@rtrentjones/greenlight 0.4.1 → 0.5.0

package/dist/bin.js

@@ -1,12 +1,14 @@
 #!/usr/bin/env node
 import {
   ConfigSchema,
+  MATRIX,
   allPass,
+  describeMatrix,
   loadConfig,
   resolveUrl,
   scanSqlFiles,
   verifyAll
-} from "./chunk-P6FRYOOV.js";
+} from "./chunk-OBWWE7GE.js";
 import "./chunk-HX7VA25D.js";
 import "./chunk-N3IKUCSF.js";
 import "./chunk-KP3Y6WRU.js";
@@ -333,11 +335,27 @@ var PACKS = [
           "Account \xB7 Cloudflare Tunnel \xB7 Edit (only if a tool uses target: oci)"
         ],
         verify: async (t) => {
+          const auth = { Authorization: `Bearer ${t}` };
           const r = await fetch("https://api.cloudflare.com/client/v4/user/tokens/verify", {
-            headers: { Authorization: `Bearer ${t}` }
+            headers: auth
           });
           const j = await r.json().catch(() => ({}));
-          return { ok: r.ok && j.result?.status === "active", detail: j.result?.status };
+          if (!r.ok || j.result?.status !== "active") {
+            return { ok: false, detail: j.result?.status ?? `HTTP ${r.status}` };
+          }
+          const ar = await fetch("https://api.cloudflare.com/client/v4/accounts?per_page=1", {
+            headers: auth
+          }).catch(() => null);
+          if (ar?.ok) {
+            const aj = await ar.json().catch(() => ({}));
+            if (Array.isArray(aj.result) && aj.result.length === 0) {
+              return {
+                ok: false,
+                detail: "active but no account access \u2014 a Zone-DNS-only token can't resolve account_id; needs Account \xB7 Workers Scripts:Edit + Workers KV Storage:Edit + Account Settings:Read"
+              };
+            }
+          }
+          return { ok: true, detail: "active" };
         }
       }
     ],
@@ -583,7 +601,7 @@ function tokensForTool(tool) {
 }
 
 // src/version.ts
-var MODULE_REF = "v0.4.1";
+var MODULE_REF = "v0.5.0";
 var MODULE_SOURCE_BASE = "git::https://github.com/RTrentJones/greenlight.git//infra/modules";
 function moduleSource(module, ref = MODULE_REF) {
   return `${MODULE_SOURCE_BASE}/${module}?ref=${ref}`;
@@ -1063,11 +1081,11 @@ function hiddenPrompter() {
   if (tty) rl._writeToOutput = () => {
   };
   return {
-    ask: (query) => new Promise((resolve10) => {
+    ask: (query) => new Promise((resolve11) => {
       process.stdout.write(query);
       rl.question("", (val) => {
         process.stdout.write("\n");
-        resolve10(val.trim());
+        resolve11(val.trim());
       });
     }),
     close: () => rl.close()
@@ -1166,8 +1184,50 @@ async function gatherSecrets(name, repo, env, prefill) {
   console.log(`
 ${pushed} secret(s) pushed to ${repo}. (None written to disk.)`);
 }
+async function secretsCheck(name, repo) {
+  const { config } = await loadManifest();
+  const tools = name ? config.tools.filter((t) => t.name === name) : config.tools;
+  if (name && tools.length === 0) throw new Error(`no tool "${name}" in the manifest`);
+  const present = listGitHubSecrets(repo, void 0);
+  console.log(`Secrets check \u2192 ${repo}`);
+  if (!present) console.log("! could not list secrets (gh unauth/no access) \u2014 names only\n");
+  else console.log("");
+  let missing = 0;
+  for (const t of tools) {
+    const expected = /* @__PURE__ */ new Set();
+    for (const pack of packsForTool({ lane: t.lane, target: t.target, data: t.data })) {
+      for (const tok of pack.tokens) {
+        if (!tok.optional) expected.add(secretKeyFor(tok, t.name, t.tokenOverrides));
+      }
+    }
+    if (t.lane === "agent") {
+      expected.add("GEMINI_API_KEY");
+      expected.add("RUN_TOKEN");
+    }
+    for (const s of t.tokens ?? []) expected.add(s);
+    console.log(
+      `\u2500\u2500 ${t.name} (${t.lane}/${t.target}${t.data && t.data !== "none" ? `/${t.data}` : ""})`
+    );
+    for (const key of [...expected].sort()) {
+      const have = present ? present.has(key) : void 0;
+      if (have === false) missing++;
+      console.log(`   ${have === void 0 ? "?" : have ? "\u2714" : "\u2718"} ${key}`);
+    }
+  }
+  if (present)
+    console.log(`
+${missing === 0 ? "\u2714 all required secrets present" : `\u2718 ${missing} missing`}`);
+  process.exit(missing > 0 ? 1 : 0);
+}
 async function secretsCommand(args) {
   const sub = args[0];
+  if (sub === "check") {
+    const name = args[1] && !args[1].startsWith("-") ? args[1] : void 0;
+    const repo = flag(args, "--repo") ?? detectRepo(process.cwd());
+    if (!repo) throw new Error("could not determine the repo \u2014 pass --repo owner/repo");
+    await secretsCheck(name, repo);
+    return;
+  }
   if (sub === "gather") {
     const name = args[1];
     if (!name || name.startsWith("-")) {
@@ -1229,7 +1289,23 @@ async function addCommand(args) {
   }
   const lane = flag2(args, "--lane");
   const target = flag2(args, "--target");
-  if (!lane || !target) throw new Error("add needs --lane and --target");
+  if (!lane || !target) {
+    throw new Error(
+      `add needs --lane and --target. Valid combinations:
+${describeMatrix()}
+  (defaults: next\u2192vercel; astro/mcp/agent\u2192workers)`
+    );
+  }
+  if (!(lane in MATRIX)) {
+    throw new Error(`unknown lane "${lane}". Valid lanes:
+${describeMatrix()}`);
+  }
+  const rule = MATRIX[lane];
+  if (!rule.targets.includes(target)) {
+    throw new Error(
+      `lane "${lane}" can't target "${target}" \u2014 valid target(s): ${rule.targets.join(" | ")}`
+    );
+  }
   const { config, path } = await loadManifest();
   if (path.endsWith(".example.ts")) {
     throw new Error("no greenlight.config.ts \u2014 run `greenlight init` first");
@@ -2066,6 +2142,89 @@ function safeGit(cwd, gitArgs) {
   }
 }
 
+// src/commands/bump.ts
+import { existsSync as existsSync7, readFileSync as readFileSync6, writeFileSync as writeFileSync5 } from "fs";
+import { resolve as resolve7 } from "path";
+
+// src/refs.ts
+import { readFileSync as readFileSync5, readdirSync as readdirSync2, writeFileSync as writeFileSync4 } from "fs";
+import { join as join3 } from "path";
+var REF_RE = /greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g;
+function installedVersion(root) {
+  try {
+    const pkg = JSON.parse(
+      readFileSync5(join3(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
+    );
+    return pkg.version;
+  } catch {
+    return void 0;
+  }
+}
+function infraRefs(root) {
+  const refs = /* @__PURE__ */ new Set();
+  try {
+    for (const f of readdirSync2(join3(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
+      for (const m of readFileSync5(join3(root, "infra", f), "utf8").matchAll(REF_RE)) {
+        if (m[1]) refs.add(m[1]);
+      }
+    }
+  } catch {
+  }
+  return [...refs];
+}
+function rewriteInfraRefs(root, target) {
+  const want = target.startsWith("v") ? target : `v${target}`;
+  const changed = [];
+  let files;
+  try {
+    files = readdirSync2(join3(root, "infra")).filter((f) => f.endsWith(".tf"));
+  } catch {
+    return changed;
+  }
+  for (const f of files) {
+    const p = join3(root, "infra", f);
+    const body = readFileSync5(p, "utf8");
+    const next = body.replace(
+      /(greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=)v[0-9.]+/g,
+      `$1${want}`
+    );
+    if (next !== body) {
+      writeFileSync4(p, next);
+      changed.push(f);
+    }
+  }
+  return changed;
+}
+
+// src/commands/bump.ts
+function bumpCommand(_args) {
+  const root = process.cwd();
+  const version = installedVersion(root);
+  if (!version) {
+    throw new Error(
+      "no installed @rtrentjones/greenlight here \u2014 run from a consumer wrapper after `pnpm install`"
+    );
+  }
+  const want = `v${version}`;
+  const before = infraRefs(root);
+  const changed = rewriteInfraRefs(root, version);
+  if (changed.length) {
+    console.log(`\u2714 re-pinned ${changed.length} infra file(s) \u2192 ${want}: ${changed.join(", ")}`);
+  } else {
+    console.log(`\xB7 infra ?ref already ${want}${before.length ? "" : " (no infra pins)"}`);
+  }
+  const pkgPath = resolve7(root, "package.json");
+  if (existsSync7(pkgPath)) {
+    const raw = readFileSync6(pkgPath, "utf8");
+    const next = raw.replace(/("@rtrentjones\/greenlight":\s*")[^"]+(")/, `$1^${version}$2`);
+    if (next !== raw) {
+      writeFileSync5(pkgPath, next);
+      console.log(`\u2714 package.json dep \u2192 ^${version}`);
+    }
+  }
+  console.log("\nNext: pnpm install && pnpm greenlight doctor --strict, then commit + push.");
+}
+
 // src/commands/config.ts
 import { relative } from "path";
 async function configCommand() {
@@ -2077,7 +2236,7 @@ async function configCommand() {
 
 // ../packages/adapters/src/index.ts
 import { execFileSync as execFileSync3 } from "child_process";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 function run(cmd, args, cwd, extraEnv) {
   execFileSync3(cmd, args, { cwd, stdio: "inherit", env: { ...process.env, ...extraEnv } });
 }
@@ -2093,7 +2252,7 @@ function workersAdapter(ctx) {
         siteEnv = void 0;
       }
       run("pnpm", ["run", "build"], toolDir, siteEnv);
-      return { artifactDir: join3(toolDir, "dist") };
+      return { artifactDir: join4(toolDir, "dist") };
     },
     async deploy(toolDir, env) {
       run("pnpm", ["exec", "wrangler", "deploy", "--env", env], toolDir);
@@ -2195,20 +2354,84 @@ async function deployCommand(args) {
 // src/commands/doctor.ts
 import { execFileSync as execFileSync4 } from "child_process";
 import { lookup } from "dns/promises";
-import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync2 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync9, readFileSync as readFileSync8, readdirSync as readdirSync4 } from "fs";
+import { join as join6 } from "path";
+
+// src/commands/migrations.ts
+import { existsSync as existsSync8, readFileSync as readFileSync7, readdirSync as readdirSync3 } from "fs";
+import { join as join5 } from "path";
+var DEFAULT_DIR = "supabase/migrations";
+var CANDIDATE_DIRS = [
+  DEFAULT_DIR,
+  "migrations",
+  "drizzle/migrations",
+  "drizzle",
+  "db/migrations"
+];
+function resolveMigrationsDir(explicit, root = process.cwd()) {
+  if (explicit) return explicit;
+  return CANDIDATE_DIRS.find((d) => existsSync8(join5(root, d))) ?? DEFAULT_DIR;
+}
+async function migrationsCommand(args) {
+  if (args[0] !== "scan") {
+    console.log(
+      `usage: greenlight migrations scan [<dir>] [--strict]
+  scan SQL migrations for data-destroying / lock-heavy statements (the pre-apply gate).
+  no <dir> \u2192 auto-detects ${CANDIDATE_DIRS.join(" | ")}. Acknowledge an intentional op with \`-- greenlight:allow\`.`
+    );
+    process.exit(args[0] ? 1 : 0);
+  }
+  const dir = resolveMigrationsDir(args.slice(1).find((a) => !a.startsWith("-")));
+  const strict = args.includes("--strict");
+  let names;
+  try {
+    names = readdirSync3(dir).filter((f) => f.endsWith(".sql")).sort();
+  } catch {
+    console.log(`\xB7 no migrations dir at ${dir} \u2014 nothing to scan`);
+    process.exit(0);
+  }
+  if (names.length === 0) {
+    console.log(`\xB7 no .sql files in ${dir} \u2014 nothing to scan`);
+    process.exit(0);
+  }
+  const files = names.map((f) => ({
+    path: join5(dir, f),
+    content: readFileSync7(join5(dir, f), "utf8")
+  }));
+  const findings = scanSqlFiles(files);
+  if (findings.length === 0) {
+    console.log(`\u2714 migrations scan: ${names.length} file(s) clean (${dir})`);
+    process.exit(0);
+  }
+  for (const f of findings) {
+    console.log(
+      `  ${f.severity === "danger" ? "\u2718" : "!"} ${f.file}:${f.line} [${f.rule}] ${f.detail}
+      ${f.snippet}`
+    );
+  }
+  const dangers = findings.filter((f) => f.severity === "danger");
+  const blocking = strict ? findings : dangers;
+  const verdict = blocking.length === 0 ? "\u2714 no blocking findings" : `\u2718 ${blocking.length} blocking finding(s)`;
+  console.log(
+    `
+${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn). Acknowledge an intentional op with \`-- greenlight:allow\`.`
+  );
+  process.exit(blocking.length === 0 ? 0 : 1);
+}
+
+// src/commands/doctor.ts
 function dirCheck(label, dir) {
-  return existsSync7(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
+  return existsSync9(dir) ? { name: `${label}: directory`, status: "ok" } : { name: `${label}: directory`, status: "fail", detail: `missing ${dir}` };
 }
 function conformanceChecks(t, root) {
   const out = [];
-  const toolDir = t.dir ?? join4("tools", t.name);
+  const toolDir = t.dir ?? join6("tools", t.name);
   const specCandidates = t.external ? [
     `verify/${t.name}.config.ts`,
-    join4(toolDir, `verify/${t.name}.config.ts`),
-    join4(toolDir, "verify.config.ts")
-  ] : [join4(toolDir, "verify.config.ts")];
-  const found = specCandidates.find((p) => existsSync7(join4(root, p)));
+    join6(toolDir, `verify/${t.name}.config.ts`),
+    join6(toolDir, "verify.config.ts")
+  ] : [join6(toolDir, "verify.config.ts")];
+  const found = specCandidates.find((p) => existsSync9(join6(root, p)));
   out.push({
     name: `${t.name}: in the verify loop`,
     status: found ? "ok" : "warn",
@@ -2233,58 +2456,61 @@ function conformanceChecks(t, root) {
     });
   }
   if (!t.external && t.lane === "next" && t.target === "vercel") {
-    const wsPath = join4(root, "pnpm-workspace.yaml");
-    const ws = existsSync7(wsPath) ? readFileSync5(wsPath, "utf8") : "";
+    const wsPath = join6(root, "pnpm-workspace.yaml");
+    const ws = existsSync9(wsPath) ? readFileSync8(wsPath, "utf8") : "";
     const member = ws.includes(toolDir) || /^\s*-\s*["']?tools\/\*/m.test(ws);
     out.push({
       name: `${t.name}: pnpm workspace member`,
       status: member ? "ok" : "warn",
       detail: member ? void 0 : `add "${toolDir}" to pnpm-workspace.yaml \u2014 else Vercel's root install skips its deps`
     });
-    const hasVercelJson = existsSync7(join4(root, toolDir, "vercel.json"));
+    const hasVercelJson = existsSync9(join6(root, toolDir, "vercel.json"));
     out.push({
       name: `${t.name}: vercel.json framework`,
       status: hasVercelJson ? "ok" : "warn",
-      detail: hasVercelJson ? void 0 : `no ${join4(toolDir, "vercel.json")} (framework: "nextjs") \u2014 Vercel may treat the build as static`
+      detail: hasVercelJson ? void 0 : `no ${join6(toolDir, "vercel.json")} (framework: "nextjs") \u2014 Vercel may treat the build as static`
     });
   }
+  if (t.data === "supabase" || t.data === "neon") {
+    const migBase = join6(root, toolDir);
+    const migDir = resolveMigrationsDir(void 0, migBase);
+    if (existsSync9(join6(migBase, migDir))) {
+      const wired = [join6(migBase, ".github/workflows"), join6(root, ".github/workflows")].some(
+        (d) => {
+          try {
+            return readdirSync4(d).filter((f) => /\.ya?ml$/.test(f)).some((f) => readFileSync8(join6(d, f), "utf8").includes("migrations scan"));
+          } catch {
+            return false;
+          }
+        }
+      );
+      out.push({
+        name: `${t.name}: migrations gate`,
+        status: wired ? "ok" : "warn",
+        detail: wired ? `${migDir} scanned in CI` : `${migDir} present but no workflow runs \`greenlight migrations scan\` \u2014 wire the dangerous-SQL gate before the apply step`
+      });
+    }
+  }
   return out;
 }
 function versionDriftCheck(root) {
   const name = "framework version drift";
-  let installed;
-  try {
-    const pkg = JSON.parse(
-      readFileSync5(join4(root, "node_modules/@rtrentjones/greenlight/package.json"), "utf8")
-    );
-    installed = pkg.version;
-  } catch {
-  }
-  const refs = /* @__PURE__ */ new Set();
-  try {
-    for (const f of readdirSync2(join4(root, "infra")).filter((f2) => f2.endsWith(".tf"))) {
-      const body = readFileSync5(join4(root, "infra", f), "utf8");
-      for (const m of body.matchAll(/greenlight\.git\/\/infra\/modules\/[^?"]+\?ref=(v[0-9.]+)/g)) {
-        if (m[1]) refs.add(m[1]);
-      }
-    }
-  } catch {
-  }
-  if (!installed && refs.size === 0) {
+  const installed = installedVersion(root);
+  const refList = infraRefs(root);
+  if (!installed && refList.length === 0) {
     return {
       name,
       status: "skip",
       detail: "no installed @rtrentjones/greenlight or infra pins here"
     };
   }
-  const refList = [...refs];
   if (installed) {
     const want = `v${installed}`;
     const bad = refList.filter((r) => r !== want);
     return bad.length === 0 ? { name, status: "ok", detail: `infra pins == installed ${want}` } : {
       name,
       status: "warn",
-      detail: `installed ${want}, but infra pins ${bad.join(", ")} \u2014 bump ?ref to ${want}`
+      detail: `installed ${want}, but infra pins ${bad.join(", ")} \u2014 run \`greenlight bump\``
     };
   }
   return refList.length <= 1 ? { name, status: "ok", detail: `infra pins uniform (${refList[0] ?? "none"})` } : { name, status: "warn", detail: `infra ?ref pins not uniform: ${refList.join(", ")}` };
@@ -2307,7 +2533,7 @@ function submoduleDriftCheck(root) {
 }
 function runDoctor(config, root) {
   const checks = [];
-  if (config.blog) checks.push(dirCheck("blog", join4(root, "apps/blog")));
+  if (config.blog) checks.push(dirCheck("blog", join6(root, "apps/blog")));
   for (const t of config.tools) {
     if (t.external) {
       const url = resolveUrl({
@@ -2319,7 +2545,7 @@ function runDoctor(config, root) {
       checks.push({ name: `${t.name}: external (registry)`, status: "ok", detail: url });
       if (t.dir) {
         checks.push(
-          existsSync7(join4(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
+          existsSync9(join6(root, t.dir)) ? { name: `${t.name}: dir present`, status: "ok", detail: t.dir } : {
             name: `${t.name}: dir present`,
             status: "warn",
             detail: `declared dir "${t.dir}" missing \u2014 run \`git submodule update --init\``
@@ -2327,7 +2553,7 @@ function runDoctor(config, root) {
         );
       }
     } else {
-      checks.push(dirCheck(t.name, join4(root, t.dir ?? join4("tools", t.name))));
+      checks.push(dirCheck(t.name, join6(root, t.dir ?? join6("tools", t.name))));
     }
     checks.push(...conformanceChecks(t, root));
   }
@@ -2394,6 +2620,7 @@ async function doctorCommand(args = []) {
     process.exit(1);
   }
   const live = args.includes("--live");
+  const strict = args.includes("--strict");
   const checks = runDoctor(config, process.cwd());
   if (live) {
     console.log("  (probing live prod URLs\u2026)");
@@ -2403,15 +2630,19 @@ async function doctorCommand(args = []) {
     console.log(`  ${ICON[c.status]} ${c.name}${c.detail ? ` \u2014 ${c.detail}` : ""}`);
   }
   const failed = checks.filter((c) => c.status === "fail").length;
-  console.log(`
-${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}`);
+  const warned = checks.filter((c) => c.status === "warn").length;
+  console.log(
+    `
+${failed === 0 ? "\u2714 no failures" : `\u2718 ${failed} failure(s)`}${warned ? ` \xB7 ${warned} warning(s)` : ""}`
+  );
   if (!live) console.log("\xB7 run `greenlight doctor --live` for DNS + reachability probes");
-  process.exit(failed === 0 ? 0 : 1);
+  if (!strict && warned) console.log("\xB7 run `greenlight doctor --strict` to fail on warnings (CI)");
+  process.exit(failed > 0 || strict && warned > 0 ? 1 : 0);
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
-import { resolve as resolve7 } from "path";
+import { existsSync as existsSync10, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6 } from "fs";
+import { resolve as resolve8 } from "path";
 import { createInterface as createInterface2 } from "readline/promises";
 
 // src/tokens.ts
@@ -2534,8 +2765,9 @@ jobs:
       TF_TOKEN_app_terraform_io: \${{ secrets.TF_API_TOKEN }} # HCP state backend auth
       GITHUB_TOKEN: \${{ github.token }} # github provider (branch/protection); creates nothing risky
       CLOUDFLARE_API_TOKEN: \${{ secrets.CLOUDFLARE_API_TOKEN }}
-      TF_VAR_cloudflare_zone_id: \${{ secrets.TF_VAR_CLOUDFLARE_ZONE_ID }}
-      TF_VAR_cloudflare_account_id: \${{ secrets.TF_VAR_CLOUDFLARE_ACCOUNT_ID }}
+      # zone/account ids are enumerable identifiers, not secrets \u2014 repo VARIABLES (vars.*)
+      TF_VAR_cloudflare_zone_id: \${{ vars.CLOUDFLARE_ZONE_ID }}
+      TF_VAR_cloudflare_account_id: \${{ vars.CLOUDFLARE_ACCOUNT_ID }}
       # vercel (target: vercel tools)
       VERCEL_API_TOKEN: \${{ secrets.VERCEL_API_TOKEN }}
       # supabase (data: supabase tools)
@@ -2560,12 +2792,12 @@ jobs:
 `;
 }
 function scaffoldIfAbsent(path, contents, label) {
-  if (existsSync8(path)) {
+  if (existsSync10(path)) {
     console.log(`\xB7 ${label} exists \u2014 left as-is`);
     return;
   }
-  mkdirSync4(resolve7(path, ".."), { recursive: true });
-  writeFileSync4(path, contents);
+  mkdirSync4(resolve8(path, ".."), { recursive: true });
+  writeFileSync6(path, contents);
   console.log(`\u2714 wrote ${label}`);
 }
 var TOKEN_FLAGS = {
@@ -2586,22 +2818,22 @@ async function initCommand(args) {
   }
   if (!domain) throw new Error("a domain is required");
   const cwd = process.cwd();
-  const configPath = resolve7(cwd, "greenlight.config.ts");
-  if (existsSync8(configPath) && !force) {
+  const configPath = resolve8(cwd, "greenlight.config.ts");
+  if (existsSync10(configPath) && !force) {
     throw new Error("greenlight.config.ts already exists \u2014 pass --force to overwrite");
   }
-  writeFileSync4(configPath, scaffoldConfig(domain));
+  writeFileSync6(configPath, scaffoldConfig(domain));
   console.log(`\u2714 wrote greenlight.config.ts (domain: ${domain})`);
   const repoName = domain.replace(/\./g, "-");
   scaffoldIfAbsent(
-    resolve7(cwd, ".github/workflows/infra.yml"),
+    resolve8(cwd, ".github/workflows/infra.yml"),
     wrapperInfraYml(),
     ".github/workflows/infra.yml (HCP-backed terraform apply on push)"
   );
-  scaffoldIfAbsent(resolve7(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
-  scaffoldIfAbsent(resolve7(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
-  scaffoldIfAbsent(resolve7(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
-  scaffoldIfAbsent(resolve7(cwd, ".node-version"), "24\n", ".node-version");
+  scaffoldIfAbsent(resolve8(cwd, ".gitignore"), WRAPPER_GITIGNORE, ".gitignore");
+  scaffoldIfAbsent(resolve8(cwd, "package.json"), wrapperPackageJson(repoName), "package.json");
+  scaffoldIfAbsent(resolve8(cwd, "mise.toml"), WRAPPER_MISE, "mise.toml");
+  scaffoldIfAbsent(resolve8(cwd, ".node-version"), "24\n", ".node-version");
   const repo = flag5(args, "--repo") ?? detectRepo(cwd);
   let pushed = 0;
   if (repo && !args.includes("--no-push")) {
@@ -2646,76 +2878,14 @@ Next:
   4. greenlight verify <name> --env prod   |   greenlight doctor`);
 }
 
-// src/commands/migrations.ts
-import { existsSync as existsSync9, readFileSync as readFileSync6, readdirSync as readdirSync3 } from "fs";
-import { join as join5 } from "path";
-var DEFAULT_DIR = "supabase/migrations";
-var CANDIDATE_DIRS = [
-  DEFAULT_DIR,
-  "migrations",
-  "drizzle/migrations",
-  "drizzle",
-  "db/migrations"
-];
-function resolveMigrationsDir(explicit, root = process.cwd()) {
-  if (explicit) return explicit;
-  return CANDIDATE_DIRS.find((d) => existsSync9(join5(root, d))) ?? DEFAULT_DIR;
-}
-async function migrationsCommand(args) {
-  if (args[0] !== "scan") {
-    console.log(
-      `usage: greenlight migrations scan [<dir>] [--strict]
-  scan SQL migrations for data-destroying / lock-heavy statements (the pre-apply gate).
-  no <dir> \u2192 auto-detects ${CANDIDATE_DIRS.join(" | ")}. Acknowledge an intentional op with \`-- greenlight:allow\`.`
-    );
-    process.exit(args[0] ? 1 : 0);
-  }
-  const dir = resolveMigrationsDir(args.slice(1).find((a) => !a.startsWith("-")));
-  const strict = args.includes("--strict");
-  let names;
-  try {
-    names = readdirSync3(dir).filter((f) => f.endsWith(".sql")).sort();
-  } catch {
-    console.log(`\xB7 no migrations dir at ${dir} \u2014 nothing to scan`);
-    process.exit(0);
-  }
-  if (names.length === 0) {
-    console.log(`\xB7 no .sql files in ${dir} \u2014 nothing to scan`);
-    process.exit(0);
-  }
-  const files = names.map((f) => ({
-    path: join5(dir, f),
-    content: readFileSync6(join5(dir, f), "utf8")
-  }));
-  const findings = scanSqlFiles(files);
-  if (findings.length === 0) {
-    console.log(`\u2714 migrations scan: ${names.length} file(s) clean (${dir})`);
-    process.exit(0);
-  }
-  for (const f of findings) {
-    console.log(
-      `  ${f.severity === "danger" ? "\u2718" : "!"} ${f.file}:${f.line} [${f.rule}] ${f.detail}
-      ${f.snippet}`
-    );
-  }
-  const dangers = findings.filter((f) => f.severity === "danger");
-  const blocking = strict ? findings : dangers;
-  const verdict = blocking.length === 0 ? "\u2714 no blocking findings" : `\u2718 ${blocking.length} blocking finding(s)`;
-  console.log(
-    `
-${verdict} (${dangers.length} danger, ${findings.length - dangers.length} warn). Acknowledge an intentional op with \`-- greenlight:allow\`.`
-  );
-  process.exit(blocking.length === 0 ? 0 : 1);
-}
-
 // src/commands/preview.ts
 import { execFileSync as execFileSync5, spawn } from "child_process";
-import { resolve as resolve9 } from "path";
+import { resolve as resolve10 } from "path";
 import { setTimeout as sleep } from "timers/promises";
 
 // src/commands/verify.ts
 import { spawnSync } from "child_process";
-import { resolve as resolve8 } from "path";
+import { resolve as resolve9 } from "path";
 function defaultSpec(lane) {
   switch (lane) {
     case "astro":
@@ -2843,7 +3013,7 @@ ${pass2 ? "\u2714 ALL PASS" : "\u2718 FAIL"} (${reports2.length} specs)`);
   if (reachableTimeoutMs > 0) {
     console.log(`waiting up to ${reachableTimeoutMs / 1e3}s for ${url} to become reachable\u2026`);
   }
-  const toolDir = resolve8(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { reachableTimeoutMs, toolDir });
   attachFailureLogs(reports, specs, toolDir);
   for (const report of reports) printReport(report);
@@ -2887,7 +3057,7 @@ async function verifyLocal(entry, url) {
   process.env.GREENLIGHT_PREVIEW = "1";
   process.env.GREENLIGHT_VERIFY_URL = url;
   const specs = await loadSpecs(entry);
-  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
   const reports = await verifyAll(url, specs, { toolDir });
   for (const report of reports) printReport(report);
   return allPass(reports);
@@ -2898,7 +3068,7 @@ async function previewViaDescriptor(entry, name, portOverride) {
   const port = portOverride ?? pv.port ?? entry.port ?? lane.port;
   const path = pv.path ?? lane.path;
   const url = `http://localhost:${port}${path}`;
-  const toolDir = resolve9(process.cwd(), entry.dir ?? ".");
+  const toolDir = resolve10(process.cwd(), entry.dir ?? ".");
   console.log(`preview ${name}: ${pv.command}  (\u2192 ${url})`);
   const child = spawn(pv.command, {
     cwd: toolDir,
@@ -3204,6 +3374,7 @@ var HELP = `greenlight <command>
 
   init --domain <d> [--cf-token ..] [--force]   scaffold manifest + secrets, push to GitHub Actions
   add <name> --lane <l> --target <t> [..]       scaffold a tool from a lane template + manifest entry
+  lanes                                         list the valid lane \xD7 target \xD7 data combinations
   config                                        load & validate the manifest, then print it
   deploy <name> --env <env>                     build + deploy an entry via its target adapter
   preview <name> [--port <n>]                   build + serve locally + verify (one command)
@@ -3211,10 +3382,12 @@ var HELP = `greenlight <command>
   promote <name> [--perform] [--push]           gated develop -> main fast-forward
   status <name>                                 last ship/deploy/verify run for a tool (via gh)
   secrets gather <name> [--repo o/r] [--env e]  guided, link-first token prompts -> GitHub secrets (no disk/logs)
+  secrets check [<name>] [--repo o/r]           list the GitHub secrets a tool's deploy needs + flag missing
   agent sync [<name>]                           write the loop kit (named \u2192 tool-aware, into its dir)
   adopt <name> --repo <path> --lane --target    onboard an existing tool repo as a thin consumer
   migrations scan [<dir>] [--strict]            dangerous-SQL gate for migrations (pre-apply)
-  doctor [--live]                               consistency checks (--live: DNS + reachability probes)
+  bump                                          re-pin a consumer's infra ?ref + dep to the installed version
+  doctor [--live] [--strict]                    consistency checks (--live: probes; --strict: fail on warnings)
   help                                          show this message
 
 Real cloud deploys need the target's creds (e.g. CLOUDFLARE_API_TOKEN); see docs/archive/greenlight-v1.md \xA716.`;
@@ -3231,6 +3404,10 @@ async function main() {
       return initCommand(args);
     case "add":
       return addCommand(args);
+    case "lanes":
+      console.log(`Valid lane \xD7 target \xD7 data combinations:
+${describeMatrix()}`);
+      return;
     case "config":
       return configCommand();
     case "deploy":
@@ -3251,6 +3428,8 @@ async function main() {
       return adoptCommand(args);
     case "migrations":
       return migrationsCommand(args);
+    case "bump":
+      return bumpCommand(args);
     case "doctor":
       return doctorCommand(args);
     default: