@treeseed/sdk 0.10.22 → 0.10.23

package/dist/operations/services/railway-deploy.js

@@ -191,7 +191,7 @@ function collectRailwayDeploymentStatusChecks(statusPayload, scope, services) {
     };
   });
 }
-function normalizeRailwayCliVolume(value, { serviceId, environmentId, fallbackName, fallbackMountPath }) {
+function normalizeRailwayCliVolume(value, { serviceId, serviceName, environmentId, fallbackName, fallbackMountPath }) {
   if (!value || typeof value !== "object") {
     return null;
   }
@@ -200,6 +200,10 @@ function normalizeRailwayCliVolume(value, { serviceId, environmentId, fallbackNa
   if (!id) {
     return null;
   }
+  const listedServiceName = typeof record.serviceName === "string" && record.serviceName.trim() ? record.serviceName.trim() : "";
+  if (listedServiceName && serviceName && listedServiceName !== serviceName) {
+    return null;
+  }
   const name = typeof record.name === "string" && record.name.trim() ? record.name.trim() : fallbackName;
   const mountPath = typeof record.mountPath === "string" && record.mountPath.trim() ? record.mountPath.trim() : fallbackMountPath;
   const sizeMb = typeof record.sizeMB === "number" ? record.sizeMB : null;
@@ -228,6 +232,7 @@ function normalizeRailwayCliVolumeList(value, options) {
 function listRailwayServiceVolumesWithCli({
   cwd,
   serviceId,
+  serviceName,
   environmentId,
   name,
   mountPath,
@@ -244,6 +249,7 @@ function listRailwayServiceVolumesWithCli({
   }
   return normalizeRailwayCliVolumeList(parseRailwayJsonOutput(listResult.stdout ?? ""), {
     serviceId,
+    serviceName,
     environmentId,
     fallbackName: name,
     fallbackMountPath: mountPath
@@ -1776,6 +1782,7 @@ async function ensureRailwayServiceVolumeWithCliFallback({
   const listResult = runRailway([...volumeArgs, "list", "--json"], cliOptions);
   const existingVolumes = normalizeRailwayCliVolumeList(parseRailwayJsonOutput(listResult.stdout ?? ""), {
     serviceId,
+    serviceName,
     environmentId,
     fallbackName: name,
     fallbackMountPath: mountPath
@@ -1787,6 +1794,7 @@ async function ensureRailwayServiceVolumeWithCliFallback({
     const createResult = runRailway([...volumeArgs, "add", "--mount-path", mountPath, "--json"], cliOptions);
     volume = normalizeRailwayCliVolume(parseRailwayJsonOutput(createResult.stdout ?? ""), {
       serviceId,
+      serviceName,
       environmentId,
       fallbackName: name,
       fallbackMountPath: mountPath
@@ -1810,6 +1818,7 @@ async function ensureRailwayServiceVolumeWithCliFallback({
     }
     const attachedVolume = (attachResult.status ?? 1) === 0 ? normalizeRailwayCliVolume(parseRailwayJsonOutput(attachResult.stdout ?? ""), {
       serviceId,
+      serviceName,
       environmentId,
       fallbackName: name,
       fallbackMountPath: mountPath
@@ -1833,21 +1842,6 @@ async function ensureRailwayServiceVolumeWithCliFallback({
     instance = volume.instances.find((entry) => entry.serviceId === serviceId && entry.environmentId === environmentId) ?? volume.instances[0] ?? null;
     updated = true;
   }
-  if (volume.name !== name || instance?.mountPath !== mountPath) {
-    const updateResult = runRailway([...volumeArgs, "update", "--volume", volume.id, "--name", name, "--mount-path", mountPath, "--json"], cliOptions);
-    const updatedVolume = normalizeRailwayCliVolume(parseRailwayJsonOutput(updateResult.stdout ?? ""), {
-      serviceId,
-      environmentId,
-      fallbackName: name,
-      fallbackMountPath: mountPath
-    });
-    volume = updatedVolume ?? {
-      ...volume,
-      name,
-      instances: volume.instances.map((entry) => ({ ...entry, mountPath }))
-    };
-    updated = true;
-  }
   const apiVolume = await waitForRailwayServiceVolumeMount({
     projectId,
     volumeId: volume.id,
@@ -1859,6 +1853,8 @@ async function ensureRailwayServiceVolumeWithCliFallback({
   });
   if (apiVolume) {
     volume = apiVolume;
+  } else {
+    throw new Error(`Railway volume ${name} was not attached to ${serviceName} at ${mountPath}.`);
   }
   return {
     volume,
@@ -1878,11 +1874,12 @@ async function waitForRailwayServiceVolumeMount({
 }) {
   for (let attempt = 0; attempt <= 24; attempt += 1) {
     const volumes = await listRailwayVolumes({ projectId, env });
-    const match = volumes.find(
-      (entry) => entry.id === volumeId || entry.name === volumeName || entry.instances.some(
+    const mounted = volumes.find(
+      (entry) => entry.instances.some(
         (instance) => instance.serviceId === serviceId && instance.environmentId === environmentId && instance.mountPath === mountPath
       )
     ) ?? null;
+    const match = mounted ?? volumes.find((entry) => entry.id === volumeId) ?? volumes.find((entry) => entry.name === volumeName) ?? null;
     if (match?.instances.some(
       (instance) => instance.serviceId === serviceId && instance.environmentId === environmentId && instance.mountPath === mountPath
     )) {

package/dist/platform/environment.d.ts

@@ -1,7 +1,7 @@
 import type { TreeseedDeployConfig, TreeseedTenantConfig } from './contracts.ts';
 import { type LoadedTreeseedPluginEntry } from './plugins.ts';
 export declare const TREESEED_ENVIRONMENT_SCOPES: readonly ["local", "staging", "prod"];
-export declare const TREESEED_ENVIRONMENT_REQUIREMENTS: readonly ["required", "conditional", "optional"];
+export declare const TREESEED_ENVIRONMENT_REQUIREMENTS: readonly ["required", "conditional", "optional", "generated"];
 export declare const TREESEED_ENVIRONMENT_TARGETS: readonly ["local-runtime", "local-cloudflare", "github-secret", "github-variable", "cloudflare-secret", "cloudflare-var", "railway-secret", "railway-var", "config-file"];
 export declare const TREESEED_ENVIRONMENT_PURPOSES: readonly ["dev", "save", "deploy", "destroy", "config"];
 export declare const TREESEED_ENVIRONMENT_SENSITIVITY: readonly ["secret", "plain", "derived"];

package/dist/platform/environment.js

@@ -8,7 +8,7 @@ import { loadTreeseedDeployConfig } from "./deploy-config.js";
 import { loadTreeseedPlugins } from "./plugins.js";
 import { loadTreeseedManifest } from "./tenant-config.js";
 const TREESEED_ENVIRONMENT_SCOPES = ["local", "staging", "prod"];
-const TREESEED_ENVIRONMENT_REQUIREMENTS = ["required", "conditional", "optional"];
+const TREESEED_ENVIRONMENT_REQUIREMENTS = ["required", "conditional", "optional", "generated"];
 const TREESEED_ENVIRONMENT_TARGETS = [
   "local-runtime",
   "local-cloudflare",

package/dist/reconcile/builtin-adapters.js

@@ -7,9 +7,11 @@ import {
   buildProvisioningSummary,
   buildSecretMap,
   cloudflareApiRequest,
+  createTurnstileWidget,
   createBranchPreviewDeployTarget,
   createPersistentDeployTarget,
   destroyCloudflareResources,
+  getTurnstileWidget,
   hasProvisionedCloudflareResources,
   isWranglerAlreadyExistsError,
   listD1Databases,
@@ -17,6 +19,7 @@ import {
   listPagesProjects,
   listQueues,
   listR2Buckets,
+  listTurnstileWidgets,
   mergeCloudflarePagesDeploymentConfig,
   loadDeployState,
   queueId,
@@ -26,6 +29,7 @@ import {
   resolveCloudflareZoneIdForHost,
   runWrangler,
   scopeFromTarget,
+  updateTurnstileWidget,
   writeDeployState
 } from "../operations/services/deploy.js";
 import {
@@ -33,7 +37,6 @@ import {
   deriveRailwayMarketOperationsRunnerVolumeName,
   ensureRailwayProjectContext,
   ensureRailwayServiceVolumeWithCliFallback,
-  listRailwayServiceVolumesWithCli,
   runRailway,
   validateRailwayDeployPrerequisites
 } from "../operations/services/railway-deploy.js";
@@ -293,6 +296,30 @@ function getCloudflareKvById(env, namespaceId) {
   );
   return payload?.result ?? null;
 }
+function normalizeTurnstileDomains(value) {
+  return [...new Set((Array.isArray(value) ? value : []).map((entry) => typeof entry === "string" ? entry.trim() : "").filter(Boolean))].sort();
+}
+function turnstileDomainsEqual(left, right) {
+  return JSON.stringify(normalizeTurnstileDomains(left)) === JSON.stringify(normalizeTurnstileDomains(right));
+}
+function mergeTurnstileWidget(...widgets) {
+  const merged = {};
+  for (const widget of widgets) {
+    if (!widget) continue;
+    for (const [key, value] of Object.entries(widget)) {
+      if (value === void 0 || value === null) continue;
+      if (key === "domains" && !Array.isArray(value)) continue;
+      merged[key] = value;
+    }
+  }
+  return Object.keys(merged).length > 0 ? merged : null;
+}
+function findTurnstileWidget(widgets, current, desiredName) {
+  return widgets.find((entry) => {
+    if (!entry || typeof entry !== "object") return false;
+    return current?.sitekey && entry.sitekey === current.sitekey || desiredName && entry.name === desiredName;
+  });
+}
 function listCloudflareQueuesViaApi(env) {
   const accountId = env.CLOUDFLARE_ACCOUNT_ID;
   if (!accountId) {
@@ -314,7 +341,8 @@ function cloudflareObservationSnapshot(input, forceRefresh = false) {
       d1Databases: listD1Databases(input.context.tenantRoot, env),
       queues: listCloudflareQueuesViaApi(env),
       buckets: listR2Buckets(input.context.tenantRoot, env),
-      pagesProjects: listPagesProjects(input.context.tenantRoot, env)
+      pagesProjects: listPagesProjects(input.context.tenantRoot, env),
+      turnstileWidgets: listTurnstileWidgets(input.context.tenantRoot, env)
     };
   }, forceRefresh);
 }
@@ -591,7 +619,10 @@ function collectCloudflareEnvironmentSync(input) {
   const generatedSecrets = buildSecretMap(input.context.deployConfig, state);
   const publicVars = buildPublicVars(input.context.deployConfig, { target });
   const secrets = {};
-  const vars = { ...publicVars };
+  const generatedTurnstileSiteKey = typeof state.turnstileWidgets?.formGuard?.sitekey === "string" ? state.turnstileWidgets.formGuard.sitekey : "";
+  const vars = {
+    ...publicVars
+  };
   const secretNames = /* @__PURE__ */ new Set();
   const varNames = new Set(Object.keys(publicVars));
   for (const entry of registry.entries) {
@@ -611,8 +642,13 @@ function collectCloudflareEnvironmentSync(input) {
       varNames.add(entry.id);
     }
   }
+  if (generatedTurnstileSiteKey) {
+    vars.TREESEED_PUBLIC_TURNSTILE_SITE_KEY = generatedTurnstileSiteKey;
+    varNames.add("TREESEED_PUBLIC_TURNSTILE_SITE_KEY");
+  }
   for (const [key, value] of Object.entries(generatedSecrets)) {
-    if (typeof value === "string" && value.length > 0 && shouldExposeManagedHostRuntimeSecret(input.context.deployConfig, key)) {
+    const exposeRuntimeSecret = key === "TREESEED_TURNSTILE_SECRET_KEY" || shouldExposeManagedHostRuntimeSecret(input.context.deployConfig, key);
+    if (typeof value === "string" && value.length > 0 && exposeRuntimeSecret) {
       secrets[key] = value;
       secretNames.add(key);
     }
@@ -735,6 +771,7 @@ function reconcileCloudflareTarget(input, { dryRun = false } = {}) {
   const queues = dryRun ? [] : listQueues(input.context.tenantRoot, env);
   const buckets = dryRun ? [] : listR2Buckets(input.context.tenantRoot, env);
   const pagesProjects = dryRun ? [] : listPagesProjects(input.context.tenantRoot, env);
+  const turnstileWidgets = dryRun ? [] : listTurnstileWidgets(input.context.tenantRoot, env);
   const runStep = (label, fn) => {
     try {
       return fn();
@@ -945,11 +982,59 @@ function reconcileCloudflareTarget(input, { dryRun = false } = {}) {
     }
     current.url = `https://${current.projectName}.pages.dev`;
   };
+  const ensureTurnstileWidget = () => {
+    if (deployConfig.turnstile?.enabled !== true) {
+      return;
+    }
+    const current = state.turnstileWidgets?.formGuard;
+    if (!current?.name) {
+      return;
+    }
+    const pagesHost = state.pages?.url ? new URL(state.pages.url).hostname : null;
+    const desiredDomains = normalizeTurnstileDomains([
+      ...Array.isArray(current.domains) ? current.domains : [],
+      pagesHost
+    ]);
+    current.domains = desiredDomains;
+    current.mode = "managed";
+    current.managed = true;
+    const existing = findTurnstileWidget(turnstileWidgets, current, current.name);
+    if (dryRun) {
+      current.sitekey = current.sitekey ?? `dryrun-${current.name}-sitekey`;
+      current.secret = current.secret ?? `dryrun-${current.name}-secret`;
+      current.lastSyncedAt = nowIso();
+      return;
+    }
+    if (existing?.sitekey) {
+      const needsUpdate = existing.name !== current.name || existing.mode !== "managed" || !turnstileDomainsEqual(existing.domains, desiredDomains);
+      const updated = needsUpdate ? updateTurnstileWidget(env, String(existing.sitekey), {
+        name: current.name,
+        domains: desiredDomains,
+        mode: "managed"
+      }) : existing;
+      current.sitekey = String(updated?.sitekey ?? existing.sitekey);
+      current.secret = String(updated?.secret ?? current.secret ?? "");
+      current.lastSyncedAt = nowIso();
+      return;
+    }
+    const created = createTurnstileWidget(env, {
+      name: current.name,
+      domains: desiredDomains,
+      mode: "managed"
+    });
+    if (!created?.sitekey || !created?.secret) {
+      throw new Error(`Unable to resolve created Turnstile widget keys for ${current.name}.`);
+    }
+    current.sitekey = String(created.sitekey);
+    current.secret = String(created.secret);
+    current.lastSyncedAt = nowIso();
+  };
   runStep("kv-form-guard", () => ensureKv("FORM_GUARD_KV"));
   runStep("d1", ensureD1);
   runStep("queue", ensureQueue);
   runStep("r2", ensureR2Bucket);
   runStep("pages", ensurePagesProject);
+  runStep("turnstile-widget", ensureTurnstileWidget);
   runStep("web-cache", () => reconcileCloudflareWebCacheRules(input.context.tenantRoot, deployConfig, state, target, { dryRun, env }));
   state.readiness.configured = true;
   state.readiness.provisioned = hasProvisionedCloudflareResources(state);
@@ -989,7 +1074,7 @@ function syncCloudflareSecretsForTarget(input, { dryRun = false } = {}) {
 }
 function observeCloudflareUnit(input) {
   const snapshot = cloudflareObservationSnapshot(input);
-  const { state, kvNamespaces, d1Databases, queues, buckets, pagesProjects } = snapshot;
+  const { state, kvNamespaces, d1Databases, queues, buckets, pagesProjects, turnstileWidgets } = snapshot;
   switch (input.unit.unitType) {
     case "queue": {
       const liveQueue = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.name);
@@ -1042,6 +1127,17 @@ function observeCloudflareUnit(input) {
         warnings: []
       };
     }
+    case "turnstile-widget": {
+      const current = state.turnstileWidgets?.formGuard ?? {};
+      const liveWidget = findTurnstileWidget(turnstileWidgets, current, input.unit.spec.name);
+      return {
+        exists: Boolean(liveWidget?.sitekey || current?.sitekey),
+        status: liveWidget?.sitekey ? "ready" : "pending",
+        live: { ...current, ...liveWidget ?? {} },
+        locators: { sitekey: String(liveWidget?.sitekey ?? current?.sitekey ?? "") || null },
+        warnings: []
+      };
+    }
     case "pages-project": {
       const liveProject = pagesProjects.find((entry) => entry?.name === state.pages?.projectName);
       return {
@@ -1081,7 +1177,7 @@ function verifyCloudflareUnitOnce(input, postconditions) {
     ]);
   }
   const snapshot = cloudflareObservationSnapshot(input, true);
-  const { state, kvNamespaces, d1Databases, queues, buckets, pagesProjects, env } = snapshot;
+  const { state, kvNamespaces, d1Databases, queues, buckets, pagesProjects, turnstileWidgets, env } = snapshot;
   switch (input.unit.unitType) {
     case "queue": {
       const queue = state.queues?.agentWork;
@@ -1149,6 +1245,49 @@ function verifyCloudflareUnitOnce(input, postconditions) {
         })
       ]);
     }
+    case "turnstile-widget": {
+      const current = state.turnstileWidgets?.formGuard ?? {};
+      const cachedLive = findTurnstileWidget(turnstileWidgets, current, input.unit.spec.name);
+      const refreshedListedLive = findTurnstileWidget(
+        listTurnstileWidgets(input.context.tenantRoot, env),
+        current,
+        input.unit.spec.name
+      );
+      const refreshedLive = current.sitekey ? getTurnstileWidget(env, String(current.sitekey)) : null;
+      const live = mergeTurnstileWidget(
+        cachedLive,
+        refreshedListedLive,
+        refreshedLive
+      );
+      const pagesHost = state.pages?.url ? new URL(state.pages.url).hostname : null;
+      const desiredDomains = normalizeTurnstileDomains([
+        ...Array.isArray(input.unit.spec.domains) ? input.unit.spec.domains : [],
+        ...Array.isArray(current.domains) ? current.domains : [],
+        pagesHost
+      ]);
+      return summarizeVerification(input.unit.unitId, [
+        verificationCheck("turnstile.exists", "Turnstile widget exists by name and sitekey", "api", {
+          exists: Boolean(live?.sitekey),
+          expected: input.unit.spec.name ?? null,
+          observed: live ? { name: live.name, sitekey: live.sitekey } : null,
+          issues: live?.sitekey ? [] : [`Cloudflare Turnstile widget ${String(input.unit.spec.name ?? "(unset)")} was not found after reconcile.`]
+        }),
+        verificationCheck("turnstile.mode", "Turnstile widget mode is managed", "api", {
+          exists: Boolean(live?.sitekey),
+          configured: live?.mode === "managed",
+          expected: "managed",
+          observed: live?.mode ?? null,
+          issues: live?.mode === "managed" ? [] : ["Turnstile widget mode does not match managed."]
+        }),
+        verificationCheck("turnstile.domains", "Turnstile widget domains match desired config", "api", {
+          exists: Boolean(live?.sitekey),
+          configured: turnstileDomainsEqual(live?.domains, desiredDomains),
+          expected: desiredDomains,
+          observed: normalizeTurnstileDomains(live?.domains),
+          issues: turnstileDomainsEqual(live?.domains, desiredDomains) ? [] : ["Turnstile widget domains do not match desired config."]
+        })
+      ]);
+    }
     case "content-store": {
       const bucketName = state.content?.bucketName;
       const live = buckets.find((entry) => entry?.name === bucketName);
@@ -1344,6 +1483,12 @@ function buildCloudflareAdapter(unitType) {
             { key: "kv.exists", description: "KV namespace exists by title and id" },
             { key: "kv.binding", description: "KV binding matches desired config" }
           ];
+        case "turnstile-widget":
+          return [
+            { key: "turnstile.exists", description: "Turnstile widget exists by name and sitekey" },
+            { key: "turnstile.mode", description: "Turnstile widget mode is managed" },
+            { key: "turnstile.domains", description: "Turnstile widget domains match desired config" }
+          ];
         case "content-store":
           return [
             { key: "r2.exists", description: "R2 bucket exists by name" },
@@ -1621,7 +1766,7 @@ async function syncRailwayEnvironmentForScope(input, { dryRun = false } = {}) {
           preferCli: entry.configuredService.key === "marketOperationsRunner",
           env: topology.env
         });
-        if (!volume.instance?.serviceId) {
+        if (volume.instance?.serviceId !== entry.service.id || volume.instance?.environmentId !== entry.environment.id || volume.instance?.mountPath !== entry.configuredService.volumeMountPath) {
           ensureRailwayProjectContext(entry.configuredService, { env: topology.env, capture: true });
           let attachMessage = "";
           let attached = false;
@@ -2258,25 +2403,9 @@ async function verifyRailwayUnit(input) {
         const volumes = entry.project?.id ? await listRailwayVolumes({ projectId: entry.project.id, env: topology.env }) : [];
         const expectedServiceId = entry.service?.id ?? null;
         const expectedEnvironmentId = entry.environment?.id ?? null;
-        let mountedVolume = volumes.find((volume) => volume.instances.some(
+        const mountedVolume = volumes.find((volume) => volume.instances.some(
           (instance) => instance.serviceId === expectedServiceId && instance.environmentId === expectedEnvironmentId && instance.mountPath === service.volumeMountPath
         )) ?? null;
-        let mountedVolumeSource = "api";
-        if (!mountedVolume && serviceKey === "marketOperationsRunner" && expectedServiceId && expectedEnvironmentId) {
-          ensureRailwayProjectContext(service, { env: topology.env, capture: true });
-          const cliVolumes = listRailwayServiceVolumesWithCli({
-            cwd: service.rootDir,
-            serviceId: expectedServiceId,
-            environmentId: expectedEnvironmentId,
-            name: deriveRailwayMarketOperationsRunnerVolumeName(entry.service?.name ?? service.serviceName ?? service.key, entry.environment?.name ?? service.railwayEnvironment),
-            mountPath: service.volumeMountPath,
-            env: topology.env
-          });
-          mountedVolume = cliVolumes.find((volume) => volume.instances.some(
-            (instance) => instance.serviceId === expectedServiceId && instance.environmentId === expectedEnvironmentId && instance.mountPath === service.volumeMountPath
-          )) ?? null;
-          mountedVolumeSource = mountedVolume ? "cli" : "api";
-        }
         checks.push(verificationCheck("railway.volume:data", "Railway service has persistent data volume mounted", "api", {
           exists: Boolean(mountedVolume),
           configured: Boolean(mountedVolume),
@@ -2284,7 +2413,7 @@ async function verifyRailwayUnit(input) {
           observed: mountedVolume ? {
             name: mountedVolume.name,
             mountPath: service.volumeMountPath,
-            source: mountedVolumeSource
+            source: "api"
           } : null,
           issues: mountedVolume ? [] : [`Railway service ${service.serviceName ?? service.key} is missing a persistent volume mounted at ${service.volumeMountPath}.`]
         }));
@@ -2494,6 +2623,7 @@ function createCloudflareReconcileAdapters() {
     buildCloudflareAdapter("database"),
     buildCloudflareAdapter("content-store"),
     buildCloudflareAdapter("kv-form-guard"),
+    buildCloudflareAdapter("turnstile-widget"),
     buildCloudflareAdapter("pages-project"),
     buildCloudflareAdapter("edge-worker"),
     buildCustomDomainAdapter("custom-domain:web", "cloudflare"),

package/dist/reconcile/contracts.d.ts

@@ -3,7 +3,7 @@ export type TreeseedReconcileProviderId = string;
 export type TreeseedReconcileActionKind = 'noop' | 'create' | 'update' | 'reuse' | 'drift_correct' | 'destroy';
 export type TreeseedReconcileStatusKind = 'pending' | 'ready' | 'drifted' | 'error';
 export type TreeseedReconcileVerificationSource = 'cli' | 'api' | 'sdk' | 'derived';
-export type TreeseedReconcileUnitType = 'web-ui' | 'api-runtime' | 'market-operations-runner-runtime' | 'workday-manager-runtime' | 'worker-runner-runtime' | 'edge-worker' | 'content-store' | 'queue' | 'database' | 'kv-form-guard' | 'pages-project' | 'custom-domain:web' | 'custom-domain:api' | 'dns-record' | 'railway-service:api' | 'railway-service:market-operations-runner' | 'railway-service:workday-manager' | 'railway-service:worker-runner';
+export type TreeseedReconcileUnitType = 'web-ui' | 'api-runtime' | 'market-operations-runner-runtime' | 'workday-manager-runtime' | 'worker-runner-runtime' | 'edge-worker' | 'content-store' | 'queue' | 'database' | 'kv-form-guard' | 'turnstile-widget' | 'pages-project' | 'custom-domain:web' | 'custom-domain:api' | 'dns-record' | 'railway-service:api' | 'railway-service:market-operations-runner' | 'railway-service:workday-manager' | 'railway-service:worker-runner';
 export type TreeseedReconcileTarget = {
     kind: 'persistent';
     scope: 'local' | 'staging' | 'prod';

package/dist/reconcile/desired-state.js

@@ -76,6 +76,22 @@ function deriveTreeseedDesiredUnits({
     secrets: {},
     metadata: { bootstrapSystem: "web" }
   });
+  const turnstileWidgetId = legacyState.turnstileWidgets?.formGuard?.name && deployConfig.turnstile?.enabled === true ? add({
+    unitId: createTreeseedReconcileUnitId("turnstile-widget", legacyState.turnstileWidgets.formGuard.name),
+    unitType: "turnstile-widget",
+    provider: "cloudflare",
+    identity,
+    target,
+    logicalName: legacyState.turnstileWidgets.formGuard.name,
+    dependencies: [],
+    spec: {
+      name: legacyState.turnstileWidgets.formGuard.name,
+      domains: legacyState.turnstileWidgets.formGuard.domains ?? [],
+      mode: "managed"
+    },
+    secrets: {},
+    metadata: { bootstrapSystem: "web" }
+  }) : null;
   const contentStoreId = add({
     unitId: createTreeseedReconcileUnitId("content-store", legacyState.content.bucketName ?? deployConfig.slug),
     unitType: "content-store",
@@ -118,7 +134,7 @@ function deriveTreeseedDesiredUnits({
     identity,
     target,
     logicalName: legacyState.workerName,
-    dependencies: [queueId, databaseId, formGuardKvId, contentStoreId, pagesProjectId],
+    dependencies: [queueId, databaseId, formGuardKvId, ...turnstileWidgetId ? [turnstileWidgetId] : [], contentStoreId, pagesProjectId],
     spec: {
       workerName: legacyState.workerName
     },

package/dist/reconcile/units.js

@@ -9,6 +9,7 @@ const TRESEED_RECONCILE_UNIT_TYPES = [
   "queue",
   "database",
   "kv-form-guard",
+  "turnstile-widget",
   "pages-project",
   "custom-domain:web",
   "custom-domain:api",

package/dist/sdk-types.d.ts

@@ -19,7 +19,7 @@ export declare const PROJECT_WEB_DEPLOYMENT_ACTIONS: readonly ["deploy_web", "pu
 export declare const PROJECT_DEPLOYMENT_ENVIRONMENTS: readonly ["staging", "prod"];
 export declare const PROJECT_DEPLOYMENT_STATUSES: readonly ["pending", "queued", "claimed", "dispatching", "running", "monitoring", "succeeded", "failed", "cancelled", "timed_out"];
 export declare const PROJECT_INFRA_RESOURCE_PROVIDERS: readonly ["cloudflare", "railway", "github", "market"];
-export declare const PROJECT_INFRA_RESOURCE_KINDS: readonly ["pages", "worker", "r2", "d1", "queue", "dlq", "railway_project", "railway_service", "railway_schedule"];
+export declare const PROJECT_INFRA_RESOURCE_KINDS: readonly ["pages", "worker", "kv", "turnstile-widget", "r2", "d1", "queue", "dlq", "railway_project", "railway_service", "railway_schedule"];
 export declare const AGENT_POOL_STATUSES: readonly ["pending", "active", "degraded", "offline"];
 export type SdkBuiltinModelName = (typeof SDK_MODEL_NAMES)[number];
 export type SdkModelName = SdkBuiltinModelName | (string & {});

package/dist/sdk-types.js

@@ -48,6 +48,8 @@ const PROJECT_INFRA_RESOURCE_PROVIDERS = ["cloudflare", "railway", "github", "ma
 const PROJECT_INFRA_RESOURCE_KINDS = [
   "pages",
   "worker",
+  "kv",
+  "turnstile-widget",
   "r2",
   "d1",
   "queue",

package/dist/workflow/operations.d.ts

@@ -1243,6 +1243,7 @@ export declare function workflowDestroy(helpers: WorkflowOperationHelpers, input
             siteUrl: any;
             accountId: any;
             pages: any;
+            turnstileWidget: any;
             formGuardKv: any;
             sessionKv: any;
             siteDataDb: any;
@@ -1254,6 +1255,7 @@ export declare function workflowDestroy(helpers: WorkflowOperationHelpers, input
                 queue: any;
                 dlq: any;
                 database: any;
+                turnstileWidget: any;
                 formGuardKv: any;
                 railwayProject: any;
                 webDomain: any;

package/drizzle/market/0000_market_control_plane.sql

@@ -986,8 +986,7 @@ CREATE TABLE IF NOT EXISTS "projects" (
 	"description" text,
 	"metadata_json" text,
 	"created_at" text NOT NULL,
-	"updated_at" text NOT NULL,
-	CONSTRAINT "projects_slug_unique" UNIQUE("slug")
+	"updated_at" text NOT NULL
 );
 
 CREATE TABLE IF NOT EXISTS "provider_credential_sessions" (
@@ -2839,8 +2838,8 @@ CREATE INDEX IF NOT EXISTS "idx_capacity_routing_decisions_project_workday" ON "
 CREATE UNIQUE INDEX IF NOT EXISTS "idx_catalog_artifact_versions_item_version" ON "catalog_artifact_versions" USING btree ("item_id","version");
 CREATE INDEX IF NOT EXISTS "idx_catalog_artifact_versions_team_kind" ON "catalog_artifact_versions" USING btree ("team_id","kind","published_at");
 CREATE UNIQUE INDEX IF NOT EXISTS "idx_catalog_item_collaborators_subject_role" ON "catalog_item_collaborators" USING btree ("item_id","subject_type","subject_id","role");
-CREATE UNIQUE INDEX IF NOT EXISTS "idx_catalog_items_kind_slug" ON "catalog_items" USING btree ("kind","slug");
 CREATE INDEX IF NOT EXISTS "idx_catalog_items_team_kind" ON "catalog_items" USING btree ("team_id","kind","updated_at");
+CREATE UNIQUE INDEX IF NOT EXISTS "idx_catalog_items_team_kind_slug" ON "catalog_items" USING btree ("team_id","kind","slug");
 CREATE INDEX IF NOT EXISTS "idx_catalog_items_visibility_listing" ON "catalog_items" USING btree ("visibility","listing_enabled","updated_at");
 CREATE UNIQUE INDEX IF NOT EXISTS "idx_credit_conversion_profiles_profile_key" ON "credit_conversion_profiles" USING btree ("task_signature","execution_profile_id","execution_provider_kind","native_unit");
 CREATE INDEX IF NOT EXISTS "idx_credit_conversion_profiles_kind_unit" ON "credit_conversion_profiles" USING btree ("execution_provider_kind","native_unit","updated_at");
@@ -2884,6 +2883,7 @@ CREATE INDEX IF NOT EXISTS "idx_project_summary_snapshots_team_generated" ON "pr
 CREATE INDEX IF NOT EXISTS "idx_project_update_plans_hub" ON "project_update_plans" USING btree ("hub_id","created_at");
 CREATE INDEX IF NOT EXISTS "idx_project_workday_summaries_project_environment_created" ON "project_workday_summaries" USING btree ("project_id","environment","created_at");
 CREATE INDEX IF NOT EXISTS "idx_projects_team_id" ON "projects" USING btree ("team_id");
+CREATE UNIQUE INDEX IF NOT EXISTS "idx_projects_team_slug" ON "projects" USING btree ("team_id","slug");
 CREATE INDEX IF NOT EXISTS "idx_provider_credential_sessions_team_host" ON "provider_credential_sessions" USING btree ("team_id","host_kind","host_id","status");
 CREATE INDEX IF NOT EXISTS "idx_provider_credential_sessions_job" ON "provider_credential_sessions" USING btree ("job_id","status");
 CREATE UNIQUE INDEX IF NOT EXISTS "idx_remote_job_events_job_seq" ON "remote_job_events" USING btree ("job_id","seq");

package/drizzle/market/0003_project_team_slug_unique.sql

@@ -0,0 +1,4 @@
+ALTER TABLE "projects" DROP CONSTRAINT IF EXISTS "projects_slug_unique";
+CREATE UNIQUE INDEX IF NOT EXISTS "idx_projects_team_slug" ON "projects" USING btree ("team_id","slug");
+DROP INDEX IF EXISTS "idx_catalog_items_kind_slug";
+CREATE UNIQUE INDEX IF NOT EXISTS "idx_catalog_items_team_kind_slug" ON "catalog_items" USING btree ("team_id","kind","slug");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@treeseed/sdk",
-  "version": "0.10.22",
+  "version": "0.10.23",
   "description": "Shared Treeseed SDK for content-backed and D1-backed object models.",
   "license": "AGPL-3.0-only",
   "repository": {