@treeseed/sdk 0.10.22 → 0.10.24

package/dist/operations/services/deploy.js

@@ -41,6 +41,13 @@ function ensureParent(filePath) {
 function stableHash(value) {
   return createHash("sha256").update(value).digest("hex");
 }
+function compactDeploymentKey(input) {
+  const rawKey = sanitizeResourceKey(input.rawKey ?? "");
+  if (rawKey && rawKey.length <= 40) return rawKey;
+  const base = sanitizeSegment(input.slug ?? input.projectSegment ?? "project").slice(0, 27) || "project";
+  const hash = stableHash(`${input.teamId ?? ""}:${input.projectId ?? ""}:${input.slug ?? ""}`).slice(0, 8);
+  return `${base}-${hash}`;
+}
 function readJson(filePath, fallback) {
   if (!existsSync(filePath)) {
     return fallback;
@@ -69,6 +76,9 @@ function loadTenantDeployConfig(tenantRoot) {
 function sanitizeSegment(value) {
   return String(value).trim().toLowerCase().replace(/[^a-z0-9-]+/g, "-").replace(/^-+|-+$/g, "").replace(/-{2,}/g, "-").slice(0, 36) || "default";
 }
+function sanitizeResourceKey(value) {
+  return String(value).trim().toLowerCase().replace(/[^a-z0-9-]+/g, "-").replace(/^-+|-+$/g, "").replace(/-{2,}/g, "");
+}
 function requireConfiguredIdentityValue(value, label) {
   const normalized = typeof value === "string" && value.trim() ? value.trim() : "";
   if (!normalized) {
@@ -87,7 +97,13 @@ function resolveTreeseedResourceIdentity(deployConfig, target) {
   );
   const teamSegment = sanitizeSegment(teamId);
   const projectSegment = sanitizeSegment(projectId);
-  const deploymentKey = `${teamSegment}-${projectSegment}`;
+  const deploymentKey = compactDeploymentKey({
+    rawKey: `${teamSegment}-${projectSegment}`,
+    teamId,
+    projectId,
+    projectSegment,
+    slug: deployConfig.slug
+  });
   const environment = target.kind === "persistent" ? target.scope : target.branchName;
   const environmentSegment = target.kind === "persistent" ? target.scope : sanitizeSegment(target.branchName);
   return {
@@ -168,6 +184,13 @@ function resolveConfiguredSurfaceBaseUrl(deployConfig, target, surface) {
   }
   return null;
 }
+function configuredSurfaceHosts(deployConfig, target, surface) {
+  const hosts = [
+    resolveConfiguredSurfaceDomain(deployConfig, target, surface),
+    surface === "web" && target.kind === "persistent" && target.scope === "prod" ? primaryHost(deployConfig.surfaces?.web?.publicBaseUrl ?? deployConfig.siteUrl) : null
+  ].filter(Boolean);
+  return [...new Set(hosts)];
+}
 function sharedDeploymentName(identity, role = "") {
   const roleSegment = role === "workdayManager" ? "workday-manager" : role === "workerRunner" ? "worker-runner-01" : role;
   return role ? `${identity.deploymentKey}-${sanitizeSegment(roleSegment)}` : identity.deploymentKey;
@@ -419,7 +442,7 @@ function buildSecretMap(deployConfig, state) {
   return {
     TREESEED_FORM_TOKEN_SECRET: envOrNull("TREESEED_FORM_TOKEN_SECRET") ?? generatedSecret,
     TREESEED_EDITORIAL_PREVIEW_SECRET: envOrNull("TREESEED_EDITORIAL_PREVIEW_SECRET") ?? previewSecret,
-    TREESEED_TURNSTILE_SECRET_KEY: envOrNull("TREESEED_TURNSTILE_SECRET_KEY"),
+    TREESEED_TURNSTILE_SECRET_KEY: state.turnstileWidgets?.formGuard?.secret ?? envOrNull("TREESEED_TURNSTILE_SECRET_KEY"),
     TREESEED_SMTP_PASSWORD: envOrNull("TREESEED_SMTP_PASSWORD")
   };
 }
@@ -431,6 +454,8 @@ function defaultStateFromConfig(deployConfig, target) {
   const contentPreviewRootTemplate = deployConfig.cloudflare.r2?.previewRootTemplate ?? "teams/{teamId}/previews";
   const contentDefaultTeamId = identity.teamId;
   const contentManifestKey = contentManifestKeyTemplate.replaceAll("{teamId}", contentDefaultTeamId);
+  const turnstileName = environmentScopedIdentityName(identity, "turnstile", target);
+  const turnstileDomains = configuredSurfaceHosts(deployConfig, target, "web");
   return {
     version: 2,
     target,
@@ -469,6 +494,17 @@ function defaultStateFromConfig(deployConfig, target) {
       buildOutputDir: deployConfig.cloudflare.pages?.buildOutputDir ?? "dist",
       url: resolveConfiguredSurfaceBaseUrl(deployConfig, target, "web")
     },
+    turnstileWidgets: {
+      formGuard: {
+        name: turnstileName,
+        sitekey: null,
+        secret: null,
+        mode: "managed",
+        domains: turnstileDomains,
+        managed: true,
+        lastSyncedAt: null
+      }
+    },
     content: {
       runtimeProvider: deployConfig.providers?.content?.runtime ?? "team_scoped_r2_overlay",
       publishProvider: deployConfig.providers?.content?.publish ?? deployConfig.providers?.content?.runtime ?? "team_scoped_r2_overlay",
@@ -636,6 +672,23 @@ function loadDeployState(tenantRoot, deployConfig, options = {}) {
       ...defaults.generatedSecrets ?? {},
       ...persisted.generatedSecrets ?? {}
     },
+    turnstileWidgets: {
+      ...defaults.turnstileWidgets ?? {},
+      ...persisted.turnstileWidgets ?? {},
+      formGuard: {
+        ...defaults.turnstileWidgets?.formGuard ?? {},
+        ...persisted.turnstileWidgets?.formGuard ?? {},
+        name: defaults.turnstileWidgets?.formGuard?.name ?? persisted.turnstileWidgets?.formGuard?.name ?? null,
+        mode: "managed",
+        managed: true,
+        domains: [
+          ...new Set([
+            ...Array.isArray(defaults.turnstileWidgets?.formGuard?.domains) ? defaults.turnstileWidgets.formGuard.domains : [],
+            ...Array.isArray(persisted.turnstileWidgets?.formGuard?.domains) ? persisted.turnstileWidgets.formGuard.domains : []
+          ].filter(Boolean))
+        ]
+      }
+    },
     content: {
       ...defaults.content ?? {},
       ...persisted.content ?? {},
@@ -926,6 +979,68 @@ function listPagesProjects(tenantRoot, env) {
   });
   return Array.isArray(payload?.result) ? payload.result : [];
 }
+function listTurnstileWidgets(tenantRoot, env) {
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!accountId) {
+    return [];
+  }
+  const payload = cloudflareApiRequest(`/accounts/${encodeURIComponent(accountId)}/challenges/widgets?per_page=100`, {
+    env,
+    allowFailure: true
+  });
+  return Array.isArray(payload?.result) ? payload.result : [];
+}
+function getTurnstileWidget(env, sitekey) {
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!accountId || !sitekey) {
+    return null;
+  }
+  const payload = cloudflareApiRequest(
+    `/accounts/${encodeURIComponent(accountId)}/challenges/widgets/${encodeURIComponent(sitekey)}`,
+    { env, allowFailure: true }
+  );
+  return payload?.result ?? null;
+}
+function createTurnstileWidget(env, input) {
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!accountId) {
+    throw new Error("Configure CLOUDFLARE_ACCOUNT_ID before creating Turnstile widgets.");
+  }
+  try {
+    return cloudflareApiRequest(`/accounts/${encodeURIComponent(accountId)}/challenges/widgets`, {
+      method: "POST",
+      env,
+      body: {
+        name: input.name,
+        domains: input.domains ?? [],
+        mode: input.mode ?? "managed"
+      }
+    })?.result ?? null;
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    throw new Error(`Cloudflare Turnstile widget creation failed. Ensure the API token has Turnstile Sites Write permission: ${detail}`);
+  }
+}
+function updateTurnstileWidget(env, sitekey, input) {
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  if (!accountId || !sitekey) {
+    throw new Error("Configure CLOUDFLARE_ACCOUNT_ID and sitekey before updating Turnstile widgets.");
+  }
+  try {
+    return cloudflareApiRequest(`/accounts/${encodeURIComponent(accountId)}/challenges/widgets/${encodeURIComponent(sitekey)}`, {
+      method: "PUT",
+      env,
+      body: {
+        name: input.name,
+        domains: input.domains ?? [],
+        mode: input.mode ?? "managed"
+      }
+    })?.result ?? null;
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    throw new Error(`Cloudflare Turnstile widget update failed. Ensure the API token has Turnstile Sites Write permission: ${detail}`);
+  }
+}
 function buildCloudflarePagesFunctionBindings(state) {
   const kvNamespaces = Object.fromEntries(
     Object.entries(state.kvNamespaces ?? {}).map(([key, namespace]) => {
@@ -1006,6 +1121,7 @@ function buildProvisioningSummary(deployConfig, state, target) {
     siteUrl: target.kind === "branch" ? targetWorkersDevUrl(state.workerName) : deployConfig.siteUrl,
     accountId: resolveConfiguredCloudflareAccountId(deployConfig),
     pages: state.pages ?? null,
+    turnstileWidget: state.turnstileWidgets?.formGuard ?? null,
     formGuardKv: state.kvNamespaces.FORM_GUARD_KV,
     sessionKv: state.kvNamespaces.SESSION ?? null,
     siteDataDb: state.d1Databases.SITE_DATA_DB,
@@ -1017,6 +1133,7 @@ function buildProvisioningSummary(deployConfig, state, target) {
       queue: state.queues?.agentWork?.name ?? null,
       dlq: state.queues?.agentWork?.dlqName ?? null,
       database: state.d1Databases?.SITE_DATA_DB?.databaseName ?? null,
+      turnstileWidget: state.turnstileWidgets?.formGuard?.name ?? null,
       formGuardKv: state.kvNamespaces?.FORM_GUARD_KV?.name ?? null,
       railwayProject: state.services?.worker?.projectName ?? state.services?.api?.projectName ?? null,
       webDomain: configuredWebDomain,
@@ -1533,14 +1650,7 @@ function resolveConfiguredContentPublicBaseUrl(deployConfig) {
   return envOrNull("TREESEED_CONTENT_PUBLIC_BASE_URL") ?? deployConfig.cloudflare.r2?.publicBaseUrl ?? "";
 }
 function missingTurnstileRequirements() {
-  const issues = [];
-  if (!envOrNull("TREESEED_PUBLIC_TURNSTILE_SITE_KEY")) {
-    issues.push("Set TREESEED_PUBLIC_TURNSTILE_SITE_KEY before deploying.");
-  }
-  if (!envOrNull("TREESEED_TURNSTILE_SECRET_KEY")) {
-    issues.push("Set TREESEED_TURNSTILE_SECRET_KEY before deploying.");
-  }
-  return issues;
+  return [];
 }
 function missingContentRuntimeRequirements(deployConfig) {
   const issues = [];
@@ -1564,20 +1674,6 @@ function collectMissingDeployInputs(tenantRoot) {
       message: "Cloudflare account ID is missing. Set CLOUDFLARE_ACCOUNT_ID with treeseed config or provide it now."
     });
   }
-  if (!envOrNull("TREESEED_PUBLIC_TURNSTILE_SITE_KEY")) {
-    missing.push({
-      key: "TREESEED_PUBLIC_TURNSTILE_SITE_KEY",
-      label: "Turnstile public site key",
-      message: "Turnstile public site key is missing for deploy."
-    });
-  }
-  if (!envOrNull("TREESEED_TURNSTILE_SECRET_KEY")) {
-    missing.push({
-      key: "TREESEED_TURNSTILE_SECRET_KEY",
-      label: "Turnstile secret key",
-      message: "Turnstile secret key is missing for deploy."
-    });
-  }
   if (deployConfig.providers?.content?.runtime === "team_scoped_r2_overlay" && !envOrNull("TREESEED_EDITORIAL_PREVIEW_SECRET")) {
     missing.push({
       key: "TREESEED_EDITORIAL_PREVIEW_SECRET",
@@ -1674,6 +1770,24 @@ function resolveExistingKvIdByName(kvNamespaces, expectedName, fallbackId) {
   }
   return kvNamespaces.find((entry) => entry?.title === expectedName)?.id ?? null;
 }
+function resolveExistingTurnstileWidget(widgets, current) {
+  if (!current?.name && !current?.sitekey) {
+    return current;
+  }
+  const existing = widgets.find(
+    (entry) => current.sitekey && entry?.sitekey === current.sitekey || current.name && entry?.name === current.name
+  );
+  if (!existing?.sitekey) {
+    return current;
+  }
+  return {
+    ...current,
+    sitekey: existing.sitekey,
+    secret: existing.secret ?? current.secret ?? null,
+    domains: Array.isArray(existing.domains) ? existing.domains : current.domains ?? [],
+    mode: existing.mode ?? current.mode ?? "managed"
+  };
+}
 function resolveExistingD1ByName(d1Databases, expectedName, current) {
   if (current?.databaseId && !isPlaceholderResourceId(current.databaseId)) {
     return current;
@@ -1703,6 +1817,24 @@ function deleteKvNamespace(tenantRoot, namespaceId, { env, dryRun, preview = fal
   const deleted = deleteCloudflareApiResource(path, { env, dryRun: false, name: namespaceId, type: "kv-namespace" });
   return { status: deleted.status, id: namespaceId, preview };
 }
+function deleteTurnstileWidget(sitekey, { env, dryRun, name = null }) {
+  if (!sitekey || isPlaceholderResourceId(sitekey)) {
+    return { status: "missing", sitekey, name };
+  }
+  if (dryRun) {
+    return { status: "planned", sitekey, name };
+  }
+  const accountId = env?.CLOUDFLARE_ACCOUNT_ID ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? "";
+  const path = accountId ? `/accounts/${encodeURIComponent(accountId)}/challenges/widgets/${encodeURIComponent(sitekey)}` : null;
+  let deleted;
+  try {
+    deleted = deleteCloudflareApiResource(path, { env, dryRun: false, name: name ?? sitekey, type: "turnstile-widget" });
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    throw new Error(`Cloudflare Turnstile widget deletion failed. Ensure the API token has Turnstile Sites Write permission: ${detail}`);
+  }
+  return { status: deleted.status, sitekey, name };
+}
 function deleteD1Database(tenantRoot, databaseName, { env, dryRun }) {
   if (!databaseName) {
     return { status: "missing", name: databaseName };
@@ -2385,6 +2517,7 @@ async function destroyTreeseedEnvironmentResources(tenantRoot, options = {}) {
   const queues = dryRun ? [] : listQueues(tenantRoot, env);
   const buckets = dryRun ? [] : listR2Buckets(tenantRoot, env);
   const pagesProjects = dryRun ? [] : listPagesProjects(tenantRoot, env);
+  const turnstileWidgets = dryRun ? [] : listTurnstileWidgets(tenantRoot, env);
   state.kvNamespaces.FORM_GUARD_KV.id = resolveExistingKvIdByName(
     kvNamespaces,
     state.kvNamespaces.FORM_GUARD_KV.name,
@@ -2402,11 +2535,17 @@ async function destroyTreeseedEnvironmentResources(tenantRoot, options = {}) {
     state.d1Databases.SITE_DATA_DB.databaseName,
     state.d1Databases.SITE_DATA_DB
   );
+  state.turnstileWidgets.formGuard = resolveExistingTurnstileWidget(turnstileWidgets, state.turnstileWidgets?.formGuard);
   const pagesProject = pagesProjects.find((entry) => entry?.name === state.pages?.projectName);
   const bucket = buckets.find((entry) => entry?.name === state.content?.bucketName);
   const queue = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.name);
   const dlq = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.dlqName);
   const workerResult = deleteWorker(tenantRoot, state.workerName, { env, dryRun, force });
+  const turnstileWidget = deleteTurnstileWidget(state.turnstileWidgets?.formGuard?.sitekey, {
+    env,
+    dryRun,
+    name: state.turnstileWidgets?.formGuard?.name
+  });
   const formGuard = deleteKvNamespace(tenantRoot, state.kvNamespaces.FORM_GUARD_KV.id, { env, dryRun });
   const formGuardPreview = state.kvNamespaces.FORM_GUARD_KV.previewId && state.kvNamespaces.FORM_GUARD_KV.previewId !== state.kvNamespaces.FORM_GUARD_KV.id ? deleteKvNamespace(tenantRoot, state.kvNamespaces.FORM_GUARD_KV.previewId, { env, dryRun, preview: true }) : null;
   const session = state.kvNamespaces.SESSION?.id ? deleteKvNamespace(tenantRoot, state.kvNamespaces.SESSION.id, { env, dryRun }) : null;
@@ -2454,6 +2593,7 @@ async function destroyTreeseedEnvironmentResources(tenantRoot, options = {}) {
   const operations = {
     cloudflare: [
       resourceOperation("cloudflare", "worker", state.workerName, workerResult.status, workerResult),
+      resourceOperation("cloudflare", "turnstile-widget", state.turnstileWidgets?.formGuard?.name, turnstileWidget.status, turnstileWidget),
       resourceOperation("cloudflare", "kv-namespace", state.kvNamespaces.FORM_GUARD_KV.name, formGuard.status, formGuard),
       ...formGuardPreview ? [resourceOperation("cloudflare", "kv-namespace-preview", state.kvNamespaces.FORM_GUARD_KV.name, formGuardPreview.status, formGuardPreview)] : [],
       ...session ? [resourceOperation("cloudflare", "kv-namespace", state.kvNamespaces.SESSION.name, session.status, session)] : [],
@@ -2496,6 +2636,7 @@ function destroyCloudflareResources(tenantRoot, options = {}) {
   const queues = listQueues(tenantRoot, env);
   const buckets = dryRun ? [] : listR2Buckets(tenantRoot, env);
   const pagesProjects = dryRun ? [] : listPagesProjects(tenantRoot, env);
+  const turnstileWidgets = dryRun ? [] : listTurnstileWidgets(tenantRoot, env);
   state.kvNamespaces.FORM_GUARD_KV.id = resolveExistingKvIdByName(
     kvNamespaces,
     state.kvNamespaces.FORM_GUARD_KV.name,
@@ -2506,11 +2647,17 @@ function destroyCloudflareResources(tenantRoot, options = {}) {
     state.d1Databases.SITE_DATA_DB.databaseName,
     state.d1Databases.SITE_DATA_DB
   );
+  state.turnstileWidgets.formGuard = resolveExistingTurnstileWidget(turnstileWidgets, state.turnstileWidgets?.formGuard);
   const queue = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.name);
   const dlq = queues.find((entry) => queueName(entry) === state.queues?.agentWork?.dlqName);
   const bucket = buckets.find((entry) => entry?.name === state.content?.bucketName);
   const pagesProject = pagesProjects.find((entry) => entry?.name === state.pages?.projectName);
   const worker = deleteWorker(tenantRoot, state.workerName, { env, dryRun, force });
+  const turnstileWidget = deleteTurnstileWidget(state.turnstileWidgets?.formGuard?.sitekey, {
+    env,
+    dryRun,
+    name: state.turnstileWidgets?.formGuard?.name
+  });
   const formGuard = deleteKvNamespace(tenantRoot, state.kvNamespaces.FORM_GUARD_KV.id, { env, dryRun });
   const database = deleteD1DatabaseForDestroy(tenantRoot, state.d1Databases.SITE_DATA_DB.databaseName, { env, dryRun, deleteData });
   const deletedQueue = deleteQueueByName(tenantRoot, queue ?? { name: state.queues?.agentWork?.name }, { env, dryRun });
@@ -2524,6 +2671,7 @@ function destroyCloudflareResources(tenantRoot, options = {}) {
   const pages = pagesProject || dryRun ? deletePagesProject(state.pages?.projectName, { env, dryRun }) : resourceOperation("cloudflare", "pages-project", state.pages?.projectName, "missing");
   const operations = {
     worker,
+    turnstileWidget,
     formGuard,
     database,
     queue: deletedQueue,
@@ -3093,12 +3241,14 @@ export {
   collectMissingDeployInputs,
   createBranchPreviewDeployTarget,
   createPersistentDeployTarget,
+  createTurnstileWidget,
   deployTargetLabel,
   deriveTreeseedStagingSurfaceDomain,
   destroyCloudflareResources,
   destroyTreeseedEnvironmentResources,
   ensureGeneratedWranglerConfig,
   finalizeDeploymentState,
+  getTurnstileWidget,
   hasProvisionedCloudflareResources,
   isWranglerAlreadyExistsError,
   listD1Databases,
@@ -3106,6 +3256,7 @@ export {
   listPagesProjects,
   listQueues,
   listR2Buckets,
+  listTurnstileWidgets,
   loadDeployState,
   markDeploymentInitialized,
   markManagedServicesInitialized,
@@ -3132,6 +3283,7 @@ export {
   scopeFromTarget,
   shouldDeleteRailwayProjectAfterEnvironmentDestroy,
   syncCloudflareSecrets,
+  updateTurnstileWidget,
   validateDeployPrerequisites,
   validateDestroyPrerequisites,
   verifyProvisionedCloudflareResources,

package/dist/operations/services/github-automation.d.ts

@@ -24,6 +24,14 @@ export interface TreeseedGitHubRepositoryTarget {
 }
 export declare function getGitHubAutomationMode(): string;
 export declare function parseGitHubRepositoryFromRemote(remoteUrl: any): string | null;
+export declare function resolveGitHubRemoteUrls(owner: any, name: any): {
+    slug: string;
+    owner: string;
+    name: string;
+    sshUrl: string;
+    httpsUrl: string;
+    url: string;
+};
 export declare function resolveGitHubRepositorySlug(tenantRoot: any): string;
 export declare function maybeResolveGitHubRepositorySlug(tenantRoot: any): string | null;
 export declare function resolveDefaultGitHubOwner(): string;
@@ -54,12 +62,13 @@ export declare function ensureGitHubBootstrapRepository(tenantRoot: string, { va
 export declare function createGitHubRepository(input: any, { env }?: {
     env?: NodeJS.ProcessEnv | undefined;
 }): Promise<import("./github-api.ts").GitHubRepositorySummary>;
-export declare function initializeGitHubRepositoryWorkingTree(cwd: any, repository: any, { defaultBranch, createStaging, commitMessage, remoteName, push, }?: {
+export declare function initializeGitHubRepositoryWorkingTree(cwd: any, repository: any, { defaultBranch, createStaging, commitMessage, remoteName, push, forcePush, }?: {
     defaultBranch?: string | undefined;
     createStaging?: boolean | undefined;
     commitMessage?: string | undefined;
     remoteName?: string | undefined;
     push?: boolean | undefined;
+    forcePush?: boolean | undefined;
 }): {
     repository: any;
     remoteName: string;

package/dist/operations/services/github-automation.js

@@ -49,7 +49,19 @@ function runGit(args, { cwd, allowFailure = false, capture = true } = {}) {
     encoding: "utf8"
   });
   if (result.status !== 0 && !allowFailure) {
-    throw new Error(result.stderr?.trim() || result.stdout?.trim() || `git ${args.join(" ")} failed`);
+    if (args[0] === "push" && !args.includes("--force")) {
+      const retryArgs = ["push", "--force", ...args.slice(1)];
+      const retry = spawnSync("git", retryArgs, {
+        cwd,
+        stdio: capture ? "pipe" : "inherit",
+        encoding: "utf8"
+      });
+      if (retry.status === 0) return retry;
+      const retryDetail = retry.stderr?.trim() || retry.stdout?.trim();
+      throw new Error(`git ${retryArgs.join(" ")} failed${retryDetail ? `: ${retryDetail}` : ""}`);
+    }
+    const detail = result.stderr?.trim() || result.stdout?.trim();
+    throw new Error(`git ${args.join(" ")} failed${detail ? `: ${detail}` : ""}`);
   }
   return result;
 }
@@ -223,7 +235,8 @@ function initializeGitHubRepositoryWorkingTree(cwd, repository, {
   createStaging = true,
   commitMessage = "Initialize TreeSeed hub",
   remoteName = "origin",
-  push = true
+  push = true,
+  forcePush = false
 } = {}) {
   runGit(["init", "-b", defaultBranch], { cwd, allowFailure: true });
   ensureGitIdentity(cwd);
@@ -239,12 +252,12 @@ function initializeGitHubRepositoryWorkingTree(cwd, repository, {
     runGit(["commit", "-m", commitMessage], { cwd });
   }
   if (push) {
-    runGit(["push", "-u", remoteName, defaultBranch], { cwd, capture: false });
+    runGit(["push", ...forcePush ? ["--force"] : [], "-u", remoteName, defaultBranch], { cwd, capture: false });
   }
   if (createStaging) {
     runGit(["checkout", "-B", "staging"], { cwd });
     if (push) {
-      runGit(["push", "-u", remoteName, "staging"], { cwd, capture: false });
+      runGit(["push", ...forcePush ? ["--force"] : [], "-u", remoteName, "staging"], { cwd, capture: false });
     }
     runGit(["checkout", defaultBranch], { cwd });
   }
@@ -501,6 +514,7 @@ export {
   requiredGitHubEnvironment,
   requiredGitHubSecrets,
   resolveDefaultGitHubOwner,
+  resolveGitHubRemoteUrls,
   resolveGitHubRepositorySlug,
   resolveGitHubRepositoryTarget,
   resolveGitRepositoryRoot,

package/dist/operations/services/hosting-audit.d.ts

@@ -53,6 +53,7 @@ export type TreeseedHostingAuditOptions = {
     valuesOverlay?: Record<string, string | undefined>;
     hostKinds?: TreeseedHostingAuditHostKind[];
     providerConnectionChecks?: boolean;
+    resourceChecks?: boolean;
     write?: (line: string) => void;
 };
 export declare function resolveTreeseedHostingAuditTarget({ tenantRoot, environment, }: {
@@ -64,5 +65,5 @@ export declare function resolveTreeseedHostingAuditTarget({ tenantRoot, environm
     target: TreeseedReconcileTarget;
     branchName: string | null;
 };
-export declare function runTreeseedHostingAudit({ tenantRoot, environment, repair, env, valuesOverlay, hostKinds: requestedHostKinds, providerConnectionChecks: shouldCheckProviderConnections, write, }: TreeseedHostingAuditOptions): Promise<TreeseedHostingAuditReport>;
+export declare function runTreeseedHostingAudit({ tenantRoot, environment, repair, env, valuesOverlay, hostKinds: requestedHostKinds, providerConnectionChecks: shouldCheckProviderConnections, resourceChecks: shouldCheckResources, write, }: TreeseedHostingAuditOptions): Promise<TreeseedHostingAuditReport>;
 export declare function formatTreeseedHostingAuditReport(report: TreeseedHostingAuditReport): string;

package/dist/operations/services/hosting-audit.js

@@ -463,6 +463,7 @@ async function runTreeseedHostingAudit({
   valuesOverlay = {},
   hostKinds: requestedHostKinds,
   providerConnectionChecks: shouldCheckProviderConnections = true,
+  resourceChecks: shouldCheckResources = true,
   write
 }) {
   const resolved = resolveTreeseedHostingAuditTarget({ tenantRoot, environment });
@@ -509,7 +510,17 @@ async function runTreeseedHostingAudit({
   const systems = reconcileSystemsForHostKinds(hostKinds);
   let resources = {};
   let repaired = false;
-  if (resolved.environment !== "local" && systems.length > 0) {
+  if (!shouldCheckResources) {
+    checks.push({
+      id: "resources.skipped",
+      hostType: "platform",
+      provider: "treeseed",
+      category: "resource",
+      status: "skipped",
+      severity: "info",
+      summary: "Hosted provider resource checks are skipped for this audit."
+    });
+  } else if (resolved.environment !== "local" && systems.length > 0) {
     try {
       const state = loadDeployState(tenantRoot, deployConfig, { target: resolved.target });
       resources = buildProvisioningSummary(deployConfig, state, resolved.target);

package/dist/operations/services/hub-launch.d.ts

@@ -42,6 +42,7 @@ export interface KnowledgeHubLaunchIntent {
         name: string;
         slug: string;
         purpose?: string | null;
+        coreObjective?: string | null;
         visibility?: 'private' | 'team' | 'public';
     };
     source?: {

package/dist/operations/services/hub-launch.js

@@ -193,6 +193,7 @@ function providerLaunchInputFromIntent(plan) {
     projectSlug: intent.hub.slug,
     projectName: intent.hub.name,
     summary: intent.hub.purpose ?? null,
+    coreObjective: providerInput.coreObjective ?? intent.hub.coreObjective ?? intent.hub.purpose ?? null,
     sourceKind: sourceKind === "blank_hub" ? "blank" : sourceKind === "market_listing" ? "template" : sourceKind,
     sourceRef: intent.source?.ref ?? null,
     hostingMode: intent.hosting?.mode === "treeseed_managed" ? "managed" : intent.hosting?.mode ?? "managed",

package/dist/operations/services/hub-provider-launch.d.ts

@@ -9,6 +9,7 @@ export interface KnowledgeHubProviderLaunchInput {
     projectSlug: string;
     projectName: string;
     summary?: string | null;
+    coreObjective?: string | null;
     sourceKind: 'blank' | 'template' | 'knowledge_pack';
     sourceRef?: string | null;
     hostingMode?: 'managed' | 'hybrid' | 'self_hosted';
@@ -38,6 +39,14 @@ export interface KnowledgeHubProviderLaunchInput {
     enableDefaultAgents?: boolean;
     preserveWorkingTree?: boolean;
     cloudflareHost?: KnowledgeHubCloudflareHostLaunchInput | null;
+    domains?: {
+        productionDomain?: string | null;
+        stagingDomain?: string | null;
+        zoneName?: string | null;
+        zoneId?: string | null;
+        manageDns?: boolean;
+        provider?: string | null;
+    } | null;
 }
 export interface KnowledgeHubCloudflareHostConfig {
     CLOUDFLARE_API_TOKEN?: string;