npm - @rtrentjones/greenlight - Versions diffs - 0.3.1 → 0.4.1 - Mend

@rtrentjones/greenlight 0.3.1 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/assets/skills/provider-cloudflare/SKILL.md +4 -3
package/assets/skills/provider-github/SKILL.md +6 -5
package/assets/skills/provider-supabase/SKILL.md +2 -1
package/assets/skills/provider-vercel/SKILL.md +2 -1
package/dist/bin.js +287 -380
package/package.json +5 -5
package/templates/_template-agent/wrangler.toml +6 -6

package/assets/skills/provider-cloudflare/SKILL.md CHANGED Viewed

@@ -19,9 +19,10 @@ One token, these scopes (a missing scope took down a live apply more than once):
 - **Account · Cloudflare Tunnel · Edit** — only if a tool uses `target: oci` (the cloudflared
   tunnel). Without it, the tunnel resource fails with **403 Forbidden** on `cfd_tunnel` at apply.
-Create at dash → My Profile → API Tokens → Custom Token. Store in `.greenlight/secrets.env`
-(gitignored) and push to GitHub Actions with `greenlight secrets sync`. `greenlight add`
-verifies it against `/user/tokens/verify` (status must be `active`) before you commit.
+Create at dash → My Profile → API Tokens → Custom Token. Push it straight to GitHub Actions
+with `greenlight secrets gather` (or `gh secret set CLOUDFLARE_API_TOKEN`) — Greenlight keeps
+no local secret file. `greenlight add` verifies it against `/user/tokens/verify` (status must
+be `active`) before you commit.
 ## Terraform modules

package/assets/skills/provider-github/SKILL.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: provider-github
-description: How GitHub works in a Greenlight setup — secrets sync target (Actions secrets/environments), the repo/branch/protection Terraform module, the develop→main flow, and OIDC-over-PAT preference. Use when syncing tokens, wiring branch protection/environments, or debugging gh/secrets/CI auth.
+description: How GitHub works in a Greenlight setup — the single secret store (Actions secrets/environments), the repo/branch/protection Terraform module, the develop→main flow, and OIDC-over-PAT preference. Use when setting tokens, wiring branch protection/environments, or debugging gh/secrets/CI auth.
 ---
 # provider-github
@@ -32,11 +32,12 @@ pushes each to the right repo; see docs/provider-tokens.md):
 Provider creds (OCI/Cloudflare/…) live **only in the wrapper**; the tool repo holds just the
 dispatch PAT (its build pushes to GHCR with the built-in `github.token`).
-## Secrets sync
+## Setting secrets
-`greenlight secrets sync [--repo o/r] [--env <env>]` pushes `.greenlight/secrets.env` to the
-repo's Actions secrets via `gh` (values piped on stdin — never in argv or logs). Run
-`gh auth login` first. This is the "init writes to provider stores" piece.
+GitHub Actions secrets are the **single** secret store — Greenlight keeps no local secret file.
+`greenlight secrets gather <tool> [--repo o/r] [--env <env>]` prompts the tool's tokens (and the
+always-on base tokens) with hidden input and pipes them straight to `gh secret set` (never on
+disk, never in argv or logs). Run `gh auth login` first. `gh secret set` is the manual alternative.
 ## Terraform module — `infra/modules/repo`

package/assets/skills/provider-supabase/SKILL.md CHANGED Viewed

@@ -12,7 +12,8 @@ name/region are replace-forcing, so the module sets `ignore_changes` to protect
 ## Token — `SUPABASE_ACCESS_TOKEN`
-Dashboard → Account → Access Tokens (Management API). Store in `.greenlight/secrets.env`;
+Dashboard → Account → Access Tokens (Management API). Push it straight to GitHub Actions with
+`greenlight secrets gather` (or `gh secret set`) — Greenlight keeps no local secret file.
 `greenlight add` verifies it against `/v1/projects` (HTTP 200). The DB password
 (`TF_VAR_supabase_database_password`) is only used if the project is recreated — ignored on
 import, so `import-placeholder` is fine for an existing project.

package/assets/skills/provider-vercel/SKILL.md CHANGED Viewed

@@ -13,7 +13,8 @@ build). The wrapper owns infra; the tool repo owns deploys.
 ## Token — `VERCEL_API_TOKEN`
 Account → Settings → Tokens. **Scope it to the team** that owns the project. The Terraform
-`vercel` provider also takes `team` (the `team_…` id). Store in `.greenlight/secrets.env`;
+`vercel` provider also takes `team` (the `team_…` id). Push it straight to GitHub Actions with
+`greenlight secrets gather` (or `gh secret set`) — Greenlight keeps no local secret file.
 `greenlight add` verifies it against `/v2/user` (HTTP 200) before commit.
 ## Terraform module — `infra/modules/vercel`

package/dist/bin.js CHANGED Viewed

@@ -15,8 +15,8 @@ import "./chunk-XWTOJHLV.js";
 import "./chunk-QFKE5JKC.js";
 // src/commands/add.ts
-import { cpSync as cpSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, renameSync, writeFileSync as writeFileSync3 } from "fs";
-import { join, resolve as resolve6 } from "path";
+import { cpSync as cpSync2, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, renameSync, writeFileSync as writeFileSync2 } from "fs";
+import { join, resolve as resolve5 } from "path";
 // src/agent-deploy.ts
 function emitAgentDeployWorkflow(name, domain) {
@@ -62,6 +62,12 @@ jobs:
           RUN_TOKEN: \${{ secrets.RUN_TOKEN }}
         run: |
           cd tools/${name}
+          # Account id as code: resolve the (non-secret) account id from the domain's zone and inject
+          # it into wrangler.toml \u2014 wrangler can't call /memberships to auto-discover it with a scoped
+          # token. Derived, so the repo keeps the REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID placeholder.
+          ACCT=$(curl -fsS "https://api.cloudflare.com/client/v4/zones?name=${domain}" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq -r '.result[0].account.id // empty')
+          if [ -z "$ACCT" ]; then echo "::error::could not resolve the Cloudflare account id for ${domain} (token needs Zone:Read?)"; exit 1; fi
+          sed -i "s/REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID/$ACCT/g" wrangler.toml
           # KV namespace as code: find-or-create the STATE namespace (idempotent), then inject its id
           # into wrangler.toml for this deploy. The id is non-secret + derived, so the repo keeps the
           # REPLACE_WITH_KV_NAMESPACE_ID placeholder \u2014 no manual create, no hardcoded id.
@@ -93,19 +99,6 @@ jobs:
         run: echo "Missing CLOUDFLARE_API_TOKEN or GEMINI_API_KEY \u2014 ${name} deploy skipped."
 `;
 }
-async function resolveCloudflareAccountId(domain, token) {
-  try {
-    const res = await fetch(
-      `https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(domain)}`,
-      { headers: { Authorization: `Bearer ${token}` } }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return data.result?.[0]?.account?.id ?? null;
-  } catch {
-    return null;
-  }
-}
 // src/asset-paths.ts
 import { existsSync } from "fs";
@@ -489,7 +482,7 @@ var PACKS = [
     id: "github",
     name: "GitHub",
     always: true,
-    // secrets sync + repo/branch infra
+    // the single secret store (Actions secrets) + repo/branch infra
     appliesTo: () => true,
     guide: "docs/provider-tokens.md \u2014 GitHub (gh auth, or a fine-grained PAT)",
     setupUrl: "https://github.com/settings/personal-access-tokens/new",
@@ -590,7 +583,7 @@ function tokensForTool(tool) {
 }
 // src/version.ts
-var MODULE_REF = "v0.3.1";
+var MODULE_REF = "v0.4.1";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -915,27 +908,104 @@ function providersForTool(tool) {
   return out;
 }
-// src/tokens.ts
-import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { resolve as resolve4 } from "path";
-import { createInterface as createInterface2 } from "readline/promises";
-// src/commands/secrets.ts
-import { execFileSync } from "child_process";
-import { existsSync as existsSync3, readFileSync } from "fs";
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync3, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { resolve as resolve3 } from "path";
-import { createInterface } from "readline";
-function parseSecretsEnv(text) {
-  const out = [];
-  for (const raw of text.split("\n")) {
-    const line = raw.trim();
-    if (line === "" || line.startsWith("#")) continue;
-    const eq = line.indexOf("=");
-    if (eq <= 0) continue;
-    out.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1) });
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
   }
   return out;
 }
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
+tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
+branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
+push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
+Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
+pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync3(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve3(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync3(skillSrc)) continue;
+    const skillDest = resolve3(dir, ".claude/skills", pack.skill);
+    mkdirSync(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve3(dir, ".mcp.json");
+  const existingMcp = existsSync3(mcpPath) ? JSON.parse(readFileSync(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve3(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync3(claudePath) ? readFileSync(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+  if (name) {
+    const { config } = await loadManifest();
+    const entry = resolveEntry(config, name);
+    const dir = resolve3(process.cwd(), entry.dir ?? ".");
+    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
+    console.log(
+      `
+Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
+    );
+    return;
+  }
+  materializeAgentKit(process.cwd());
+  console.log(
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+  );
+}
+// src/commands/secrets.ts
+import { execFileSync } from "child_process";
+import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve4 } from "path";
+import { createInterface } from "readline";
 function parseOciConfig(text) {
   const out = {};
   for (const raw of text.split("\n")) {
@@ -949,7 +1019,7 @@ function parseOciConfig(text) {
   return out;
 }
 function ociPrefill(configPath, keyPath) {
-  const cfg = parseOciConfig(readFileSync(configPath, "utf8"));
+  const cfg = parseOciConfig(readFileSync2(configPath, "utf8"));
   const map = /* @__PURE__ */ new Map();
   const set = (k, v) => {
     if (v) map.set(k, v);
@@ -959,8 +1029,8 @@ function ociPrefill(configPath, keyPath) {
   set("TF_VAR_OCI_TENANCY_OCID", cfg.tenancy);
   set("TF_VAR_OCI_REGION", cfg.region);
   const pem = keyPath ?? cfg.key_file;
-  if (pem && existsSync3(pem)) {
-    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync(pem, "utf8"));
+  if (pem && existsSync4(pem)) {
+    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync2(pem, "utf8"));
   } else if (pem) {
     console.log(`   ! PEM not found at ${pem} \u2014 set TF_VAR_OCI_PRIVATE_KEY manually (--oci-key)`);
   }
@@ -987,49 +1057,17 @@ function detectRepo(cwd) {
     return null;
   }
 }
-function syncSecrets(opts) {
-  const repo = opts.repo ?? detectRepo(opts.cwd);
-  if (!repo) {
-    throw new Error(
-      "could not determine the repo \u2014 pass --repo owner/repo (no github.com origin remote)"
-    );
-  }
-  const path = resolve3(opts.cwd, ".greenlight/secrets.env");
-  if (!existsSync3(path)) {
-    throw new Error("no .greenlight/secrets.env \u2014 run `greenlight init` with tokens first");
-  }
-  const entries = parseSecretsEnv(readFileSync(path, "utf8"));
-  const target = opts.env ? `env "${opts.env}"` : "repo";
-  for (const { key, value } of entries) {
-    const ghArgs = ["secret", "set", key, "--repo", repo];
-    if (opts.env) ghArgs.push("--env", opts.env);
-    try {
-      execFileSync("gh", ghArgs, { input: value });
-    } catch (e) {
-      const err = e;
-      if (err.code === "ENOENT") {
-        throw new Error("the GitHub CLI `gh` is required \u2014 install it and run `gh auth login`");
-      }
-      const detail = err.stderr?.toString().trim();
-      throw new Error(
-        `failed to set ${key}${detail ? `: ${detail}` : " (check `gh auth status`)"}`
-      );
-    }
-    console.log(`\u2714 set ${key} \u2192 ${repo} ${target}`);
-  }
-  return { repo, count: entries.length };
-}
 function hiddenPrompter() {
   const tty = Boolean(process.stdin.isTTY);
   const rl = createInterface({ input: process.stdin, output: process.stdout, terminal: tty });
   if (tty) rl._writeToOutput = () => {
   };
   return {
-    ask: (query) => new Promise((resolve11) => {
+    ask: (query) => new Promise((resolve10) => {
       process.stdout.write(query);
       rl.question("", (val) => {
         process.stdout.write("\n");
-        resolve11(val.trim());
+        resolve10(val.trim());
       });
     }),
     close: () => rl.close()
@@ -1139,200 +1177,14 @@ async function secretsCommand(args) {
     if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
     const ociConfig2 = flag(args, "--oci-config");
     const ociKey = flag(args, "--oci-key");
-    const prefill = ociConfig2 ? ociPrefill(resolve3(process.cwd(), ociConfig2), ociKey && resolve3(process.cwd(), ociKey)) : void 0;
+    const prefill = ociConfig2 ? ociPrefill(resolve4(process.cwd(), ociConfig2), ociKey && resolve4(process.cwd(), ociKey)) : void 0;
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
-  if (sub !== "sync") {
-    console.log(
-      "usage:\n  greenlight secrets sync [--repo owner/repo] [--env <env>]            # push .greenlight/secrets.env\n  greenlight secrets gather <name> [--repo owner/repo] [--env <env>]   # guided, link-first, straight to GitHub (no disk/logs)\n    [--oci-config <path>] [--oci-key <path>]                           # auto-fill OCI auth from the API-key config preview + .pem"
-    );
-    process.exit(sub ? 1 : 0);
-  }
-  const { count } = syncSecrets({
-    cwd: process.cwd(),
-    repo: flag(args, "--repo"),
-    env: flag(args, "--env")
-  });
-  if (count === 0) {
-    console.log("no secrets to sync");
-    return;
-  }
-  console.log(
-    `
-${count} secret(s) synced. (Prefer GitHub OIDC over long-lived tokens where supported.)`
-  );
-}
-// src/tokens.ts
-var SECRETS_DIR = ".greenlight";
-var SECRETS_FILE = "secrets.env";
-function presentEnv(cwd) {
-  const out = {};
-  const p = resolve4(cwd, SECRETS_DIR, SECRETS_FILE);
-  if (existsSync4(p)) {
-    for (const { key, value } of parseSecretsEnv(readFileSync2(p, "utf8"))) out[key] = value;
-  }
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0 && !(k in out)) out[k] = v;
-  }
-  return out;
-}
-function upsertSecret(cwd, key, value) {
-  const dir = resolve4(cwd, SECRETS_DIR);
-  mkdirSync(dir, { recursive: true });
-  const p = resolve4(dir, SECRETS_FILE);
-  const lines = existsSync4(p) ? readFileSync2(p, "utf8").split("\n") : [];
-  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
-  if (idx >= 0) lines[idx] = `${key}=${value}`;
-  else {
-    while (lines.length && (lines[lines.length - 1] ?? "").trim() === "") lines.pop();
-    lines.push(`${key}=${value}`);
-  }
-  writeFileSync(p, `${lines.join("\n").replace(/\n*$/, "")}
-`, { mode: 384 });
-}
-async function ensureTokensForTool(cwd, tool, opts = {}) {
-  const doVerify = opts.verify !== false;
-  const interactive = Boolean(process.stdin.isTTY);
-  const env = presentEnv(cwd);
-  const results = [];
-  const rl = interactive ? createInterface2({ input: process.stdin, output: process.stdout }) : null;
-  try {
-    for (const spec of tokensForTool(tool)) {
-      let value = env[spec.envVar];
-      if (value) {
-        results.push({ envVar: spec.envVar, outcome: "present" });
-      } else if (rl) {
-        console.log(`
-${spec.envVar} \u2014 ${spec.label}`);
-        if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-        const entered = (await rl.question(`  paste value${spec.optional ? " (optional, Enter to skip)" : ""}: `)).trim();
-        if (!entered) {
-          results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-          continue;
-        }
-        upsertSecret(cwd, spec.envVar, entered);
-        env[spec.envVar] = entered;
-        value = entered;
-        results.push({ envVar: spec.envVar, outcome: "entered" });
-      } else {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      if (value && doVerify && spec.verify) {
-        let check;
-        try {
-          check = await spec.verify(value, env);
-        } catch (e) {
-          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
-        }
-        const last = results[results.length - 1];
-        if (last) last.verify = check;
-        if (!check.ok && !spec.optional) {
-          throw new Error(
-            `${spec.envVar} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
-          );
-        }
-      }
-    }
-  } finally {
-    rl?.close();
-  }
-  return results;
-}
-// src/commands/agent.ts
-import { cpSync, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve5 } from "path";
-// src/agent-kit.ts
-function recommendedMcp(tool) {
-  return mcpForTool(tool);
-}
-function mergeMcpServers(existing, add) {
-  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
-  for (const [name, val] of Object.entries(add)) {
-    if (out.mcpServers[name]) continue;
-    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
-  }
-  return out;
-}
-// src/commands/agent.ts
-var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
-This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
-tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
-branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
-push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
-Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
-pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
-Agentic kit:
-- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
-- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
-    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
-- Best-practice skills (one-time, user scope):
-    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
-`;
-function materializeAgentKit(dir, tool) {
-  const src = skillAssetDir();
-  if (!existsSync5(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve5(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync2(dest, { recursive: true });
-  cpSync(src, dest, { recursive: true });
-  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
-  for (const pack of packsForTool(tool)) {
-    if (!pack.skill) continue;
-    const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync5(skillSrc)) continue;
-    const skillDest = resolve5(dir, ".claude/skills", pack.skill);
-    mkdirSync2(skillDest, { recursive: true });
-    cpSync(skillSrc, skillDest, { recursive: true });
-    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
-  }
-  const mcpPath = resolve5(dir, ".mcp.json");
-  const existingMcp = existsSync5(mcpPath) ? JSON.parse(readFileSync3(mcpPath, "utf8")) : null;
-  const servers = recommendedMcp(tool);
-  writeFileSync2(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
-`);
-  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve5(dir, "CLAUDE.md");
-  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync5(claudePath) ? readFileSync3(claudePath, "utf8") : "";
-  if (existing.includes(marker)) {
-    console.log("\xB7 CLAUDE.md already has the loop block");
-  } else {
-    writeFileSync2(claudePath, existing ? `${existing.trimEnd()}
-${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
-    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
-  }
-}
-async function agentCommand(args) {
-  if (args[0] !== "sync") {
-    console.log(
-      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
-  if (name) {
-    const { config } = await loadManifest();
-    const entry = resolveEntry(config, name);
-    const dir = resolve5(process.cwd(), entry.dir ?? ".");
-    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
-    console.log(
-      `
-Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
-    );
-    return;
-  }
-  materializeAgentKit(process.cwd());
   console.log(
-    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+    "usage:\n  greenlight secrets gather <name> [--repo owner/repo] [--env <env>]   # guided, link-first, straight to GitHub (no disk/logs)\n    [--oci-config <path>] [--oci-key <path>]                           # auto-fill OCI auth from the API-key config preview + .pem"
   );
+  process.exit(sub ? 1 : 0);
 }
 // src/commands/add.ts
@@ -1346,25 +1198,25 @@ function templateDir(lane, target) {
 }
 function registerWorkspaceMember(cwd, member) {
   const wsPath = join(cwd, "pnpm-workspace.yaml");
-  if (!existsSync6(wsPath)) {
-    writeFileSync3(wsPath, `packages:
+  if (!existsSync5(wsPath)) {
+    writeFileSync2(wsPath, `packages:
   - "${member}"
 `);
     console.log(`\u2714 created pnpm-workspace.yaml (member ${member})`);
     return;
   }
-  const text = readFileSync4(wsPath, "utf8");
+  const text = readFileSync3(wsPath, "utf8");
   if (text.includes(member) || /^\s*-\s*["']?tools\/\*/m.test(text)) return;
   const lines = text.split("\n");
   const pkgIdx = lines.findIndex((l) => /^packages\s*:/.test(l));
   if (pkgIdx === -1) {
-    writeFileSync3(wsPath, `${text.replace(/\s*$/, "")}
+    writeFileSync2(wsPath, `${text.replace(/\s*$/, "")}
 packages:
   - "${member}"
 `);
   } else {
     lines.splice(pkgIdx + 1, 0, `  - "${member}"`);
-    writeFileSync3(wsPath, lines.join("\n"));
+    writeFileSync2(wsPath, lines.join("\n"));
   }
   console.log(`\u2714 registered ${member} in pnpm-workspace.yaml`);
 }
@@ -1398,60 +1250,48 @@ async function addCommand(args) {
   const data = entry?.data ?? "none";
   const envs = entry?.envs ?? ["beta", "prod"];
   const toolInfo = { lane, target, data };
-  const dest = resolve6(process.cwd(), "tools", name);
-  if (existsSync6(dest)) throw new Error(`tools/${name} already exists`);
+  const dest = resolve5(process.cwd(), "tools", name);
+  if (existsSync5(dest)) throw new Error(`tools/${name} already exists`);
   const src = templateDir(lane, target);
-  if (existsSync6(src)) {
+  if (existsSync5(src)) {
     cpSync2(src, dest, { recursive: true });
     const pkgPath = join(dest, "package.json");
-    if (existsSync6(pkgPath)) {
-      const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
+    if (existsSync5(pkgPath)) {
+      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
       pkg.name = name;
-      writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+      writeFileSync2(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
     }
     const shippedGitignore = join(dest, "gitignore");
-    if (existsSync6(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
+    if (existsSync5(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
     const wranglerPath = join(dest, "wrangler.toml");
-    if (existsSync6(wranglerPath)) {
-      let wt = readFileSync4(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
-      if (wt.includes("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID")) {
-        const token = presentEnv(process.cwd()).CLOUDFLARE_API_TOKEN;
-        const acct = token ? await resolveCloudflareAccountId(config.domain, token) : null;
-        if (acct) {
-          wt = wt.replaceAll("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID", acct);
-          console.log("\u2714 resolved the Cloudflare account id into wrangler.toml");
-        } else {
-          console.log(
-            "\xB7 could not resolve the Cloudflare account id \u2014 set account_id in wrangler.toml"
-          );
-        }
-      }
-      writeFileSync3(wranglerPath, wt);
+    if (existsSync5(wranglerPath)) {
+      const wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
+      writeFileSync2(wranglerPath, wt);
     }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
-    if (existsSync6(pkgPath)) registerWorkspaceMember(process.cwd(), `tools/${name}`);
+    if (existsSync5(pkgPath)) registerWorkspaceMember(process.cwd(), `tools/${name}`);
   } else {
     console.log(`! no template at ${src} \u2014 manifest entry added without scaffolding`);
   }
-  writeFileSync3(path, serializeConfig(next));
+  writeFileSync2(path, serializeConfig(next));
   console.log(`\u2714 added "${name}" (${lane}/${target}) to the manifest`);
   const cwd = process.cwd();
   const providers = providersForTool(toolInfo);
-  const infraDir = resolve6(cwd, "infra");
+  const infraDir = resolve5(cwd, "infra");
   const mainTf = join(infraDir, "main.tf");
-  if (!existsSync6(mainTf)) {
-    mkdirSync3(infraDir, { recursive: true });
-    writeFileSync3(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
+  if (!existsSync5(mainTf)) {
+    mkdirSync2(infraDir, { recursive: true });
+    writeFileSync2(mainTf, emitWrapperMainTf({ domain: config.domain, providers }));
     console.log("\u2714 scaffolded infra/main.tf (providers + HCP backend placeholder)");
   } else if (providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 infra/main.tf exists \u2014 ensure it declares provider(s): ${providers.join(", ")}`);
   }
   const toolTf = join(infraDir, `${name}.tf`);
-  if (existsSync6(toolTf)) {
+  if (existsSync5(toolTf)) {
     console.log(`\xB7 infra/${name}.tf exists \u2014 left as-is`);
   } else {
-    writeFileSync3(
+    writeFileSync2(
       toolTf,
       emitToolTf({
         name,
@@ -1468,13 +1308,13 @@ async function addCommand(args) {
     console.log(`\u2714 wrote infra/${name}.tf (modules: ${providers.join(", ")})`);
   }
   if (lane === "agent") {
-    const wfDir = resolve6(cwd, ".github/workflows");
+    const wfDir = resolve5(cwd, ".github/workflows");
     const wfPath = join(wfDir, `deploy-${name}.yml`);
-    if (existsSync6(wfPath)) {
+    if (existsSync5(wfPath)) {
       console.log(`\xB7 .github/workflows/deploy-${name}.yml exists \u2014 left as-is`);
     } else {
-      mkdirSync3(wfDir, { recursive: true });
-      writeFileSync3(wfPath, emitAgentDeployWorkflow(name, config.domain));
+      mkdirSync2(wfDir, { recursive: true });
+      writeFileSync2(wfPath, emitAgentDeployWorkflow(name, config.domain));
       console.log(`\u2714 wrote .github/workflows/deploy-${name}.yml`);
     }
   }
@@ -1500,8 +1340,8 @@ Next:${gather ? "" : `
 // src/commands/adopt.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { cpSync as cpSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync5, readdirSync, writeFileSync as writeFileSync4 } from "fs";
-import { join as join2, resolve as resolve7 } from "path";
+import { cpSync as cpSync3, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync3 } from "fs";
+import { join as join2, resolve as resolve6 } from "path";
 var REF = MODULE_REF;
 function flag3(args, name) {
   const i = args.indexOf(name);
@@ -1517,7 +1357,7 @@ function mergePackageJson(existing, repoName, vendor) {
 }
 function vendorDeps(vendorDir) {
   const out = {};
-  if (!existsSync7(vendorDir)) return out;
+  if (!existsSync6(vendorDir)) return out;
   for (const f of readdirSync(vendorDir)) {
     if (!f.endsWith(".tgz")) continue;
     const base = f.replace(/-\d+\.\d+\.\d+(-[\w.]+)?\.tgz$/, "");
@@ -1972,12 +1812,12 @@ export default [api, ...agentWeb];
 `;
 }
 function writeIfAbsent(path, contents, label) {
-  if (existsSync7(path)) {
+  if (existsSync6(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync4(resolve7(path, ".."), { recursive: true });
-  writeFileSync4(path, contents);
+  mkdirSync3(resolve6(path, ".."), { recursive: true });
+  writeFileSync3(path, contents);
   console.log(`\u2714 ${label}`);
 }
 async function adoptCommand(args) {
@@ -2013,10 +1853,10 @@ async function adoptWrapper(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
   const cwd = process.cwd();
   const toolRel = `tools/${name}`;
-  const dest = resolve7(cwd, toolRel);
+  const dest = resolve6(cwd, toolRel);
   console.log(`adopting "${name}" (${lane}/${target}) as the submodule ${toolRel}
 `);
-  if (!existsSync7(dest)) {
+  if (!existsSync6(dest)) {
     try {
       execFileSync2("git", ["submodule", "add", repoArg, toolRel], { cwd, stdio: "inherit" });
       console.log(`\u2714 git submodule add ${repoArg} ${toolRel}`);
@@ -2052,7 +1892,7 @@ async function adoptWrapper(ctx) {
       }
     } : {}
   });
-  writeFileSync4(regPath, serializeConfig(nextReg));
+  writeFileSync3(regPath, serializeConfig(nextReg));
   console.log(
     `\u2714 ${existed ? "updated" : "registered"} "${name}" (external, dir ${toolRel}) in the wrapper manifest`
   );
@@ -2070,7 +1910,7 @@ async function adoptWrapper(ctx) {
     );
   }
   const providers = providersForTool({ lane, target, data });
-  if (existsSync7(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
+  if (existsSync6(join2(cwd, "infra/main.tf")) && providers.some((p) => p !== "cloudflare" && p !== "github")) {
     console.log(`\xB7 ensure infra/main.tf declares provider(s): ${providers.join(", ")}`);
   }
   materializeAgentKit(dest, { lane, target, data });
@@ -2122,9 +1962,9 @@ Next:
 }
 async function adoptStandalone(ctx) {
   const { name, repoArg, lane, target, data, auth, envs, domain, reg, regPath } = ctx;
-  const repo = resolve7(process.cwd(), repoArg);
-  if (!existsSync7(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
-  const regVendor = resolve7(process.cwd(), "vendor");
+  const repo = resolve6(process.cwd(), repoArg);
+  if (!existsSync6(repo)) throw new Error(`no such repo: ${repo} (--standalone needs a local path)`);
+  const regVendor = resolve6(process.cwd(), "vendor");
   const vendor = vendorDeps(regVendor);
   if (Object.keys(vendor).length === 0) {
     throw new Error(
@@ -2142,15 +1982,15 @@ async function adoptStandalone(ctx) {
   );
   const slug = parseRepo(safeGit(repo, ["remote", "get-url", "origin"])) ?? `OWNER/${name}`;
   const pkgPath = join2(repo, "package.json");
-  const existingPkg = existsSync7(pkgPath) ? JSON.parse(readFileSync5(pkgPath, "utf8")) : null;
-  writeFileSync4(
+  const existingPkg = existsSync6(pkgPath) ? JSON.parse(readFileSync4(pkgPath, "utf8")) : null;
+  writeFileSync3(
     pkgPath,
     `${JSON.stringify(mergePackageJson(existingPkg, name, vendor), null, 2)}
 `
   );
   console.log("\u2714 package.json (merged framework deps + overrides)");
   const repoVendor = join2(repo, "vendor");
-  mkdirSync4(repoVendor, { recursive: true });
+  mkdirSync3(repoVendor, { recursive: true });
   for (const f of readdirSync(regVendor)) {
     if (f.endsWith(".tgz")) cpSync3(join2(regVendor, f), join2(repoVendor, f));
   }
@@ -2184,7 +2024,7 @@ async function adoptStandalone(ctx) {
     external: true,
     adopted: true
   });
-  writeFileSync4(regPath, serializeConfig(nextReg));
+  writeFileSync3(regPath, serializeConfig(nextReg));
   console.log(`\u2714 registered "${name}" in ${regPath.replace(`${process.cwd()}/`, "")} (external)`);
   console.log(`
 Next (in the adopted repo):
@@ -2197,20 +2037,20 @@ Note: deploying ${target} needs the ${target} adapter (workers is built; oci/ver
 }
 function addGreenlightScript(dir) {
   const pkgPath = join2(dir, "package.json");
-  if (!existsSync7(pkgPath)) {
+  if (!existsSync6(pkgPath)) {
     console.log(
       "\xB7 no package.json (non-Node tool) \u2014 run the loop via `npx @rtrentjones/greenlight`"
     );
     return;
   }
-  const pkg = JSON.parse(readFileSync5(pkgPath, "utf8"));
+  const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
   pkg.scripts = { ...pkg.scripts ?? {} };
   if (pkg.scripts.greenlight) {
     console.log("\xB7 package.json already has a greenlight script");
     return;
   }
   pkg.scripts.greenlight = "npx @rtrentjones/greenlight";
-  writeFileSync4(pkgPath, `${JSON.stringify(pkg, null, 2)}
+  writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
   console.log("\u2714 package.json (greenlight script \u2014 runnable via npx post-publish)");
 }
@@ -2355,10 +2195,10 @@ async function deployCommand(args) {
 // src/commands/doctor.ts
 import { execFileSync as execFileSync4 } from "child_process";
 import { lookup } from "dns/promises";
-import { existsSync as existsSync8, readFileSync as readFileSync6, readdirSync as readdirSync2 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
 import { join as join4 } from "path";
 function dirCheck(label, dir) {
-  return existsSync8(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+  return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
 }
 function conformanceChecks(t, root) {
   const out = [];
@@ -2368,7 +2208,7 @@ function conformanceChecks(t, root) {
     join4(toolDir, `verify/${t.name}.config.ts`),
     join4(toolDir, "verify.config.ts")
   ] : [join4(toolDir, "verify.config.ts")];
-  const found = specCandidates.find((p) => existsSync8(join4(root, p)));
+  const found = specCandidates.find((p) => existsSync7(join4(root, p)));
   out.push({
     name: `${t.name}: in the verify loop`,
     status: found ? "ok" : "warn",
@@ -2394,14 +2234,14 @@ function conformanceChecks(t, root) {
   }
   if (!t.external && t.lane === "next" && t.target === "vercel") {
     const wsPath = join4(root, "pnpm-workspace.yaml");
-    const ws = existsSync8(wsPath) ? readFileSync6(wsPath, "utf8") : "";
+    const ws = existsSync7(wsPath) ? readFileSync5(wsPath, "utf8") : "";
     const member = ws.includes(toolDir) || /^\s*-\s*["']?tools\/\*/m.test(ws);
     out.push({
       name: `${t.name}: pnpm workspace member`,
       status: member ? "ok" : "warn",
       detail: member ? void 0 : `add "${toolDir}" to pnpm-workspace.yaml \u2014 else Vercel's root install skips its deps`
     });
-    const hasVercelJson = existsSync8(join4(root, toolDir, "vercel.json"));
+    const hasVercelJson = existsSync7(join4(root, toolDir, "vercel.json"));
     out.push({
       name: `${t.name}: vercel.json framework`,
       status: hasVercelJson ? "ok" : "warn",
@@ -2415,7 +2255,7 @@ function versionDriftCheck(root) {
   let installed;
   try {
     const pkg = JSON.parse(
-      readFileSync6(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
+      readFileSync5(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
     );
     installed = pkg.version;
   } catch {
@@ -2423,7 +2263,7 @@ function versionDriftCheck(root) {
   const refs = /* @__PURE__ */ new Set();
   try {
     for (const f of readdirSync2(join4(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
-      const body = readFileSync6(join4(root, "infra", f), "utf8");
+      const body = readFileSync5(join4(root, "infra", f), "utf8");
       for (const m of body.matchAll(/greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g)) {
         if (m[1]) refs.add(m[1]);
       }
@@ -2479,7 +2319,7 @@ function runDoctor(config, root) {
       checks.push({ name: `${t.name}: external (registry)`, status: "ok", detail: url });
       if (t.dir) {
         checks.push(
-          existsSync8(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
+          existsSync7(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
             name: `${t.name}: dir present`,
             status: "warn",
             detail: `declared dir "${t.dir}" missing \u2014 run \`git submodule update --init\``
@@ -2570,9 +2410,73 @@ ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
 }
 // src/commands/init.ts
-import { existsSync as existsSync9, mkdirSync as mkdirSync5, writeFileSync as writeFileSync5 } from "fs";
-import { resolve as resolve8 } from "path";
-import { createInterface as createInterface3 } from "readline/promises";
+import { existsSync as existsSync8, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
+import { resolve as resolve7 } from "path";
+import { createInterface as createInterface2 } from "readline/promises";
+// src/tokens.ts
+function presentEnv() {
+  const out = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0) out[k] = v;
+  }
+  return out;
+}
+async function ensureTokensForTool(repo, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const env = presentEnv();
+  const already = listGitHubSecrets(repo, opts.env);
+  const results = [];
+  const prompt = process.stdin.isTTY ? hiddenPrompter() : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      const key = secretKeyFor(spec, "", void 0);
+      if (key === "GITHUB_TOKEN") {
+        results.push({ envVar: spec.envVar, outcome: "skipped" });
+        continue;
+      }
+      if (env[spec.envVar] || already?.has(key)) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+        continue;
+      }
+      if (!prompt) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      console.log(`
+${key} \u2014 ${spec.label}`);
+      if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+      const entered = await prompt.ask(
+        `  value${spec.optional ? " (optional, Enter to skip)" : ""}: `
+      );
+      if (!entered) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      env[spec.envVar] = entered;
+      let check;
+      if (doVerify && spec.verify) {
+        try {
+          check = await spec.verify(entered, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${key} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+      setGitHubSecret(repo, opts.env, key, entered);
+      results.push({ envVar: spec.envVar, outcome: "entered", verify: check });
+    }
+  } finally {
+    prompt?.close();
+  }
+  return results;
+}
+// src/commands/init.ts
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;
@@ -2594,7 +2498,7 @@ function wrapperPackageJson(name) {
 }
 var WRAPPER_GITIGNORE = `# Greenlight wrapper
 node_modules/
-.greenlight/        # gathered tokens \u2014 never committed
+.greenlight/        # local scratch \u2014 never committed (tokens live in GitHub Actions)
 .terraform/
 *.tfplan
 tf.plan
@@ -2656,12 +2560,12 @@ jobs:
 `;
 }
 function scaffoldIfAbsent(path, contents, label) {
-  if (existsSync9(path)) {
+  if (existsSync8(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync5(resolve8(path, ".."), { recursive: true });
-  writeFileSync5(path, contents);
+  mkdirSync4(resolve7(path, ".."), { recursive: true });
+  writeFileSync4(path, contents);
   console.log(`\u2714 wrote ${label}`);
 }
 var TOKEN_FLAGS = {
@@ -2676,70 +2580,74 @@ async function initCommand(args) {
   let domain = flag5(args, "--domain");
   if (!domain) {
     if (!process.stdin.isTTY) throw new Error("init needs --domain <domain> (no TTY for prompts)");
-    const rl = createInterface3({ input: process.stdin, output: process.stdout });
+    const rl = createInterface2({ input: process.stdin, output: process.stdout });
     domain = (await rl.question("Domain (e.g. example.dev): ")).trim();
     rl.close();
   }
   if (!domain) throw new Error("a domain is required");
   const cwd = process.cwd();
-  const configPath = resolve8(cwd, "greenlight.config.ts");
-  if (existsSync9(configPath) && !force) {
+  const configPath = resolve7(cwd, "greenlight.config.ts");
+  if (existsSync8(configPath) && !force) {
     throw new Error("greenlight.config.ts already exists \u2014 pass --force to overwrite");
   }
-  writeFileSync5(configPath, scaffoldConfig(domain));
+  writeFileSync4(configPath, scaffoldConfig(domain));
   console.log(`\u2714 wrote greenlight.config.ts (domain: ${domain})`);
   const repoName = domain.replace(/\./g, "-");
   scaffoldIfAbsent(
-    resolve8(cwd, ".github/workflows/infra.yml"),
+    resolve7(cwd, ".github/workflows/infra.yml"),
     wrapperInfraYml(),
     ".github/workflows/infra.yml (HCP-backed terraform apply on push)"
   );
-  scaffoldIfAbsent(resolve8(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
-  scaffoldIfAbsent(resolve8(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
-  scaffoldIfAbsent(resolve8(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
-  scaffoldIfAbsent(resolve8(cwd, ".node-version"), "24\n", ".node-version");
-  const secrets = [];
-  for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
-    const v = flag5(args, f);
-    if (v) secrets.push(`${key}=${v}`);
-  }
-  if (secrets.length > 0) {
-    mkdirSync5(resolve8(cwd, ".greenlight"), { recursive: true });
-    writeFileSync5(resolve8(cwd, ".greenlight/secrets.env"), `${secrets.join("\n")}
-`, {
-      mode: 384
-    });
-    console.log(`\u2714 wrote .greenlight/secrets.env (${secrets.length} token(s), gitignored)`);
-  }
-  if (process.stdin.isTTY && !args.includes("--no-tokens")) {
-    try {
-      await ensureTokensForTool(cwd, {}, { verify: !args.includes("--no-verify") });
-    } catch (e) {
-      console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+  scaffoldIfAbsent(resolve7(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
+  scaffoldIfAbsent(resolve7(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
+  scaffoldIfAbsent(resolve7(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
+  scaffoldIfAbsent(resolve7(cwd, ".node-version"), "24\n", ".node-version");
+  const repo = flag5(args, "--repo") ?? detectRepo(cwd);
+  let pushed = 0;
+  if (repo && !args.includes("--no-push")) {
+    for (const [f, key] of Object.entries(TOKEN_FLAGS)) {
+      const v = flag5(args, f);
+      if (!v || key.startsWith("GITHUB_")) continue;
+      try {
+        setGitHubSecret(repo, void 0, key, v);
+        console.log(`\u2714 set ${key} \u2192 ${repo} (GitHub Actions)`);
+        pushed++;
+      } catch (e) {
+        console.log(`! could not set ${key}: ${e instanceof Error ? e.message : String(e)}`);
+      }
     }
   }
-  let pushed = false;
-  if (existsSync9(resolve8(cwd, ".greenlight/secrets.env")) && !args.includes("--no-push")) {
-    try {
-      const { repo, count } = syncSecrets({ cwd, repo: flag5(args, "--repo") });
-      console.log(`\u2714 pushed ${count} secret(s) to ${repo} (GitHub Actions)`);
-      pushed = true;
-    } catch (e) {
-      console.log(`! skipped pushing secrets: ${e instanceof Error ? e.message : String(e)}`);
-      console.log("  run `greenlight secrets sync` once `gh` is authenticated.");
+  if (process.stdin.isTTY && !args.includes("--no-tokens")) {
+    if (repo) {
+      try {
+        const results = await ensureTokensForTool(
+          repo,
+          {},
+          {
+            verify: !args.includes("--no-verify")
+          }
+        );
+        pushed += results.filter((r) => r.outcome === "entered").length;
+      } catch (e) {
+        console.log(`\u2716 ${e instanceof Error ? e.message : String(e)}`);
+      }
+    } else {
+      console.log(
+        "\n\xB7 no GitHub repo detected yet \u2014 create it + `gh auth login`, then set the base secrets\n  (CLOUDFLARE_API_TOKEN, TF_API_TOKEN) via `greenlight add <tool>` (prompts them) or `gh secret set`."
+      );
     }
   }
   console.log(`
 Next:
   1. greenlight add <name> --lane <lane> --target <target>   # scaffold a tool, emit infra, and
-                                                             # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (run `greenlight secrets sync` if base tokens were not pushed)"}
+                                                             # gather THAT tool's keys \u2192 GitHub${pushed ? "" : "\n  (it also prompts the base tokens if they are not set yet)"}
   2. set the HCP backend (cloud{} org + workspace) in infra/main.tf   # docs/terraform-state.md
   3. commit + push \u2192 CI (.github/workflows/infra.yml) runs \`terraform apply\`
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 // src/commands/migrations.ts
-import { existsSync as existsSync10, readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
+import { existsSync as existsSync9, readFileSync as readFileSync6, readdirSync as readdirSync3 } from "fs";
 import { join as join5 } from "path";
 var DEFAULT_DIR = "supabase/migrations";
 var CANDIDATE_DIRS = [
@@ -2751,7 +2659,7 @@ var CANDIDATE_DIRS = [
 ];
 function resolveMigrationsDir(explicit, root = process.cwd()) {
   if (explicit) return explicit;
-  return CANDIDATE_DIRS.find((d) => existsSync10(join5(root, d))) ?? DEFAULT_DIR;
+  return CANDIDATE_DIRS.find((d) => existsSync9(join5(root, d))) ?? DEFAULT_DIR;
 }
 async function migrationsCommand(args) {
   if (args[0] !== "scan") {
@@ -2777,7 +2685,7 @@ async function migrationsCommand(args) {
   }
   const files = names.map((f) => ({
     path: join5(dir, f),
-    content: readFileSync7(join5(dir, f), "utf8")
+    content: readFileSync6(join5(dir, f), "utf8")
   }));
   const findings = scanSqlFiles(files);
   if (findings.length === 0) {
@@ -2802,12 +2710,12 @@ ${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn).
 // src/commands/preview.ts
 import { execFileSync as execFileSync5, spawn } from "child_process";
-import { resolve as resolve10 } from "path";
+import { resolve as resolve9 } from "path";
 import { setTimeout as sleep } from "timers/promises";
 // src/commands/verify.ts
 import { spawnSync } from "child_process";
-import { resolve as resolve9 } from "path";
+import { resolve as resolve8 } from "path";
 function defaultSpec(lane) {
   switch (lane) {
     case "astro":
@@ -2935,7 +2843,7 @@ ${pass2 ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports2.length} specs)`);
   if (reachableTimeoutMs > 0) {
     console.log(`waiting up to ${reachableTimeoutMs / 1e3}s for ${url} to become reachable\u2026`);
   }
-  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve8(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { reachableTimeoutMs, toolDir });
   attachFailureLogs(reports, specs, toolDir);
   for (const report of reports) printReport(report);
@@ -2979,7 +2887,7 @@ async function verifyLocal(entry, url) {
   process.env.GREENLIGHT_PREVIEW = "1";
   process.env.GREENLIGHT_VERIFY_URL = url;
   const specs = await loadSpecs(entry);
-  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { toolDir });
   for (const report of reports) printReport(report);
   return allPass(reports);
@@ -2990,7 +2898,7 @@ async function previewViaDescriptor(entry, name, portOverride) {
   const port = portOverride ?? pv.port ?? entry.port ?? lane.port;
   const path = pv.path ?? lane.path;
   const url = `http://localhost:${port}${path}`;
-  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   console.log(`preview ${name}: ${pv.command}  (\u2192 ${url})`);
   const child = spawn(pv.command, {
     cwd: toolDir,
@@ -3303,7 +3211,6 @@ var HELP = `greenlight <command>
   promote <name> [--perform] [--push]           gated develop -> main fast-forward
   status <name>                                 last ship/deploy/verify run for a tool (via gh)
   secrets gather <name> [--repo o/r] [--env e]  guided, link-first token prompts -> GitHub secrets (no disk/logs)
-  secrets sync [--repo o/r] [--env <env>]       push .greenlight/secrets.env -> GitHub Actions secrets
   agent sync [<name>]                           write the loop kit (named \u2192 tool-aware, into its dir)
   adopt <name> --repo <path> --lane --target    onboard an existing tool repo as a thin consumer
   migrations scan [<dir>] [--strict]            dangerous-SQL gate for migrations (pre-apply)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.3.1",
+  "version": "0.4.1",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-adapters": "0.3.1",
-    "@rtrentjones/greenlight-loop": "0.3.1",
-    "@rtrentjones/greenlight-shared": "0.3.1",
-    "@rtrentjones/greenlight-verify": "0.3.1"
+    "@rtrentjones/greenlight-adapters": "0.4.1",
+    "@rtrentjones/greenlight-verify": "0.4.1",
+    "@rtrentjones/greenlight-loop": "0.4.1",
+    "@rtrentjones/greenlight-shared": "0.4.1"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",

package/templates/_template-agent/wrangler.toml CHANGED Viewed

@@ -1,10 +1,10 @@
-# Agent Worker. `greenlight add` rewrites `name` + the route domain + the account_id, and emits a
-# .github/workflows/deploy-<name>.yml that (on push to main) creates the KV namespace, deploys, sets
-# the GEMINI_API_KEY + RUN_TOKEN Worker secrets from GitHub secrets, seeds, and verifies. So you only
-# add those two GitHub secrets — no manual wrangler.
+# Agent Worker. `greenlight add` rewrites `name` + the route domain, and emits a
+# .github/workflows/deploy-<name>.yml that (on push to main) resolves the account id + KV namespace,
+# deploys, sets the GEMINI_API_KEY + RUN_TOKEN Worker secrets from GitHub secrets, seeds, and verifies.
+# So you only add those two GitHub secrets — no manual wrangler, no local secrets.
 name = "agent-tool"
-# Non-secret account id (committed config). `greenlight add` resolves + fills this from your domain's
-# zone; without it wrangler calls /memberships, which a scoped API token can't do.
+# Non-secret account id. The emitted deploy workflow resolves it from your domain's zone in CI and
+# fills this placeholder (wrangler can't call /memberships to auto-discover it with a scoped token).
 account_id = "REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID"
 main = "src/index.ts"
 compatibility_date = "2025-06-01"