@treeseed/sdk 0.10.21 → 0.10.23

package/dist/operations/services/hosting-audit.d.ts

@@ -53,6 +53,7 @@ export type TreeseedHostingAuditOptions = {
     valuesOverlay?: Record<string, string | undefined>;
     hostKinds?: TreeseedHostingAuditHostKind[];
     providerConnectionChecks?: boolean;
+    resourceChecks?: boolean;
     write?: (line: string) => void;
 };
 export declare function resolveTreeseedHostingAuditTarget({ tenantRoot, environment, }: {
@@ -64,5 +65,5 @@ export declare function resolveTreeseedHostingAuditTarget({ tenantRoot, environm
     target: TreeseedReconcileTarget;
     branchName: string | null;
 };
-export declare function runTreeseedHostingAudit({ tenantRoot, environment, repair, env, valuesOverlay, hostKinds: requestedHostKinds, providerConnectionChecks: shouldCheckProviderConnections, write, }: TreeseedHostingAuditOptions): Promise<TreeseedHostingAuditReport>;
+export declare function runTreeseedHostingAudit({ tenantRoot, environment, repair, env, valuesOverlay, hostKinds: requestedHostKinds, providerConnectionChecks: shouldCheckProviderConnections, resourceChecks: shouldCheckResources, write, }: TreeseedHostingAuditOptions): Promise<TreeseedHostingAuditReport>;
 export declare function formatTreeseedHostingAuditReport(report: TreeseedHostingAuditReport): string;

package/dist/operations/services/hosting-audit.js

@@ -463,6 +463,7 @@ async function runTreeseedHostingAudit({
   valuesOverlay = {},
   hostKinds: requestedHostKinds,
   providerConnectionChecks: shouldCheckProviderConnections = true,
+  resourceChecks: shouldCheckResources = true,
   write
 }) {
   const resolved = resolveTreeseedHostingAuditTarget({ tenantRoot, environment });
@@ -509,7 +510,17 @@ async function runTreeseedHostingAudit({
   const systems = reconcileSystemsForHostKinds(hostKinds);
   let resources = {};
   let repaired = false;
-  if (resolved.environment !== "local" && systems.length > 0) {
+  if (!shouldCheckResources) {
+    checks.push({
+      id: "resources.skipped",
+      hostType: "platform",
+      provider: "treeseed",
+      category: "resource",
+      status: "skipped",
+      severity: "info",
+      summary: "Hosted provider resource checks are skipped for this audit."
+    });
+  } else if (resolved.environment !== "local" && systems.length > 0) {
     try {
       const state = loadDeployState(tenantRoot, deployConfig, { target: resolved.target });
       resources = buildProvisioningSummary(deployConfig, state, resolved.target);

package/dist/operations/services/hub-launch.d.ts

@@ -42,6 +42,7 @@ export interface KnowledgeHubLaunchIntent {
         name: string;
         slug: string;
         purpose?: string | null;
+        coreObjective?: string | null;
         visibility?: 'private' | 'team' | 'public';
     };
     source?: {

package/dist/operations/services/hub-launch.js

@@ -193,6 +193,7 @@ function providerLaunchInputFromIntent(plan) {
     projectSlug: intent.hub.slug,
     projectName: intent.hub.name,
     summary: intent.hub.purpose ?? null,
+    coreObjective: providerInput.coreObjective ?? intent.hub.coreObjective ?? intent.hub.purpose ?? null,
     sourceKind: sourceKind === "blank_hub" ? "blank" : sourceKind === "market_listing" ? "template" : sourceKind,
     sourceRef: intent.source?.ref ?? null,
     hostingMode: intent.hosting?.mode === "treeseed_managed" ? "managed" : intent.hosting?.mode ?? "managed",

package/dist/operations/services/hub-provider-launch.d.ts

@@ -9,6 +9,7 @@ export interface KnowledgeHubProviderLaunchInput {
     projectSlug: string;
     projectName: string;
     summary?: string | null;
+    coreObjective?: string | null;
     sourceKind: 'blank' | 'template' | 'knowledge_pack';
     sourceRef?: string | null;
     hostingMode?: 'managed' | 'hybrid' | 'self_hosted';
@@ -38,6 +39,14 @@ export interface KnowledgeHubProviderLaunchInput {
     enableDefaultAgents?: boolean;
     preserveWorkingTree?: boolean;
     cloudflareHost?: KnowledgeHubCloudflareHostLaunchInput | null;
+    domains?: {
+        productionDomain?: string | null;
+        stagingDomain?: string | null;
+        zoneName?: string | null;
+        zoneId?: string | null;
+        manageDns?: boolean;
+        provider?: string | null;
+    } | null;
 }
 export interface KnowledgeHubCloudflareHostConfig {
     CLOUDFLARE_API_TOKEN?: string;

package/dist/operations/services/hub-provider-launch.js

@@ -10,6 +10,7 @@ import {
   createGitHubRepository,
   ensureGitHubDeployAutomation,
   initializeGitHubRepositoryWorkingTree,
+  resolveGitHubRemoteUrls,
   resolveDefaultGitHubOwner
 } from "./github-automation.js";
 import { configuredRailwayServices, deployRailwayService, ensureRailwayScheduledJobs, validateRailwayDeployPrerequisites, verifyRailwayScheduledJobs } from "./railway-deploy.js";
@@ -41,6 +42,10 @@ function envOrNull(name) {
 function normalizeBaseUrl(value) {
   return String(value ?? "").trim().replace(/\/+$/u, "");
 }
+function domainUrl(domain) {
+  const value = String(domain ?? "").trim().replace(/^https?:\/\//u, "").replace(/\/+$/u, "");
+  return value ? `https://${value}` : null;
+}
 function resolveManagedWebUrl(slug) {
   const baseDomain = envOrNull("TREESEED_MANAGED_WEB_BASE_DOMAIN");
   if (baseDomain) {
@@ -65,10 +70,25 @@ function runGit(cwd, args, capture = true) {
     encoding: "utf8"
   });
   if (result.status !== 0) {
-    throw new Error(result.stderr?.trim() || result.stdout?.trim() || `git ${args.join(" ")} failed`);
+    if (args[0] === "push" && !args.includes("--force")) {
+      const retryArgs = ["push", "--force", ...args.slice(1)];
+      const retry = spawnSync("git", retryArgs, {
+        cwd,
+        stdio: capture ? "pipe" : "inherit",
+        encoding: "utf8"
+      });
+      if (retry.status === 0) return retry;
+      const retryDetail = retry.stderr?.trim() || retry.stdout?.trim();
+      throw new Error(`git ${retryArgs.join(" ")} failed${retryDetail ? `: ${retryDetail}` : ""}`);
+    }
+    const detail = result.stderr?.trim() || result.stdout?.trim();
+    throw new Error(`git ${args.join(" ")} failed${detail ? `: ${detail}` : ""}`);
   }
   return result;
 }
+function gitOutput(cwd, args) {
+  return runGit(cwd, args, true).stdout?.trim() ?? "";
+}
 function writeText(path, body) {
   ensureDir(dirname(path));
   writeFileSync(path, body, "utf8");
@@ -81,6 +101,20 @@ function updateYamlFile(path, updater) {
 function currentTemplateCatalogUrl() {
   return `file:${resolve(templateCatalogRoot, "catalog.fixture.json")}`;
 }
+function frontmatter(fields) {
+  return `---
+${stringifyYaml(fields).trim()}
+---`;
+}
+function normalizeMarkdownBody(value, fallback) {
+  const markdown = String(value ?? "").trim();
+  return markdown || fallback;
+}
+function markdownToSummary(markdown, fallback) {
+  const text = markdown.replace(/^---[\s\S]*?---/u, " ").replace(/```[\s\S]*?```/gu, " ").replace(/`([^`]+)`/gu, "$1").replace(/!\[[^\]]*\]\([^)]+\)/gu, " ").replace(/\[([^\]]+)\]\([^)]+\)/gu, "$1").replace(/^#{1,6}\s+/gmu, "").replace(/^\s*[-*+]\s+/gmu, "").replace(/^\s*\d+\.\s+/gmu, "").replace(/[*_~>#]/gu, "").replace(/\s+/gu, " ").trim();
+  if (!text) return fallback;
+  return text.length > 240 ? `${text.slice(0, 237).trimEnd()}...` : text;
+}
 function seedLaunchContent(projectRoot, input) {
   const objectiveId = `objective:launch-${slugify(input.projectSlug, "hub")}`;
   const questionId = `question:operating-${slugify(input.projectSlug, "hub")}`;
@@ -88,6 +122,13 @@ function seedLaunchContent(projectRoot, input) {
   const decisionId = `decision:launch-${slugify(input.projectSlug, "hub")}`;
   const stewardSlug = "launch-steward";
   const noteSlug = `${slugify(input.projectSlug, "hub")}-operating-model`;
+  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  const defaultCoreObjective = `# Core Objective
+
+Build and maintain ${input.projectName} as a living TreeSeed project with clear direction, active work, reliable releases, and useful AI agent context.
+`;
+  const coreObjective = normalizeMarkdownBody(input.coreObjective ?? input.summary, defaultCoreObjective);
+  const coreObjectiveSummary = markdownToSummary(coreObjective, `Define the enduring objective for ${input.projectName}.`);
   writeText(resolve(projectRoot, "src/content/people", `${stewardSlug}.mdx`), `---
 name: Launch Steward
 role: Team steward
@@ -99,17 +140,34 @@ tags:
 ---
 
 The launch steward keeps the first operating cycle legible while the hub moves from setup into active use.
+`);
+  writeText(resolve(projectRoot, "src/content/objectives", "core.md"), `${frontmatter({
+    id: "objective:core",
+    title: `${input.projectName} Core Objective`,
+    description: coreObjectiveSummary,
+    date: today,
+    summary: coreObjectiveSummary,
+    status: "live",
+    timeHorizon: "strategic",
+    motivation: "The core objective anchors TreeSeed agent context and keeps project work aligned.",
+    primaryContributor: stewardSlug,
+    canonical: true
+  })}
+
+${coreObjective}
 `);
   writeText(resolve(projectRoot, "src/content/objectives", "launch-knowledge-hub.mdx"), `---
 id: ${objectiveId}
 title: Launch ${input.projectName}
 description: Bring the initial knowledge hub online with live managed infrastructure and a clear operating direction.
-date: ${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}
+date: ${today}
 summary: Stand up the hub, connect the runtime, and make the first workstream visible to the team.
 status: live
 timeHorizon: near-term
 motivation: TreeSeed launches should create immediately usable hubs instead of leaving teams in setup limbo.
 primaryContributor: ${stewardSlug}
+relatedObjectives:
+  - core
 ---
 
 Launch ${input.projectName} as a living knowledge hub with real GitHub, Cloudflare, and Railway infrastructure.
@@ -118,7 +176,7 @@ Launch ${input.projectName} as a living knowledge hub with real GitHub, Cloudfla
 id: ${questionId}
 title: What Should The First Release Cover?
 description: Scope the first release around the foundation of the hub and the initial operating routines.
-date: ${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}
+date: ${today}
 summary: Define the first release around setup completion, clear direction, and baseline operating visibility.
 status: live
 questionType: strategy
@@ -133,7 +191,7 @@ The first release should verify that the hub is live, the core direction is visi
   writeText(resolve(projectRoot, "src/content/notes", `${noteSlug}.mdx`), `---
 title: ${input.projectName} Operating Model
 description: The initial working agreements for this Knowledge Hub.
-date: ${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}
+date: ${today}
 summary: Managed launch created the default branches, runtime wiring, and first operational checkpoints.
 status: live
 ---
@@ -144,7 +202,7 @@ This hub starts with a Knowledge Hub launch, a seeded objective, and a visible f
 id: ${proposalId}
 title: Establish The Initial Operating Routine
 description: Turn the seeded objective and question into a concrete launch proposal for the first team cycle.
-date: ${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}
+date: ${today}
 summary: Make the launch posture explicit so the team can move from setup into a concrete operating loop.
 status: live
 proposalType: strategy
@@ -165,7 +223,7 @@ Adopt a simple first operating routine: keep direction visible, keep the first r
 id: ${decisionId}
 title: Adopt The Initial Launch Posture
 description: Record the launch decision for the first operating cycle of the hub.
-date: ${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}
+date: ${today}
 summary: The Knowledge Hub launch will begin with a narrow first release and explicit direction artifacts.
 status: live
 decisionType: approved
@@ -237,13 +295,17 @@ console.log(\`Treeseed project API listening on \${server.url}\`);
 function applyManagedProjectDefaults(projectRoot, input) {
   const slug = slugify(input.projectSlug, "project");
   const marketBaseUrl = normalizeBaseUrl(input.marketBaseUrl ?? envOrNull("TREESEED_MARKET_API_BASE_URL") ?? "https://knowledge.coop");
-  const siteUrl = resolveManagedWebUrl(slug);
+  const productionDomain = String(input.domains?.productionDomain ?? "").trim() || null;
+  const stagingDomain = String(input.domains?.stagingDomain ?? "").trim() || null;
+  const productionSiteUrl = domainUrl(productionDomain) ?? resolveManagedWebUrl(slug);
+  const stagingSiteUrl = domainUrl(stagingDomain);
+  const siteUrl = productionSiteUrl;
   const projectApiBaseUrl = normalizeBaseUrl(input.projectApiBaseUrl ?? resolveManagedApiUrl(slug));
   const cloudflareAccountId = envOrNull("CLOUDFLARE_ACCOUNT_ID") ?? "replace-with-cloudflare-account-id";
-  const runtimeMode = input.hostingMode === "managed" ? "treeseed_managed" : input.hostingMode === "hybrid" ? "byo_attached" : "none";
-  const runtimeRegistration = input.hostingMode === "managed" ? "required" : input.hostingMode === "hybrid" ? "optional" : "none";
+  const runtimeMode = input.hostingMode === "hybrid" ? "byo_attached" : "none";
+  const runtimeRegistration = input.hostingMode === "hybrid" ? "optional" : "none";
   const hubMode = input.hostingMode === "self_hosted" ? "customer_hosted" : "treeseed_hosted";
-  const managedRuntime = runtimeMode === "treeseed_managed";
+  const managedRuntime = false;
   updateYamlFile(resolve(projectRoot, "treeseed.site.yaml"), (config) => ({
     ...config,
     name: input.projectName,
@@ -270,6 +332,7 @@ function applyManagedProjectDefaults(projectRoot, input) {
     cloudflare: {
       ...config.cloudflare ?? {},
       accountId: cloudflareAccountId,
+      ...input.domains?.zoneId ? { zoneId: input.domains.zoneId } : {},
       workerName: slug,
       queueName: `${slug}-agent-work`,
       dlqName: `${slug}-agent-work-dlq`,
@@ -297,35 +360,34 @@ function applyManagedProjectDefaults(projectRoot, input) {
         rootDir: ".",
         publicBaseUrl: siteUrl,
         localBaseUrl: "http://127.0.0.1:4321",
-        ...config.surfaces?.web ?? {}
+        ...config.surfaces?.web ?? {},
+        environments: {
+          ...config.surfaces?.web?.environments ?? {},
+          ...stagingDomain ? { staging: { ...config.surfaces?.web?.environments?.staging ?? {}, domain: stagingDomain, baseUrl: stagingSiteUrl } } : {},
+          ...productionDomain ? { prod: { ...config.surfaces?.web?.environments?.prod ?? {}, domain: productionDomain, baseUrl: productionSiteUrl } } : {}
+        }
       },
       api: {
         enabled: managedRuntime,
-        provider: managedRuntime ? "railway" : "none",
+        provider: "none",
         rootDir: ".",
         localBaseUrl: "http://127.0.0.1:3000",
         ...config.surfaces?.api ?? {}
       }
     },
     services: {
+      ...config.services ?? {},
       api: {
         enabled: managedRuntime,
-        provider: managedRuntime ? "railway" : "none",
+        provider: "none",
         rootDir: ".",
         publicBaseUrl: projectApiBaseUrl,
-        railway: {
-          serviceName: `${slug}-api`,
-          buildCommand: "npm run build:api",
-          startCommand: "node ./src/api/server.js",
-          healthcheckTimeoutSeconds: 120
-        },
         environments: {
           local: {
             baseUrl: "http://127.0.0.1:3000"
           }
         }
-      },
-      ...config.services ?? {}
+      }
     },
     plugins: [{ package: "@treeseed/core/plugin-default" }],
     providers: {
@@ -419,7 +481,19 @@ function createDefaultWorkstream(projectId, input, seed) {
 }
 function pushDefaultWorkstreamBranch(projectRoot) {
   runGit(projectRoot, ["checkout", "-B", "task/initial-launch"], false);
-  runGit(projectRoot, ["push", "-u", "origin", "task/initial-launch"], false);
+  runGit(projectRoot, ["push", "--force", "-u", "origin", "task/initial-launch"], false);
+  runGit(projectRoot, ["checkout", "main"], false);
+}
+function commitAndPushLaunchRepository(projectRoot, message, { forcePush = false } = {}) {
+  runGit(projectRoot, ["checkout", "main"], false);
+  runGit(projectRoot, ["add", "-A"], false);
+  if (gitOutput(projectRoot, ["status", "--porcelain"])) {
+    runGit(projectRoot, ["commit", "-m", message], false);
+  }
+  runGit(projectRoot, ["push", ...forcePush ? ["--force"] : [], "-u", "origin", "main"], false);
+  runGit(projectRoot, ["checkout", "staging"], false);
+  runGit(projectRoot, ["merge", "--ff-only", "main"], false);
+  runGit(projectRoot, ["push", ...forcePush ? ["--force"] : [], "-u", "origin", "staging"], false);
   runGit(projectRoot, ["checkout", "main"], false);
 }
 function loadProjectMetadata(projectId, input, seed, workstream, siteUrl, projectApiBaseUrl, repository) {
@@ -567,7 +641,7 @@ function scaffoldLaunchSource(projectRoot, input) {
   });
 }
 function repositoryHostGitHubEnvOverlay() {
-  const token = process.env.TREESEED_HOSTED_HUBS_GITHUB_TOKEN || "";
+  const token = process.env.GH_TOKEN || process.env.GITHUB_TOKEN || process.env.TREESEED_HOSTED_HUBS_GITHUB_TOKEN || "";
   return token ? { ...process.env, GH_TOKEN: token, GITHUB_TOKEN: token } : process.env;
 }
 function prepareKnowledgeHubContentRepositoryRoot(sourceRoot, contentRoot, input) {
@@ -597,6 +671,8 @@ Content source for the ${input.projectName} TreeSeed Knowledge Hub.
 }
 function stripSoftwareContentOverlay(sourceRoot, input) {
   const contentRoot = resolve(sourceRoot, "src", "content");
+  const coreObjectiveSource = resolve(contentRoot, "objectives", "core.md");
+  const coreObjective = existsSync(coreObjectiveSource) ? readFileSync(coreObjectiveSource, "utf8") : null;
   rmSync(contentRoot, { recursive: true, force: true });
   mkdirSync(contentRoot, { recursive: true });
   writeFileSync(resolve(contentRoot, ".gitkeep"), "", "utf8");
@@ -611,6 +687,10 @@ Content source: ${input.contentRepository?.name ?? `${slugify(input.projectSlug,
 `,
     "utf8"
   );
+  if (coreObjective) {
+    mkdirSync(resolve(contentRoot, "objectives"), { recursive: true });
+    writeFileSync(resolve(contentRoot, "objectives", "core.md"), coreObjective, "utf8");
+  }
 }
 async function validateKnowledgeHubProviderLaunchPrerequisites(tenantRoot = process.cwd(), { valuesOverlay = {} } = {}) {
   const values = collectTreeseedConfigSeedValues(tenantRoot, "prod", process.env, valuesOverlay);
@@ -669,11 +749,13 @@ async function executeKnowledgeHubProviderLaunch(input, options = {}) {
   try {
     await appendPhase(phases, "repo_provision", "running", "Creating or connecting GitHub software repository.", reportPhase);
     const repository = input.existingRepository?.url ? {
+      ...resolveGitHubRemoteUrls(input.existingRepository.owner, input.existingRepository.name),
       slug: `${input.existingRepository.owner}/${input.existingRepository.name}`,
       owner: input.existingRepository.owner,
       name: input.existingRepository.name,
       url: input.existingRepository.url,
-      visibility: input.existingRepository.visibility ?? input.repoVisibility ?? "private"
+      visibility: input.existingRepository.visibility ?? input.repoVisibility ?? "private",
+      defaultBranch: input.existingRepository.defaultBranch ?? "main"
     } : await createGitHubRepository({
       owner: repoOwner,
       name: repoName,
@@ -698,11 +780,13 @@ async function executeKnowledgeHubProviderLaunch(input, options = {}) {
       contentRepositoryWorkingRoot = mkdtempSync(join(tmpdir(), `market-content-${slugify(input.projectSlug, "project")}-`));
       prepareKnowledgeHubContentRepositoryRoot(workingRoot, contentRepositoryWorkingRoot, input);
       const createdContentRepository = input.contentRepository.url ? {
+        ...resolveGitHubRemoteUrls(input.contentRepository.owner ?? repoOwner, input.contentRepository.name),
         slug: `${slugify(input.contentRepository.owner ?? repoOwner, "treeseed-ai")}/${slugify(input.contentRepository.name, `${repoName}-content`)}`,
         owner: slugify(input.contentRepository.owner ?? repoOwner, "treeseed-ai"),
         name: slugify(input.contentRepository.name, `${repoName}-content`),
         url: input.contentRepository.url,
-        visibility: input.contentRepository.visibility ?? input.repoVisibility ?? "private"
+        visibility: input.contentRepository.visibility ?? input.repoVisibility ?? "private",
+        defaultBranch: input.contentRepository.defaultBranch ?? "main"
       } : await createGitHubRepository({
         owner: slugify(input.contentRepository.owner ?? repoOwner, "treeseed-ai"),
         name: slugify(input.contentRepository.name, `${repoName}-content`),
@@ -714,7 +798,8 @@ async function executeKnowledgeHubProviderLaunch(input, options = {}) {
       const contentInitResult = initializeGitHubRepositoryWorkingTree(contentRepositoryWorkingRoot, createdContentRepository, {
         defaultBranch: input.contentRepository.defaultBranch ?? "main",
         createStaging: true,
-        commitMessage: `Initialize ${input.projectName} content`
+        commitMessage: `Initialize ${input.projectName} content`,
+        forcePush: !input.contentRepository.url
       });
       contentRepository = {
         slug: createdContentRepository.slug,
@@ -732,22 +817,14 @@ async function executeKnowledgeHubProviderLaunch(input, options = {}) {
     const initResult = initializeGitHubRepositoryWorkingTree(workingRoot, repository, {
       defaultBranch: "main",
       createStaging: true,
-      commitMessage: `Initialize ${input.projectName}`
+      commitMessage: `Initialize ${input.projectName}`,
+      push: false
     });
-    pushDefaultWorkstreamBranch(workingRoot);
     const workflows = await ensureGitHubDeployAutomation(workingRoot, { valuesOverlay: prodEnvOverlay });
-    const githubEnvironmentSync = [];
-    for (const [scope, valuesOverlay] of [["staging", stagingEnvOverlay], ["prod", prodEnvOverlay]]) {
-      githubEnvironmentSync.push(await syncTreeseedGitHubEnvironment({
-        tenantRoot: workingRoot,
-        scope,
-        repository: repository.slug,
-        valuesOverlay,
-        execution: "sequential"
-      }));
-    }
-    const workflowSummary = { ...workflows, environmentSync: githubEnvironmentSync };
-    await appendPhase(phases, "workflow_bootstrap", "completed", "Configured GitHub workflows, secrets, and variables.", reportPhase);
+    commitAndPushLaunchRepository(workingRoot, `Configure ${input.projectName} deployment`, { forcePush: !input.existingRepository?.url });
+    pushDefaultWorkstreamBranch(workingRoot);
+    let workflowSummary = { ...workflows, environmentSync: [] };
+    await appendPhase(phases, "workflow_bootstrap", "completed", "Configured GitHub workflows.", reportPhase);
     await appendPhase(phases, "hosting_registration", "running", "Provisioning Cloudflare resources and deploy state.", reportPhase);
     const staging = await reconcileTreeseedTarget({
       tenantRoot: workingRoot,
@@ -759,6 +836,29 @@ async function executeKnowledgeHubProviderLaunch(input, options = {}) {
       target: createPersistentDeployTarget("prod"),
       env: { ...process.env, ...prodEnvOverlay }
     });
+    const turnstileOverlay = (state, base) => {
+      const widget = state?.turnstileWidgets?.formGuard ?? {};
+      return {
+        ...base,
+        ...typeof widget.sitekey === "string" && widget.sitekey.length > 0 ? { TREESEED_PUBLIC_TURNSTILE_SITE_KEY: widget.sitekey } : {},
+        ...typeof widget.secret === "string" && widget.secret.length > 0 ? { TREESEED_TURNSTILE_SECRET_KEY: widget.secret } : {}
+      };
+    };
+    const githubEnvironmentSync = [];
+    for (const [scope, valuesOverlay] of [
+      ["staging", turnstileOverlay(staging.state, stagingEnvOverlay)],
+      ["prod", turnstileOverlay(prod.state, prodEnvOverlay)]
+    ]) {
+      githubEnvironmentSync.push(await syncTreeseedGitHubEnvironment({
+        tenantRoot: workingRoot,
+        scope,
+        repository: repository.slug,
+        valuesOverlay,
+        execution: "sequential"
+      }));
+    }
+    workflowSummary = { ...workflowSummary, environmentSync: githubEnvironmentSync };
+    runRemoteD1Migrations(workingRoot, { scope: "staging" });
     runRemoteD1Migrations(workingRoot, { scope: "prod" });
     const verification = await collectTreeseedReconcileStatus({
       tenantRoot: workingRoot,

package/dist/operations/services/managed-host-security.d.ts

@@ -7,7 +7,7 @@ export declare function filterManagedHostGitHubEnvironment(required: {
     secrets: string[];
     variables: string[];
 }): {
-    secrets: never[];
+    secrets: string[];
     variables: string[];
 };
 export declare function shouldExposeManagedHostRuntimeSecret(deployConfig: Pick<TreeseedDeployConfig, 'hosting' | 'hub' | 'runtime'> | null | undefined, _secretName: string, env?: Record<string, string | undefined>): boolean;

package/dist/operations/services/managed-host-security.js

@@ -8,6 +8,9 @@ const SAFE_MANAGED_HOST_CI_VARIABLES = /* @__PURE__ */ new Set([
   "TREESEED_MARKET_API_BASE_URL",
   "TREESEED_PROJECT_ID"
 ]);
+const SAFE_MANAGED_HOST_CI_SECRETS = /* @__PURE__ */ new Set([
+  "TREESEED_TURNSTILE_SECRET_KEY"
+]);
 const MANAGED_HOST_FORBIDDEN_VARIABLE_PREFIXES = [
   "CLOUDFLARE_",
   "RAILWAY_",
@@ -31,7 +34,7 @@ function usesManagedHostOperationRequests(deployConfig, env = process.env) {
 }
 function filterManagedHostGitHubEnvironment(required) {
   return {
-    secrets: [],
+    secrets: required.secrets.filter((name) => SAFE_MANAGED_HOST_CI_SECRETS.has(name)),
     variables: required.variables.filter((name) => {
       if (SAFE_MANAGED_HOST_CI_VARIABLES.has(name)) {
         return true;

package/dist/operations/services/project-platform.js

@@ -1087,6 +1087,22 @@ async function provisionProjectPlatform(options) {
       locator: state.lastDeployedUrl ?? null,
       metadata: { workerName: state.workerName }
     },
+    {
+      environment: options.scope,
+      provider: "cloudflare",
+      resourceKind: "kv",
+      logicalName: state.kvNamespaces?.FORM_GUARD_KV?.name ?? "form-guard",
+      locator: state.kvNamespaces?.FORM_GUARD_KV?.id ?? null,
+      metadata: state.kvNamespaces?.FORM_GUARD_KV ?? {}
+    },
+    {
+      environment: options.scope,
+      provider: "cloudflare",
+      resourceKind: "turnstile-widget",
+      logicalName: state.turnstileWidgets?.formGuard?.name ?? "form-guard-turnstile",
+      locator: state.turnstileWidgets?.formGuard?.sitekey ?? null,
+      metadata: state.turnstileWidgets?.formGuard ?? {}
+    },
     {
       environment: options.scope,
       provider: "cloudflare",

package/dist/operations/services/railway-api.js

@@ -1,3 +1,4 @@
+import { request as httpsRequest } from "node:https";
 const DEFAULT_RAILWAY_API_URL = "https://backboard.railway.com/graphql/v2";
 const DEFAULT_RAILWAY_WORKSPACE = "knowledge-coop";
 const RAILWAY_POSTGRES_TEMPLATE_ID = "b55da7dc-09be-4140-bc65-1284d15d349c";
@@ -295,7 +296,7 @@ async function railwayGraphqlRequest({
     const controller = new AbortController();
     let timer = null;
     try {
-      const response = await Promise.race([
+      const response = fetchImpl === fetch ? await railwayGraphqlHttpsRequest(apiUrl || resolveRailwayApiUrl(env), token, { query, variables }, timeoutMs) : await Promise.race([
         fetchImpl(apiUrl || resolveRailwayApiUrl(env), {
           method: "POST",
           headers: {
@@ -304,7 +305,12 @@ async function railwayGraphqlRequest({
           },
           body: JSON.stringify({ query, variables }),
           signal: controller.signal
-        }),
+        }).then(async (fetchResponse) => ({
+          ok: fetchResponse.ok,
+          status: fetchResponse.status,
+          payload: await fetchResponse.json().catch(() => ({})),
+          retryAfter: fetchResponse.headers.get("retry-after")
+        })),
         new Promise((_, reject) => {
           timer = setTimeout(() => {
             controller.abort();
@@ -312,11 +318,11 @@ async function railwayGraphqlRequest({
           }, timeoutMs);
         })
       ]);
-      const payload = await response.json().catch(() => ({}));
+      const payload = response.payload;
       if (!response.ok || Array.isArray(payload.errors) && payload.errors.length > 0) {
         const message = normalizeRailwayErrorMessage(payload, response.status);
         const hasGraphqlErrors = Array.isArray(payload.errors) && payload.errors.length > 0;
-        const retryAfterMs = parseRetryAfterMs(response.headers.get("retry-after"));
+        const retryAfterMs = parseRetryAfterMs(response.retryAfter);
         const shouldRetry = isRetryableRailwayStatus(response.status) || /rate limit|too many requests/iu.test(message);
         const error = new Error(message);
         if (shouldRetry || hasGraphqlErrors && /rate limit|too many requests/iu.test(message)) {
@@ -340,6 +346,47 @@ async function railwayGraphqlRequest({
     }
   }
 }
+async function railwayGraphqlHttpsRequest(url, token, body, timeoutMs) {
+  const rawBody = JSON.stringify(body);
+  return new Promise((resolve, reject) => {
+    const req = httpsRequest(url, {
+      method: "POST",
+      headers: {
+        authorization: `Bearer ${token}`,
+        "content-type": "application/json",
+        "content-length": Buffer.byteLength(rawBody)
+      },
+      timeout: timeoutMs
+    }, (res) => {
+      const chunks = [];
+      res.setEncoding("utf8");
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => {
+        const text = chunks.join("");
+        let payload = {};
+        try {
+          payload = text ? JSON.parse(text) : {};
+        } catch {
+          payload = {};
+        }
+        const status = res.statusCode ?? 0;
+        const retryAfterHeader = res.headers["retry-after"];
+        resolve({
+          ok: status >= 200 && status < 300,
+          status,
+          payload,
+          retryAfter: Array.isArray(retryAfterHeader) ? retryAfterHeader[0] ?? null : retryAfterHeader ?? null
+        });
+      });
+    });
+    req.on("timeout", () => {
+      req.destroy(markRailwayTransientError(new Error(`Railway API request timed out after ${timeoutMs}ms.`)));
+    });
+    req.on("error", reject);
+    req.write(rawBody);
+    req.end();
+  });
+}
 async function getRailwayAuthProfile({
   env = process.env,
   fetchImpl = fetch
@@ -839,13 +886,13 @@ async function ensureRailwayServiceInstanceConfiguration({
   runtimeMode,
   env = process.env,
   fetchImpl = fetch,
-  settleAttempts = 24,
+  settleAttempts = 60,
   settleDelayMs = 5e3
 }) {
   let current = await getRailwayServiceInstance({ serviceId, environmentId, env, fetchImpl });
   if (!current.id) {
-    for (let attempt = 0; attempt < 8 && !current.id; attempt += 1) {
-      await new Promise((resolve) => setTimeout(resolve, 1500));
+    for (let attempt = 0; attempt < settleAttempts && !current.id; attempt += 1) {
+      await new Promise((resolve) => setTimeout(resolve, settleDelayMs));
       current = await getRailwayServiceInstance({ serviceId, environmentId, env, fetchImpl });
     }
   }
@@ -1248,7 +1295,8 @@ async function ensureRailwayServiceVolume({
   if (!volume) {
     volume = await createReplacementVolume();
   }
-  if (volume.name && volume.name !== name) {
+  const desiredNameInUse = volumes.some((candidate) => candidate.id !== volume?.id && candidate.name === name);
+  if (volume.name && volume.name !== name && !desiredNameInUse) {
     try {
       volume = await updateRailwayVolumeName({ volumeId: volume.id, name, env, fetchImpl }) ?? { ...volume, name };
     } catch (error) {

package/dist/operations/services/railway-deploy.d.ts

@@ -6,9 +6,10 @@ export declare function deriveRailwayMarketOperationsRunnerVolumeName(serviceNam
 export declare function railwayServiceRuntimeStartCommand(service: any): any;
 export declare function parseRailwayJsonOutput(output: any): any;
 export declare function collectRailwayDeploymentStatusChecks(statusPayload: any, scope: any, services: any): any;
-export declare function listRailwayServiceVolumesWithCli({ cwd, serviceId, environmentId, name, mountPath, env, }: {
+export declare function listRailwayServiceVolumesWithCli({ cwd, serviceId, serviceName, environmentId, name, mountPath, env, }: {
     cwd: any;
     serviceId: any;
+    serviceName: any;
     environmentId: any;
     name: any;
     mountPath: any;