@rtrentjones/greenlight 0.3.0 → 0.4.0

package/assets/skills/provider-cloudflare/SKILL.md

@@ -19,9 +19,10 @@ One token, these scopes (a missing scope took down a live apply more than once):
 - **Account · Cloudflare Tunnel · Edit** — only if a tool uses `target: oci` (the cloudflared
   tunnel). Without it, the tunnel resource fails with **403 Forbidden** on `cfd_tunnel` at apply.
 
-Create at dash → My Profile → API Tokens → Custom Token. Store in `.greenlight/secrets.env`
-(gitignored) and push to GitHub Actions with `greenlight secrets sync`. `greenlight add`
-verifies it against `/user/tokens/verify` (status must be `active`) before you commit.
+Create at dash → My Profile → API Tokens → Custom Token. Push it straight to GitHub Actions
+with `greenlight secrets gather` (or `gh secret set CLOUDFLARE_API_TOKEN`) — Greenlight keeps
+no local secret file. `greenlight add` verifies it against `/user/tokens/verify` (status must
+be `active`) before you commit.
 
 ## Terraform modules
 

package/assets/skills/provider-gemini/SKILL.md

@@ -29,9 +29,17 @@ POST https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:ge
 → candidates[0].content.parts[0].text
 ```
 
-## Deploy — wrangler (workers target)
+## Deploy — emitted CI (push to main)
 
-Like the astro blog: cron + KV + secret + `custom_domain` in `wrangler.toml`; no Terraform.
+`greenlight add` resolves the Cloudflare **account id** into `wrangler.toml` (so wrangler skips the
+`/memberships` call a scoped token can't do) and emits **`.github/workflows/deploy-<name>.yml`**. On
+a push to main that touches `tools/<name>`, that workflow: **creates the KV namespace** (find-or-create
+in-CI — no manual step, the id stays a placeholder), deploys the Worker (cron + `custom_domain` from
+`wrangler.toml`), sets the `GEMINI_API_KEY` + `RUN_TOKEN` **Worker secrets** from GitHub secrets, seeds
+the first run, and verifies. So the only setup is **adding those two GitHub secrets**. (Local instead:
+`pnpm exec wrangler deploy --env prod`.)
+
+`wrangler.toml` carries the cron + KV binding + the per-env `custom_domain` route; no Terraform.
 
 ```toml
 [triggers]

package/assets/skills/provider-github/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: provider-github
-description: How GitHub works in a Greenlight setup — secrets sync target (Actions secrets/environments), the repo/branch/protection Terraform module, the develop→main flow, and OIDC-over-PAT preference. Use when syncing tokens, wiring branch protection/environments, or debugging gh/secrets/CI auth.
+description: How GitHub works in a Greenlight setup — the single secret store (Actions secrets/environments), the repo/branch/protection Terraform module, the develop→main flow, and OIDC-over-PAT preference. Use when setting tokens, wiring branch protection/environments, or debugging gh/secrets/CI auth.
 ---
 
 # provider-github
@@ -32,11 +32,12 @@ pushes each to the right repo; see docs/provider-tokens.md):
 Provider creds (OCI/Cloudflare/…) live **only in the wrapper**; the tool repo holds just the
 dispatch PAT (its build pushes to GHCR with the built-in `github.token`).
 
-## Secrets sync
+## Setting secrets
 
-`greenlight secrets sync [--repo o/r] [--env <env>]` pushes `.greenlight/secrets.env` to the
-repo's Actions secrets via `gh` (values piped on stdin — never in argv or logs). Run
-`gh auth login` first. This is the "init writes to provider stores" piece.
+GitHub Actions secrets are the **single** secret store — Greenlight keeps no local secret file.
+`greenlight secrets gather <tool> [--repo o/r] [--env <env>]` prompts the tool's tokens (and the
+always-on base tokens) with hidden input and pipes them straight to `gh secret set` (never on
+disk, never in argv or logs). Run `gh auth login` first. `gh secret set` is the manual alternative.
 
 ## Terraform module — `infra/modules/repo`
 

package/assets/skills/provider-supabase/SKILL.md

@@ -12,7 +12,8 @@ name/region are replace-forcing, so the module sets `ignore_changes` to protect
 
 ## Token — `SUPABASE_ACCESS_TOKEN`
 
-Dashboard → Account → Access Tokens (Management API). Store in `.greenlight/secrets.env`;
+Dashboard → Account → Access Tokens (Management API). Push it straight to GitHub Actions with
+`greenlight secrets gather` (or `gh secret set`) — Greenlight keeps no local secret file.
 `greenlight add` verifies it against `/v1/projects` (HTTP 200). The DB password
 (`TF_VAR_supabase_database_password`) is only used if the project is recreated — ignored on
 import, so `import-placeholder` is fine for an existing project.

package/assets/skills/provider-vercel/SKILL.md

@@ -13,7 +13,8 @@ build). The wrapper owns infra; the tool repo owns deploys.
 ## Token — `VERCEL_API_TOKEN`
 
 Account → Settings → Tokens. **Scope it to the team** that owns the project. The Terraform
-`vercel` provider also takes `team` (the `team_…` id). Store in `.greenlight/secrets.env`;
+`vercel` provider also takes `team` (the `team_…` id). Push it straight to GitHub Actions with
+`greenlight secrets gather` (or `gh secret set`) — Greenlight keeps no local secret file.
 `greenlight add` verifies it against `/v2/user` (HTTP 200) before commit.
 
 ## Terraform module — `infra/modules/vercel`

package/dist/bin.js

@@ -18,6 +18,95 @@ import "./chunk-QFKE5JKC.js";
 import { cpSync as cpSync2, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, renameSync, writeFileSync as writeFileSync2 } from "fs";
 import { join, resolve as resolve5 } from "path";
 
+// src/agent-deploy.ts
+function emitAgentDeployWorkflow(name, domain) {
+  return `name: deploy-${name}
+
+# Agent "${name}" \u2014 a cron-triggered Cloudflare Worker (Gemini-backed). Emitted by \`greenlight add\`.
+# On a push to main touching tools/${name}, or manually: deploys the Worker, sets its secrets from
+# GitHub secrets, seeds the first run, and verifies. Creds-guarded (skips if the secrets are absent).
+on:
+  push:
+    branches: [main]
+    paths: ['tools/${name}/**']
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-${name}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jdx/mise-action@v2
+      - run: pnpm install --frozen-lockfile
+
+      - name: Check creds
+        id: creds
+        env:
+          CF: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+          GK: \${{ secrets.GEMINI_API_KEY }}
+        run: |
+          if [ -n "$CF" ] && [ -n "$GK" ]; then echo "have=1" >> "$GITHUB_OUTPUT"; else echo "have=0" >> "$GITHUB_OUTPUT"; fi
+
+      - name: Deploy + Worker secrets + seed
+        if: steps.creds.outputs.have == '1'
+        env:
+          CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+          GEMINI_API_KEY: \${{ secrets.GEMINI_API_KEY }}
+          RUN_TOKEN: \${{ secrets.RUN_TOKEN }}
+        run: |
+          cd tools/${name}
+          # KV namespace as code: find-or-create the STATE namespace (idempotent), then inject its id
+          # into wrangler.toml for this deploy. The id is non-secret + derived, so the repo keeps the
+          # REPLACE_WITH_KV_NAMESPACE_ID placeholder \u2014 no manual create, no hardcoded id.
+          ID=$(pnpm exec wrangler kv namespace list 2>/dev/null | jq -r '.[] | select(.title | test("${name}.*STATE")) | .id' | head -1)
+          if [ -z "$ID" ] || [ "$ID" = "null" ]; then
+            pnpm exec wrangler kv namespace create STATE || true
+            ID=$(pnpm exec wrangler kv namespace list 2>/dev/null | jq -r '.[] | select(.title | test("${name}.*STATE")) | .id' | head -1)
+          fi
+          if [ -z "$ID" ] || [ "$ID" = "null" ]; then echo "::error::could not resolve the STATE KV namespace id (token needs Workers KV Storage:Edit?)"; exit 1; fi
+          sed -i "s/REPLACE_WITH_KV_NAMESPACE_ID/$ID/g" wrangler.toml
+          pnpm exec wrangler deploy --env prod
+          printf '%s' "$GEMINI_API_KEY" | pnpm exec wrangler secret put GEMINI_API_KEY --env prod
+          printf '%s' "$RUN_TOKEN" | pnpm exec wrangler secret put RUN_TOKEN --env prod
+          cd ../..
+          # Seed the first run (the cron is daily). Retry while the custom domain propagates.
+          for i in $(seq 1 8); do
+            if curl -fsS -XPOST "https://${name}.${domain}/run" -H "Authorization: Bearer $RUN_TOKEN" >/dev/null; then
+              echo "seeded"; break
+            fi
+            echo "seed attempt $i: not ready, retrying in 10s"; sleep 10
+          done
+
+      - name: Verify
+        if: steps.creds.outputs.have == '1'
+        run: pnpm exec greenlight verify ${name} --env prod
+
+      - name: Skip notice
+        if: steps.creds.outputs.have != '1'
+        run: echo "Missing CLOUDFLARE_API_TOKEN or GEMINI_API_KEY \u2014 ${name} deploy skipped."
+`;
+}
+async function resolveCloudflareAccountId(domain, token) {
+  try {
+    const res = await fetch(
+      `https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(domain)}`,
+      { headers: { Authorization: `Bearer ${token}` } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.result?.[0]?.account?.id ?? null;
+  } catch {
+    return null;
+  }
+}
+
 // src/asset-paths.ts
 import { existsSync } from "fs";
 import { dirname, resolve } from "path";
@@ -501,7 +590,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.3.0";
+var MODULE_REF = "v0.4.0";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -826,115 +915,11 @@ function providersForTool(tool) {
   return out;
 }
 
-// src/commands/agent.ts
-import { cpSync, existsSync as existsSync3, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { resolve as resolve3 } from "path";
-
-// src/agent-kit.ts
-function recommendedMcp(tool) {
-  return mcpForTool(tool);
-}
-function mergeMcpServers(existing, add) {
-  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
-  for (const [name, val] of Object.entries(add)) {
-    if (out.mcpServers[name]) continue;
-    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
-  }
-  return out;
-}
-
-// src/commands/agent.ts
-var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
-
-This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
-tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
-branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
-push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
-Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
-pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
-
-Agentic kit:
-- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
-- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
-    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
-- Best-practice skills (one-time, user scope):
-    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
-`;
-function materializeAgentKit(dir, tool) {
-  const src = skillAssetDir();
-  if (!existsSync3(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve3(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync(dest, { recursive: true });
-  cpSync(src, dest, { recursive: true });
-  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
-  for (const pack of packsForTool(tool)) {
-    if (!pack.skill) continue;
-    const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync3(skillSrc)) continue;
-    const skillDest = resolve3(dir, ".claude/skills", pack.skill);
-    mkdirSync(skillDest, { recursive: true });
-    cpSync(skillSrc, skillDest, { recursive: true });
-    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
-  }
-  const mcpPath = resolve3(dir, ".mcp.json");
-  const existingMcp = existsSync3(mcpPath) ? JSON.parse(readFileSync(mcpPath, "utf8")) : null;
-  const servers = recommendedMcp(tool);
-  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
-`);
-  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve3(dir, "CLAUDE.md");
-  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync3(claudePath) ? readFileSync(claudePath, "utf8") : "";
-  if (existing.includes(marker)) {
-    console.log("\xB7 CLAUDE.md already has the loop block");
-  } else {
-    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
-
-${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
-    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
-  }
-}
-async function agentCommand(args) {
-  if (args[0] !== "sync") {
-    console.log(
-      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
-  if (name) {
-    const { config } = await loadManifest();
-    const entry = resolveEntry(config, name);
-    const dir = resolve3(process.cwd(), entry.dir ?? ".");
-    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
-    console.log(
-      `
-Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
-    );
-    return;
-  }
-  materializeAgentKit(process.cwd());
-  console.log(
-    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
-  );
-}
-
 // src/commands/secrets.ts
 import { execFileSync } from "child_process";
-import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve4 } from "path";
+import { existsSync as existsSync3, readFileSync } from "fs";
+import { resolve as resolve3 } from "path";
 import { createInterface } from "readline";
-function parseSecretsEnv(text) {
-  const out = [];
-  for (const raw of text.split("\n")) {
-    const line = raw.trim();
-    if (line === "" || line.startsWith("#")) continue;
-    const eq = line.indexOf("=");
-    if (eq <= 0) continue;
-    out.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1) });
-  }
-  return out;
-}
 function parseOciConfig(text) {
   const out = {};
   for (const raw of text.split("\n")) {
@@ -948,7 +933,7 @@ function parseOciConfig(text) {
   return out;
 }
 function ociPrefill(configPath, keyPath) {
-  const cfg = parseOciConfig(readFileSync2(configPath, "utf8"));
+  const cfg = parseOciConfig(readFileSync(configPath, "utf8"));
   const map = /* @__PURE__ */ new Map();
   const set = (k, v) => {
     if (v) map.set(k, v);
@@ -958,8 +943,8 @@ function ociPrefill(configPath, keyPath) {
   set("TF_VAR_OCI_TENANCY_OCID", cfg.tenancy);
   set("TF_VAR_OCI_REGION", cfg.region);
   const pem = keyPath ?? cfg.key_file;
-  if (pem && existsSync4(pem)) {
-    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync2(pem, "utf8"));
+  if (pem && existsSync3(pem)) {
+    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync(pem, "utf8"));
   } else if (pem) {
     console.log(`   ! PEM not found at ${pem} \u2014 set TF_VAR_OCI_PRIVATE_KEY manually (--oci-key)`);
   }
@@ -986,49 +971,17 @@ function detectRepo(cwd) {
     return null;
   }
 }
-function syncSecrets(opts) {
-  const repo = opts.repo ?? detectRepo(opts.cwd);
-  if (!repo) {
-    throw new Error(
-      "could not determine the repo \u2014 pass --repo owner/repo (no github.com origin remote)"
-    );
-  }
-  const path = resolve4(opts.cwd, ".greenlight/secrets.env");
-  if (!existsSync4(path)) {
-    throw new Error("no .greenlight/secrets.env \u2014 run `greenlight init` with tokens first");
-  }
-  const entries = parseSecretsEnv(readFileSync2(path, "utf8"));
-  const target = opts.env ? `env "${opts.env}"` : "repo";
-  for (const { key, value } of entries) {
-    const ghArgs = ["secret", "set", key, "--repo", repo];
-    if (opts.env) ghArgs.push("--env", opts.env);
-    try {
-      execFileSync("gh", ghArgs, { input: value });
-    } catch (e) {
-      const err = e;
-      if (err.code === "ENOENT") {
-        throw new Error("the GitHub CLI `gh` is required \u2014 install it and run `gh auth login`");
-      }
-      const detail = err.stderr?.toString().trim();
-      throw new Error(
-        `failed to set ${key}${detail ? `: ${detail}` : " (check `gh auth status`)"}`
-      );
-    }
-    console.log(`\u2714 set ${key} \u2192 ${repo} ${target}`);
-  }
-  return { repo, count: entries.length };
-}
 function hiddenPrompter() {
   const tty = Boolean(process.stdin.isTTY);
   const rl = createInterface({ input: process.stdin, output: process.stdout, terminal: tty });
   if (tty) rl._writeToOutput = () => {
   };
   return {
-    ask: (query) => new Promise((resolve11) => {
+    ask: (query) => new Promise((resolve10) => {
       process.stdout.write(query);
       rl.question("", (val) => {
         process.stdout.write("\n");
-        resolve11(val.trim());
+        resolve10(val.trim());
       });
     }),
     close: () => rl.close()
@@ -1138,28 +1091,168 @@ async function secretsCommand(args) {
     if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
     const ociConfig2 = flag(args, "--oci-config");
     const ociKey = flag(args, "--oci-key");
-    const prefill = ociConfig2 ? ociPrefill(resolve4(process.cwd(), ociConfig2), ociKey && resolve4(process.cwd(), ociKey)) : void 0;
+    const prefill = ociConfig2 ? ociPrefill(resolve3(process.cwd(), ociConfig2), ociKey && resolve3(process.cwd(), ociKey)) : void 0;
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
-  if (sub !== "sync") {
+  console.log(
+    "usage:\n  greenlight secrets gather <name> [--repo owner/repo] [--env <env>]   # guided, link-first, straight to GitHub (no disk/logs)\n    [--oci-config <path>] [--oci-key <path>]                           # auto-fill OCI auth from the API-key config preview + .pem"
+  );
+  process.exit(sub ? 1 : 0);
+}
+
+// src/tokens.ts
+function presentEnv() {
+  const out = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0) out[k] = v;
+  }
+  return out;
+}
+async function ensureTokensForTool(repo, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const env = presentEnv();
+  const already = listGitHubSecrets(repo, opts.env);
+  const results = [];
+  const prompt = process.stdin.isTTY ? hiddenPrompter() : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      const key = secretKeyFor(spec, "", void 0);
+      if (key === "GITHUB_TOKEN") {
+        results.push({ envVar: spec.envVar, outcome: "skipped" });
+        continue;
+      }
+      if (env[spec.envVar] || already?.has(key)) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+        continue;
+      }
+      if (!prompt) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      console.log(`
+${key} \u2014 ${spec.label}`);
+      if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+      const entered = await prompt.ask(
+        `  value${spec.optional ? " (optional, Enter to skip)" : ""}: `
+      );
+      if (!entered) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      env[spec.envVar] = entered;
+      let check;
+      if (doVerify && spec.verify) {
+        try {
+          check = await spec.verify(entered, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${key} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+      setGitHubSecret(repo, opts.env, key, entered);
+      results.push({ envVar: spec.envVar, outcome: "entered", verify: check });
+    }
+  } finally {
+    prompt?.close();
+  }
+  return results;
+}
+
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { resolve as resolve4 } from "path";
+
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
+  }
+  return out;
+}
+
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+
+This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
+tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
+branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
+push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
+Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
+pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
+
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync4(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve4(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync4(skillSrc)) continue;
+    const skillDest = resolve4(dir, ".claude/skills", pack.skill);
+    mkdirSync(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve4(dir, ".mcp.json");
+  const existingMcp = existsSync4(mcpPath) ? JSON.parse(readFileSync2(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve4(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync4(claudePath) ? readFileSync2(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
+
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
     console.log(
-      "usage:\n  greenlight secrets sync [--repo owner/repo] [--env <env>]            # push .greenlight/secrets.env\n  greenlight secrets gather <name> [--repo owner/repo] [--env <env>]   # guided, link-first, straight to GitHub (no disk/logs)\n    [--oci-config <path>] [--oci-key <path>]                           # auto-fill OCI auth from the API-key config preview + .pem"
+      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
     );
-    process.exit(sub ? 1 : 0);
+    process.exit(args[0] ? 1 : 0);
   }
-  const { count } = syncSecrets({
-    cwd: process.cwd(),
-    repo: flag(args, "--repo"),
-    env: flag(args, "--env")
-  });
-  if (count === 0) {
-    console.log("no secrets to sync");
+  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+  if (name) {
+    const { config } = await loadManifest();
+    const entry = resolveEntry(config, name);
+    const dir = resolve4(process.cwd(), entry.dir ?? ".");
+    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
+    console.log(
+      `
+Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
+    );
     return;
   }
+  materializeAgentKit(process.cwd());
   console.log(
-    `
-${count} secret(s) synced. (Prefer GitHub OIDC over long-lived tokens where supported.)`
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
   );
 }
 
@@ -1242,7 +1335,19 @@ async function addCommand(args) {
     if (existsSync5(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
     const wranglerPath = join(dest, "wrangler.toml");
     if (existsSync5(wranglerPath)) {
-      const wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
+      let wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
+      if (wt.includes("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID")) {
+        const token = presentEnv().CLOUDFLARE_API_TOKEN;
+        const acct = token ? await resolveCloudflareAccountId(config.domain, token) : null;
+        if (acct) {
+          wt = wt.replaceAll("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID", acct);
+          console.log("\u2714 resolved the Cloudflare account id into wrangler.toml");
+        } else {
+          console.log(
+            "\xB7 could not resolve the Cloudflare account id \u2014 set account_id in wrangler.toml"
+          );
+        }
+      }
       writeFileSync2(wranglerPath, wt);
     }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
@@ -1283,6 +1388,17 @@ async function addCommand(args) {
     );
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
   }
+  if (lane === "agent") {
+    const wfDir = resolve5(cwd, ".github/workflows");
+    const wfPath = join(wfDir, `deploy-${name}.yml`);
+    if (existsSync5(wfPath)) {
+      console.log(`\xB7 .github/workflows/deploy-${name}.yml exists \u2014 left as-is`);
+    } else {
+      mkdirSync2(wfDir, { recursive: true });
+      writeFileSync2(wfPath, emitAgentDeployWorkflow(name, config.domain));
+      console.log(`\u2714 wrote .github/workflows/deploy-${name}.yml`);
+    }
+  }
   materializeAgentKit(cwd, toolInfo);
   const repo = flag2(args, "--repo") ?? detectRepo(cwd) ?? "";
   const gather = !args.includes("--no-tokens") && process.stdin.isTTY && repo !== "";
@@ -2375,92 +2491,9 @@ ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync9, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
-import { resolve as resolve8 } from "path";
-import { createInterface as createInterface3 } from "readline/promises";
-
-// src/tokens.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync4, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync8, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
 import { resolve as resolve7 } from "path";
 import { createInterface as createInterface2 } from "readline/promises";
-var SECRETS_DIR = ".greenlight";
-var SECRETS_FILE = "secrets.env";
-function presentEnv(cwd) {
-  const out = {};
-  const p = resolve7(cwd, SECRETS_DIR, SECRETS_FILE);
-  if (existsSync8(p)) {
-    for (const { key, value } of parseSecretsEnv(readFileSync6(p, "utf8"))) out[key] = value;
-  }
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0 && !(k in out)) out[k] = v;
-  }
-  return out;
-}
-function upsertSecret(cwd, key, value) {
-  const dir = resolve7(cwd, SECRETS_DIR);
-  mkdirSync4(dir, { recursive: true });
-  const p = resolve7(dir, SECRETS_FILE);
-  const lines = existsSync8(p) ? readFileSync6(p, "utf8").split("\n") : [];
-  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
-  if (idx >= 0) lines[idx] = `${key}=${value}`;
-  else {
-    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
-    lines.push(`${key}=${value}`);
-  }
-  writeFileSync4(p, `${lines.join("\n").replace(/\n*$/, "")}
-`, { mode: 384 });
-}
-async function ensureTokensForTool(cwd, tool, opts = {}) {
-  const doVerify = opts.verify !== false;
-  const interactive = Boolean(process.stdin.isTTY);
-  const env = presentEnv(cwd);
-  const results = [];
-  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
-  try {
-    for (const spec of tokensForTool(tool)) {
-      let value = env[spec.envVar];
-      if (value) {
-        results.push({ envVar: spec.envVar, outcome: "present" });
-      } else if (rl) {
-        console.log(`
-${spec.envVar} \u2014 ${spec.label}`);
-        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
-        if (!entered) {
-          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-          continue;
-        }
-        upsertSecret(cwd, spec.envVar, entered);
-        env[spec.envVar] = entered;
-        value = entered;
-        results.push({ envVar: spec.envVar, outcome: "entered" });
-      } else {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      if (value && doVerify && spec.verify) {
-        let check;
-        try {
-          check = await spec.verify(value, env);
-        } catch (e) {
-          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
-        }
-        const last = results[results.length - 1];
-        if (last) last.verify = check;
-        if (!check.ok && !spec.optional) {
-          throw new Error(
-            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
-          );
-        }
-      }
-    }
-  } finally {
-    rl?.close();
-  }
-  return results;
-}
-
-// src/commands/init.ts
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;
@@ -2482,7 +2515,7 @@ function wrapperPackageJson(name) {
 }
 var WRAPPER_GITIGNORE = `# Greenlight wrapper
 node_modules/
-.greenlight/        # gathered tokens \u2014 never committed
+.greenlight/        # local scratch \u2014 never committed (tokens live in GitHub Actions)
 .terraform/
 *.tfplan
 tf.plan
@@ -2544,12 +2577,12 @@ jobs:
 `;
 }
 function scaffoldIfAbsent(path, contents, label) {
-  if (existsSync9(path)) {
+  if (existsSync8(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync5(resolve8(path, ".."), { recursive: true });
-  writeFileSync5(path, contents);
+  mkdirSync4(resolve7(path, ".."), { recursive: true });
+  writeFileSync4(path, contents);
   console.log(`\u2714 wrote ${label}`);
 }
 var TOKEN_FLAGS = {
@@ -2564,70 +2597,74 @@ async function initCommand(args) {
   let domain = flag5(args, "--domain");
   if (!domain) {
     if (!process.stdin.isTTY) throw new Error("init needs --domain <domain> (no TTY for prompts)");
-    const rl = createInterface3({ input: process.stdin, output: process.stdout });
+    const rl = createInterface2({ input: process.stdin, output: process.stdout });
     domain = (await rl.question("Domain (e.g. example.dev): ")).trim();
     rl.close();
   }
   if (!domain) throw new Error("a domain is required");
   const cwd = process.cwd();
-  const configPath = resolve8(cwd, "greenlight.config.ts");
-  if (existsSync9(configPath) && !force) {
+  const configPath = resolve7(cwd, "greenlight.config.ts");
+  if (existsSync8(configPath) && !force) {
     throw new Error("greenlight.config.ts already exists \u2014 pass --force to overwrite");
   }
-  writeFileSync5(configPath, scaffoldConfig(domain));
+  writeFileSync4(configPath, scaffoldConfig(domain));
   console.log(`\u2714 wrote greenlight.config.ts (domain: ${domain})`);
   const repoName = domain.replace(/\./g, "-");
   scaffoldIfAbsent(
-    resolve8(cwd, ".github/workflows/infra.yml"),
+    resolve7(cwd, ".github/workflows/infra.yml"),
     wrapperInfraYml(),
     ".github/workflows/infra.yml (HCP-backed terraform apply on push)"
   );
-  scaffoldIfAbsent(resolve8(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
-  scaffoldIfAbsent(resolve8(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
-  scaffoldIfAbsent(resolve8(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
-  scaffoldIfAbsent(resolve8(cwd, ".node-version"), "24\n", ".node-version");
-  const secrets = [];
-  for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
-    const v = flag5(args, f);
-    if (v) secrets.push(`${key}=${v}`);
-  }
-  if (secrets.length > 0) {
-    mkdirSync5(resolve8(cwd, ".greenlight"), { recursive: true });
-    writeFileSync5(resolve8(cwd, ".greenlight/secrets.env"), `${secrets.join("\n")}
-`, {
-      mode: 384
-    });
-    console.log(`\u2714 wrote .greenlight/secrets.env (${secrets.length} token(s), gitignored)`);
-  }
-  if (process.stdin.isTTY && !args.includes("--no-tokens")) {
-    try {
-      await ensureTokensForTool(cwd, {}, { verify: !args.includes("--no-verify") });
-    } catch (e) {
-      console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+  scaffoldIfAbsent(resolve7(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
+  scaffoldIfAbsent(resolve7(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
+  scaffoldIfAbsent(resolve7(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
+  scaffoldIfAbsent(resolve7(cwd, ".node-version"), "24\n", ".node-version");
+  const repo = flag5(args, "--repo") ?? detectRepo(cwd);
+  let pushed = 0;
+  if (repo && !args.includes("--no-push")) {
+    for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
+      const v = flag5(args, f);
+      if (!v || key.startsWith("GITHUB_")) continue;
+      try {
+        setGitHubSecret(repo, void 0, key, v);
+        console.log(`\u2714 set ${key} \u2192 ${repo} (GitHub Actions)`);
+        pushed++;
+      } catch (e) {
+        console.log(`! could not set ${key}: ${e instanceof Error ? e.message : String(e)}`);
+      }
     }
   }
-  let pushed = false;
-  if (existsSync9(resolve8(cwd, ".greenlight/secrets.env")) && !args.includes("--no-push")) {
-    try {
-      const { repo, count } = syncSecrets({ cwd, repo: flag5(args, "--repo") });
-      console.log(`\u2714 pushed ${count} secret(s) to ${repo} (GitHub Actions)`);
-      pushed = true;
-    } catch (e) {
-      console.log(`! skipped pushing secrets: ${e instanceof Error ? e.message : String(e)}`);
-      console.log("  run `greenlight secrets sync` once `gh` is authenticated.");
+  if (process.stdin.isTTY && !args.includes("--no-tokens")) {
+    if (repo) {
+      try {
+        const results = await ensureTokensForTool(
+          repo,
+          {},
+          {
+            verify: !args.includes("--no-verify")
+          }
+        );
+        pushed += results.filter((r) => r.outcome === "entered").length;
+      } catch (e) {
+        console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+      }
+    } else {
+      console.log(
+        "\n\xB7 no GitHub repo detected yet \u2014 create it + `gh auth login`, then set the base secrets\n  (CLOUDFLARE_API_TOKEN, TF_API_TOKEN) via `greenlight add <tool>` (prompts them) or `gh secret set`."
+      );
     }
   }
   console.log(`
 Next:
   1. greenlight add <name> --lane <lane> --target <target>   # scaffold a tool, emit infra, and
-                                                             # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (run `greenlight secrets sync` if base tokens were not pushed)"}
+                                                             # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (it also prompts the base tokens if they are not set yet)"}
   2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state.md
   3. commit + push \u2192 CI (.github/workflows/infra.yml) runs \`terraform apply\`
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 
 // src/commands/migrations.ts
-import { existsSync as existsSync10, readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
+import { existsSync as existsSync9, readFileSync as readFileSync6, readdirSync as readdirSync3 } from "fs";
 import { join as join5 } from "path";
 var DEFAULT_DIR = "supabase/migrations";
 var CANDIDATE_DIRS = [
@@ -2639,7 +2676,7 @@ var CANDIDATE_DIRS = [
 ];
 function resolveMigrationsDir(explicit, root = process.cwd()) {
   if (explicit) return explicit;
-  return CANDIDATE_DIRS.find((d) => existsSync10(join5(root, d))) ?? DEFAULT_DIR;
+  return CANDIDATE_DIRS.find((d) => existsSync9(join5(root, d))) ?? DEFAULT_DIR;
 }
 async function migrationsCommand(args) {
   if (args[0] !== "scan") {
@@ -2665,7 +2702,7 @@ async function migrationsCommand(args) {
   }
   const files = names.map((f) => ({
     path: join5(dir, f),
-    content: readFileSync7(join5(dir, f), "utf8")
+    content: readFileSync6(join5(dir, f), "utf8")
   }));
   const findings = scanSqlFiles(files);
   if (findings.length === 0) {
@@ -2690,12 +2727,12 @@ ${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn).
 
 // src/commands/preview.ts
 import { execFileSync as execFileSync5, spawn } from "child_process";
-import { resolve as resolve10 } from "path";
+import { resolve as resolve9 } from "path";
 import { setTimeout as sleep } from "timers/promises";
 
 // src/commands/verify.ts
 import { spawnSync } from "child_process";
-import { resolve as resolve9 } from "path";
+import { resolve as resolve8 } from "path";
 function defaultSpec(lane) {
   switch (lane) {
     case "astro":
@@ -2823,7 +2860,7 @@ ${pass2 ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports2.length} specs)`);
   if (reachableTimeoutMs > 0) {
     console.log(`waiting up to ${reachableTimeoutMs / 1e3}s for ${url} to become reachable\u2026`);
   }
-  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve8(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { reachableTimeoutMs, toolDir });
   attachFailureLogs(reports, specs, toolDir);
   for (const report of reports) printReport(report);
@@ -2867,7 +2904,7 @@ async function verifyLocal(entry, url) {
   process.env.GREENLIGHT_PREVIEW = "1";
   process.env.GREENLIGHT_VERIFY_URL = url;
   const specs = await loadSpecs(entry);
-  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { toolDir });
   for (const report of reports) printReport(report);
   return allPass(reports);
@@ -2878,7 +2915,7 @@ async function previewViaDescriptor(entry, name, portOverride) {
   const port = portOverride ?? pv.port ?? entry.port ?? lane.port;
   const path = pv.path ?? lane.path;
   const url = `http://localhost:${port}${path}`;
-  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   console.log(`preview ${name}: ${pv.command}  (\u2192 ${url})`);
   const child = spawn(pv.command, {
     cwd: toolDir,
@@ -3191,7 +3228,6 @@ var HELP = `greenlight <command>
   promote <name> [--perform] [--push]           gated develop -> main fast-forward
   status <name>                                 last ship/deploy/verify run for a tool (via gh)
   secrets gather <name> [--repo o/r] [--env e]  guided, link-first token prompts -> GitHub secrets (no disk/logs)
-  secrets sync [--repo o/r] [--env <env>]       push .greenlight/secrets.env -> GitHub Actions secrets
   agent sync [<name>]                           write the loop kit (named \u2192 tool-aware, into its dir)
   adopt <name> --repo <path> --lane --target    onboard an existing tool repo as a thin consumer
   migrations scan [<dir>] [--strict]            dangerous-SQL gate for migrations (pre-apply)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.3.0",
-    "@rtrentjones/greenlight-loop": "0.3.0",
-    "@rtrentjones/greenlight-verify": "0.3.0",
-    "@rtrentjones/greenlight-shared": "0.3.0"
+    "@rtrentjones/greenlight-loop": "0.4.0",
+    "@rtrentjones/greenlight-adapters": "0.4.0",
+    "@rtrentjones/greenlight-verify": "0.4.0",
+    "@rtrentjones/greenlight-shared": "0.4.0"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",

package/templates/_template-agent/wrangler.toml

@@ -1,9 +1,11 @@
-# Agent Worker. `greenlight add` rewrites `name` (agent-tool → your tool) + the route domain
-# (example.dev → your domain). You still set the KV namespace id (create it once with
-# `wrangler kv namespace create STATE`) and the secrets:
-#   wrangler secret put GEMINI_API_KEY --env prod   (Google AI Studio key — free tier)
-#   wrangler secret put RUN_TOKEN --env prod         (any random string; bearer for POST /run)
+# Agent Worker. `greenlight add` rewrites `name` + the route domain + the account_id, and emits a
+# .github/workflows/deploy-<name>.yml that (on push to main) creates the KV namespace, deploys, sets
+# the GEMINI_API_KEY + RUN_TOKEN Worker secrets from GitHub secrets, seeds, and verifies. So you only
+# add those two GitHub secrets — no manual wrangler.
 name = "agent-tool"
+# Non-secret account id (committed config). `greenlight add` resolves + fills this from your domain's
+# zone; without it wrangler calls /memberships, which a scoped API token can't do.
+account_id = "REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID"
 main = "src/index.ts"
 compatibility_date = "2025-06-01"