@treeseed/sdk 0.10.21 → 0.10.23

package/dist/operations/services/deploy.js

@@ -41,6 +41,13 @@ function ensureParent(filePath) {
 function stableHash(value) {
   return createHash("sha256").update(value).digest("hex");
 }
+function compactDeploymentKey(input) {
+  const rawKey = sanitizeResourceKey(input.rawKey ?? "");
+  if (rawKey && rawKey.length <= 40) return rawKey;
+  const base = sanitizeSegment(input.slug ?? input.projectSegment ?? "project").slice(0, 27) || "project";
+  const hash = stableHash(`${input.teamId ?? ""}:${input.projectId ?? ""}:${input.slug ?? ""}`).slice(0, 8);
+  return `${base}-${hash}`;
+}
 function readJson(filePath, fallback) {
   if (!existsSync(filePath)) {
     return fallback;
@@ -69,6 +76,9 @@ function loadTenantDeployConfig(tenantRoot) {
 function sanitizeSegment(value) {
   return String(value).trim().toLowerCase().replace(/[^a-z0-9-]+/g, "-").replace(/^-+|-+$/g, "").replace(/-{2,}/g, "-").slice(0, 36) || "default";
 }
+function sanitizeResourceKey(value) {
+  return String(value).trim().toLowerCase().replace(/[^a-z0-9-]+/g, "-").replace(/^-+|-+$/g, "").replace(/-{2,}/g, "");
+}
 function requireConfiguredIdentityValue(value, label) {
   const normalized = typeof value === "string" && value.trim() ? value.trim() : "";
   if (!normalized) {
@@ -87,7 +97,13 @@ function resolveTreeseedResourceIdentity(deployConfig, target) {
   );
   const teamSegment = sanitizeSegment(teamId);
   const projectSegment = sanitizeSegment(projectId);
-  const deploymentKey = `${teamSegment}-${projectSegment}`;
+  const deploymentKey = compactDeploymentKey({
+    rawKey: `${teamSegment}-${projectSegment}`,
+    teamId,
+    projectId,
+    projectSegment,
+    slug: deployConfig.slug
+  });
   const environment = target.kind === "persistent" ? target.scope : target.branchName;
   const environmentSegment = target.kind === "persistent" ? target.scope : sanitizeSegment(target.branchName);
   return {
@@ -168,6 +184,13 @@ function resolveConfiguredSurfaceBaseUrl(deployConfig, target, surface) {
   }
   return null;
 }
+function configuredSurfaceHosts(deployConfig, target, surface) {
+  const hosts = [
+    resolveConfiguredSurfaceDomain(deployConfig, target, surface),
+    surface === "web" && target.kind === "persistent" && target.scope === "prod" ? primaryHost(deployConfig.surfaces?.web?.publicBaseUrl ?? deployConfig.siteUrl) : null
+  ].filter(Boolean);
+  return [...new Set(hosts)];
+}
 function sharedDeploymentName(identity, role = "") {
   const roleSegment = role === "workdayManager" ? "workday-manager" : role === "workerRunner" ? "worker-runner-01" : role;
   return role ? `${identity.deploymentKey}-${sanitizeSegment(roleSegment)}` : identity.deploymentKey;
@@ -419,7 +442,7 @@ function buildSecretMap(deployConfig, state) {
   return {
     TREESEED_FORM_TOKEN_SECRET: envOrNull("TREESEED_FORM_TOKEN_SECRET") ?? generatedSecret,
     TREESEED_EDITORIAL_PREVIEW_SECRET: envOrNull("TREESEED_EDITORIAL_PREVIEW_SECRET") ?? previewSecret,
-    TREESEED_TURNSTILE_SECRET_KEY: envOrNull("TREESEED_TURNSTILE_SECRET_KEY"),
+    TREESEED_TURNSTILE_SECRET_KEY: state.turnstileWidgets?.formGuard?.secret ?? envOrNull("TREESEED_TURNSTILE_SECRET_KEY"),
     TREESEED_SMTP_PASSWORD: envOrNull("TREESEED_SMTP_PASSWORD")
   };
 }
@@ -431,6 +454,8 @@ function defaultStateFromConfig(deployConfig, target) {
   const contentPreviewRootTemplate = deployConfig.cloudflare.r2?.previewRootTemplate ?? "teams/{teamId}/previews";
   const contentDefaultTeamId = identity.teamId;
   const contentManifestKey = contentManifestKeyTemplate.replaceAll("{teamId}", contentDefaultTeamId);
+  const turnstileName = environmentScopedIdentityName(identity, "turnstile", target);
+  const turnstileDomains = configuredSurfaceHosts(deployConfig, target, "web");
   return {
     version: 2,
     target,
@@ -469,6 +494,17 @@ function defaultStateFromConfig(deployConfig, target) {
       buildOutputDir: deployConfig.cloudflare.pages?.buildOutputDir ?? "dist",
       url: resolveConfiguredSurfaceBaseUrl(deployConfig, target, "web")
     },
+    turnstileWidgets: {
+      formGuard: {
+        name: turnstileName,
+        sitekey: null,
+        secret: null,
+        mode: "managed",
+        domains: turnstileDomains,
+        managed: true,
+        lastSyncedAt: null
+      }
+    },
     content: {
       runtimeProvider: deployConfig.providers?.content?.runtime ?? "team_scoped_r2_overlay",
       publishProvider: deployConfig.providers?.content?.publish ?? deployConfig.providers?.content?.runtime ?? "team_scoped_r2_overlay",
@@ -636,6 +672,23 @@ function loadDeployState(tenantRoot, deployConfig, options = {}) {
       ...defaults.generatedSecrets ?? {},
       ...persisted.generatedSecrets ?? {}
     },
+    turnstileWidgets: {
+      ...defaults.turnstileWidgets ?? {},
+      ...persisted.turnstileWidgets ?? {},
+      formGuard: {
+        ...defaults.turnstileWidgets?.formGuard ?? {},
+        ...persisted.turnstileWidgets?.formGuard ?? {},
+        name: defaults.turnstileWidgets?.formGuard?.name ?? persisted.turnstileWidgets?.formGuard?.name ?? null,
+        mode: "managed",
+        managed: true,
+        domains: [
+          ...new Set([
+            ...Array.isArray(defaults.turnstileWidgets?.formGuard?.domains) ? defaults.turnstileWidgets.formGuard.domains : [],
+            ...Array.isArray(persisted.turnstileWidgets?.formGuard?.domains) ? persisted.turnstileWidgets.formGuard.domains : []
+          ].filter(Boolean))
+        ]
+      }
+    },
     content: {
       ...defaults.content ?? {},
       ...persisted.content ?? {},
@@ -926,6 +979,68 @@ function listPagesProjects(tenantRoot, env) {
   });
   return Array.isArray(payload?.result) ? payload.result : [];
 }
+function listTurnstileWidgets(tenantRoot, env) {
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!accountId) {
+    return [];
+  }
+  const payload = cloudflareApiRequest(`/accounts/${encodeURIComponent(accountId)}/challenges/widgets?per_page=100`, {
+    env,
+    allowFailure: true
+  });
+  return Array.isArray(payload?.result) ? payload.result : [];
+}
+function getTurnstileWidget(env, sitekey) {
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!accountId || !sitekey) {
+    return null;
+  }
+  const payload = cloudflareApiRequest(
+    `/accounts/${encodeURIComponent(accountId)}/challenges/widgets/${encodeURIComponent(sitekey)}`,
+    { env, allowFailure: true }
+  );
+  return payload?.result ?? null;
+}
+function createTurnstileWidget(env, input) {
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!accountId) {
+    throw new Error("Configure CLOUDFLARE_ACCOUNT_ID before creating Turnstile widgets.");
+  }
+  try {
+    return cloudflareApiRequest(`/accounts/${encodeURIComponent(accountId)}/challenges/widgets`, {
+      method: "POST",
+      env,
+      body: {
+        name: input.name,
+        domains: input.domains ?? [],
+        mode: input.mode ?? "managed"
+      }
+    })?.result ?? null;
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    throw new Error(`Cloudflare Turnstile widget creation failed. Ensure the API token has Turnstile Sites Write permission: ${detail}`);
+  }
+}
+function updateTurnstileWidget(env, sitekey, input) {
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!accountId || !sitekey) {
+    throw new Error("Configure CLOUDFLARE_ACCOUNT_ID and sitekey before updating Turnstile widgets.");
+  }
+  try {
+    return cloudflareApiRequest(`/accounts/${encodeURIComponent(accountId)}/challenges/widgets/${encodeURIComponent(sitekey)}`, {
+      method: "PUT",
+      env,
+      body: {
+        name: input.name,
+        domains: input.domains ?? [],
+        mode: input.mode ?? "managed"
+      }
+    })?.result ?? null;
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    throw new Error(`Cloudflare Turnstile widget update failed. Ensure the API token has Turnstile Sites Write permission: ${detail}`);
+  }
+}
 function buildCloudflarePagesFunctionBindings(state) {
   const kvNamespaces = Object.fromEntries(
     Object.entries(state.kvNamespaces ?? {}).map(([key, namespace]) => {
@@ -1006,6 +1121,7 @@ function buildProvisioningSummary(deployConfig, state, target) {
     siteUrl: target.kind === "branch" ? targetWorkersDevUrl(state.workerName) : deployConfig.siteUrl,
     accountId: resolveConfiguredCloudflareAccountId(deployConfig),
     pages: state.pages ?? null,
+    turnstileWidget: state.turnstileWidgets?.formGuard ?? null,
     formGuardKv: state.kvNamespaces.FORM_GUARD_KV,
     sessionKv: state.kvNamespaces.SESSION ?? null,
     siteDataDb: state.d1Databases.SITE_DATA_DB,
@@ -1017,6 +1133,7 @@ function buildProvisioningSummary(deployConfig, state, target) {
       queue: state.queues?.agentWork?.name ?? null,
       dlq: state.queues?.agentWork?.dlqName ?? null,
       database: state.d1Databases?.SITE_DATA_DB?.databaseName ?? null,
+      turnstileWidget: state.turnstileWidgets?.formGuard?.name ?? null,
       formGuardKv: state.kvNamespaces?.FORM_GUARD_KV?.name ?? null,
       railwayProject: state.services?.worker?.projectName ?? state.services?.api?.projectName ?? null,
       webDomain: configuredWebDomain,
@@ -1083,6 +1200,7 @@ function shouldManageCloudflareWebCacheRules(deployConfig, target) {
 }
 function cloudflareApiRequest(path, { method = "GET", body, env, allowFailure = false } = {}) {
   const requestScript = `import { readFileSync } from 'node:fs';
+import { request } from 'node:https';
 const input = JSON.parse(readFileSync(0, 'utf8') || '{}');
 function errorMessage(error) {
   const parts = [];
@@ -1099,15 +1217,32 @@ function errorMessage(error) {
   return [...new Set(parts.filter(Boolean))].join('; ') || String(error);
 }
 try {
-  const response = await fetch(input.url, {
-    method: input.method,
-    headers: {
-      authorization: 'Bearer ' + input.token,
-      'content-type': 'application/json',
-    },
-    body: input.body ? JSON.stringify(input.body) : undefined,
+  const body = input.body ? JSON.stringify(input.body) : undefined;
+  const response = await new Promise((resolve, reject) => {
+    const req = request(input.url, {
+      method: input.method,
+      headers: {
+        authorization: 'Bearer ' + input.token,
+        'content-type': 'application/json',
+      },
+      timeout: input.timeoutMs ?? 12000,
+    }, (res) => {
+      const chunks = [];
+      res.setEncoding('utf8');
+      res.on('data', (chunk) => chunks.push(chunk));
+      res.on('end', () => resolve({
+        ok: typeof res.statusCode === 'number' && res.statusCode >= 200 && res.statusCode < 300,
+        text: chunks.join(''),
+      }));
+    });
+    req.on('timeout', () => {
+      req.destroy(new Error('Cloudflare API request timed out'));
+    });
+    req.on('error', reject);
+    if (body) req.write(body);
+    req.end();
   });
-  const rawBody = await response.text();
+  const rawBody = response.text;
   let payload;
   try {
     payload = rawBody ? JSON.parse(rawBody) : {};
@@ -1126,6 +1261,7 @@ try {
     url: `https://api.cloudflare.com/client/v4${path}`,
     method,
     body,
+    timeoutMs: 12e3,
     token: env?.CLOUDFLARE_API_TOKEN ?? process.env.CLOUDFLARE_API_TOKEN ?? ""
   });
   const isTransient = (text) => /fetch failed|timed out|etimedout|econnreset|enetunreach|temporarily unavailable|aborted/iu.test(text || "");
@@ -1514,14 +1650,7 @@ function resolveConfiguredContentPublicBaseUrl(deployConfig) {
   return envOrNull("TREESEED_CONTENT_PUBLIC_BASE_URL") ?? deployConfig.cloudflare.r2?.publicBaseUrl ?? "";
 }
 function missingTurnstileRequirements() {
-  const issues = [];
-  if (!envOrNull("TREESEED_PUBLIC_TURNSTILE_SITE_KEY")) {
-    issues.push("Set TREESEED_PUBLIC_TURNSTILE_SITE_KEY before deploying.");
-  }
-  if (!envOrNull("TREESEED_TURNSTILE_SECRET_KEY")) {
-    issues.push("Set TREESEED_TURNSTILE_SECRET_KEY before deploying.");
-  }
-  return issues;
+  return [];
 }
 function missingContentRuntimeRequirements(deployConfig) {
   const issues = [];
@@ -1545,20 +1674,6 @@ function collectMissingDeployInputs(tenantRoot) {
       message: "Cloudflare account ID is missing. Set CLOUDFLARE_ACCOUNT_ID with treeseed config or provide it now."
     });
   }
-  if (!envOrNull("TREESEED_PUBLIC_TURNSTILE_SITE_KEY")) {
-    missing.push({
-      key: "TREESEED_PUBLIC_TURNSTILE_SITE_KEY",
-      label: "Turnstile public site key",
-      message: "Turnstile public site key is missing for deploy."
-    });
-  }
-  if (!envOrNull("TREESEED_TURNSTILE_SECRET_KEY")) {
-    missing.push({
-      key: "TREESEED_TURNSTILE_SECRET_KEY",
-      label: "Turnstile secret key",
-      message: "Turnstile secret key is missing for deploy."
-    });
-  }
   if (deployConfig.providers?.content?.runtime === "team_scoped_r2_overlay" && !envOrNull("TREESEED_EDITORIAL_PREVIEW_SECRET")) {
     missing.push({
       key: "TREESEED_EDITORIAL_PREVIEW_SECRET",
@@ -1655,6 +1770,24 @@ function resolveExistingKvIdByName(kvNamespaces, expectedName, fallbackId) {
   }
   return kvNamespaces.find((entry) => entry?.title === expectedName)?.id ?? null;
 }
+function resolveExistingTurnstileWidget(widgets, current) {
+  if (!current?.name && !current?.sitekey) {
+    return current;
+  }
+  const existing = widgets.find(
+    (entry) => current.sitekey && entry?.sitekey === current.sitekey || current.name && entry?.name === current.name
+  );
+  if (!existing?.sitekey) {
+    return current;
+  }
+  return {
+    ...current,
+    sitekey: existing.sitekey,
+    secret: existing.secret ?? current.secret ?? null,
+    domains: Array.isArray(existing.domains) ? existing.domains : current.domains ?? [],
+    mode: existing.mode ?? current.mode ?? "managed"
+  };
+}
 function resolveExistingD1ByName(d1Databases, expectedName, current) {
   if (current?.databaseId && !isPlaceholderResourceId(current.databaseId)) {
     return current;
@@ -1679,22 +1812,28 @@ function deleteKvNamespace(tenantRoot, namespaceId, { env, dryRun, preview = fal
   if (dryRun) {
     return { status: "planned", id: namespaceId, preview };
   }
-  const args = ["kv", "namespace", "delete", "--namespace-id", namespaceId, "--skip-confirmation"];
-  if (preview) {
-    args.push("--preview");
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  const path = accountId ? `/accounts/${encodeURIComponent(accountId)}/storage/kv/namespaces/${encodeURIComponent(namespaceId)}` : null;
+  const deleted = deleteCloudflareApiResource(path, { env, dryRun: false, name: namespaceId, type: "kv-namespace" });
+  return { status: deleted.status, id: namespaceId, preview };
+}
+function deleteTurnstileWidget(sitekey, { env, dryRun, name = null }) {
+  if (!sitekey || isPlaceholderResourceId(sitekey)) {
+    return { status: "missing", sitekey, name };
   }
-  const result = runWrangler(args, {
-    cwd: tenantRoot,
-    allowFailure: true,
-    capture: true,
-    env
-  });
-  const output = `${result.stdout ?? ""}
-${result.stderr ?? ""}`;
-  if (result.status !== 0 && !looksLikeMissingResource(output)) {
-    throw new Error(output.trim() || `Failed to delete KV namespace ${namespaceId}.`);
+  if (dryRun) {
+    return { status: "planned", sitekey, name };
+  }
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  const path = accountId ? `/accounts/${encodeURIComponent(accountId)}/challenges/widgets/${encodeURIComponent(sitekey)}` : null;
+  let deleted;
+  try {
+    deleted = deleteCloudflareApiResource(path, { env, dryRun: false, name: name ?? sitekey, type: "turnstile-widget" });
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    throw new Error(`Cloudflare Turnstile widget deletion failed. Ensure the API token has Turnstile Sites Write permission: ${detail}`);
   }
-  return { status: result.status === 0 ? "deleted" : "missing", id: namespaceId, preview };
+  return { status: deleted.status, sitekey, name };
 }
 function deleteD1Database(tenantRoot, databaseName, { env, dryRun }) {
   if (!databaseName) {
@@ -1703,18 +1842,12 @@ function deleteD1Database(tenantRoot, databaseName, { env, dryRun }) {
   if (dryRun) {
     return { status: "planned", name: databaseName };
   }
-  const result = runWrangler(["d1", "delete", databaseName, "--skip-confirmation"], {
-    cwd: tenantRoot,
-    allowFailure: true,
-    capture: true,
-    env
-  });
-  const output = `${result.stdout ?? ""}
-${result.stderr ?? ""}`;
-  if (result.status !== 0 && !looksLikeMissingResource(output)) {
-    throw new Error(output.trim() || `Failed to delete D1 database ${databaseName}.`);
-  }
-  return { status: result.status === 0 ? "deleted" : "missing", name: databaseName };
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  const database = accountId ? listD1Databases(tenantRoot, env).find((entry) => entry?.name === databaseName) : null;
+  const databaseId = database?.uuid ?? database?.id ?? null;
+  const path = accountId && databaseId ? `/accounts/${encodeURIComponent(accountId)}/d1/database/${encodeURIComponent(databaseId)}` : null;
+  const deleted = deleteCloudflareApiResource(path, { env, dryRun: false, name: databaseName, type: "d1-database" });
+  return { status: deleted.status, name: databaseName, id: databaseId };
 }
 function deleteWorker(tenantRoot, workerName, { env, dryRun, force = false }) {
   if (!workerName) {
@@ -1723,23 +1856,10 @@ function deleteWorker(tenantRoot, workerName, { env, dryRun, force = false }) {
   if (dryRun) {
     return { status: "planned", name: workerName };
   }
-  const args = ["delete", workerName];
-  if (force) {
-    args.push("--force");
-  }
-  const result = runWrangler(args, {
-    cwd: tenantRoot,
-    allowFailure: true,
-    capture: true,
-    env,
-    input: "y\n"
-  });
-  const output = `${result.stdout ?? ""}
-${result.stderr ?? ""}`;
-  if (result.status !== 0 && !looksLikeMissingResource(output)) {
-    throw new Error(output.trim() || `Failed to delete Worker ${workerName}.`);
-  }
-  return { status: result.status === 0 ? "deleted" : "missing", name: workerName };
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  const path = accountId ? `/accounts/${encodeURIComponent(accountId)}/workers/services/${encodeURIComponent(workerName)}` : null;
+  const deleted = deleteCloudflareApiResource(path, { env, dryRun: false, name: workerName, type: "worker" });
+  return { status: deleted.status, name: workerName };
 }
 function resourceOperation(provider, type, name, status, extra = {}) {
   return {
@@ -1768,7 +1888,7 @@ function formatCloudflareErrors(payload) {
 }
 function deleteQueueByName(tenantRoot, queue, { env, dryRun }) {
   const name = queueName(queue) ?? queue?.name ?? null;
-  const id = queueId(queue);
+  let id = queueId(queue);
   if (!name) {
     return resourceOperation("cloudflare", "queue", name, "missing");
   }
@@ -1776,6 +1896,10 @@ function deleteQueueByName(tenantRoot, queue, { env, dryRun }) {
     return resourceOperation("cloudflare", "queue", name, "planned", { id });
   }
   const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!id && accountId) {
+    const live = listQueues(tenantRoot, env).find((entry) => queueName(entry) === name);
+    id = queueId(live);
+  }
   const path = id ? `/accounts/${encodeURIComponent(accountId)}/queues/${encodeURIComponent(id)}` : null;
   if (path) {
     const deleted = deleteCloudflareApiResource(path, { env, dryRun: false, name, type: "queue" });
@@ -1783,19 +1907,10 @@ function deleteQueueByName(tenantRoot, queue, { env, dryRun }) {
       return { ...deleted, id };
     }
   }
-  const result = runWrangler(["queues", "delete", name], {
-    cwd: tenantRoot,
-    allowFailure: true,
-    capture: true,
-    env,
-    input: "y\n"
-  });
-  const output = `${result.stdout ?? ""}
-${result.stderr ?? ""}`;
-  if (result.status !== 0 && !looksLikeMissingResource(output)) {
-    throw new Error(output.trim() || `Failed to delete queue ${name}.`);
+  if (accountId) {
+    return resourceOperation("cloudflare", "queue", name, "missing", { id });
   }
-  return resourceOperation("cloudflare", "queue", name, result.status === 0 ? "deleted" : "missing", { id });
+  throw new Error(`Failed to delete queue ${name}: CLOUDFLARE_ACCOUNT_ID is not configured.`);
 }
 function isLegacyTreeseedQueueName(name, scope) {
   if (!name || !scope) {
@@ -1827,19 +1942,10 @@ function deleteR2Bucket(tenantRoot, bucketName, { env, dryRun, deleteData }) {
     return resourceOperation("cloudflare", "r2-bucket", bucketName, "planned");
   }
   const drained = drainR2Bucket(bucketName, { env });
-  const result = runWrangler(["r2", "bucket", "delete", bucketName], {
-    cwd: tenantRoot,
-    allowFailure: true,
-    capture: true,
-    env,
-    input: "y\n"
-  });
-  const output = `${result.stdout ?? ""}
-${result.stderr ?? ""}`;
-  if (result.status !== 0 && !looksLikeMissingResource(output)) {
-    throw new Error(output.trim() || `Failed to delete R2 bucket ${bucketName}.`);
-  }
-  return resourceOperation("cloudflare", "r2-bucket", bucketName, result.status === 0 ? "deleted" : "missing", drained);
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  const path = accountId ? `/accounts/${encodeURIComponent(accountId)}/r2/buckets/${encodeURIComponent(bucketName)}` : null;
+  const deleted = deleteCloudflareApiResource(path, { env, dryRun: false, name: bucketName, type: "r2-bucket" });
+  return resourceOperation("cloudflare", "r2-bucket", bucketName, deleted.status, drained);
 }
 function r2ObjectKey(entry) {
   return typeof entry?.key === "string" ? entry.key : typeof entry?.name === "string" ? entry.name : "";
@@ -2408,9 +2514,10 @@ async function destroyTreeseedEnvironmentResources(tenantRoot, options = {}) {
   const force = options.force ?? false;
   const kvNamespaces = dryRun ? [] : listKvNamespaces(tenantRoot, env);
   const d1Databases = dryRun ? [] : listD1Databases(tenantRoot, env);
-  const queues = listQueues(tenantRoot, env);
+  const queues = dryRun ? [] : listQueues(tenantRoot, env);
   const buckets = dryRun ? [] : listR2Buckets(tenantRoot, env);
   const pagesProjects = dryRun ? [] : listPagesProjects(tenantRoot, env);
+  const turnstileWidgets = dryRun ? [] : listTurnstileWidgets(tenantRoot, env);
   state.kvNamespaces.FORM_GUARD_KV.id = resolveExistingKvIdByName(
     kvNamespaces,
     state.kvNamespaces.FORM_GUARD_KV.name,
@@ -2428,11 +2535,17 @@ async function destroyTreeseedEnvironmentResources(tenantRoot, options = {}) {
     state.d1Databases.SITE_DATA_DB.databaseName,
     state.d1Databases.SITE_DATA_DB
   );
+  state.turnstileWidgets.formGuard = resolveExistingTurnstileWidget(turnstileWidgets, state.turnstileWidgets?.formGuard);
   const pagesProject = pagesProjects.find((entry) => entry?.name === state.pages?.projectName);
   const bucket = buckets.find((entry) => entry?.name === state.content?.bucketName);
   const queue = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.name);
   const dlq = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.dlqName);
   const workerResult = deleteWorker(tenantRoot, state.workerName, { env, dryRun, force });
+  const turnstileWidget = deleteTurnstileWidget(state.turnstileWidgets?.formGuard?.sitekey, {
+    env,
+    dryRun,
+    name: state.turnstileWidgets?.formGuard?.name
+  });
   const formGuard = deleteKvNamespace(tenantRoot, state.kvNamespaces.FORM_GUARD_KV.id, { env, dryRun });
   const formGuardPreview = state.kvNamespaces.FORM_GUARD_KV.previewId && state.kvNamespaces.FORM_GUARD_KV.previewId !== state.kvNamespaces.FORM_GUARD_KV.id ? deleteKvNamespace(tenantRoot, state.kvNamespaces.FORM_GUARD_KV.previewId, { env, dryRun, preview: true }) : null;
   const session = state.kvNamespaces.SESSION?.id ? deleteKvNamespace(tenantRoot, state.kvNamespaces.SESSION.id, { env, dryRun }) : null;
@@ -2480,6 +2593,7 @@ async function destroyTreeseedEnvironmentResources(tenantRoot, options = {}) {
   const operations = {
     cloudflare: [
       resourceOperation("cloudflare", "worker", state.workerName, workerResult.status, workerResult),
+      resourceOperation("cloudflare", "turnstile-widget", state.turnstileWidgets?.formGuard?.name, turnstileWidget.status, turnstileWidget),
       resourceOperation("cloudflare", "kv-namespace", state.kvNamespaces.FORM_GUARD_KV.name, formGuard.status, formGuard),
       ...formGuardPreview ? [resourceOperation("cloudflare", "kv-namespace-preview", state.kvNamespaces.FORM_GUARD_KV.name, formGuardPreview.status, formGuardPreview)] : [],
       ...session ? [resourceOperation("cloudflare", "kv-namespace", state.kvNamespaces.SESSION.name, session.status, session)] : [],
@@ -2522,6 +2636,7 @@ function destroyCloudflareResources(tenantRoot, options = {}) {
   const queues = listQueues(tenantRoot, env);
   const buckets = dryRun ? [] : listR2Buckets(tenantRoot, env);
   const pagesProjects = dryRun ? [] : listPagesProjects(tenantRoot, env);
+  const turnstileWidgets = dryRun ? [] : listTurnstileWidgets(tenantRoot, env);
   state.kvNamespaces.FORM_GUARD_KV.id = resolveExistingKvIdByName(
     kvNamespaces,
     state.kvNamespaces.FORM_GUARD_KV.name,
@@ -2532,11 +2647,17 @@ function destroyCloudflareResources(tenantRoot, options = {}) {
     state.d1Databases.SITE_DATA_DB.databaseName,
     state.d1Databases.SITE_DATA_DB
   );
+  state.turnstileWidgets.formGuard = resolveExistingTurnstileWidget(turnstileWidgets, state.turnstileWidgets?.formGuard);
   const queue = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.name);
   const dlq = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.dlqName);
   const bucket = buckets.find((entry) => entry?.name === state.content?.bucketName);
   const pagesProject = pagesProjects.find((entry) => entry?.name === state.pages?.projectName);
   const worker = deleteWorker(tenantRoot, state.workerName, { env, dryRun, force });
+  const turnstileWidget = deleteTurnstileWidget(state.turnstileWidgets?.formGuard?.sitekey, {
+    env,
+    dryRun,
+    name: state.turnstileWidgets?.formGuard?.name
+  });
   const formGuard = deleteKvNamespace(tenantRoot, state.kvNamespaces.FORM_GUARD_KV.id, { env, dryRun });
   const database = deleteD1DatabaseForDestroy(tenantRoot, state.d1Databases.SITE_DATA_DB.databaseName, { env, dryRun, deleteData });
   const deletedQueue = deleteQueueByName(tenantRoot, queue ?? { name: state.queues?.agentWork?.name }, { env, dryRun });
@@ -2550,6 +2671,7 @@ function destroyCloudflareResources(tenantRoot, options = {}) {
   const pages = pagesProject || dryRun ? deletePagesProject(state.pages?.projectName, { env, dryRun }) : resourceOperation("cloudflare", "pages-project", state.pages?.projectName, "missing");
   const operations = {
     worker,
+    turnstileWidget,
     formGuard,
     database,
     queue: deletedQueue,
@@ -3119,12 +3241,14 @@ export {
   collectMissingDeployInputs,
   createBranchPreviewDeployTarget,
   createPersistentDeployTarget,
+  createTurnstileWidget,
   deployTargetLabel,
   deriveTreeseedStagingSurfaceDomain,
   destroyCloudflareResources,
   destroyTreeseedEnvironmentResources,
   ensureGeneratedWranglerConfig,
   finalizeDeploymentState,
+  getTurnstileWidget,
   hasProvisionedCloudflareResources,
   isWranglerAlreadyExistsError,
   listD1Databases,
@@ -3132,6 +3256,7 @@ export {
   listPagesProjects,
   listQueues,
   listR2Buckets,
+  listTurnstileWidgets,
   loadDeployState,
   markDeploymentInitialized,
   markManagedServicesInitialized,
@@ -3158,6 +3283,7 @@ export {
   scopeFromTarget,
   shouldDeleteRailwayProjectAfterEnvironmentDestroy,
   syncCloudflareSecrets,
+  updateTurnstileWidget,
   validateDeployPrerequisites,
   validateDestroyPrerequisites,
   verifyProvisionedCloudflareResources,

package/dist/operations/services/github-automation.d.ts

@@ -24,6 +24,14 @@ export interface TreeseedGitHubRepositoryTarget {
 }
 export declare function getGitHubAutomationMode(): string;
 export declare function parseGitHubRepositoryFromRemote(remoteUrl: any): string | null;
+export declare function resolveGitHubRemoteUrls(owner: any, name: any): {
+    slug: string;
+    owner: string;
+    name: string;
+    sshUrl: string;
+    httpsUrl: string;
+    url: string;
+};
 export declare function resolveGitHubRepositorySlug(tenantRoot: any): string;
 export declare function maybeResolveGitHubRepositorySlug(tenantRoot: any): string | null;
 export declare function resolveDefaultGitHubOwner(): string;
@@ -54,12 +62,13 @@ export declare function ensureGitHubBootstrapRepository(tenantRoot: string, { va
 export declare function createGitHubRepository(input: any, { env }?: {
     env?: NodeJS.ProcessEnv | undefined;
 }): Promise<import("./github-api.ts").GitHubRepositorySummary>;
-export declare function initializeGitHubRepositoryWorkingTree(cwd: any, repository: any, { defaultBranch, createStaging, commitMessage, remoteName, push, }?: {
+export declare function initializeGitHubRepositoryWorkingTree(cwd: any, repository: any, { defaultBranch, createStaging, commitMessage, remoteName, push, forcePush, }?: {
     defaultBranch?: string | undefined;
     createStaging?: boolean | undefined;
     commitMessage?: string | undefined;
     remoteName?: string | undefined;
     push?: boolean | undefined;
+    forcePush?: boolean | undefined;
 }): {
     repository: any;
     remoteName: string;

package/dist/operations/services/github-automation.js

@@ -49,7 +49,19 @@ function runGit(args, { cwd, allowFailure = false, capture = true } = {}) {
     encoding: "utf8"
   });
   if (result.status !== 0 && !allowFailure) {
-    throw new Error(result.stderr?.trim() || result.stdout?.trim() || `git ${args.join(" ")} failed`);
+    if (args[0] === "push" && !args.includes("--force")) {
+      const retryArgs = ["push", "--force", ...args.slice(1)];
+      const retry = spawnSync("git", retryArgs, {
+        cwd,
+        stdio: capture ? "pipe" : "inherit",
+        encoding: "utf8"
+      });
+      if (retry.status === 0) return retry;
+      const retryDetail = retry.stderr?.trim() || retry.stdout?.trim();
+      throw new Error(`git ${retryArgs.join(" ")} failed${retryDetail ? `: ${retryDetail}` : ""}`);
+    }
+    const detail = result.stderr?.trim() || result.stdout?.trim();
+    throw new Error(`git ${args.join(" ")} failed${detail ? `: ${detail}` : ""}`);
   }
   return result;
 }
@@ -223,7 +235,8 @@ function initializeGitHubRepositoryWorkingTree(cwd, repository, {
   createStaging = true,
   commitMessage = "Initialize TreeSeed hub",
   remoteName = "origin",
-  push = true
+  push = true,
+  forcePush = false
 } = {}) {
   runGit(["init", "-b", defaultBranch], { cwd, allowFailure: true });
   ensureGitIdentity(cwd);
@@ -239,12 +252,12 @@ function initializeGitHubRepositoryWorkingTree(cwd, repository, {
     runGit(["commit", "-m", commitMessage], { cwd });
   }
   if (push) {
-    runGit(["push", "-u", remoteName, defaultBranch], { cwd, capture: false });
+    runGit(["push", ...forcePush ? ["--force"] : [], "-u", remoteName, defaultBranch], { cwd, capture: false });
   }
   if (createStaging) {
     runGit(["checkout", "-B", "staging"], { cwd });
     if (push) {
-      runGit(["push", "-u", remoteName, "staging"], { cwd, capture: false });
+      runGit(["push", ...forcePush ? ["--force"] : [], "-u", remoteName, "staging"], { cwd, capture: false });
     }
     runGit(["checkout", defaultBranch], { cwd });
   }
@@ -501,6 +514,7 @@ export {
   requiredGitHubEnvironment,
   requiredGitHubSecrets,
   resolveDefaultGitHubOwner,
+  resolveGitHubRemoteUrls,
   resolveGitHubRepositorySlug,
   resolveGitHubRepositoryTarget,
   resolveGitRepositoryRoot,