@rtrentjones/greenlight 0.4.0 → 0.4.1

package/dist/bin.js

@@ -62,6 +62,12 @@ jobs:
           RUN_TOKEN: \${{ secrets.RUN_TOKEN }}
         run: |
           cd tools/${name}
+          # Account id as code: resolve the (non-secret) account id from the domain's zone and inject
+          # it into wrangler.toml \u2014 wrangler can't call /memberships to auto-discover it with a scoped
+          # token. Derived, so the repo keeps the REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID placeholder.
+          ACCT=$(curl -fsS "https://api.cloudflare.com/client/v4/zones?name=${domain}" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq -r '.result[0].account.id // empty')
+          if [ -z "$ACCT" ]; then echo "::error::could not resolve the Cloudflare account id for ${domain} (token needs Zone:Read?)"; exit 1; fi
+          sed -i "s/REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID/$ACCT/g" wrangler.toml
           # KV namespace as code: find-or-create the STATE namespace (idempotent), then inject its id
           # into wrangler.toml for this deploy. The id is non-secret + derived, so the repo keeps the
           # REPLACE_WITH_KV_NAMESPACE_ID placeholder \u2014 no manual create, no hardcoded id.
@@ -93,19 +99,6 @@ jobs:
         run: echo "Missing CLOUDFLARE_API_TOKEN or GEMINI_API_KEY \u2014 ${name} deploy skipped."
 `;
 }
-async function resolveCloudflareAccountId(domain, token) {
-  try {
-    const res = await fetch(
-      `https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(domain)}`,
-      { headers: { Authorization: `Bearer ${token}` } }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return data.result?.[0]?.account?.id ?? null;
-  } catch {
-    return null;
-  }
-}
 
 // src/asset-paths.ts
 import { existsSync } from "fs";
@@ -489,7 +482,7 @@ var PACKS = [
     id: "github",
     name: "GitHub",
     always: true,
-    // secrets sync + repo/branch infra
+    // the single secret store (Actions secrets) + repo/branch infra
     appliesTo: () => true,
     guide: "docs/provider-tokens.md \u2014 GitHub (gh auth, or a fine-grained PAT)",
     setupUrl: "https://github.com/settings/personal-access-tokens/new",
@@ -590,7 +583,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.4.0";
+var MODULE_REF = "v0.4.1";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -915,10 +908,103 @@ function providersForTool(tool) {
   return out;
 }
 
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync3, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { resolve as resolve3 } from "path";
+
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
+  }
+  return out;
+}
+
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+
+This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
+tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
+branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
+push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
+Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
+pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
+
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync3(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve3(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync3(skillSrc)) continue;
+    const skillDest = resolve3(dir, ".claude/skills", pack.skill);
+    mkdirSync(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve3(dir, ".mcp.json");
+  const existingMcp = existsSync3(mcpPath) ? JSON.parse(readFileSync(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve3(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync3(claudePath) ? readFileSync(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
+
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+  if (name) {
+    const { config } = await loadManifest();
+    const entry = resolveEntry(config, name);
+    const dir = resolve3(process.cwd(), entry.dir ?? ".");
+    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
+    console.log(
+      `
+Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
+    );
+    return;
+  }
+  materializeAgentKit(process.cwd());
+  console.log(
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+  );
+}
+
 // src/commands/secrets.ts
 import { execFileSync } from "child_process";
-import { existsSync as existsSync3, readFileSync } from "fs";
-import { resolve as resolve3 } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve4 } from "path";
 import { createInterface } from "readline";
 function parseOciConfig(text) {
   const out = {};
@@ -933,7 +1019,7 @@ function parseOciConfig(text) {
   return out;
 }
 function ociPrefill(configPath, keyPath) {
-  const cfg = parseOciConfig(readFileSync(configPath, "utf8"));
+  const cfg = parseOciConfig(readFileSync2(configPath, "utf8"));
   const map = /* @__PURE__ */ new Map();
   const set = (k, v) => {
     if (v) map.set(k, v);
@@ -943,8 +1029,8 @@ function ociPrefill(configPath, keyPath) {
   set("TF_VAR_OCI_TENANCY_OCID", cfg.tenancy);
   set("TF_VAR_OCI_REGION", cfg.region);
   const pem = keyPath ?? cfg.key_file;
-  if (pem && existsSync3(pem)) {
-    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync(pem, "utf8"));
+  if (pem && existsSync4(pem)) {
+    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync2(pem, "utf8"));
   } else if (pem) {
     console.log(`   ! PEM not found at ${pem} \u2014 set TF_VAR_OCI_PRIVATE_KEY manually (--oci-key)`);
   }
@@ -1091,7 +1177,7 @@ async function secretsCommand(args) {
     if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
     const ociConfig2 = flag(args, "--oci-config");
     const ociKey = flag(args, "--oci-key");
-    const prefill = ociConfig2 ? ociPrefill(resolve3(process.cwd(), ociConfig2), ociKey && resolve3(process.cwd(), ociKey)) : void 0;
+    const prefill = ociConfig2 ? ociPrefill(resolve4(process.cwd(), ociConfig2), ociKey && resolve4(process.cwd(), ociKey)) : void 0;
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
@@ -1101,161 +1187,6 @@ async function secretsCommand(args) {
   process.exit(sub ? 1 : 0);
 }
 
-// src/tokens.ts
-function presentEnv() {
-  const out = {};
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0) out[k] = v;
-  }
-  return out;
-}
-async function ensureTokensForTool(repo, tool, opts = {}) {
-  const doVerify = opts.verify !== false;
-  const env = presentEnv();
-  const already = listGitHubSecrets(repo, opts.env);
-  const results = [];
-  const prompt = process.stdin.isTTY ? hiddenPrompter() : null;
-  try {
-    for (const spec of tokensForTool(tool)) {
-      const key = secretKeyFor(spec, "", void 0);
-      if (key === "GITHUB_TOKEN") {
-        results.push({ envVar: spec.envVar, outcome: "skipped" });
-        continue;
-      }
-      if (env[spec.envVar] || already?.has(key)) {
-        results.push({ envVar: spec.envVar, outcome: "present" });
-        continue;
-      }
-      if (!prompt) {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      console.log(`
-${key} \u2014 ${spec.label}`);
-      if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-      const entered = await prompt.ask(
-        `  value${spec.optional ? " (optional, Enter to skip)" : ""}: `
-      );
-      if (!entered) {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      env[spec.envVar] = entered;
-      let check;
-      if (doVerify && spec.verify) {
-        try {
-          check = await spec.verify(entered, env);
-        } catch (e) {
-          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
-        }
-        if (!check.ok && !spec.optional) {
-          throw new Error(
-            `${key} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
-          );
-        }
-      }
-      setGitHubSecret(repo, opts.env, key, entered);
-      results.push({ envVar: spec.envVar, outcome: "entered", verify: check });
-    }
-  } finally {
-    prompt?.close();
-  }
-  return results;
-}
-
-// src/commands/agent.ts
-import { cpSync, existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { resolve as resolve4 } from "path";
-
-// src/agent-kit.ts
-function recommendedMcp(tool) {
-  return mcpForTool(tool);
-}
-function mergeMcpServers(existing, add) {
-  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
-  for (const [name, val] of Object.entries(add)) {
-    if (out.mcpServers[name]) continue;
-    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
-  }
-  return out;
-}
-
-// src/commands/agent.ts
-var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
-
-This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
-tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
-branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
-push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
-Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
-pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
-
-Agentic kit:
-- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
-- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
-    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
-- Best-practice skills (one-time, user scope):
-    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
-`;
-function materializeAgentKit(dir, tool) {
-  const src = skillAssetDir();
-  if (!existsSync4(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve4(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync(dest, { recursive: true });
-  cpSync(src, dest, { recursive: true });
-  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
-  for (const pack of packsForTool(tool)) {
-    if (!pack.skill) continue;
-    const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync4(skillSrc)) continue;
-    const skillDest = resolve4(dir, ".claude/skills", pack.skill);
-    mkdirSync(skillDest, { recursive: true });
-    cpSync(skillSrc, skillDest, { recursive: true });
-    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
-  }
-  const mcpPath = resolve4(dir, ".mcp.json");
-  const existingMcp = existsSync4(mcpPath) ? JSON.parse(readFileSync2(mcpPath, "utf8")) : null;
-  const servers = recommendedMcp(tool);
-  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
-`);
-  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve4(dir, "CLAUDE.md");
-  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync4(claudePath) ? readFileSync2(claudePath, "utf8") : "";
-  if (existing.includes(marker)) {
-    console.log("\xB7 CLAUDE.md already has the loop block");
-  } else {
-    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
-
-${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
-    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
-  }
-}
-async function agentCommand(args) {
-  if (args[0] !== "sync") {
-    console.log(
-      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
-  if (name) {
-    const { config } = await loadManifest();
-    const entry = resolveEntry(config, name);
-    const dir = resolve4(process.cwd(), entry.dir ?? ".");
-    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
-    console.log(
-      `
-Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
-    );
-    return;
-  }
-  materializeAgentKit(process.cwd());
-  console.log(
-    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
-  );
-}
-
 // src/commands/add.ts
 function flag2(args, name) {
   const i = args.indexOf(name);
@@ -1335,19 +1266,7 @@ async function addCommand(args) {
     if (existsSync5(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
     const wranglerPath = join(dest, "wrangler.toml");
     if (existsSync5(wranglerPath)) {
-      let wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
-      if (wt.includes("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID")) {
-        const token = presentEnv().CLOUDFLARE_API_TOKEN;
-        const acct = token ? await resolveCloudflareAccountId(config.domain, token) : null;
-        if (acct) {
-          wt = wt.replaceAll("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID", acct);
-          console.log("\u2714 resolved the Cloudflare account id into wrangler.toml");
-        } else {
-          console.log(
-            "\xB7 could not resolve the Cloudflare account id \u2014 set account_id in wrangler.toml"
-          );
-        }
-      }
+      const wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
       writeFileSync2(wranglerPath, wt);
     }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
@@ -2494,6 +2413,70 @@ ${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
 import { existsSync as existsSync8, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
 import { resolve as resolve7 } from "path";
 import { createInterface as createInterface2 } from "readline/promises";
+
+// src/tokens.ts
+function presentEnv() {
+  const out = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0) out[k] = v;
+  }
+  return out;
+}
+async function ensureTokensForTool(repo, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const env = presentEnv();
+  const already = listGitHubSecrets(repo, opts.env);
+  const results = [];
+  const prompt = process.stdin.isTTY ? hiddenPrompter() : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      const key = secretKeyFor(spec, "", void 0);
+      if (key === "GITHUB_TOKEN") {
+        results.push({ envVar: spec.envVar, outcome: "skipped" });
+        continue;
+      }
+      if (env[spec.envVar] || already?.has(key)) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+        continue;
+      }
+      if (!prompt) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      console.log(`
+${key} \u2014 ${spec.label}`);
+      if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+      const entered = await prompt.ask(
+        `  value${spec.optional ? " (optional, Enter to skip)" : ""}: `
+      );
+      if (!entered) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      env[spec.envVar] = entered;
+      let check;
+      if (doVerify && spec.verify) {
+        try {
+          check = await spec.verify(entered, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${key} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+      setGitHubSecret(repo, opts.env, key, entered);
+      results.push({ envVar: spec.envVar, outcome: "entered", verify: check });
+    }
+  } finally {
+    prompt?.close();
+  }
+  return results;
+}
+
+// src/commands/init.ts
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rtrentjones/greenlight",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "Greenlight CLI — setup and lifecycle for the harness.",
   "license": "MIT",
   "repository": {
@@ -31,10 +31,10 @@
     "@anthropic-ai/sdk": "^0.69.0"
   },
   "devDependencies": {
-    "@rtrentjones/greenlight-loop": "0.4.0",
-    "@rtrentjones/greenlight-adapters": "0.4.0",
-    "@rtrentjones/greenlight-verify": "0.4.0",
-    "@rtrentjones/greenlight-shared": "0.4.0"
+    "@rtrentjones/greenlight-adapters": "0.4.1",
+    "@rtrentjones/greenlight-verify": "0.4.1",
+    "@rtrentjones/greenlight-loop": "0.4.1",
+    "@rtrentjones/greenlight-shared": "0.4.1"
   },
   "scripts": {
     "build": "node scripts/copy-assets.mjs && tsup",

package/templates/_template-agent/wrangler.toml

@@ -1,10 +1,10 @@
-# Agent Worker. `greenlight add` rewrites `name` + the route domain + the account_id, and emits a
-# .github/workflows/deploy-<name>.yml that (on push to main) creates the KV namespace, deploys, sets
-# the GEMINI_API_KEY + RUN_TOKEN Worker secrets from GitHub secrets, seeds, and verifies. So you only
-# add those two GitHub secrets — no manual wrangler.
+# Agent Worker. `greenlight add` rewrites `name` + the route domain, and emits a
+# .github/workflows/deploy-<name>.yml that (on push to main) resolves the account id + KV namespace,
+# deploys, sets the GEMINI_API_KEY + RUN_TOKEN Worker secrets from GitHub secrets, seeds, and verifies.
+# So you only add those two GitHub secrets — no manual wrangler, no local secrets.
 name = "agent-tool"
-# Non-secret account id (committed config). `greenlight add` resolves + fills this from your domain's
-# zone; without it wrangler calls /memberships, which a scoped API token can't do.
+# Non-secret account id. The emitted deploy workflow resolves it from your domain's zone in CI and
+# fills this placeholder (wrangler can't call /memberships to auto-discover it with a scoped token).
 account_id = "REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID"
 main = "src/index.ts"
 compatibility_date = "2025-06-01"