@rtrentjones/greenlight 0.4.0 → 0.5.0

package/dist/bin.js

@@ -1,12 +1,14 @@
 #!/usr/bin/env node
 import {
   ConfigSchema,
+  MATRIX,
   allPass,
+  describeMatrix,
   loadConfig,
   resolveUrl,
   scanSqlFiles,
   verifyAll
-} from "./chunk-P6FRYOOV.js";
+} from "./chunk-OBWWE7GE.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -62,6 +64,12 @@ jobs:
           RUN_TOKEN: \${{ secrets.RUN_TOKEN }}
         run: |
           cd tools/${name}
+          # Account id as code: resolve the (non-secret) account id from the domain's zone and inject
+          # it into wrangler.toml \u2014 wrangler can't call /memberships to auto-discover it with a scoped
+          # token. Derived, so the repo keeps the REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID placeholder.
+          ACCT=$(curl -fsS "https://api.cloudflare.com/client/v4/zones?name=${domain}" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq -r '.result[0].account.id // empty')
+          if [ -z "$ACCT" ]; then echo "::error::could not resolve the Cloudflare account id for ${domain} (token needs Zone:Read?)"; exit 1; fi
+          sed -i "s/REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID/$ACCT/g" wrangler.toml
           # KV namespace as code: find-or-create the STATE namespace (idempotent), then inject its id
           # into wrangler.toml for this deploy. The id is non-secret + derived, so the repo keeps the
           # REPLACE_WITH_KV_NAMESPACE_ID placeholder \u2014 no manual create, no hardcoded id.
@@ -93,19 +101,6 @@ jobs:
         run: echo "Missing CLOUDFLARE_API_TOKEN or GEMINI_API_KEY \u2014 ${name} deploy skipped."
 `;
 }
-async function resolveCloudflareAccountId(domain, token) {
-  try {
-    const res = await fetch(
-      `https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(domain)}`,
-      { headers: { Authorization: `Bearer ${token}` } }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return data.result?.[0]?.account?.id ?? null;
-  } catch {
-    return null;
-  }
-}
 
 // src/asset-paths.ts
 import { existsSync } from "fs";
@@ -340,11 +335,27 @@ var PACKS = [
           "Account \xB7 Cloudflare Tunnel \xB7 Edit (only if a tool uses target: oci)"
         ],
         verify: async (t) => {
+          const auth = { Authorization: `Bearer ${t}` };
           const r = await fetch("https://api.cloudflare.com/client/v4/user/tokens/verify", {
-            headers: { Authorization: `Bearer ${t}` }
+            headers: auth
           });
           const j = await r.json().catch(() => ({}));
-          return { ok: r.ok && j.result?.status === "active", detail: j.result?.status };
+          if (!r.ok || j.result?.status !== "active") {
+            return { ok: false, detail: j.result?.status ?? `HTTP ${r.status}` };
+          }
+          const ar = await fetch("https://api.cloudflare.com/client/v4/accounts?per_page=1", {
+            headers: auth
+          }).catch(() => null);
+          if (ar?.ok) {
+            const aj = await ar.json().catch(() => ({}));
+            if (Array.isArray(aj.result) && aj.result.length === 0) {
+              return {
+                ok: false,
+                detail: "active but no account access \u2014 a Zone-DNS-only token can't resolve account_id; needs Account \xB7 Workers Scripts:Edit + Workers KV Storage:Edit + Account Settings:Read"
+              };
+            }
+          }
+          return { ok: true, detail: "active" };
         }
       }
     ],
@@ -489,7 +500,7 @@ var PACKS = [
     id: "github",
     name: "GitHub",
     always: true,
-    // secrets sync + repo/branch infra
+    // the single secret store (Actions secrets) + repo/branch infra
     appliesTo: () => true,
     guide: "docs/provider-tokens.md \u2014 GitHub (gh auth, or a fine-grained PAT)",
     setupUrl: "https://github.com/settings/personal-access-tokens/new",
@@ -590,7 +601,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.4.0";
+var MODULE_REF = "v0.5.0";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -915,10 +926,103 @@ function providersForTool(tool) {
   return out;
 }
 
+// src/commands/agent.ts
+import { cpSync, existsSync as existsSync3, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { resolve as resolve3 } from "path";
+
+// src/agent-kit.ts
+function recommendedMcp(tool) {
+  return mcpForTool(tool);
+}
+function mergeMcpServers(existing, add) {
+  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
+  for (const [name, val] of Object.entries(add)) {
+    if (out.mcpServers[name]) continue;
+    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
+  }
+  return out;
+}
+
+// src/commands/agent.ts
+var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
+
+This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
+tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
+branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
+push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
+Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
+pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
+
+Agentic kit:
+- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
+- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
+    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
+- Best-practice skills (one-time, user scope):
+    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
+`;
+function materializeAgentKit(dir, tool) {
+  const src = skillAssetDir();
+  if (!existsSync3(src)) throw new Error(`skill asset not found at ${src}`);
+  const dest = resolve3(dir, ".claude/skills/deploy-verify-promote");
+  mkdirSync(dest, { recursive: true });
+  cpSync(src, dest, { recursive: true });
+  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
+  for (const pack of packsForTool(tool)) {
+    if (!pack.skill) continue;
+    const skillSrc = skillAssetDir(pack.skill);
+    if (!existsSync3(skillSrc)) continue;
+    const skillDest = resolve3(dir, ".claude/skills", pack.skill);
+    mkdirSync(skillDest, { recursive: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
+  }
+  const mcpPath = resolve3(dir, ".mcp.json");
+  const existingMcp = existsSync3(mcpPath) ? JSON.parse(readFileSync(mcpPath, "utf8")) : null;
+  const servers = recommendedMcp(tool);
+  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
+`);
+  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
+  const claudePath = resolve3(dir, "CLAUDE.md");
+  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
+  const existing = existsSync3(claudePath) ? readFileSync(claudePath, "utf8") : "";
+  if (existing.includes(marker)) {
+    console.log("\xB7 CLAUDE.md already has the loop block");
+  } else {
+    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
+
+${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
+    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
+  }
+}
+async function agentCommand(args) {
+  if (args[0] !== "sync") {
+    console.log(
+      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+  if (name) {
+    const { config } = await loadManifest();
+    const entry = resolveEntry(config, name);
+    const dir = resolve3(process.cwd(), entry.dir ?? ".");
+    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
+    console.log(
+      `
+Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
+    );
+    return;
+  }
+  materializeAgentKit(process.cwd());
+  console.log(
+    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
+  );
+}
+
 // src/commands/secrets.ts
 import { execFileSync } from "child_process";
-import { existsSync as existsSync3, readFileSync } from "fs";
-import { resolve as resolve3 } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve4 } from "path";
 import { createInterface } from "readline";
 function parseOciConfig(text) {
   const out = {};
@@ -933,7 +1037,7 @@ function parseOciConfig(text) {
   return out;
 }
 function ociPrefill(configPath, keyPath) {
-  const cfg = parseOciConfig(readFileSync(configPath, "utf8"));
+  const cfg = parseOciConfig(readFileSync2(configPath, "utf8"));
   const map = /* @__PURE__ */ new Map();
   const set = (k, v) => {
     if (v) map.set(k, v);
@@ -943,8 +1047,8 @@ function ociPrefill(configPath, keyPath) {
   set("TF_VAR_OCI_TENANCY_OCID", cfg.tenancy);
   set("TF_VAR_OCI_REGION", cfg.region);
   const pem = keyPath ?? cfg.key_file;
-  if (pem && existsSync3(pem)) {
-    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync(pem, "utf8"));
+  if (pem && existsSync4(pem)) {
+    map.set("TF_VAR_OCI_PRIVATE_KEY", readFileSync2(pem, "utf8"));
   } else if (pem) {
     console.log(`   ! PEM not found at ${pem} \u2014 set TF_VAR_OCI_PRIVATE_KEY manually (--oci-key)`);
   }
@@ -977,11 +1081,11 @@ function hiddenPrompter() {
   if (tty) rl._writeToOutput = () => {
   };
   return {
-    ask: (query) => new Promise((resolve10) => {
+    ask: (query) => new Promise((resolve11) => {
       process.stdout.write(query);
       rl.question("", (val) => {
         process.stdout.write("\n");
-        resolve10(val.trim());
+        resolve11(val.trim());
       });
     }),
     close: () => rl.close()
@@ -1080,8 +1184,50 @@ async function gatherSecrets(name, repo, env, prefill) {
   console.log(`
 ${pushed} secret(s) pushed to ${repo}. (None written to disk.)`);
 }
+async function secretsCheck(name, repo) {
+  const { config } = await loadManifest();
+  const tools = name ? config.tools.filter((t) => t.name === name) : config.tools;
+  if (name && tools.length === 0) throw new Error(`no tool "${name}" in the manifest`);
+  const present = listGitHubSecrets(repo, void 0);
+  console.log(`Secrets check \u2192 ${repo}`);
+  if (!present) console.log("! could not list secrets (gh unauth/no access) \u2014 names only\n");
+  else console.log("");
+  let missing = 0;
+  for (const t of tools) {
+    const expected = /* @__PURE__ */ new Set();
+    for (const pack of packsForTool({ lane: t.lane, target: t.target, data: t.data })) {
+      for (const tok of pack.tokens) {
+        if (!tok.optional) expected.add(secretKeyFor(tok, t.name, t.tokenOverrides));
+      }
+    }
+    if (t.lane === "agent") {
+      expected.add("GEMINI_API_KEY");
+      expected.add("RUN_TOKEN");
+    }
+    for (const s of t.tokens ?? []) expected.add(s);
+    console.log(
+      `\u2500\u2500 ${t.name} (${t.lane}/${t.target}${t.data && t.data !== "none" ? `/${t.data}` : ""})`
+    );
+    for (const key of [...expected].sort()) {
+      const have = present ? present.has(key) : void 0;
+      if (have === false) missing++;
+      console.log(`   ${have === void 0 ? "?" : have ? "\u2714" : "\u2718"} ${key}`);
+    }
+  }
+  if (present)
+    console.log(`
+${missing === 0 ? "\u2714 all required secrets present" : `\u2718 ${missing} missing`}`);
+  process.exit(missing > 0 ? 1 : 0);
+}
 async function secretsCommand(args) {
   const sub = args[0];
+  if (sub === "check") {
+    const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+    const repo = flag(args, "--repo") ?? detectRepo(process.cwd());
+    if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
+    await secretsCheck(name, repo);
+    return;
+  }
   if (sub === "gather") {
     const name = args[1];
     if (!name || name.startsWith("-")) {
@@ -1091,7 +1237,7 @@ async function secretsCommand(args) {
     if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
     const ociConfig2 = flag(args, "--oci-config");
     const ociKey = flag(args, "--oci-key");
-    const prefill = ociConfig2 ? ociPrefill(resolve3(process.cwd(), ociConfig2), ociKey && resolve3(process.cwd(), ociKey)) : void 0;
+    const prefill = ociConfig2 ? ociPrefill(resolve4(process.cwd(), ociConfig2), ociKey && resolve4(process.cwd(), ociKey)) : void 0;
     await gatherSecrets(name, repo, flag(args, "--env"), prefill);
     return;
   }
@@ -1101,161 +1247,6 @@ async function secretsCommand(args) {
   process.exit(sub ? 1 : 0);
 }
 
-// src/tokens.ts
-function presentEnv() {
-  const out = {};
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v !== void 0) out[k] = v;
-  }
-  return out;
-}
-async function ensureTokensForTool(repo, tool, opts = {}) {
-  const doVerify = opts.verify !== false;
-  const env = presentEnv();
-  const already = listGitHubSecrets(repo, opts.env);
-  const results = [];
-  const prompt = process.stdin.isTTY ? hiddenPrompter() : null;
-  try {
-    for (const spec of tokensForTool(tool)) {
-      const key = secretKeyFor(spec, "", void 0);
-      if (key === "GITHUB_TOKEN") {
-        results.push({ envVar: spec.envVar, outcome: "skipped" });
-        continue;
-      }
-      if (env[spec.envVar] || already?.has(key)) {
-        results.push({ envVar: spec.envVar, outcome: "present" });
-        continue;
-      }
-      if (!prompt) {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      console.log(`
-${key} \u2014 ${spec.label}`);
-      if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
-      const entered = await prompt.ask(
-        `  value${spec.optional ? " (optional, Enter to skip)" : ""}: `
-      );
-      if (!entered) {
-        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
-        continue;
-      }
-      env[spec.envVar] = entered;
-      let check;
-      if (doVerify && spec.verify) {
-        try {
-          check = await spec.verify(entered, env);
-        } catch (e) {
-          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
-        }
-        if (!check.ok && !spec.optional) {
-          throw new Error(
-            `${key} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
-          );
-        }
-      }
-      setGitHubSecret(repo, opts.env, key, entered);
-      results.push({ envVar: spec.envVar, outcome: "entered", verify: check });
-    }
-  } finally {
-    prompt?.close();
-  }
-  return results;
-}
-
-// src/commands/agent.ts
-import { cpSync, existsSync as existsSync4, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { resolve as resolve4 } from "path";
-
-// src/agent-kit.ts
-function recommendedMcp(tool) {
-  return mcpForTool(tool);
-}
-function mergeMcpServers(existing, add) {
-  const out = { mcpServers: { ...existing?.mcpServers ?? {} } };
-  for (const [name, val] of Object.entries(add)) {
-    if (out.mcpServers[name]) continue;
-    out.mcpServers[name] = typeof val === "string" ? { type: "http", url: val } : val;
-  }
-  return out;
-}
-
-// src/commands/agent.ts
-var CLAUDE_BLOCK = `## Greenlight loop (deploy \u2192 verify \u2192 promote)
-
-This repo uses Greenlight. Deliver every change through the ONE model (same shape for web + MCP
-tools \u2014 the deploy-verify-promote skill has the lane\xD7target matrix):
-branch \u2192 change \u2192 \`greenlight preview <name>\` (local gate) \u2192 add it to the tool's verify.config \u2192
-push (CI gates on the tool's own tests) \u2192 deploy \u2192 \`greenlight verify <name> --env prod\`.
-Web tools also get beta + \`greenlight promote\`; oci is direct-to-prod (the local gate is the
-pre-prod safety). \`greenlight status <name>\` shows the run chain; \`greenlight doctor\` flags drift.
-
-Agentic kit:
-- Skill: \`.claude/skills/deploy-verify-promote/SKILL.md\` (the one model + the matrix).
-- MCP servers: \`.mcp.json\` recommends the relevant providers \u2014 run \`/mcp\` to authenticate.
-    Vercel is OAuth; Supabase needs \`SUPABASE_ACCESS_TOKEN\` (+ \`SUPABASE_PROJECT_REF\`) in your env.
-- Best-practice skills (one-time, user scope):
-    \`claude plugin marketplace add cloudflare/skills && claude plugin install cloudflare@cloudflare\`
-`;
-function materializeAgentKit(dir, tool) {
-  const src = skillAssetDir();
-  if (!existsSync4(src)) throw new Error(`skill asset not found at ${src}`);
-  const dest = resolve4(dir, ".claude/skills/deploy-verify-promote");
-  mkdirSync(dest, { recursive: true });
-  cpSync(src, dest, { recursive: true });
-  console.log("\u2714 .claude/skills/deploy-verify-promote/SKILL.md");
-  for (const pack of packsForTool(tool)) {
-    if (!pack.skill) continue;
-    const skillSrc = skillAssetDir(pack.skill);
-    if (!existsSync4(skillSrc)) continue;
-    const skillDest = resolve4(dir, ".claude/skills", pack.skill);
-    mkdirSync(skillDest, { recursive: true });
-    cpSync(skillSrc, skillDest, { recursive: true });
-    console.log(`\u2714 .claude/skills/${pack.skill}/SKILL.md`);
-  }
-  const mcpPath = resolve4(dir, ".mcp.json");
-  const existingMcp = existsSync4(mcpPath) ? JSON.parse(readFileSync2(mcpPath, "utf8")) : null;
-  const servers = recommendedMcp(tool);
-  writeFileSync(mcpPath, `${JSON.stringify(mergeMcpServers(existingMcp, servers), null, 2)}
-`);
-  console.log(`\u2714 .mcp.json (${Object.keys(servers).length} recommended MCP server(s))`);
-  const claudePath = resolve4(dir, "CLAUDE.md");
-  const marker = "Greenlight loop (deploy \u2192 verify \u2192 promote)";
-  const existing = existsSync4(claudePath) ? readFileSync2(claudePath, "utf8") : "";
-  if (existing.includes(marker)) {
-    console.log("\xB7 CLAUDE.md already has the loop block");
-  } else {
-    writeFileSync(claudePath, existing ? `${existing.trimEnd()}
-
-${CLAUDE_BLOCK}` : CLAUDE_BLOCK);
-    console.log(`\u2714 CLAUDE.md (${existing ? "appended" : "created"})`);
-  }
-}
-async function agentCommand(args) {
-  if (args[0] !== "sync") {
-    console.log(
-      "usage: greenlight agent sync [<name>]\n  (no name)  write the generic loop kit into THIS repo (the fallback)\n  <name>     load the manifest and sync that tool's kit into its dir, with the\n             target-specific provider skills (oci/vercel/supabase), not just the always-on ones"
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
-  if (name) {
-    const { config } = await loadManifest();
-    const entry = resolveEntry(config, name);
-    const dir = resolve4(process.cwd(), entry.dir ?? ".");
-    materializeAgentKit(dir, { lane: entry.lane, target: entry.target, data: entry.data });
-    console.log(
-      `
-Synced the kit for "${name}" \u2192 ${entry.dir ?? "."} (lane=${entry.lane}, target=${entry.target}, data=${entry.data}).`
-    );
-    return;
-  }
-  materializeAgentKit(process.cwd());
-  console.log(
-    "\nNote: the Greenlight Claude Code plugin (user scope) is the preferred path; this sync is the fallback.\nRun `/mcp` to authenticate the MCP servers."
-  );
-}
-
 // src/commands/add.ts
 function flag2(args, name) {
   const i = args.indexOf(name);
@@ -1296,9 +1287,25 @@ async function addCommand(args) {
       "usage: greenlight add <name> --lane <lane> --target <target> [--data <d>] [--auth <a>] [--envs beta,prod] [--port 8000] [--share <owner>]"
     );
   }
-  const lane = flag2(args, "--lane");
-  const target = flag2(args, "--target");
-  if (!lane || !target) throw new Error("add needs --lane and --target");
+  const lane = flag2(args, "--lane");
+  const target = flag2(args, "--target");
+  if (!lane || !target) {
+    throw new Error(
+      `add needs --lane and --target. Valid combinations:
+${describeMatrix()}
+  (defaults: next\u2192vercel; astro/mcp/agent\u2192workers)`
+    );
+  }
+  if (!(lane in MATRIX)) {
+    throw new Error(`unknown lane "${lane}". Valid lanes:
+${describeMatrix()}`);
+  }
+  const rule = MATRIX[lane];
+  if (!rule.targets.includes(target)) {
+    throw new Error(
+      `lane "${lane}" can't target "${target}" \u2014 valid target(s): ${rule.targets.join(" | ")}`
+    );
+  }
   const { config, path } = await loadManifest();
   if (path.endsWith(".example.ts")) {
     throw new Error("no greenlight.config.ts \u2014 run `greenlight init` first");
@@ -1335,19 +1342,7 @@ async function addCommand(args) {
     if (existsSync5(shippedGitignore)) renameSync(shippedGitignore, join(dest, ".gitignore"));
     const wranglerPath = join(dest, "wrangler.toml");
     if (existsSync5(wranglerPath)) {
-      let wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
-      if (wt.includes("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID")) {
-        const token = presentEnv().CLOUDFLARE_API_TOKEN;
-        const acct = token ? await resolveCloudflareAccountId(config.domain, token) : null;
-        if (acct) {
-          wt = wt.replaceAll("REPLACE_WITH_CLOUDFLARE_ACCOUNT_ID", acct);
-          console.log("\u2714 resolved the Cloudflare account id into wrangler.toml");
-        } else {
-          console.log(
-            "\xB7 could not resolve the Cloudflare account id \u2014 set account_id in wrangler.toml"
-          );
-        }
-      }
+      const wt = readFileSync3(wranglerPath, "utf8").replaceAll("agent-tool", name).replaceAll("example.dev", config.domain);
       writeFileSync2(wranglerPath, wt);
     }
     console.log(`\u2714 copied ${src} \u2192 tools/${name}`);
@@ -2147,6 +2142,89 @@ function safeGit(cwd, gitArgs) {
   }
 }
 
+// src/commands/bump.ts
+import { existsSync as existsSync7, readFileSync as readFileSync6, writeFileSync as writeFileSync5 } from "fs";
+import { resolve as resolve7 } from "path";
+
+// src/refs.ts
+import { readFileSync as readFileSync5, readdirSync as readdirSync2, writeFileSync as writeFileSync4 } from "fs";
+import { join as join3 } from "path";
+var REF_RE = /greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g;
+function installedVersion(root) {
+  try {
+    const pkg = JSON.parse(
+      readFileSync5(join3(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
+    );
+    return pkg.version;
+  } catch {
+    return void 0;
+  }
+}
+function infraRefs(root) {
+  const refs = /* @__PURE__ */ new Set();
+  try {
+    for (const f of readdirSync2(join3(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
+      for (const m of readFileSync5(join3(root, "infra", f), "utf8").matchAll(REF_RE)) {
+        if (m[1]) refs.add(m[1]);
+      }
+    }
+  } catch {
+  }
+  return [...refs];
+}
+function rewriteInfraRefs(root, target) {
+  const want = target.startsWith("v") ? target : `v${target}`;
+  const changed = [];
+  let files;
+  try {
+    files = readdirSync2(join3(root, "infra")).filter((f) => f.endsWith(".tf"));
+  } catch {
+    return changed;
+  }
+  for (const f of files) {
+    const p = join3(root, "infra", f);
+    const body = readFileSync5(p, "utf8");
+    const next = body.replace(
+      /(greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=)v[0-9.]+/g,
+      `$1${want}`
+    );
+    if (next !== body) {
+      writeFileSync4(p, next);
+      changed.push(f);
+    }
+  }
+  return changed;
+}
+
+// src/commands/bump.ts
+function bumpCommand(_args) {
+  const root = process.cwd();
+  const version = installedVersion(root);
+  if (!version) {
+    throw new Error(
+      "no installed @rtrentjones/greenlight here \u2014 run from a consumer wrapper after `pnpm install`"
+    );
+  }
+  const want = `v${version}`;
+  const before = infraRefs(root);
+  const changed = rewriteInfraRefs(root, version);
+  if (changed.length) {
+    console.log(`\u2714 re-pinned ${changed.length} infra file(s) \u2192 ${want}: ${changed.join(", ")}`);
+  } else {
+    console.log(`\xB7 infra ?ref already ${want}${before.length ? "" : " (no infra pins)"}`);
+  }
+  const pkgPath = resolve7(root, "package.json");
+  if (existsSync7(pkgPath)) {
+    const raw = readFileSync6(pkgPath, "utf8");
+    const next = raw.replace(/("@rtrentjones\/greenlight":\s*")[^"]+(")/, `$1^${version}$2`);
+    if (next !== raw) {
+      writeFileSync5(pkgPath, next);
+      console.log(`\u2714 package.json dep \u2192 ^${version}`);
+    }
+  }
+  console.log("\nNext: pnpm install && pnpm greenlight doctor --strict, then commit + push.");
+}
+
 // src/commands/config.ts
 import { relative } from "path";
 async function configCommand() {
@@ -2158,7 +2236,7 @@ async function configCommand() {
 
 // ../packages/adapters/src/index.ts
 import { execFileSync as execFileSync3 } from "child_process";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 function run(cmd, args, cwd, extraEnv) {
   execFileSync3(cmd, args, { cwd, stdio: "inherit", env: { ...process.env, ...extraEnv } });
 }
@@ -2174,7 +2252,7 @@ function workersAdapter(ctx) {
         siteEnv = void 0;
       }
       run("pnpm", ["run", "build"], toolDir, siteEnv);
-      return { artifactDir: join3(toolDir, "dist") };
+      return { artifactDir: join4(toolDir, "dist") };
     },
     async deploy(toolDir, env) {
       run("pnpm", ["exec", "wrangler", "deploy", "--env", env], toolDir);
@@ -2276,20 +2354,84 @@ async function deployCommand(args) {
 // src/commands/doctor.ts
 import { execFileSync as execFileSync4 } from "child_process";
 import { lookup } from "dns/promises";
-import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync9, readFileSync as readFileSync8, readdirSync as readdirSync4 } from "fs";
+import { join as join6 } from "path";
+
+// src/commands/migrations.ts
+import { existsSync as existsSync8, readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
+import { join as join5 } from "path";
+var DEFAULT_DIR = "supabase/migrations";
+var CANDIDATE_DIRS = [
+  DEFAULT_DIR,
+  "migrations",
+  "drizzle/migrations",
+  "drizzle",
+  "db/migrations"
+];
+function resolveMigrationsDir(explicit, root = process.cwd()) {
+  if (explicit) return explicit;
+  return CANDIDATE_DIRS.find((d) => existsSync8(join5(root, d))) ?? DEFAULT_DIR;
+}
+async function migrationsCommand(args) {
+  if (args[0] !== "scan") {
+    console.log(
+      `usage: greenlight migrations scan [<dir>] [--strict]
+  scan SQL migrations for data-destroying / lock-heavy statements (the pre-apply gate).
+  no <dir> \u2192 auto-detects ${CANDIDATE_DIRS.join(" | ")}. Acknowledge an intentional op with \`-- greenlight:allow\`.`
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const dir = resolveMigrationsDir(args.slice(1).find((a) => !a.startsWith("-")));
+  const strict = args.includes("--strict");
+  let names;
+  try {
+    names = readdirSync3(dir).filter((f) => f.endsWith(".sql")).sort();
+  } catch {
+    console.log(`\xB7 no migrations dir at ${dir} \u2014 nothing to scan`);
+    process.exit(0);
+  }
+  if (names.length === 0) {
+    console.log(`\xB7 no .sql files in ${dir} \u2014 nothing to scan`);
+    process.exit(0);
+  }
+  const files = names.map((f) => ({
+    path: join5(dir, f),
+    content: readFileSync7(join5(dir, f), "utf8")
+  }));
+  const findings = scanSqlFiles(files);
+  if (findings.length === 0) {
+    console.log(`\u2714 migrations scan: ${names.length} file(s) clean (${dir})`);
+    process.exit(0);
+  }
+  for (const f of findings) {
+    console.log(
+      `  ${f.severity === "danger" ? "\u2718" : "!"} ${f.file}:${f.line} [${f.rule}] ${f.detail}
+      ${f.snippet}`
+    );
+  }
+  const dangers = findings.filter((f) => f.severity === "danger");
+  const blocking = strict ? findings : dangers;
+  const verdict = blocking.length === 0 ? "\u2714 no blocking findings" : `\u2718 ${blocking.length} blocking finding(s)`;
+  console.log(
+    `
+${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn). Acknowledge an intentional op with \`-- greenlight:allow\`.`
+  );
+  process.exit(blocking.length === 0 ? 0 : 1);
+}
+
+// src/commands/doctor.ts
 function dirCheck(label, dir) {
-  return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+  return existsSync9(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
 }
 function conformanceChecks(t, root) {
   const out = [];
-  const toolDir = t.dir ?? join4("tools", t.name);
+  const toolDir = t.dir ?? join6("tools", t.name);
   const specCandidates = t.external ? [
     `verify/${t.name}.config.ts`,
-    join4(toolDir, `verify/${t.name}.config.ts`),
-    join4(toolDir, "verify.config.ts")
-  ] : [join4(toolDir, "verify.config.ts")];
-  const found = specCandidates.find((p) => existsSync7(join4(root, p)));
+    join6(toolDir, `verify/${t.name}.config.ts`),
+    join6(toolDir, "verify.config.ts")
+  ] : [join6(toolDir, "verify.config.ts")];
+  const found = specCandidates.find((p) => existsSync9(join6(root, p)));
   out.push({
     name: `${t.name}: in the verify loop`,
     status: found ? "ok" : "warn",
@@ -2314,58 +2456,61 @@ function conformanceChecks(t, root) {
     });
   }
   if (!t.external && t.lane === "next" && t.target === "vercel") {
-    const wsPath = join4(root, "pnpm-workspace.yaml");
-    const ws = existsSync7(wsPath) ? readFileSync5(wsPath, "utf8") : "";
+    const wsPath = join6(root, "pnpm-workspace.yaml");
+    const ws = existsSync9(wsPath) ? readFileSync8(wsPath, "utf8") : "";
     const member = ws.includes(toolDir) || /^\s*-\s*["']?tools\/\*/m.test(ws);
     out.push({
       name: `${t.name}: pnpm workspace member`,
       status: member ? "ok" : "warn",
       detail: member ? void 0 : `add "${toolDir}" to pnpm-workspace.yaml \u2014 else Vercel's root install skips its deps`
     });
-    const hasVercelJson = existsSync7(join4(root, toolDir, "vercel.json"));
+    const hasVercelJson = existsSync9(join6(root, toolDir, "vercel.json"));
     out.push({
       name: `${t.name}: vercel.json framework`,
       status: hasVercelJson ? "ok" : "warn",
-      detail: hasVercelJson ? void 0 : `no ${join4(toolDir, "vercel.json")} (framework: "nextjs") \u2014 Vercel may treat the build as static`
+      detail: hasVercelJson ? void 0 : `no ${join6(toolDir, "vercel.json")} (framework: "nextjs") \u2014 Vercel may treat the build as static`
     });
   }
+  if (t.data === "supabase" || t.data === "neon") {
+    const migBase = join6(root, toolDir);
+    const migDir = resolveMigrationsDir(void 0, migBase);
+    if (existsSync9(join6(migBase, migDir))) {
+      const wired = [join6(migBase, ".github/workflows"), join6(root, ".github/workflows")].some(
+        (d) => {
+          try {
+            return readdirSync4(d).filter((f) => /\.ya?ml$/.test(f)).some((f) => readFileSync8(join6(d, f), "utf8").includes("migrations scan"));
+          } catch {
+            return false;
+          }
+        }
+      );
+      out.push({
+        name: `${t.name}: migrations gate`,
+        status: wired ? "ok" : "warn",
+        detail: wired ? `${migDir} scanned in CI` : `${migDir} present but no workflow runs \`greenlight migrations scan\` \u2014 wire the dangerous-SQL gate before the apply step`
+      });
+    }
+  }
   return out;
 }
 function versionDriftCheck(root) {
   const name = "framework version drift";
-  let installed;
-  try {
-    const pkg = JSON.parse(
-      readFileSync5(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
-    );
-    installed = pkg.version;
-  } catch {
-  }
-  const refs = /* @__PURE__ */ new Set();
-  try {
-    for (const f of readdirSync2(join4(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
-      const body = readFileSync5(join4(root, "infra", f), "utf8");
-      for (const m of body.matchAll(/greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g)) {
-        if (m[1]) refs.add(m[1]);
-      }
-    }
-  } catch {
-  }
-  if (!installed && refs.size === 0) {
+  const installed = installedVersion(root);
+  const refList = infraRefs(root);
+  if (!installed && refList.length === 0) {
     return {
       name,
       status: "skip",
       detail: "no installed @rtrentjones/greenlight or infra pins here"
     };
   }
-  const refList = [...refs];
   if (installed) {
     const want = `v${installed}`;
     const bad = refList.filter((r) => r !== want);
     return bad.length === 0 ? { name, status: "ok", detail: `infra pins == installed ${want}` } : {
       name,
       status: "warn",
-      detail: `installed ${want}, but infra pins ${bad.join(", ")} \u2014 bump ?ref to ${want}`
+      detail: `installed ${want}, but infra pins ${bad.join(", ")} \u2014 run \`greenlight bump\``
     };
   }
   return refList.length <= 1 ? { name, status: "ok", detail: `infra pins uniform (${refList[0] ?? "none"})` } : { name, status: "warn", detail: `infra ?ref pins not uniform: ${refList.join(", ")}` };
@@ -2388,7 +2533,7 @@ function submoduleDriftCheck(root) {
 }
 function runDoctor(config, root) {
   const checks = [];
-  if (config.blog) checks.push(dirCheck("blog", join4(root, "apps/blog")));
+  if (config.blog) checks.push(dirCheck("blog", join6(root, "apps/blog")));
   for (const t of config.tools) {
     if (t.external) {
       const url = resolveUrl({
@@ -2400,7 +2545,7 @@ function runDoctor(config, root) {
       checks.push({ name: `${t.name}: external (registry)`, status: "ok", detail: url });
       if (t.dir) {
         checks.push(
-          existsSync7(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
+          existsSync9(join6(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
             name: `${t.name}: dir present`,
             status: "warn",
             detail: `declared dir "${t.dir}" missing \u2014 run \`git submodule update --init\``
@@ -2408,7 +2553,7 @@ function runDoctor(config, root) {
         );
       }
     } else {
-      checks.push(dirCheck(t.name, join4(root, t.dir ?? join4("tools", t.name))));
+      checks.push(dirCheck(t.name, join6(root, t.dir ?? join6("tools", t.name))));
     }
     checks.push(...conformanceChecks(t, root));
   }
@@ -2475,6 +2620,7 @@ async function doctorCommand(args = []) {
     process.exit(1);
   }
   const live = args.includes("--live");
+  const strict = args.includes("--strict");
   const checks = runDoctor(config, process.cwd());
   if (live) {
     console.log("  (probing live prod URLs\u2026)");
@@ -2484,16 +2630,84 @@ async function doctorCommand(args = []) {
     console.log(`  ${ICON[c.status]} ${c.name}${c.detail ? ` \u2014 ${c.detail}` : ""}`);
   }
   const failed = checks.filter((c) => c.status === "fail").length;
-  console.log(`
-${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
+  const warned = checks.filter((c) => c.status === "warn").length;
+  console.log(
+    `
+${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}${warned ? ` \xB7 ${warned} warning(s)` : ""}`
+  );
   if (!live) console.log("\xB7 run `greenlight doctor --live` for DNS + reachability probes");
-  process.exit(failed === 0 ? 0 : 1);
+  if (!strict && warned) console.log("\xB7 run `greenlight doctor --strict` to fail on warnings (CI)");
+  process.exit(failed > 0 || strict && warned > 0 ? 1 : 0);
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
-import { resolve as resolve7 } from "path";
+import { existsSync as existsSync10, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6 } from "fs";
+import { resolve as resolve8 } from "path";
 import { createInterface as createInterface2 } from "readline/promises";
+
+// src/tokens.ts
+function presentEnv() {
+  const out = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0) out[k] = v;
+  }
+  return out;
+}
+async function ensureTokensForTool(repo, tool, opts = {}) {
+  const doVerify = opts.verify !== false;
+  const env = presentEnv();
+  const already = listGitHubSecrets(repo, opts.env);
+  const results = [];
+  const prompt = process.stdin.isTTY ? hiddenPrompter() : null;
+  try {
+    for (const spec of tokensForTool(tool)) {
+      const key = secretKeyFor(spec, "", void 0);
+      if (key === "GITHUB_TOKEN") {
+        results.push({ envVar: spec.envVar, outcome: "skipped" });
+        continue;
+      }
+      if (env[spec.envVar] || already?.has(key)) {
+        results.push({ envVar: spec.envVar, outcome: "present" });
+        continue;
+      }
+      if (!prompt) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      console.log(`
+${key} \u2014 ${spec.label}`);
+      if (spec.scopes?.length) console.log(`  scopes: ${spec.scopes.join(", ")}`);
+      const entered = await prompt.ask(
+        `  value${spec.optional ? " (optional, Enter to skip)" : ""}: `
+      );
+      if (!entered) {
+        results.push({ envVar: spec.envVar, outcome: spec.optional ? "skipped" : "missing" });
+        continue;
+      }
+      env[spec.envVar] = entered;
+      let check;
+      if (doVerify && spec.verify) {
+        try {
+          check = await spec.verify(entered, env);
+        } catch (e) {
+          check = { ok: false, detail: e instanceof Error ? e.message : String(e) };
+        }
+        if (!check.ok && !spec.optional) {
+          throw new Error(
+            `${key} failed verification${check.detail ? ` (${check.detail})` : ""} \u2014 check the token's scopes (${spec.label}).`
+          );
+        }
+      }
+      setGitHubSecret(repo, opts.env, key, entered);
+      results.push({ envVar: spec.envVar, outcome: "entered", verify: check });
+    }
+  } finally {
+    prompt?.close();
+  }
+  return results;
+}
+
+// src/commands/init.ts
 function flag5(args, name) {
   const i = args.indexOf(name);
   return i >= 0 ? args[i + 1] : void 0;
@@ -2551,8 +2765,9 @@ jobs:
       TF_TOKEN_app_terraform_io: \${{ secrets.TF_API_TOKEN }} # HCP state backend auth
       GITHUB_TOKEN: \${{ github.token }} # github provider (branch/protection); creates nothing risky
       CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
-      TF_VAR_cloudflare_zone_id: \${{ secrets.TF_VAR_CLOUDFLARE_ZONE_ID }}
-      TF_VAR_cloudflare_account_id: \${{ secrets.TF_VAR_CLOUDFLARE_ACCOUNT_ID }}
+      # zone/account ids are enumerable identifiers, not secrets \u2014 repo VARIABLES (vars.*)
+      TF_VAR_cloudflare_zone_id: \${{ vars.CLOUDFLARE_ZONE_ID }}
+      TF_VAR_cloudflare_account_id: \${{ vars.CLOUDFLARE_ACCOUNT_ID }}
       # vercel (target: vercel tools)
       VERCEL_API_TOKEN: \${{ secrets.VERCEL_API_TOKEN }}
       # supabase (data: supabase tools)
@@ -2577,12 +2792,12 @@ jobs:
 `;
 }
 function scaffoldIfAbsent(path, contents, label) {
-  if (existsSync8(path)) {
+  if (existsSync10(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync4(resolve7(path, ".."), { recursive: true });
-  writeFileSync4(path, contents);
+  mkdirSync4(resolve8(path, ".."), { recursive: true });
+  writeFileSync6(path, contents);
   console.log(`\u2714 wrote ${label}`);
 }
 var TOKEN_FLAGS = {
@@ -2603,22 +2818,22 @@ async function initCommand(args) {
   }
   if (!domain) throw new Error("a domain is required");
   const cwd = process.cwd();
-  const configPath = resolve7(cwd, "greenlight.config.ts");
-  if (existsSync8(configPath) && !force) {
+  const configPath = resolve8(cwd, "greenlight.config.ts");
+  if (existsSync10(configPath) && !force) {
     throw new Error("greenlight.config.ts already exists \u2014 pass --force to overwrite");
   }
-  writeFileSync4(configPath, scaffoldConfig(domain));
+  writeFileSync6(configPath, scaffoldConfig(domain));
   console.log(`\u2714 wrote greenlight.config.ts (domain: ${domain})`);
   const repoName = domain.replace(/\./g, "-");
   scaffoldIfAbsent(
-    resolve7(cwd, ".github/workflows/infra.yml"),
+    resolve8(cwd, ".github/workflows/infra.yml"),
     wrapperInfraYml(),
     ".github/workflows/infra.yml (HCP-backed terraform apply on push)"
   );
-  scaffoldIfAbsent(resolve7(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
-  scaffoldIfAbsent(resolve7(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
-  scaffoldIfAbsent(resolve7(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
-  scaffoldIfAbsent(resolve7(cwd, ".node-version"), "24\n", ".node-version");
+  scaffoldIfAbsent(resolve8(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
+  scaffoldIfAbsent(resolve8(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
+  scaffoldIfAbsent(resolve8(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
+  scaffoldIfAbsent(resolve8(cwd, ".node-version"), "24\n", ".node-version");
   const repo = flag5(args, "--repo") ?? detectRepo(cwd);
   let pushed = 0;
   if (repo && !args.includes("--no-push")) {
@@ -2663,76 +2878,14 @@ Next:
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 
-// src/commands/migrations.ts
-import { existsSync as existsSync9, readFileSync as readFileSync6, readdirSync as readdirSync3 } from "fs";
-import { join as join5 } from "path";
-var DEFAULT_DIR = "supabase/migrations";
-var CANDIDATE_DIRS = [
-  DEFAULT_DIR,
-  "migrations",
-  "drizzle/migrations",
-  "drizzle",
-  "db/migrations"
-];
-function resolveMigrationsDir(explicit, root = process.cwd()) {
-  if (explicit) return explicit;
-  return CANDIDATE_DIRS.find((d) => existsSync9(join5(root, d))) ?? DEFAULT_DIR;
-}
-async function migrationsCommand(args) {
-  if (args[0] !== "scan") {
-    console.log(
-      `usage: greenlight migrations scan [<dir>] [--strict]
-  scan SQL migrations for data-destroying / lock-heavy statements (the pre-apply gate).
-  no <dir> \u2192 auto-detects ${CANDIDATE_DIRS.join(" | ")}. Acknowledge an intentional op with \`-- greenlight:allow\`.`
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  const dir = resolveMigrationsDir(args.slice(1).find((a) => !a.startsWith("-")));
-  const strict = args.includes("--strict");
-  let names;
-  try {
-    names = readdirSync3(dir).filter((f) => f.endsWith(".sql")).sort();
-  } catch {
-    console.log(`\xB7 no migrations dir at ${dir} \u2014 nothing to scan`);
-    process.exit(0);
-  }
-  if (names.length === 0) {
-    console.log(`\xB7 no .sql files in ${dir} \u2014 nothing to scan`);
-    process.exit(0);
-  }
-  const files = names.map((f) => ({
-    path: join5(dir, f),
-    content: readFileSync6(join5(dir, f), "utf8")
-  }));
-  const findings = scanSqlFiles(files);
-  if (findings.length === 0) {
-    console.log(`\u2714 migrations scan: ${names.length} file(s) clean (${dir})`);
-    process.exit(0);
-  }
-  for (const f of findings) {
-    console.log(
-      `  ${f.severity === "danger" ? "\u2718" : "!"} ${f.file}:${f.line} [${f.rule}] ${f.detail}
-      ${f.snippet}`
-    );
-  }
-  const dangers = findings.filter((f) => f.severity === "danger");
-  const blocking = strict ? findings : dangers;
-  const verdict = blocking.length === 0 ? "\u2714 no blocking findings" : `\u2718 ${blocking.length} blocking finding(s)`;
-  console.log(
-    `
-${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn). Acknowledge an intentional op with \`-- greenlight:allow\`.`
-  );
-  process.exit(blocking.length === 0 ? 0 : 1);
-}
-
 // src/commands/preview.ts
 import { execFileSync as execFileSync5, spawn } from "child_process";
-import { resolve as resolve9 } from "path";
+import { resolve as resolve10 } from "path";
 import { setTimeout as sleep } from "timers/promises";
 
 // src/commands/verify.ts
 import { spawnSync } from "child_process";
-import { resolve as resolve8 } from "path";
+import { resolve as resolve9 } from "path";
 function defaultSpec(lane) {
   switch (lane) {
     case "astro":
@@ -2860,7 +3013,7 @@ ${pass2 ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports2.length} specs)`);
   if (reachableTimeoutMs > 0) {
     console.log(`waiting up to ${reachableTimeoutMs / 1e3}s for ${url} to become reachable\u2026`);
   }
-  const toolDir = resolve8(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { reachableTimeoutMs, toolDir });
   attachFailureLogs(reports, specs, toolDir);
   for (const report of reports) printReport(report);
@@ -2904,7 +3057,7 @@ async function verifyLocal(entry, url) {
   process.env.GREENLIGHT_PREVIEW = "1";
   process.env.GREENLIGHT_VERIFY_URL = url;
   const specs = await loadSpecs(entry);
-  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { toolDir });
   for (const report of reports) printReport(report);
   return allPass(reports);
@@ -2915,7 +3068,7 @@ async function previewViaDescriptor(entry, name, portOverride) {
   const port = portOverride ?? pv.port ?? entry.port ?? lane.port;
   const path = pv.path ?? lane.path;
   const url = `http://localhost:${port}${path}`;
-  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
   console.log(`preview ${name}: ${pv.command}  (\u2192 ${url})`);
   const child = spawn(pv.command, {
     cwd: toolDir,
@@ -3221,6 +3374,7 @@ var HELP = `greenlight <command>
 
   init --domain <d> [--cf-token ..] [--force]   scaffold manifest + secrets, push to GitHub Actions
   add <name> --lane <l> --target <t> [..]       scaffold a tool from a lane template + manifest entry
+  lanes                                         list the valid lane \xD7 target \xD7 data combinations
   config                                        load & validate the manifest, then print it
   deploy <name> --env <env>                     build + deploy an entry via its target adapter
   preview <name> [--port <n>]                   build + serve locally + verify (one command)
@@ -3228,10 +3382,12 @@ var HELP = `greenlight <command>
   promote <name> [--perform] [--push]           gated develop -> main fast-forward
   status <name>                                 last ship/deploy/verify run for a tool (via gh)
   secrets gather <name> [--repo o/r] [--env e]  guided, link-first token prompts -> GitHub secrets (no disk/logs)
+  secrets check [<name>] [--repo o/r]           list the GitHub secrets a tool's deploy needs + flag missing
   agent sync [<name>]                           write the loop kit (named \u2192 tool-aware, into its dir)
   adopt <name> --repo <path> --lane --target    onboard an existing tool repo as a thin consumer
   migrations scan [<dir>] [--strict]            dangerous-SQL gate for migrations (pre-apply)
-  doctor [--live]                               consistency checks (--live: DNS + reachability probes)
+  bump                                          re-pin a consumer's infra ?ref + dep to the installed version
+  doctor [--live] [--strict]                    consistency checks (--live: probes; --strict: fail on warnings)
   help                                          show this message
 
 Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see docs/archive/greenlight-v1.md \xA716.`;
@@ -3248,6 +3404,10 @@ async function main() {
       return initCommand(args);
     case "add":
       return addCommand(args);
+    case "lanes":
+      console.log(`Valid lane \xD7 target \xD7 data combinations:
+${describeMatrix()}`);
+      return;
     case "config":
       return configCommand();
     case "deploy":
@@ -3268,6 +3428,8 @@ async function main() {
       return adoptCommand(args);
     case "migrations":
       return migrationsCommand(args);
+    case "bump":
+      return bumpCommand(args);
     case "doctor":
       return doctorCommand(args);
     default: