@treeseed/sdk 0.10.23 → 0.10.25

package/dist/operations/services/template-secret-sync.d.ts

@@ -0,0 +1,97 @@
+import { syncTreeseedCloudflareEnvironment, syncTreeseedGitHubEnvironment, syncTreeseedRailwayEnvironment, type TreeseedConfigScope } from './config-runtime.ts';
+import type { ProjectLaunchResolvedHostBinding, ProjectLaunchSecretDeploymentPlanItem } from '../../template-launch-requirements.ts';
+import type { ProjectLaunchRequirementKind } from '../../sdk-types.ts';
+export type ProjectLaunchSecretSyncProvider = 'github' | 'cloudflare' | 'railway';
+export type ProjectLaunchSecretSyncStatus = 'synced' | 'skipped' | 'failed';
+export type ProjectLaunchSecretSyncProviderStatus = 'running' | 'completed' | 'failed';
+export type ProjectLaunchSecretSyncTargetKind = 'github-secret' | 'github-variable' | 'cloudflare-secret' | 'cloudflare-var' | 'railway-secret' | 'railway-var';
+export interface ProjectLaunchSecretValueDiagnostic {
+    code: 'missing_value' | 'unsupported_target';
+    requirementKey: string;
+    requirementKind: ProjectLaunchRequirementKind;
+    env: string;
+    source: string;
+    targets: string[];
+    scopes: TreeseedConfigScope[];
+    message: string;
+}
+export interface ProjectLaunchResolvedSecretValueItem {
+    requirementKey: string;
+    requirementKind: ProjectLaunchRequirementKind;
+    env: string;
+    source: string;
+    targets: ProjectLaunchSecretSyncTargetKind[];
+    scopes: TreeseedConfigScope[];
+    sensitivity: string;
+    sourceHostId?: string | null;
+    resolved: boolean;
+}
+export interface ProjectLaunchSecretValueOverlayResult {
+    valuesOverlay: Record<string, string>;
+    items: ProjectLaunchResolvedSecretValueItem[];
+    diagnostics: ProjectLaunchSecretValueDiagnostic[];
+}
+export interface ProjectLaunchSecretSyncSummaryItem {
+    provider: ProjectLaunchSecretSyncProvider;
+    scope: TreeseedConfigScope;
+    target: ProjectLaunchSecretSyncTargetKind;
+    env: string;
+    requirementKey: string;
+    requirementKind: ProjectLaunchRequirementKind;
+    sensitivity: string;
+    status: ProjectLaunchSecretSyncStatus;
+    error?: {
+        message: string;
+    };
+}
+export interface ProjectLaunchSecretSyncProviderSummary {
+    provider: ProjectLaunchSecretSyncProvider;
+    scope: TreeseedConfigScope;
+    entryIds: string[];
+    status: Exclude<ProjectLaunchSecretSyncProviderStatus, 'running'>;
+    error?: {
+        message: string;
+    };
+}
+export interface ProjectLaunchSecretSyncProgressEvent {
+    provider: ProjectLaunchSecretSyncProvider;
+    scope: TreeseedConfigScope;
+    status: ProjectLaunchSecretSyncProviderStatus;
+    entryIds: string[];
+    message: string;
+}
+export interface ProjectLaunchSecretSyncResult {
+    ok: boolean;
+    items: ProjectLaunchSecretSyncSummaryItem[];
+    providers: ProjectLaunchSecretSyncProviderSummary[];
+    diagnostics: ProjectLaunchSecretValueDiagnostic[];
+}
+export interface ProjectLaunchSecretSyncAdapters {
+    github?: typeof syncTreeseedGitHubEnvironment;
+    cloudflare?: typeof syncTreeseedCloudflareEnvironment;
+    railway?: typeof syncTreeseedRailwayEnvironment;
+}
+export interface ResolveProjectLaunchSecretValueOverlayOptions {
+    hostBindings?: Record<string, ProjectLaunchResolvedHostBinding> | null;
+    secretDeploymentPlan?: {
+        items?: ProjectLaunchSecretDeploymentPlanItem[] | null;
+    } | null;
+    valuesOverlay?: Record<string, string | undefined> | null;
+    valuesByScope?: Partial<Record<TreeseedConfigScope, Record<string, string | undefined> | null>> | null;
+    processEnv?: Record<string, string | undefined>;
+    scopes?: TreeseedConfigScope[];
+}
+export interface SyncProjectLaunchHostBindingSecretsOptions extends ResolveProjectLaunchSecretValueOverlayOptions {
+    projectRoot: string;
+    repository?: string | null;
+    dryRun?: boolean;
+    providers?: ProjectLaunchSecretSyncProvider[];
+    onProgress?: (event: ProjectLaunchSecretSyncProgressEvent) => void | Promise<void>;
+    adapters?: ProjectLaunchSecretSyncAdapters;
+}
+export declare class ProjectLaunchSecretSyncError extends Error {
+    readonly result: ProjectLaunchSecretSyncResult;
+    constructor(message: string, result: ProjectLaunchSecretSyncResult);
+}
+export declare function resolveProjectLaunchSecretValueOverlay(options: ResolveProjectLaunchSecretValueOverlayOptions): ProjectLaunchSecretValueOverlayResult;
+export declare function syncProjectLaunchHostBindingSecrets(options: SyncProjectLaunchHostBindingSecretsOptions): Promise<ProjectLaunchSecretSyncResult>;

package/dist/operations/services/template-secret-sync.js

@@ -0,0 +1,292 @@
+import {
+  syncTreeseedCloudflareEnvironment,
+  syncTreeseedGitHubEnvironment,
+  syncTreeseedRailwayEnvironment
+} from "./config-runtime.js";
+const PROVIDER_TARGETS = {
+  github: ["github-secret", "github-variable"],
+  cloudflare: ["cloudflare-secret", "cloudflare-var"],
+  railway: ["railway-secret", "railway-var"]
+};
+const DEFAULT_SCOPES = ["staging", "prod"];
+const NON_PROVIDER_TARGETS = /* @__PURE__ */ new Set(["local-runtime", "local-cloudflare", "config-file"]);
+const SECRET_TOKEN_PATTERN = /(?:gh[pousr]_[A-Za-z0-9_]{20,}|sk-[A-Za-z0-9_-]{16,}|[A-Za-z0-9+/=]{32,})/gu;
+class ProjectLaunchSecretSyncError extends Error {
+  result;
+  constructor(message, result) {
+    super(message);
+    this.name = "ProjectLaunchSecretSyncError";
+    this.result = result;
+  }
+}
+function stringValue(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : "";
+}
+function normalizeSecretTargets(targets) {
+  const allowed = new Set(Object.values(PROVIDER_TARGETS).flat());
+  return targets.map((target) => String(target ?? "").trim()).filter((target) => allowed.has(target));
+}
+function normalizeScopes(items, requested) {
+  const scopes = new Set(requested?.length ? requested : DEFAULT_SCOPES);
+  for (const item of items) {
+    for (const scope of item.scopes ?? []) {
+      if (scope === "staging" || scope === "prod") {
+        scopes.add(scope);
+      }
+    }
+  }
+  return [...scopes];
+}
+function valueCandidatesForSource(source) {
+  const value = String(source ?? "").trim();
+  if (!value) return [];
+  const [, suffix = ""] = /^(?:selectedHost|host)\.(?:secret|config|environment|env):(.+)$/u.exec(value) ?? [];
+  if (suffix) {
+    return [suffix, suffix.toUpperCase(), `TREESEED_${suffix.toUpperCase()}`];
+  }
+  const [, dotted = ""] = /^(?:selectedHost|host)\.([A-Za-z0-9_]+)$/u.exec(value) ?? [];
+  if (dotted) {
+    return [dotted, dotted.toUpperCase(), `TREESEED_${dotted.toUpperCase()}`];
+  }
+  return [];
+}
+function scopedOverlay(options, scope) {
+  return {
+    ...options.processEnv ?? process.env,
+    ...options.valuesOverlay ?? {},
+    ...options.valuesByScope?.[scope] ?? {}
+  };
+}
+function bindingValue(binding, key) {
+  if (!binding || !key) return "";
+  const record = binding;
+  for (const containerKey of ["environmentValues", "configValues", "secrets", "secretValues", "metadata"]) {
+    const container = record[containerKey];
+    if (container && typeof container === "object") {
+      const value = stringValue(container[key]) || stringValue(container[key.toUpperCase()]);
+      if (value) return value;
+    }
+  }
+  return stringValue(record[key]) || stringValue(record[key.toUpperCase()]);
+}
+function resolvePlanItemValue(item, scope, options) {
+  const values = scopedOverlay(options, scope);
+  const direct = stringValue(values[item.env]);
+  if (direct) return direct;
+  const binding = item.sourceHostId ? options.hostBindings?.[item.requirementKey] : void 0;
+  for (const candidate of valueCandidatesForSource(item.source)) {
+    const overlayValue = stringValue(values[candidate]);
+    if (overlayValue) return overlayValue;
+    const hostValue = bindingValue(binding, candidate);
+    if (hostValue) return hostValue;
+  }
+  return "";
+}
+function providerForTarget(target) {
+  if (target.startsWith("github-")) return "github";
+  if (target.startsWith("cloudflare-")) return "cloudflare";
+  return "railway";
+}
+function redactSecretSyncMessage(message) {
+  return String(message instanceof Error ? message.message : message ?? "Secret sync failed.").replace(SECRET_TOKEN_PATTERN, "[redacted]").replace(/(token|password|secret|key)=([^,\s]+)/giu, "$1=[redacted]");
+}
+function resolveProjectLaunchSecretValueOverlay(options) {
+  const planItems = options.secretDeploymentPlan?.items?.filter(Boolean) ?? [];
+  const scopes = normalizeScopes(planItems, options.scopes);
+  const valuesOverlay = {};
+  const resolvedItems = [];
+  const diagnostics = [];
+  for (const item of planItems) {
+    const targets = normalizeSecretTargets(item.targets ?? []);
+    const itemScopes = (item.scopes ?? []).filter((scope) => scope === "local" || scope === "staging" || scope === "prod");
+    if (targets.length === 0) {
+      if ((item.targets ?? []).every((target) => NON_PROVIDER_TARGETS.has(String(target)))) {
+        continue;
+      }
+      diagnostics.push({
+        code: "unsupported_target",
+        requirementKey: item.requirementKey,
+        requirementKind: item.requirementKind,
+        env: item.env,
+        source: item.source,
+        targets: item.targets ?? [],
+        scopes: itemScopes,
+        message: `Secret deployment target is not supported for ${item.env}.`
+      });
+      continue;
+    }
+    const activeScopes = itemScopes.filter((scope) => scopes.includes(scope));
+    let resolved = false;
+    for (const scope of activeScopes) {
+      const value = resolvePlanItemValue(item, scope, options);
+      if (value) {
+        valuesOverlay[item.env] = value;
+        resolved = true;
+        break;
+      }
+    }
+    if (!resolved) {
+      diagnostics.push({
+        code: "missing_value",
+        requirementKey: item.requirementKey,
+        requirementKind: item.requirementKind,
+        env: item.env,
+        source: item.source,
+        targets,
+        scopes: activeScopes,
+        message: `No launch secret value was available for ${item.env}.`
+      });
+    }
+    resolvedItems.push({
+      requirementKey: item.requirementKey,
+      requirementKind: item.requirementKind,
+      env: item.env,
+      source: item.source,
+      targets,
+      scopes: activeScopes,
+      sensitivity: item.sensitivity,
+      sourceHostId: item.sourceHostId ?? null,
+      resolved
+    });
+  }
+  return { valuesOverlay, items: resolvedItems, diagnostics };
+}
+function itemsForProviderScope(items, provider, scope) {
+  const targets = new Set(PROVIDER_TARGETS[provider]);
+  return items.filter((item) => item.resolved && item.scopes.includes(scope) && item.targets.some((target) => targets.has(target)));
+}
+function summaryItemsFor(items, provider, scope, status, error) {
+  const targets = new Set(PROVIDER_TARGETS[provider]);
+  return items.flatMap((item) => item.targets.filter((target) => targets.has(target)).map((target) => ({
+    provider,
+    scope,
+    target,
+    env: item.env,
+    requirementKey: item.requirementKey,
+    requirementKind: item.requirementKind,
+    sensitivity: item.sensitivity,
+    status,
+    ...error ? { error: { message: redactSecretSyncMessage(error) } } : {}
+  })));
+}
+async function syncProjectLaunchHostBindingSecrets(options) {
+  const planItems = options.secretDeploymentPlan?.items?.filter(Boolean) ?? [];
+  const scopes = normalizeScopes(planItems, options.scopes);
+  const providers = options.providers?.length ? options.providers : Object.keys(PROVIDER_TARGETS);
+  const overlay = resolveProjectLaunchSecretValueOverlay({ ...options, scopes });
+  const relevantDiagnostics = overlay.diagnostics.filter((diagnostic) => diagnostic.scopes.some((scope) => scopes.includes(scope)) && diagnostic.targets.some((target) => providers.includes(providerForTarget(target))));
+  const result = {
+    ok: relevantDiagnostics.length === 0,
+    items: [],
+    providers: [],
+    diagnostics: overlay.diagnostics
+  };
+  if (relevantDiagnostics.length > 0) {
+    for (const diagnostic of relevantDiagnostics) {
+      for (const target of normalizeSecretTargets(diagnostic.targets)) {
+        const provider = providerForTarget(target);
+        for (const scope of diagnostic.scopes.filter((entry) => scopes.includes(entry))) {
+          result.items.push({
+            provider,
+            scope,
+            target,
+            env: diagnostic.env,
+            requirementKey: diagnostic.requirementKey,
+            requirementKind: diagnostic.requirementKind,
+            sensitivity: "secret",
+            status: "failed",
+            error: { message: diagnostic.message }
+          });
+        }
+      }
+    }
+    throw new ProjectLaunchSecretSyncError("Host-bound secret sync could not resolve every required value.", result);
+  }
+  const adapters = {
+    github: options.adapters?.github ?? syncTreeseedGitHubEnvironment,
+    cloudflare: options.adapters?.cloudflare ?? syncTreeseedCloudflareEnvironment,
+    railway: options.adapters?.railway ?? syncTreeseedRailwayEnvironment
+  };
+  for (const provider of providers) {
+    for (const scope of scopes) {
+      if (scope === "local") continue;
+      const scopedItems = itemsForProviderScope(overlay.items, provider, scope);
+      if (scopedItems.length === 0) continue;
+      const entryIds = [...new Set(scopedItems.map((item) => item.env))];
+      await options.onProgress?.({
+        provider,
+        scope,
+        entryIds,
+        status: "running",
+        message: `Syncing ${entryIds.length} host-bound ${provider} entr${entryIds.length === 1 ? "y" : "ies"} for ${scope}.`
+      });
+      try {
+        const valuesOverlay = {
+          ...overlay.valuesOverlay,
+          ...options.valuesByScope?.[scope] ?? {}
+        };
+        if (provider === "github") {
+          await adapters.github({
+            tenantRoot: options.projectRoot,
+            scope,
+            dryRun: options.dryRun,
+            repository: options.repository ?? null,
+            valuesOverlay,
+            entryIds,
+            execution: "sequential"
+          });
+        } else if (provider === "cloudflare") {
+          adapters.cloudflare({
+            tenantRoot: options.projectRoot,
+            scope,
+            dryRun: options.dryRun,
+            valuesOverlay,
+            entryIds
+          });
+        } else {
+          adapters.railway({
+            tenantRoot: options.projectRoot,
+            scope,
+            dryRun: options.dryRun,
+            valuesOverlay,
+            entryIds
+          });
+        }
+        result.items.push(...summaryItemsFor(scopedItems, provider, scope, "synced"));
+        result.providers.push({ provider, scope, entryIds, status: "completed" });
+        await options.onProgress?.({
+          provider,
+          scope,
+          entryIds,
+          status: "completed",
+          message: `Synced host-bound ${provider} entries for ${scope}.`
+        });
+      } catch (error) {
+        result.ok = false;
+        result.items.push(...summaryItemsFor(scopedItems, provider, scope, "failed", error));
+        result.providers.push({
+          provider,
+          scope,
+          entryIds,
+          status: "failed",
+          error: { message: redactSecretSyncMessage(error) }
+        });
+        await options.onProgress?.({
+          provider,
+          scope,
+          entryIds,
+          status: "failed",
+          message: redactSecretSyncMessage(error)
+        });
+        throw new ProjectLaunchSecretSyncError(redactSecretSyncMessage(error), result);
+      }
+    }
+  }
+  result.ok = result.providers.every((provider) => provider.status === "completed") && result.diagnostics.length === 0;
+  return result;
+}
+export {
+  ProjectLaunchSecretSyncError,
+  resolveProjectLaunchSecretValueOverlay,
+  syncProjectLaunchHostBindingSecrets
+};

package/dist/platform/contracts.d.ts

@@ -283,6 +283,7 @@ export interface TreeseedDeployConfig {
     slug: string;
     siteUrl: string;
     contactEmail: string;
+    projectRoot?: string;
     hosting?: TreeseedHostingConfig;
     hub: TreeseedHubConfig;
     runtime: TreeseedRuntimeConfig;

package/dist/platform/deploy-config.js

@@ -9,7 +9,8 @@ import {
 } from "./plugins/constants.js";
 const deployConfigFieldAliases = {
   siteUrl: { key: "siteUrl", aliases: ["site_url"] },
-  contactEmail: { key: "contactEmail", aliases: ["contact_email"] }
+  contactEmail: { key: "contactEmail", aliases: ["contact_email"] },
+  projectRoot: { key: "projectRoot", aliases: ["project_root"] }
 };
 const hostingFieldAliases = {
   kind: { key: "kind", aliases: ["kind"] },
@@ -547,6 +548,7 @@ function parseDeployConfig(raw) {
     slug: expectString(parsed.slug, "slug"),
     siteUrl: expectString(parsed.siteUrl, "siteUrl"),
     contactEmail: expectString(parsed.contactEmail, "contactEmail"),
+    projectRoot: optionalString(parsed.projectRoot),
     hosting: compatibilityHosting,
     hub,
     runtime,
@@ -630,10 +632,15 @@ function loadTreeseedDeployConfig(configPath = "treeseed.site.yaml") {
 function loadTreeseedDeployConfigFromPath(resolvedConfigPath) {
   const tenantRoot = dirname(resolvedConfigPath);
   const parsed = parseDeployConfig(readFileSync(resolvedConfigPath, "utf8"));
+  const projectRoot = parsed.projectRoot ? resolve(tenantRoot, parsed.projectRoot) : tenantRoot;
   Object.defineProperty(parsed, "__tenantRoot", {
     value: tenantRoot,
     enumerable: false
   });
+  Object.defineProperty(parsed, "__projectRoot", {
+    value: projectRoot,
+    enumerable: false
+  });
   Object.defineProperty(parsed, "__configPath", {
     value: resolvedConfigPath,
     enumerable: false

package/dist/platform/deploy-runtime.js

@@ -6,6 +6,7 @@ function defaultDeployConfig() {
     slug: "treeseed-site",
     siteUrl: "https://example.com",
     contactEmail: "contact@example.com",
+    projectRoot: ".",
     cloudflare: {
       accountId: "",
       workerName: "treeseed-site"

package/dist/platform/environment.d.ts

@@ -86,6 +86,9 @@ export type TreeseedEnvironmentEntry = {
     localDefaultValue?: TreeseedEnvironmentValueResolver;
     isRelevant?: (context: TreeseedEnvironmentContext, scope: TreeseedEnvironmentScope, purpose?: TreeseedEnvironmentPurpose) => boolean;
     requiredWhen?: (context: TreeseedEnvironmentContext, scope: TreeseedEnvironmentScope, purpose?: TreeseedEnvironmentPurpose) => boolean;
+    sourceRequirement?: string;
+    sourceHostType?: string | null;
+    sourceProvider?: string | null;
 };
 export type TreeseedEnvironmentEntryYaml = Omit<TreeseedEnvironmentEntry, 'id' | 'defaultValue' | 'localDefaultValue' | 'isRelevant' | 'requiredWhen'> & {
     cluster?: string;

package/dist/project-workflow.d.ts

@@ -1,4 +1,4 @@
-import type { ProjectConnection, RemoteJobStatus } from './sdk-types.ts';
+import type { ProjectConnection, ProjectLaunchHostBindingInput, RemoteJobStatus } from './sdk-types.ts';
 export declare const PROJECT_TEAM_CAPABILITIES: readonly ["launch_projects", "edit_direct", "manage_workstreams", "stage_releases", "publish_releases", "publish_market_listings", "manage_products", "manage_billing", "approve_remote_execution"];
 export declare const PROJECT_JOB_STATUSES: readonly ["queued", "running", "waiting_for_approval", "failed", "completed", "rolled_back", "cancelled"];
 export declare const WORKSTREAM_STATES: readonly ["drafting", "active_local", "verifying", "saved_remote", "in_staging", "archived"];
@@ -201,9 +201,15 @@ export interface LaunchProjectRequest {
     sourceKind: 'blank' | 'template' | 'knowledge_pack';
     sourceRef?: string | null;
     hostingMode: 'managed' | 'hybrid' | 'self_hosted';
+    repositoryHostId?: string | null;
+    repositoryHostConfig?: Record<string, unknown> | null;
     cloudflareHostId?: string | null;
     cloudflareHostMode?: 'team_owned' | 'treeseed_managed' | null;
     cloudflareHostConfig?: Record<string, unknown> | null;
+    emailHostId?: string | null;
+    emailHostMode?: 'team_owned' | 'treeseed_managed' | null;
+    emailHostConfig?: Record<string, unknown> | null;
+    hostBindings?: Record<string, ProjectLaunchHostBindingInput>;
     targetEnvironments?: Array<'local' | 'staging' | 'prod'>;
     publicSite?: boolean;
     repoProvider?: 'github';

package/dist/reconcile/engine.d.ts

@@ -1,5 +1,6 @@
 import type { TreeseedObservedUnitState, TreeseedReconcilePlan, TreeseedReconcileResult, TreeseedReconcileStateRecord, TreeseedReconcileTarget, TreeseedUnitVerificationResult } from './contracts.ts';
 import { type TreeseedRunnableBootstrapSystem } from './bootstrap-systems.ts';
+import { type TreeseedTimingEntry } from '../timing.ts';
 export declare function observeTreeseedUnits({ tenantRoot, target, env, systems, write, }: {
     tenantRoot: string;
     target: TreeseedReconcileTarget;
@@ -417,6 +418,7 @@ export declare function reconcileTreeseedTarget({ tenantRoot, target, env, syste
     plans: TreeseedReconcilePlan[];
     results: TreeseedReconcileResult[];
     state: TreeseedReconcileStateRecord;
+    timings: TreeseedTimingEntry[];
 }>;
 export declare function destroyTreeseedTargetUnits({ tenantRoot, target, env, write, }: {
     tenantRoot: string;

package/dist/reconcile/engine.js

@@ -3,6 +3,7 @@ import { deriveTreeseedDesiredUnits } from "./desired-state.js";
 import { ensureTreeseedPersistedUnitState, desiredUnitSpecHash, loadTreeseedReconcileState, updateTreeseedPersistedUnitState, writeTreeseedReconcileState } from "./state.js";
 import { reverseTopologicallySortedUnits, topologicallySortDesiredUnits } from "./units.js";
 import { filterTreeseedDesiredUnitsByBootstrapSystems } from "./bootstrap-systems.js";
+import { elapsedMs, formatDurationMs } from "../timing.js";
 function nowIso() {
   return (/* @__PURE__ */ new Date()).toISOString();
 }
@@ -209,7 +210,9 @@ async function reconcileTreeseedTarget({
   const context = createRunContext(tenantRoot, target, env, write);
   const results = [];
   const verificationMap = /* @__PURE__ */ new Map();
+  const timingEntries = [];
   context.session.set("treeseed:verification-results", verificationMap);
+  context.session.set("treeseed:timings", timingEntries);
   const planByUnitId = new Map(planned.plans.map((plan) => [plan.unit.unitId, plan]));
   let persistChain = Promise.resolve();
   const persistVerifiedResult = async (persisted, verifiedResult) => {
@@ -221,20 +224,43 @@ async function reconcileTreeseedTarget({
   };
   await runByDependencyLevel(topologicallySortDesiredUnits(planned.units), async (unit) => {
     const plan = planByUnitId.get(unit.unitId);
-    write?.(`Reconciling ${plan.unit.provider}:${plan.unit.unitType}...`);
+    const unitTiming = {
+      name: `reconcile:${plan.unit.provider}:${plan.unit.unitType}:${plan.unit.logicalName}`,
+      durationMs: 0,
+      status: "running",
+      children: [],
+      metadata: { unitId: plan.unit.unitId, action: plan.diff.action }
+    };
+    const unitStartMs = performance.now();
+    timingEntries.push(unitTiming);
+    write?.(`Reconciling ${plan.unit.provider}:${plan.unit.unitType} (${plan.unit.logicalName})...`);
     const adapter = registry.get(plan.unit.unitType, plan.unit.provider);
     const persisted = ensureTreeseedPersistedUnitState(planned.state, plan.unit);
     try {
+      const stageStartMs = performance.now();
       await Promise.resolve(adapter.validate?.({
         context,
         unit: plan.unit,
         persistedState: persisted
       }));
+      unitTiming.children?.push({
+        name: `${unitTiming.name}:validate`,
+        durationMs: elapsedMs(stageStartMs),
+        status: "success"
+      });
     } catch (error) {
+      unitTiming.children?.push({
+        name: `${unitTiming.name}:validate`,
+        durationMs: elapsedMs(unitStartMs),
+        status: "failed"
+      });
+      unitTiming.durationMs = elapsedMs(unitStartMs);
+      unitTiming.status = "failed";
       wrapAdapterFailure("validate", plan.unit.provider, plan.unit.unitType, plan.unit.unitId, error);
     }
     let result;
     try {
+      const stageStartMs = performance.now();
       result = await Promise.resolve(adapter.reconcile({
         context,
         unit: plan.unit,
@@ -242,10 +268,22 @@ async function reconcileTreeseedTarget({
         observed: plan.observed,
         diff: plan.diff
       }));
+      unitTiming.children?.push({
+        name: `${unitTiming.name}:reconcile`,
+        durationMs: elapsedMs(stageStartMs),
+        status: "success"
+      });
     } catch (error) {
+      unitTiming.children?.push({
+        name: `${unitTiming.name}:reconcile`,
+        durationMs: elapsedMs(unitStartMs),
+        status: "failed"
+      });
+      unitTiming.durationMs = elapsedMs(unitStartMs);
+      unitTiming.status = "failed";
       wrapAdapterFailure("reconcile", plan.unit.provider, plan.unit.unitType, plan.unit.unitId, error);
     }
-    write?.(`Verifying ${plan.unit.provider}:${plan.unit.unitType}...`);
+    write?.(`Verifying ${plan.unit.provider}:${plan.unit.unitType} (${plan.unit.logicalName})...`);
     const postconditions = await Promise.resolve(adapter.requiredPostconditions?.({
       context,
       unit: plan.unit,
@@ -253,6 +291,7 @@ async function reconcileTreeseedTarget({
     }) ?? []);
     let verification;
     try {
+      const stageStartMs = performance.now();
       verification = await Promise.resolve(adapter.verify({
         context,
         unit: plan.unit,
@@ -262,7 +301,19 @@ async function reconcileTreeseedTarget({
         result,
         postconditions
       }));
+      unitTiming.children?.push({
+        name: `${unitTiming.name}:verify`,
+        durationMs: elapsedMs(stageStartMs),
+        status: verification.verified ? "success" : "failed"
+      });
     } catch (error) {
+      unitTiming.children?.push({
+        name: `${unitTiming.name}:verify`,
+        durationMs: elapsedMs(unitStartMs),
+        status: "failed"
+      });
+      unitTiming.durationMs = elapsedMs(unitStartMs);
+      unitTiming.status = "failed";
       wrapAdapterFailure("verify", plan.unit.provider, plan.unit.unitType, plan.unit.unitId, error);
     }
     const verifiedResult = {
@@ -274,6 +325,9 @@ async function reconcileTreeseedTarget({
       ]
     };
     verificationMap.set(plan.unit.unitId, verification);
+    unitTiming.durationMs = elapsedMs(unitStartMs);
+    unitTiming.status = verification.verified ? "success" : "failed";
+    write?.(`Finished ${plan.unit.provider}:${plan.unit.unitType} (${plan.unit.logicalName}) in ${formatDurationMs(unitTiming.durationMs)}.`);
     if (!verification.verified) {
       await persistVerifiedResult(persisted, verifiedResult);
       throw new Error(`Treeseed reconcile verification failed for ${plan.unit.provider}:${plan.unit.unitType} (${plan.unit.unitId}): ${formatVerificationFailure(verification)}`);
@@ -287,7 +341,8 @@ async function reconcileTreeseedTarget({
     units: planned.units,
     plans: planned.plans,
     results,
-    state: planned.state
+    state: planned.state,
+    timings: timingEntries
   };
 }
 async function destroyTreeseedTargetUnits({

package/dist/scripts/scaffold-site.js

@@ -1,10 +1,11 @@
 #!/usr/bin/env node
 import { resolve } from 'node:path';
 import { scaffoldTemplateProject } from '../operations/services/template-registry.js';
+import { TREESEED_DEFAULT_STARTER_TEMPLATE_ID } from '../sdk-types.js';
 function parseArgs(argv) {
     const args = {
         target: null,
-        template: 'starter-basic',
+        template: TREESEED_DEFAULT_STARTER_TEMPLATE_ID,
         name: null,
         slug: null,
         siteUrl: null,
@@ -59,7 +60,7 @@ console.log(`Created Treeseed tenant from ${definition.id} at ${targetRoot}`);
 console.log('Next steps:');
 console.log(`  cd ${options.target}`);
 console.log('  npm install');
-console.log('  treeseed template show starter-basic');
+console.log(`  treeseed template show ${options.template}`);
 console.log('  treeseed sync --check');
 console.log('  treeseed config --environment local');
 console.log('  treeseed dev');

package/dist/scripts/test-scaffold.js

@@ -5,6 +5,7 @@ import { dirname, join, resolve } from 'node:path';
 import { spawnSync } from 'node:child_process';
 import { corePackageRoot, packageRoot, packageScriptPath, sdkPackageRoot } from '../operations/services/runtime-tools.js';
 import { listTemplateProducts, validateTemplateProduct } from '../operations/services/template-registry.js';
+import { TREESEED_DEFAULT_STARTER_TEMPLATE_ID } from '../sdk-types.js';
 const npmCacheDir = process.env.TREESEED_SCAFFOLD_NPM_CACHE_DIR
     ? resolve(process.env.TREESEED_SCAFFOLD_NPM_CACHE_DIR)
     : resolve(tmpdir(), 'treeseed-npm-cache');
@@ -204,7 +205,7 @@ async function scaffoldSite(siteRoot) {
     for (const definition of await listTemplateProducts({ writeWarning: (message) => console.warn(message) })) {
         await validateTemplateProduct(definition, { writeWarning: (message) => console.warn(message) });
     }
-    runStep(process.execPath, [packageScriptPath('scaffold-site'), siteRoot, '--template', 'starter-basic', '--name', 'Smoke Site', '--site-url', 'https://smoke.example.com', '--contact-email', 'hello@example.com']);
+    runStep(process.execPath, [packageScriptPath('scaffold-site'), siteRoot, '--template', TREESEED_DEFAULT_STARTER_TEMPLATE_ID, '--name', 'Smoke Site', '--site-url', 'https://smoke.example.com', '--contact-email', 'hello@example.com']);
 }
 function installScaffold(siteRoot, { coreTarballPath, sdkTarballPath, cliTarballPath }) {
     if (coreTarballPath && sdkTarballPath && cliTarballPath) {