, toolDir) {
+  reports.forEach((report, i) => {
+    if (report.pass) return;
+    const cmd = specs[i]?.logsOnFailure;
+    if (!cmd) {
+      report.logs = "(no logsOnFailure configured for this spec)";
+      return;
+    }
+    try {
+      const res = spawnSync(cmd, {
+        shell: true,
+        cwd: toolDir,
+        timeout: 3e4,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024
+      });
+      const out = `${res.stdout ?? ""}${res.stderr ?? ""}`.trimEnd();
+      const tail = out.split("\n").slice(-LOG_TAIL_LINES).join("\n");
+      report.logs = tail || `(logsOnFailure produced no output${res.error ? `: ${res.error.message}` : ""})`;
+    } catch (e) {
+      report.logs = `(log fetch failed: ${e instanceof Error ? e.message : String(e)})`;
+    }
+  });
 }
 function flag6(args, name) {
   const i = args.indexOf(name);
@@ -2061,6 +2272,7 @@ async function verifyCommand(args) {
       reachableTimeoutMs: waitMs,
       toolDir: process.cwd()
     });
+    attachFailureLogs(reports2, specs2, process.cwd());
     for (const report of reports2) printReport(report);
     const pass2 = allPass(reports2);
     if (reports2.length > 1)
@@ -2098,6 +2310,7 @@ ${pass2 ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports2.length} specs)`);
   }
   const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { reachableTimeoutMs, toolDir });
+  attachFailureLogs(reports, specs, toolDir);
   for (const report of reports) printReport(report);
   const pass = allPass(reports);
   if (reports.length > 1)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.2.9",
+  "version": "0.2.11",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,9 +31,9 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.2.4",
     "@rtrentjones/greenlight-loop": "0.2.4",
     "@rtrentjones/greenlight-shared": "0.2.4",
+    "@rtrentjones/greenlight-adapters": "0.2.4",
     "@rtrentjones/greenlight-verify": "0.2.4"
   },
   "scripts": {