npm - @rtrentjones/greenlight - Versions diffs - 0.3.1 → 0.4.0 - Mend

@rtrentjones/greenlight 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/assets/skills/provider-cloudflare/SKILL.md +4 -3
package/assets/skills/provider-github/SKILL.md +6 -5
package/assets/skills/provider-supabase/SKILL.md +2 -1
package/assets/skills/provider-vercel/SKILL.md +2 -1
package/dist/bin.js +167 -243
package/package.json +5 -5

package/assets/skills/provider-cloudflare/SKILL.md CHANGED Viewed

@@ -19,9 +19,10 @@ One token, these scopes (a missing scope took down a live apply more than once):
 - **Account · Cloudflare Tunnel · Edit** — only if a tool uses `target: oci` (the cloudflared
   tunnel). Without it, the tunnel resource fails with **403 Forbidden** on `cfd_tunnel` at apply.
-Create at dash → My Profile → API Tokens → Custom Token. Store in `.greenlight/secrets.env`
-(gitignored) and push to GitHub Actions with `greenlight secrets sync`. `greenlight add`
-verifies it against `/user/tokens/verify` (status must be `active`) before you commit.
+Create at dash → My Profile → API Tokens → Custom Token. Push it straight to GitHub Actions
+with `greenlight secrets gather` (or `gh secret set CLOUDFLARE_API_TOKEN`) — Greenlight keeps
+no local secret file. `greenlight add` verifies it against `/user/tokens/verify` (status must
+be `active`) before you commit.
 ## Terraform modules

package/assets/skills/provider-github/SKILL.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: provider-github
-description: How GitHub works in a Greenlight setup — secrets sync target (Actions secrets/environments), the repo/branch/protection Terraform module, the develop→main flow, and OIDC-over-PAT preference. Use when syncing tokens, wiring branch protection/environments, or debugging gh/secrets/CI auth.
+description: How GitHub works in a Greenlight setup — the single secret store (Actions secrets/environments), the repo/branch/protection Terraform module, the develop→main flow, and OIDC-over-PAT preference. Use when setting tokens, wiring branch protection/environments, or debugging gh/secrets/CI auth.
 ---
 # provider-github
@@ -32,11 +32,12 @@ pushes each to the right repo; see docs/provider-tokens.md):
 Provider creds (OCI/Cloudflare/…) live **only in the wrapper**; the tool repo holds just the
 dispatch PAT (its build pushes to GHCR with the built-in `github.token`).
-## Secrets sync
+## Setting secrets
-`greenlight secrets sync [--repo o/r] [--env <env>]` pushes `.greenlight/secrets.env` to the
-repo's Actions secrets via `gh` (values piped on stdin — never in argv or logs). Run
-`gh auth login` first. This is the "init writes to provider stores" piece.
+GitHub Actions secrets are the **single** secret store — Greenlight keeps no local secret file.
+`greenlight secrets gather <tool> [--repo o/r] [--env <env>]` prompts the tool's tokens (and the
+always-on base tokens) with hidden input and pipes them straight to `gh secret set` (never on
+disk, never in argv or logs). Run `gh auth login` first. `gh secret set` is the manual alternative.
 ## Terraform module — `infra/modules/repo`

package/assets/skills/provider-supabase/SKILL.md CHANGED Viewed

@@ -12,7 +12,8 @@ name/region are replace-forcing, so the module sets `ignore_changes` to protect
 ## Token — `SUPABASE_ACCESS_TOKEN`
-Dashboard → Account → Access Tokens (Management API). Store in `.greenlight/secrets.env`;
+Dashboard → Account → Access Tokens (Management API). Push it straight to GitHub Actions with
+`greenlight secrets gather` (or `gh secret set`) — Greenlight keeps no local secret file.
 `greenlight add` verifies it against `/v1/projects` (HTTP 200). The DB password
 (`TF_VAR_supabase_database_password`) is only used if the project is recreated — ignored on
 import, so `import-placeholder` is fine for an existing project.

package/assets/skills/provider-vercel/SKILL.md CHANGED Viewed

@@ -13,7 +13,8 @@ build). The wrapper owns infra; the tool repo owns deploys.
 ## Token — `VERCEL_API_TOKEN`
 Account → Settings → Tokens. **Scope it to the team** that owns the project. The Terraform
-`vercel` provider also takes `team` (the `team_…` id). Store in `.greenlight/secrets.env`;
+`vercel` provider also takes `team` (the `team_…` id). Push it straight to GitHub Actions with
+`greenlight secrets gather` (or `gh secret set`) — Greenlight keeps no local secret file.
 `greenlight add` verifies it against `/v2/user` (HTTP 200) before commit.
 ## Terraform module — `infra/modules/vercel`

package/dist/bin.js CHANGED Viewed

@@ -15,8 +15,8 @@ import "./chunk-XWTOJHLV.js";
 import "./chunk-QFKE5JKC.js";
 // src/commands/add.ts
-import { cpSync as cpSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, renameSync, writeFileSync as writeFileSync3 } from "fs";
-import { join, resolve as resolve6 } from "path";
+import { cpSync as cpSync2, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, renameSync, writeFileSync as writeFileSync2 } from "fs";
+import { join, resolve as resolve5 } from "path";
 // src/agent-deploy.ts
 function emitAgentDeployWorkflow(name, domain) {
@@ -590,7 +590,7 @@ function tokensForTool(tool) {
 }
 // src/version.ts
-var MODULE_REF = "v0.3.1";
+var MODULE_REF = "v0.4.0";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -915,27 +915,11 @@ function providersForTool(tool) {
   return out;
 }
-// src/tokens.ts
-import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { resolve as resolve4 } from "path";
-import { createInterface as createInterface2 } from "readline/promises";
 // src/commands/secrets.ts
 import { execFileSync } from "child_process";
 import { existsSync as existsSync3, readFileSync } from "fs";
 import { resolve as resolve3 } from "path";
 import { createInterface } from "readline";
-function parseSecretsEnv(text) {
-  const out = [];
-  for (const raw of text.split("\n")) {
-    const line = raw.trim();
-    if (line === "" || line.startsWith("#")) continue;
-    const eq = line.indexOf("=");
-    if (eq <= 0) continue;
-    out.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1) });
-  }
-  return out;
-}
 function parseOciConfig(text) {
   const out = {};
   for (const raw of text.split("\n")) {
@@ -987,49 +971,17 @@ function detectRepo(cwd) {
     return null;
   }
 }
-function syncSecrets(opts) {
-  const repo = opts.repo ?? detectRepo(opts.cwd);
-  if (!repo) {
-    throw new Error(
-      "could not determine the repo \u2014 pass --repo owner/repo (no github.com origin remote)"
-    );
-  }
-  const path = resolve3(opts.cwd, ".greenlight/secrets.env");
-  if (!existsSync3(path)) {
-    throw new Error("no .greenlight/secrets.env \u2014 run `greenlight init` with tokens first");
-  }
-  const entries = parseSecretsEnv(readFileSync(path, "utf8"));
-  const target = opts.env ? `env "${opts.env}"` : "repo";
-  for (const { key, value } of entries) {
-    const ghArgs = ["secret", "set", key, "--repo", repo];
-    if (opts.env) ghArgs.push("--env", opts.env);
-    try {
-      execFileSync("gh", ghArgs, { input: value });
-    } catch (e) {
-      const err = e;
-      if (err.code === "ENOENT") {
-        throw new Error("the GitHub CLI `gh` is required \u2014 install it and run `gh auth login`");
-      }
-      const detail = err.stderr?.toString().trim();
-      throw new Error(
-        `failed to set ${key}${detail ? `: ${detail}` : " (check `gh auth status`)"}`
-      );
-    }
-    console.log(`\u2714 set ${key} \u2192 ${repo} ${target}`);
-  }
-  return { repo, count: entries.length };
-}
 function hiddenPrompter() {
   const tty = Boolean(process.stdin.isTTY);
   const rl = createInterface({ input: process.stdin, output: process.stdout, terminal: tty });
   if (tty) rl._writeToOutput = () => {
   };
   return {
-    ask: (query) => new Promise((resolve11) => {
+    ask: (query) => new Promise((resolve10) => {
       process.stdout.write(query);
       rl.question("", (val) => {
         process.stdout.write("\n");
-        resolve11(val.trim());
+        resolve10(val.trim());
       });
     }),
     close: () => rl.close()
@@ -1143,108 +1095,77 @@ async function secretsCommand(args) {
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
-  if (sub !== "sync") {
-    console.log(
-      "usage:\n  greenlight secrets sync [--repo owner/repo] [--env <env>]            # push .greenlight/secrets.env\n  greenlight secrets gather <name> [--repo owner/repo] [--env <env>]   # guided, link-first, straight to GitHub (no disk/logs)\n    [--oci-config <path>] [--oci-key <path>]                           # auto-fill OCI auth from the API-key config preview + .pem"
-    );
-    process.exit(sub ? 1 : 0);
-  }
-  const { count } = syncSecrets({
-    cwd: process.cwd(),
-    repo: flag(args, "--repo"),
-    env: flag(args, "--env")
-  });
-  if (count === 0) {
-    console.log("no secrets to sync");
-    return;
-  }
   console.log(
-    `
-${count} secret(s) synced. (Prefer GitHub OIDC over long-lived tokens where supported.)`
+    "usage:\n  greenlight secrets gather <name> [--repo owner/repo] [--env <env>]   # guided, link-first, straight to GitHub (no disk/logs)\n    [--oci-config <path>] [--oci-key <path>]                           # auto-fill OCI auth from the API-key config preview + .pem"
   );
+  process.exit(sub ? 1 : 0);
 }
 // src/tokens.ts
-var SECRETS_DIR = ".greenlight";
-var SECRETS_FILE = "secrets.env";
-function presentEnv(cwd) {
+function presentEnv() {
   const out = {};
-  const p = resolve4(cwd, SECRETS_DIR, SECRETS_FILE);
-  if (existsSync4(p)) {
-    for (const { key, value } of parseSecretsEnv(readFileSync2(p, "utf8"))) out[key] = value;
-  }
   for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0 && !(k in out)) out[k] = v;
+    if (v !== void 0) out[k] = v;
   }
   return out;
 }
-function upsertSecret(cwd, key, value) {
-  const dir = resolve4(cwd, SECRETS_DIR);
-  mkdirSync(dir, { recursive: true });
-  const p = resolve4(dir, SECRETS_FILE);
-  const lines = existsSync4(p) ? readFileSync2(p, "utf8").split("\n") : [];
-  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
-  if (idx >= 0) lines[idx] = `${key}=${value}`;
-  else {
-    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
-    lines.push(`${key}=${value}`);
-  }
-  writeFileSync(p, `${lines.join("\n").replace(/\n*$/, "")}
-`, { mode: 384 });
-}
-async function ensureTokensForTool(cwd, tool, opts = {}) {
+async function ensureTokensForTool(repo, tool, opts = {}) {
   const doVerify = opts.verify !== false;
-  const interactive = Boolean(process.stdin.isTTY);
-  const env = presentEnv(cwd);
+  const env = presentEnv();
+  const already = listGitHubSecrets(repo, opts.env);
   const results = [];
-  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
+  const prompt = process.stdin.isTTY ? hiddenPrompter() : null;
   try {
     for (const spec of tokensForTool(tool)) {
-      let value = env[spec.envVar];
-      if (value) {
+      const key = secretKeyFor(spec, "", void 0);
+      if (key === "GITHUB_TOKEN") {
+        results.push({ envVar: spec.envVar, outcome: "skipped" });
+        continue;
+      }
+      if (env[spec.envVar] || already?.has(key)) {
         results.push({ envVar: spec.envVar, outcome: "present" });
-      } else if (rl) {
-        console.log(`
-${spec.envVar} \u2014 ${spec.label}`);
-        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
-        if (!entered) {
-          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-          continue;
-        }
-        upsertSecret(cwd, spec.envVar, entered);
-        env[spec.envVar] = entered;
-        value = entered;
-        results.push({ envVar: spec.envVar, outcome: "entered" });
-      } else {
+        continue;
+      }
+      if (!prompt) {
         results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
         continue;
       }
-      if (value && doVerify && spec.verify) {
-        let check;
+      console.log(`
+${key} \u2014 ${spec.label}`);
+      if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+      const entered = await prompt.ask(
+        `  value${spec.optional ? " (optional, Enter to skip)" : ""}: `
+      );
+      if (!entered) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      env[spec.envVar] = entered;
+      let check;
+      if (doVerify && spec.verify) {
         try {
-          check = await spec.verify(value, env);
+          check = await spec.verify(entered, env);
         } catch (e) {
           check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
         }
-        const last = results[results.length - 1];
-        if (last) last.verify = check;
         if (!check.ok && !spec.optional) {
           throw new Error(
-            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+            `${key} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
           );
         }
       }
+      setGitHubSecret(repo, opts.env, key, entered);
+      results.push({ envVar: spec.envVar, outcome: "entered", verify: check });
     }
   } finally {
-    rl?.close();
+    prompt?.close();
   }
   return results;
 }
 // src/commands/agent.ts
-import { cpSync, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve5 } from "path";
+import { cpSync, existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { resolve as resolve4 } from "path";
 // src/agent-kit.ts
 function recommendedMcp(tool) {
@@ -1278,33 +1199,33 @@ Agentic kit:
 `;
 function materializeAgentKit(dir, tool) {
   const src = skillAssetDir();
-  if (!existsSync5(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve5(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync2(dest, { recursive: true });
+  if (!existsSync4(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve4(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync(dest, { recursive: true });
   cpSync(src, dest, { recursive: true });
   console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
   for (const pack of packsForTool(tool)) {
     if (!pack.skill) continue;
     const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync5(skillSrc)) continue;
-    const skillDest = resolve5(dir, ".claude/skills", pack.skill);
-    mkdirSync2(skillDest, { recursive: true });
+    if (!existsSync4(skillSrc)) continue;
+    const skillDest = resolve4(dir, ".claude/skills", pack.skill);
+    mkdirSync(skillDest, { recursive: true });
     cpSync(skillSrc, skillDest, { recursive: true });
     console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
   }
-  const mcpPath = resolve5(dir, ".mcp.json");
-  const existingMcp = existsSync5(mcpPath) ? JSON.parse(readFileSync3(mcpPath, "utf8")) : null;
+  const mcpPath = resolve4(dir, ".mcp.json");
+  const existingMcp = existsSync4(mcpPath) ? JSON.parse(readFileSync2(mcpPath, "utf8")) : null;
   const servers = recommendedMcp(tool);
-  writeFileSync2(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
 `);
   console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve5(dir, "CLAUDE.md");
+  const claudePath = resolve4(dir, "CLAUDE.md");
   const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync5(claudePath) ? readFileSync3(claudePath, "utf8") : "";
+  const existing = existsSync4(claudePath) ? readFileSync2(claudePath, "utf8") : "";
   if (existing.includes(marker)) {
     console.log("\xB7 CLAUDE.md already has the loop block");
   } else {
-    writeFileSync2(claudePath, existing ? `${existing.trimEnd()}
+    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
 ${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
     console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
@@ -1321,7 +1242,7 @@ async function agentCommand(args) {
   if (name) {
     const { config } = await loadManifest();
     const entry = resolveEntry(config, name);
-    const dir = resolve5(process.cwd(), entry.dir ?? ".");
+    const dir = resolve4(process.cwd(), entry.dir ?? ".");
     materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
     console.log(
       `
@@ -1346,25 +1267,25 @@ function templateDir(lane, target) {
 }
 function registerWorkspaceMember(cwd, member) {
   const wsPath = join(cwd, "pnpm-workspace.yaml");
-  if (!existsSync6(wsPath)) {
-    writeFileSync3(wsPath, `packages:
+  if (!existsSync5(wsPath)) {
+    writeFileSync2(wsPath, `packages:
   - "${member}"
 `);
     console.log(`\u2714 created pnpm-workspace.yaml (member ${member})`);
     return;
   }
-  const text = readFileSync4(wsPath, "utf8");
+  const text = readFileSync3(wsPath, "utf8");
   if (text.includes(member) || /^\s*-\s*["']?tools\/\*/m.test(text)) return;
   const lines = text.split("\n");
   const pkgIdx = lines.findIndex((l) => /^packages\s*:/.test(l));
   if (pkgIdx === -1) {
-    writeFileSync3(wsPath, `${text.replace(/\s*$/, "")}
+    writeFileSync2(wsPath, `${text.replace(/\s*$/, "")}
 packages:
   - "${member}"
 `);
   } else {
     lines.splice(pkgIdx + 1, 0, `  - "${member}"`);
-    writeFileSync3(wsPath, lines.join("\n"));
+    writeFileSync2(wsPath, lines.join("\n"));
   }
   console.log(`\u2714 registered ${member} in pnpm-workspace.yaml`);
 }
@@ -1398,25 +1319,25 @@ async function addCommand(args) {
   const data = entry?.data ?? "none";
   const envs = entry?.envs ?? ["beta", "prod"];
   const toolInfo = { lane, target, data };
-  const dest = resolve6(process.cwd(), "tools", name);
-  if (existsSync6(dest)) throw new Error(`tools/${name} already exists`);
+  const dest = resolve5(process.cwd(), "tools", name);
+  if (existsSync5(dest)) throw new Error(`tools/${name} already exists`);
   const src = templateDir(lane, target);
-  if (existsSync6(src)) {
+  if (existsSync5(src)) {
     cpSync2(src, dest, { recursive: true });
     const pkgPath = join(dest, "package.json");
-    if (existsSync6(pkgPath)) {
-      const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
+    if (existsSync5(pkgPath)) {
+      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
       pkg.name = name;
-      writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+      writeFileSync2(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
     }
     const shippedGitignore = join(dest, "gitignore");
-    if (existsSync6(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
+    if (existsSync5(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
     const wranglerPath = join(dest, "wrangler.toml");
-    if (existsSync6(wranglerPath)) {
-      let wt = readFileSync4(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
+    if (existsSync5(wranglerPath)) {
+      let wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
       if (wt.includes("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID")) {
-        const token = presentEnv(process.cwd()).CLOUDFLARE_API_TOKEN;
+        const token = presentEnv().CLOUDFLARE_API_TOKEN;
         const acct = token ? await resolveCloudflareAccountId(config.domain, token) : null;
         if (acct) {
           wt = wt.replaceAll("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID", acct);
@@ -1427,31 +1348,31 @@ async function addCommand(args) {
           );
         }
       }
-      writeFileSync3(wranglerPath, wt);
+      writeFileSync2(wranglerPath, wt);
     }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
-    if (existsSync6(pkgPath)) registerWorkspaceMember(process.cwd(), `tools/${name}`);
+    if (existsSync5(pkgPath)) registerWorkspaceMember(process.cwd(), `tools/${name}`);
   } else {
     console.log(`! no template at ${src} \u2014 manifest entry added without scaffolding`);
   }
-  writeFileSync3(path, serializeConfig(next));
+  writeFileSync2(path, serializeConfig(next));
   console.log(`\u2714 added "${name}" (${lane}/${target}) to the manifest`);
   const cwd = process.cwd();
   const providers = providersForTool(toolInfo);
-  const infraDir = resolve6(cwd, "infra");
+  const infraDir = resolve5(cwd, "infra");
   const mainTf = join(infraDir, "main.tf");
-  if (!existsSync6(mainTf)) {
-    mkdirSync3(infraDir, { recursive: true });
-    writeFileSync3(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
+  if (!existsSync5(mainTf)) {
+    mkdirSync2(infraDir, { recursive: true });
+    writeFileSync2(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
     console.log("\u2714 scaffolded infra/main.tf (providers + HCP backend placeholder)");
   } else if (providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 infra/main.tf exists \u2014 ensure it declares provider(s): ${providers.join(", ")}`);
   }
   const toolTf = join(infraDir, `${name}.tf`);
-  if (existsSync6(toolTf)) {
+  if (existsSync5(toolTf)) {
     console.log(`\xB7 infra/${name}.tf exists \u2014 left as-is`);
   } else {
-    writeFileSync3(
+    writeFileSync2(
       toolTf,
       emitToolTf({
         name,
@@ -1468,13 +1389,13 @@ async function addCommand(args) {
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
   }
   if (lane === "agent") {
-    const wfDir = resolve6(cwd, ".github/workflows");
+    const wfDir = resolve5(cwd, ".github/workflows");
     const wfPath = join(wfDir, `deploy-${name}.yml`);
-    if (existsSync6(wfPath)) {
+    if (existsSync5(wfPath)) {
       console.log(`\xB7 .github/workflows/deploy-${name}.yml exists \u2014 left as-is`);
     } else {
-      mkdirSync3(wfDir, { recursive: true });
-      writeFileSync3(wfPath, emitAgentDeployWorkflow(name, config.domain));
+      mkdirSync2(wfDir, { recursive: true });
+      writeFileSync2(wfPath, emitAgentDeployWorkflow(name, config.domain));
       console.log(`\u2714 wrote .github/workflows/deploy-${name}.yml`);
     }
   }
@@ -1500,8 +1421,8 @@ Next:${gather ? "" : `
 // src/commands/adopt.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { cpSync as cpSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync5, readdirSync, writeFileSync as writeFileSync4 } from "fs";
-import { join as join2, resolve as resolve7 } from "path";
+import { cpSync as cpSync3, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync3 } from "fs";
+import { join as join2, resolve as resolve6 } from "path";
 var REF = MODULE_REF;
 function flag3(args, name) {
   const i = args.indexOf(name);
@@ -1517,7 +1438,7 @@ function mergePackageJson(existing, repoName, vendor) {
 }
 function vendorDeps(vendorDir) {
   const out = {};
-  if (!existsSync7(vendorDir)) return out;
+  if (!existsSync6(vendorDir)) return out;
   for (const f of readdirSync(vendorDir)) {
     if (!f.endsWith(".tgz")) continue;
     const base = f.replace(/-\d+\.\d+\.\d+(-[\w.]+)?\.tgz$/, "");
@@ -1972,12 +1893,12 @@ export default [api, ...agentWeb];
 `;
 }
 function writeIfAbsent(path, contents, label) {
-  if (existsSync7(path)) {
+  if (existsSync6(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync4(resolve7(path, ".."), { recursive: true });
-  writeFileSync4(path, contents);
+  mkdirSync3(resolve6(path, ".."), { recursive: true });
+  writeFileSync3(path, contents);
   console.log(`\u2714 ${label}`);
 }
 async function adoptCommand(args) {
@@ -2013,10 +1934,10 @@ async function adoptWrapper(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
   const cwd = process.cwd();
   const toolRel = `tools/${name}`;
-  const dest = resolve7(cwd, toolRel);
+  const dest = resolve6(cwd, toolRel);
   console.log(`adopting "${name}" (${lane}/${target}) as the submodule ${toolRel}
 `);
-  if (!existsSync7(dest)) {
+  if (!existsSync6(dest)) {
     try {
       execFileSync2("git", ["submodule", "add", repoArg, toolRel], { cwd, stdio: "inherit" });
       console.log(`\u2714 git submodule add ${repoArg} ${toolRel}`);
@@ -2052,7 +1973,7 @@ async function adoptWrapper(ctx) {
       }
     } : {}
   });
-  writeFileSync4(regPath, serializeConfig(nextReg));
+  writeFileSync3(regPath, serializeConfig(nextReg));
   console.log(
     `\u2714 ${existed ? "updated" : "registered"} "${name}" (external, dir ${toolRel}) in the wrapper manifest`
   );
@@ -2070,7 +1991,7 @@ async function adoptWrapper(ctx) {
     );
   }
   const providers = providersForTool({ lane, target, data });
-  if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
+  if (existsSync6(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
   }
   materializeAgentKit(dest, { lane, target, data });
@@ -2122,9 +2043,9 @@ Next:
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
-  const repo = resolve7(process.cwd(), repoArg);
-  if (!existsSync7(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
-  const regVendor = resolve7(process.cwd(), "vendor");
+  const repo = resolve6(process.cwd(), repoArg);
+  if (!existsSync6(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
+  const regVendor = resolve6(process.cwd(), "vendor");
   const vendor = vendorDeps(regVendor);
   if (Object.keys(vendor).length === 0) {
     throw new Error(
@@ -2142,15 +2063,15 @@ async function adoptStandalone(ctx) {
   );
   const slug = parseRepo(safeGit(repo, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   const pkgPath = join2(repo, "package.json");
-  const existingPkg = existsSync7(pkgPath) ? JSON.parse(readFileSync5(pkgPath, "utf8")) : null;
-  writeFileSync4(
+  const existingPkg = existsSync6(pkgPath) ? JSON.parse(readFileSync4(pkgPath, "utf8")) : null;
+  writeFileSync3(
     pkgPath,
     `${JSON.stringify(mergePackageJson(existingPkg, name, vendor), null, 2)}
 `
   );
   console.log("\u2714 package.json (merged framework deps + overrides)");
   const repoVendor = join2(repo, "vendor");
-  mkdirSync4(repoVendor, { recursive: true });
+  mkdirSync3(repoVendor, { recursive: true });
   for (const f of readdirSync(regVendor)) {
     if (f.endsWith(".tgz")) cpSync3(join2(regVendor, f), join2(repoVendor, f));
   }
@@ -2184,7 +2105,7 @@ async function adoptStandalone(ctx) {
     external: true,
     adopted: true
   });
-  writeFileSync4(regPath, serializeConfig(nextReg));
+  writeFileSync3(regPath, serializeConfig(nextReg));
   console.log(`\u2714 registered "${name}" in ${regPath.replace(`${process.cwd()}/`, "")} (external)`);
   console.log(`
 Next (in the adopted repo):
@@ -2197,20 +2118,20 @@ Note: deploying ${target} needs the ${target} adapter (workers is built; oci/ver
 }
 function addGreenlightScript(dir) {
   const pkgPath = join2(dir, "package.json");
-  if (!existsSync7(pkgPath)) {
+  if (!existsSync6(pkgPath)) {
     console.log(
       "\xB7 no package.json (non-Node tool) \u2014 run the loop via `npx @rtrentjones/greenlight`"
     );
     return;
   }
-  const pkg = JSON.parse(readFileSync5(pkgPath, "utf8"));
+  const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
   pkg.scripts = { ...pkg.scripts ?? {} };
   if (pkg.scripts.greenlight) {
     console.log("\xB7 package.json already has a greenlight script");
     return;
   }
   pkg.scripts.greenlight = "npx @rtrentjones/greenlight";
-  writeFileSync4(pkgPath, `${JSON.stringify(pkg, null, 2)}
+  writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
   console.log("\u2714 package.json (greenlight script \u2014 runnable via npx post-publish)");
 }
@@ -2355,10 +2276,10 @@ async function deployCommand(args) {
 // src/commands/doctor.ts
 import { execFileSync as execFileSync4 } from "child_process";
 import { lookup } from "dns/promises";
-import { existsSync as existsSync8, readFileSync as readFileSync6, readdirSync as readdirSync2 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
 import { join as join4 } from "path";
 function dirCheck(label, dir) {
-  return existsSync8(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+  return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
 }
 function conformanceChecks(t, root) {
   const out = [];
@@ -2368,7 +2289,7 @@ function conformanceChecks(t, root) {
     join4(toolDir, `verify/${t.name}.config.ts`),
     join4(toolDir, "verify.config.ts")
   ] : [join4(toolDir, "verify.config.ts")];
-  const found = specCandidates.find((p) => existsSync8(join4(root, p)));
+  const found = specCandidates.find((p) => existsSync7(join4(root, p)));
   out.push({
     name: `${t.name}: in the verify loop`,
     status: found ? "ok" : "warn",
@@ -2394,14 +2315,14 @@ function conformanceChecks(t, root) {
   }
   if (!t.external && t.lane === "next" && t.target === "vercel") {
     const wsPath = join4(root, "pnpm-workspace.yaml");
-    const ws = existsSync8(wsPath) ? readFileSync6(wsPath, "utf8") : "";
+    const ws = existsSync7(wsPath) ? readFileSync5(wsPath, "utf8") : "";
     const member = ws.includes(toolDir) || /^\s*-\s*["']?tools\/\*/m.test(ws);
     out.push({
       name: `${t.name}: pnpm workspace member`,
       status: member ? "ok" : "warn",
       detail: member ? void 0 : `add "${toolDir}" to pnpm-workspace.yaml \u2014 else Vercel's root install skips its deps`
     });
-    const hasVercelJson = existsSync8(join4(root, toolDir, "vercel.json"));
+    const hasVercelJson = existsSync7(join4(root, toolDir, "vercel.json"));
     out.push({
       name: `${t.name}: vercel.json framework`,
       status: hasVercelJson ? "ok" : "warn",
@@ -2415,7 +2336,7 @@ function versionDriftCheck(root) {
   let installed;
   try {
     const pkg = JSON.parse(
-      readFileSync6(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
+      readFileSync5(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
     );
     installed = pkg.version;
   } catch {
@@ -2423,7 +2344,7 @@ function versionDriftCheck(root) {
   const refs = /* @__PURE__ */ new Set();
   try {
     for (const f of readdirSync2(join4(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
-      const body = readFileSync6(join4(root, "infra", f), "utf8");
+      const body = readFileSync5(join4(root, "infra", f), "utf8");
       for (const m of body.matchAll(/greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g)) {
         if (m[1]) refs.add(m[1]);
       }
@@ -2479,7 +2400,7 @@ function runDoctor(config, root) {
       checks.push({ name: `${t.name}: external (registry)`, status: "ok", detail: url });
       if (t.dir) {
         checks.push(
-          existsSync8(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
+          existsSync7(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
             name: `${t.name}: dir present`,
             status: "warn",
             detail: `declared dir "${t.dir}" missing \u2014 run \`git submodule update --init\``
@@ -2570,9 +2491,9 @@ ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
 }
 // src/commands/init.ts
-import { existsSync as existsSync9, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
-import { resolve as resolve8 } from "path";
-import { createInterface as createInterface3 } from "readline/promises";
+import { existsSync as existsSync8, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
+import { resolve as resolve7 } from "path";
+import { createInterface as createInterface2 } from "readline/promises";
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;
@@ -2594,7 +2515,7 @@ function wrapperPackageJson(name) {
 }
 var WRAPPER_GITIGNORE = `# Greenlight wrapper
 node_modules/
-.greenlight/        # gathered tokens \u2014 never committed
+.greenlight/        # local scratch \u2014 never committed (tokens live in GitHub Actions)
 .terraform/
 *.tfplan
 tf.plan
@@ -2656,12 +2577,12 @@ jobs:
 `;
 }
 function scaffoldIfAbsent(path, contents, label) {
-  if (existsSync9(path)) {
+  if (existsSync8(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync5(resolve8(path, ".."), { recursive: true });
-  writeFileSync5(path, contents);
+  mkdirSync4(resolve7(path, ".."), { recursive: true });
+  writeFileSync4(path, contents);
   console.log(`\u2714 wrote ${label}`);
 }
 var TOKEN_FLAGS = {
@@ -2676,70 +2597,74 @@ async function initCommand(args) {
   let domain = flag5(args, "--domain");
   if (!domain) {
     if (!process.stdin.isTTY) throw new Error("init needs --domain <domain> (no TTY for prompts)");
-    const rl = createInterface3({ input: process.stdin, output: process.stdout });
+    const rl = createInterface2({ input: process.stdin, output: process.stdout });
     domain = (await rl.question("Domain (e.g. example.dev): ")).trim();
     rl.close();
   }
   if (!domain) throw new Error("a domain is required");
   const cwd = process.cwd();
-  const configPath = resolve8(cwd, "greenlight.config.ts");
-  if (existsSync9(configPath) && !force) {
+  const configPath = resolve7(cwd, "greenlight.config.ts");
+  if (existsSync8(configPath) && !force) {
     throw new Error("greenlight.config.ts already exists \u2014 pass --force to overwrite");
   }
-  writeFileSync5(configPath, scaffoldConfig(domain));
+  writeFileSync4(configPath, scaffoldConfig(domain));
   console.log(`\u2714 wrote greenlight.config.ts (domain: ${domain})`);
   const repoName = domain.replace(/\./g, "-");
   scaffoldIfAbsent(
-    resolve8(cwd, ".github/workflows/infra.yml"),
+    resolve7(cwd, ".github/workflows/infra.yml"),
     wrapperInfraYml(),
     ".github/workflows/infra.yml (HCP-backed terraform apply on push)"
   );
-  scaffoldIfAbsent(resolve8(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
-  scaffoldIfAbsent(resolve8(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
-  scaffoldIfAbsent(resolve8(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
-  scaffoldIfAbsent(resolve8(cwd, ".node-version"), "24\n", ".node-version");
-  const secrets = [];
-  for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
-    const v = flag5(args, f);
-    if (v) secrets.push(`${key}=${v}`);
-  }
-  if (secrets.length > 0) {
-    mkdirSync5(resolve8(cwd, ".greenlight"), { recursive: true });
-    writeFileSync5(resolve8(cwd, ".greenlight/secrets.env"), `${secrets.join("\n")}
-`, {
-      mode: 384
-    });
-    console.log(`\u2714 wrote .greenlight/secrets.env (${secrets.length} token(s), gitignored)`);
-  }
-  if (process.stdin.isTTY && !args.includes("--no-tokens")) {
-    try {
-      await ensureTokensForTool(cwd, {}, { verify: !args.includes("--no-verify") });
-    } catch (e) {
-      console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+  scaffoldIfAbsent(resolve7(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
+  scaffoldIfAbsent(resolve7(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
+  scaffoldIfAbsent(resolve7(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
+  scaffoldIfAbsent(resolve7(cwd, ".node-version"), "24\n", ".node-version");
+  const repo = flag5(args, "--repo") ?? detectRepo(cwd);
+  let pushed = 0;
+  if (repo && !args.includes("--no-push")) {
+    for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
+      const v = flag5(args, f);
+      if (!v || key.startsWith("GITHUB_")) continue;
+      try {
+        setGitHubSecret(repo, void 0, key, v);
+        console.log(`\u2714 set ${key} \u2192 ${repo} (GitHub Actions)`);
+        pushed++;
+      } catch (e) {
+        console.log(`! could not set ${key}: ${e instanceof Error ? e.message : String(e)}`);
+      }
     }
   }
-  let pushed = false;
-  if (existsSync9(resolve8(cwd, ".greenlight/secrets.env")) && !args.includes("--no-push")) {
-    try {
-      const { repo, count } = syncSecrets({ cwd, repo: flag5(args, "--repo") });
-      console.log(`\u2714 pushed ${count} secret(s) to ${repo} (GitHub Actions)`);
-      pushed = true;
-    } catch (e) {
-      console.log(`! skipped pushing secrets: ${e instanceof Error ? e.message : String(e)}`);
-      console.log("  run `greenlight secrets sync` once `gh` is authenticated.");
+  if (process.stdin.isTTY && !args.includes("--no-tokens")) {
+    if (repo) {
+      try {
+        const results = await ensureTokensForTool(
+          repo,
+          {},
+          {
+            verify: !args.includes("--no-verify")
+          }
+        );
+        pushed += results.filter((r) => r.outcome === "entered").length;
+      } catch (e) {
+        console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+      }
+    } else {
+      console.log(
+        "\n\xB7 no GitHub repo detected yet \u2014 create it + `gh auth login`, then set the base secrets\n  (CLOUDFLARE_API_TOKEN, TF_API_TOKEN) via `greenlight add <tool>` (prompts them) or `gh secret set`."
+      );
     }
   }
   console.log(`
 Next:
   1. greenlight add <name> --lane <lane> --target <target>   # scaffold a tool, emit infra, and
-                                                             # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (run `greenlight secrets sync` if base tokens were not pushed)"}
+                                                             # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (it also prompts the base tokens if they are not set yet)"}
   2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state.md
   3. commit + push \u2192 CI (.github/workflows/infra.yml) runs \`terraform apply\`
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 // src/commands/migrations.ts
-import { existsSync as existsSync10, readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
+import { existsSync as existsSync9, readFileSync as readFileSync6, readdirSync as readdirSync3 } from "fs";
 import { join as join5 } from "path";
 var DEFAULT_DIR = "supabase/migrations";
 var CANDIDATE_DIRS = [
@@ -2751,7 +2676,7 @@ var CANDIDATE_DIRS = [
 ];
 function resolveMigrationsDir(explicit, root = process.cwd()) {
   if (explicit) return explicit;
-  return CANDIDATE_DIRS.find((d) => existsSync10(join5(root, d))) ?? DEFAULT_DIR;
+  return CANDIDATE_DIRS.find((d) => existsSync9(join5(root, d))) ?? DEFAULT_DIR;
 }
 async function migrationsCommand(args) {
   if (args[0] !== "scan") {
@@ -2777,7 +2702,7 @@ async function migrationsCommand(args) {
   }
   const files = names.map((f) => ({
     path: join5(dir, f),
-    content: readFileSync7(join5(dir, f), "utf8")
+    content: readFileSync6(join5(dir, f), "utf8")
   }));
   const findings = scanSqlFiles(files);
   if (findings.length === 0) {
@@ -2802,12 +2727,12 @@ ${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn).
 // src/commands/preview.ts
 import { execFileSync as execFileSync5, spawn } from "child_process";
-import { resolve as resolve10 } from "path";
+import { resolve as resolve9 } from "path";
 import { setTimeout as sleep } from "timers/promises";
 // src/commands/verify.ts
 import { spawnSync } from "child_process";
-import { resolve as resolve9 } from "path";
+import { resolve as resolve8 } from "path";
 function defaultSpec(lane) {
   switch (lane) {
     case "astro":
@@ -2935,7 +2860,7 @@ ${pass2 ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports2.length} specs)`);
   if (reachableTimeoutMs > 0) {
     console.log(`waiting up to ${reachableTimeoutMs / 1e3}s for ${url} to become reachable\u2026`);
   }
-  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve8(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { reachableTimeoutMs, toolDir });
   attachFailureLogs(reports, specs, toolDir);
   for (const report of reports) printReport(report);
@@ -2979,7 +2904,7 @@ async function verifyLocal(entry, url) {
   process.env.GREENLIGHT_PREVIEW = "1";
   process.env.GREENLIGHT_VERIFY_URL = url;
   const specs = await loadSpecs(entry);
-  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { toolDir });
   for (const report of reports) printReport(report);
   return allPass(reports);
@@ -2990,7 +2915,7 @@ async function previewViaDescriptor(entry, name, portOverride) {
   const port = portOverride ?? pv.port ?? entry.port ?? lane.port;
   const path = pv.path ?? lane.path;
   const url = `http://localhost:${port}${path}`;
-  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   console.log(`preview ${name}: ${pv.command}  (\u2192 ${url})`);
   const child = spawn(pv.command, {
     cwd: toolDir,
@@ -3303,7 +3228,6 @@ var HELP = `greenlight <command>
   promote <name> [--perform] [--push]           gated develop -> main fast-forward
   status <name>                                 last ship/deploy/verify run for a tool (via gh)
   secrets gather <name> [--repo o/r] [--env e]  guided, link-first token prompts -> GitHub secrets (no disk/logs)
-  secrets sync [--repo o/r] [--env <env>]       push .greenlight/secrets.env -> GitHub Actions secrets
   agent sync [<name>]                           write the loop kit (named \u2192 tool-aware, into its dir)
   adopt <name> --repo <path> --lane --target    onboard an existing tool repo as a thin consumer
   migrations scan [<dir>] [--strict]            dangerous-SQL gate for migrations (pre-apply)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.3.1",
-    "@rtrentjones/greenlight-loop": "0.3.1",
-    "@rtrentjones/greenlight-shared": "0.3.1",
-    "@rtrentjones/greenlight-verify": "0.3.1"
+    "@rtrentjones/greenlight-loop": "0.4.0",
+    "@rtrentjones/greenlight-adapters": "0.4.0",
+    "@rtrentjones/greenlight-verify": "0.4.0",
+    "@rtrentjones/greenlight-shared": "0.4.0"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",