npm - @treeseed/sdk - Versions diffs - 0.10.28 → 0.11.0 - Mend

@treeseed/sdk 0.10.28 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (148) hide show

package/README.md +207 -6
package/dist/capacity-provider.d.ts +3 -1
package/dist/capacity-provider.js +25 -5
package/dist/control-plane.d.ts +1 -0
package/dist/control-plane.js +38 -13
package/dist/db/market-schema.d.ts +8860 -6172
package/dist/db/market-schema.js +108 -0
package/dist/db/node-sqlite.js +7 -2
package/dist/hosting/apps.d.ts +12 -0
package/dist/hosting/apps.js +107 -0
package/dist/hosting/builtins.d.ts +25 -0
package/dist/hosting/builtins.js +791 -0
package/dist/hosting/contracts.d.ts +207 -0
package/dist/hosting/contracts.js +0 -0
package/dist/hosting/graph.d.ts +192 -0
package/dist/hosting/graph.js +1106 -0
package/dist/hosting/index.d.ts +4 -0
package/dist/hosting/index.js +4 -0
package/dist/index.d.ts +10 -3
package/dist/index.js +63 -6
package/dist/managed-dependencies.js +1 -2
package/dist/market-client.d.ts +63 -3
package/dist/market-client.js +83 -11
package/dist/operations/services/bootstrap-runner.d.ts +3 -1
package/dist/operations/services/bootstrap-runner.js +22 -2
package/dist/operations/services/config-runtime.d.ts +10 -5
package/dist/operations/services/config-runtime.js +209 -66
package/dist/operations/services/deploy.d.ts +70 -7
package/dist/operations/services/deploy.js +579 -64
package/dist/operations/services/deployment-readiness.d.ts +30 -0
package/dist/operations/services/deployment-readiness.js +175 -0
package/dist/operations/services/git-workflow.d.ts +2 -1
package/dist/operations/services/git-workflow.js +9 -3
package/dist/operations/services/github-actions-verification.d.ts +1 -0
package/dist/operations/services/github-actions-verification.js +1 -0
package/dist/operations/services/github-api.js +1 -1
package/dist/operations/services/github-automation.d.ts +1 -1
package/dist/operations/services/github-automation.js +4 -3
package/dist/operations/services/github-credentials.d.ts +13 -0
package/dist/operations/services/github-credentials.js +58 -0
package/dist/operations/services/hosted-service-checks.d.ts +63 -0
package/dist/operations/services/hosted-service-checks.js +327 -0
package/dist/operations/services/hub-provider-launch.js +3 -3
package/dist/operations/services/live-hosted-service-checks.d.ts +25 -0
package/dist/operations/services/live-hosted-service-checks.js +350 -0
package/dist/operations/services/managed-host-security.js +1 -1
package/dist/operations/services/operations-runner-smoke.d.ts +30 -0
package/dist/operations/services/operations-runner-smoke.js +180 -0
package/dist/operations/services/package-adapters.d.ts +95 -0
package/dist/operations/services/package-adapters.js +288 -0
package/dist/operations/services/package-reference-policy.d.ts +1 -0
package/dist/operations/services/package-reference-policy.js +15 -2
package/dist/operations/services/project-platform.d.ts +80 -22
package/dist/operations/services/project-platform.js +49 -8
package/dist/operations/services/project-web-monitor.js +26 -4
package/dist/operations/services/railway-api.d.ts +88 -5
package/dist/operations/services/railway-api.js +626 -35
package/dist/operations/services/railway-deploy.d.ts +46 -40
package/dist/operations/services/railway-deploy.js +261 -293
package/dist/operations/services/release-candidate.d.ts +19 -0
package/dist/operations/services/release-candidate.js +375 -38
package/dist/operations/services/repository-save-orchestrator.d.ts +3 -1
package/dist/operations/services/repository-save-orchestrator.js +279 -66
package/dist/operations/services/runtime-tools.d.ts +1 -0
package/dist/operations/services/runtime-tools.js +10 -9
package/dist/operations/services/verification-cache.d.ts +25 -0
package/dist/operations/services/verification-cache.js +71 -0
package/dist/operations/services/workspace-dependency-mode.js +9 -1
package/dist/operations/services/workspace-save.js +1 -1
package/dist/operations/services/workspace-tools.js +2 -1
package/dist/platform/contracts.d.ts +32 -1
package/dist/platform/deploy-config.js +73 -8
package/dist/platform/env.yaml +163 -35
package/dist/platform/environment.d.ts +1 -0
package/dist/platform/environment.js +74 -5
package/dist/platform/plugin.d.ts +9 -0
package/dist/platform-operation-store.js +2 -2
package/dist/platform-operations.js +1 -1
package/dist/reconcile/bootstrap-systems.js +2 -2
package/dist/reconcile/builtin-adapters.js +372 -189
package/dist/reconcile/contracts.d.ts +9 -5
package/dist/reconcile/desired-state.d.ts +1 -0
package/dist/reconcile/desired-state.js +5 -5
package/dist/reconcile/engine.d.ts +5 -2
package/dist/reconcile/engine.js +53 -32
package/dist/reconcile/index.d.ts +2 -0
package/dist/reconcile/index.js +2 -0
package/dist/reconcile/live-acceptance.d.ts +79 -0
package/dist/reconcile/live-acceptance.js +1615 -0
package/dist/reconcile/platform.d.ts +104 -0
package/dist/reconcile/platform.js +100 -0
package/dist/reconcile/state.js +4 -4
package/dist/reconcile/units.js +2 -2
package/dist/scripts/deployment-readiness.js +20 -0
package/dist/scripts/generate-treedx-openapi-types.js +186 -0
package/dist/scripts/operations-runner-smoke.js +16 -0
package/dist/scripts/release-verify.js +4 -1
package/dist/scripts/tenant-workflow-action.js +10 -1
package/dist/sdk-types.d.ts +169 -4
package/dist/sdk-types.js +20 -2
package/dist/sdk.d.ts +35 -24
package/dist/sdk.js +186 -17
package/dist/template-launch-requirements.js +9 -0
package/dist/treedx/adapters.d.ts +6 -0
package/dist/treedx/adapters.js +36 -0
package/dist/treedx/client.d.ts +222 -0
package/dist/treedx/client.js +871 -0
package/dist/treedx/errors.d.ts +13 -0
package/dist/treedx/errors.js +17 -0
package/dist/treedx/federated-client.d.ts +27 -0
package/dist/treedx/federated-client.js +158 -0
package/dist/treedx/generated/openapi-types.d.ts +3558 -0
package/dist/treedx/generated/openapi-types.js +0 -0
package/dist/treedx/graph-adapter.d.ts +33 -0
package/dist/treedx/graph-adapter.js +156 -0
package/dist/treedx/index.d.ts +14 -0
package/dist/treedx/index.js +48 -0
package/dist/treedx/market-integration.d.ts +27 -0
package/dist/treedx/market-integration.js +131 -0
package/dist/treedx/ports.d.ts +166 -0
package/dist/treedx/ports.js +231 -0
package/dist/treedx/query-adapter.d.ts +19 -0
package/dist/treedx/query-adapter.js +62 -0
package/dist/treedx/registry-client.d.ts +11 -0
package/dist/treedx/registry-client.js +19 -0
package/dist/treedx/repository-adapter.d.ts +45 -0
package/dist/treedx/repository-adapter.js +308 -0
package/dist/treedx/sdk-integration.d.ts +27 -0
package/dist/treedx/sdk-integration.js +63 -0
package/dist/treedx/types.d.ts +1084 -0
package/dist/treedx/types.js +8 -0
package/dist/treedx/workspace-adapter.d.ts +27 -0
package/dist/treedx/workspace-adapter.js +65 -0
package/dist/treedx-backends.d.ts +218 -0
package/dist/treedx-backends.js +632 -0
package/dist/treedx-client.d.ts +86 -0
package/dist/treedx-client.js +175 -0
package/dist/treeseed/template-catalog/catalog.fixture.json +23 -23
package/dist/workflow/operations.d.ts +119 -13
package/dist/workflow/operations.js +309 -53
package/dist/workflow-state.d.ts +13 -0
package/dist/workflow-state.js +43 -26
package/dist/workflow-support.d.ts +11 -3
package/dist/workflow-support.js +67 -3
package/dist/workflow.d.ts +5 -0
package/drizzle/market/0004_treedx_market_integration.sql +99 -0
package/package.json +34 -3
package/templates/github/deploy-web.workflow.yml +39 -6

package/dist/operations/services/release-candidate.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 export type ReleaseCandidateStatus = 'passed' | 'failed';
+export type ReleaseCandidateMode = 'hybrid' | 'strict' | 'skip';
 export type ReleaseCandidateFailure = {
     code: string;
     scope: string;
@@ -15,6 +16,14 @@ export type ReleaseCandidateFingerprint = {
     lockfiles: Record<string, string | null>;
     selectedPackages: string[];
 };
+export type ReleaseCandidateTopologyFingerprint = {
+    key: string;
+    policyVersion: string;
+    packageManifests: Record<string, string | null>;
+    lockfiles: Record<string, string | null>;
+    treeseedManifests: Record<string, string | null>;
+    selectedPackages: string[];
+};
 export type ReleaseCandidateCheck = {
     name: string;
     status: 'passed' | 'skipped' | 'failed';
@@ -23,6 +32,9 @@ export type ReleaseCandidateCheck = {
 export type ReleaseCandidateReport = {
     status: ReleaseCandidateStatus;
     fingerprint: ReleaseCandidateFingerprint;
+    mode: ReleaseCandidateMode;
+    reason: string;
+    topology: ReleaseCandidateTopologyFingerprint;
     reused: boolean;
     checkedAt: string;
     failures: ReleaseCandidateFailure[];
@@ -33,9 +45,16 @@ export type ReleaseCandidateInput = {
     plannedVersions: Record<string, unknown>;
     selectedPackageNames?: string[];
     allowReuse?: boolean;
+    mode?: ReleaseCandidateMode;
 };
 export declare function buildReleaseCandidateFingerprint(input: ReleaseCandidateInput): ReleaseCandidateFingerprint;
+export declare function buildReleaseCandidateTopologyFingerprint(input: ReleaseCandidateInput): ReleaseCandidateTopologyFingerprint;
 export declare function readCachedReleaseCandidateReport(root: string, key: string): ReleaseCandidateReport | null;
 export declare function writeReleaseCandidateReport(root: string, report: ReleaseCandidateReport): ReleaseCandidateReport;
 export declare function collectReleaseCandidateOutputFailures(line: string): string[];
+export declare function isRootWebReleaseCandidateEntry(entry: {
+    id: string;
+    group?: string | null;
+    serviceTargets?: unknown;
+}): boolean;
 export declare function runReleaseCandidateGate(input: ReleaseCandidateInput): Promise<ReleaseCandidateReport>;

package/dist/operations/services/release-candidate.js CHANGED Viewed

@@ -6,15 +6,20 @@ import { dirname, join, relative, resolve } from "node:path";
 import { isTreeseedEnvironmentEntryRelevant, isTreeseedEnvironmentEntryRequired } from "../../platform/environment.js";
 import { maybeResolveGitHubRepositorySlug } from "./github-automation.js";
 import { createGitHubApiClient, listGitHubEnvironmentSecretNames, listGitHubEnvironmentVariableNames } from "./github-api.js";
-import { collectInternalDevReferenceIssues, normalizeGitRemoteForManifest } from "./package-reference-policy.js";
+import { resolveGitHubCredentialForRepository } from "./github-credentials.js";
+import { collectInternalDevReferenceIssues, installableInternalDependencyVersions, normalizeGitRemoteForManifest } from "./package-reference-policy.js";
 import { collectTreeseedEnvironmentContext, resolveTreeseedMachineEnvironmentValues, validateTreeseedCommandEnvironment } from "./config-runtime.js";
 import { loadDeployState } from "./deploy.js";
 import { loadCliDeployConfig } from "./runtime-tools.js";
 import { packagesWithScript, run, workspacePackages } from "./workspace-tools.js";
 import { createBuildWarningSummary, formatAllowedBuildWarnings } from "./build-warning-policy.js";
+import { discoverTreeseedPackageAdapters } from "./package-adapters.js";
 const RELEASE_CANDIDATE_CACHE_DIR = ".treeseed/workflow/release-candidates";
-const RELEASE_CANDIDATE_POLICY_VERSION = "strict-output-v1";
+const RELEASE_CANDIDATE_POLICY_VERSION = "package-adapters-v2-hybrid";
+const RELEASE_CANDIDATE_TOPOLOGY_POLICY_VERSION = "topology-v1";
 const STABLE_SEMVER = /^\d+\.\d+\.\d+$/u;
+const INTERNAL_DEPENDENCY_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies", "devDependencies"];
+const TOPOLOGY_SCRIPT_PREFIXES = ["build", "check", "prepare", "prepack", "postpack", "release:", "verify", "sandbox:"];
 const REHEARSAL_IGNORED_SEGMENTS = /* @__PURE__ */ new Set([
   ".git",
   ".treeseed",
@@ -24,6 +29,22 @@ const REHEARSAL_IGNORED_SEGMENTS = /* @__PURE__ */ new Set([
   "dist",
   "node_modules"
 ]);
+const ROOT_WEB_EXCLUDED_DEPLOY_CONFIG_IDS = /* @__PURE__ */ new Set([
+  "DOCKERHUB_TOKEN",
+  "SECRET_KEY_BASE",
+  "TREEDX_JWT_HS256_SECRET",
+  "TREESEED_CREDENTIAL_SESSION_SECRET",
+  "TREESEED_PLATFORM_RUNNER_SECRET"
+]);
+const API_APP_SERVICE_TARGETS = /* @__PURE__ */ new Set([
+  "api",
+  "operationsRunner",
+  "marketOperationsRunner",
+  "publicTreeDxFederation",
+  "publicTreeDxNode",
+  "treedx",
+  "treeDx"
+]);
 function nowIso() {
   return (/* @__PURE__ */ new Date()).toISOString();
 }
@@ -51,6 +72,9 @@ function safePackageJson(filePath) {
     return null;
   }
 }
+function dockerManifestCheckMode() {
+  return process.env.TREESEED_RELEASE_CANDIDATE_DOCKER_MANIFEST_MODE === "check" ? "check" : "skip";
+}
 function writeJsonFile(filePath, value) {
   writeFileSync(filePath, `${JSON.stringify(value, null, 2)}
 `, "utf8");
@@ -62,6 +86,9 @@ function packageScripts(filePath) {
 function releaseCandidateCachePath(root, key) {
   return resolve(root, RELEASE_CANDIDATE_CACHE_DIR, `${key}.json`);
 }
+function releaseCandidateTopologyCachePath(root, key) {
+  return resolve(root, RELEASE_CANDIDATE_CACHE_DIR, `topology-${key}.json`);
+}
 function ensureReleaseCandidateCacheDir(root) {
   const dir = resolve(root, RELEASE_CANDIDATE_CACHE_DIR);
   mkdirSync(dir, { recursive: true });
@@ -75,16 +102,19 @@ function ensureReleaseCandidateCacheDir(root) {
 function buildReleaseCandidateFingerprint(input) {
   const selectedPackages = [...new Set((input.selectedPackageNames ?? []).map(String))].sort();
   const selectedPackageSet = new Set(selectedPackages);
-  const packages = workspacePackages(input.root).filter((pkg) => typeof pkg.name === "string" && pkg.name.startsWith("@treeseed/"));
+  const packages = discoverTreeseedPackageAdapters(input.root).filter((pkg) => selectedPackageSet.size === 0 || selectedPackageSet.has(pkg.id) || selectedPackageSet.has(pkg.name));
   const packageShas = sortedRecord(Object.fromEntries(
-    packages.map((pkg) => [pkg.name, safeGitHead(pkg.dir)])
+    packages.map((pkg) => [pkg.id, safeGitHead(pkg.dir)])
   ));
   const plannedVersions = sortedRecord(Object.fromEntries(
     Object.entries(input.plannedVersions).filter(([name]) => name === "@treeseed/market" || selectedPackageSet.has(name)).map(([name, version]) => [name, String(version)])
   ));
   const lockfiles = sortedRecord({
     "@treeseed/market": fileSha256(resolve(input.root, "package-lock.json")),
-    ...Object.fromEntries(packages.map((pkg) => [pkg.name, fileSha256(resolve(pkg.dir, "package-lock.json"))]))
+    ...Object.fromEntries(packages.map((pkg) => [
+      pkg.id,
+      pkg.kind === "node-typescript" ? fileSha256(resolve(pkg.dir, "package-lock.json")) : fileSha256(resolve(pkg.dir, "Cargo.lock")) ?? fileSha256(resolve(pkg.dir, "mix.lock"))
+    ]))
   });
   const base = {
     policyVersion: RELEASE_CANDIDATE_POLICY_VERSION,
@@ -99,6 +129,123 @@ function buildReleaseCandidateFingerprint(input) {
     key: sha256(JSON.stringify(base))
   };
 }
+function isInternalTreeseedPackageName(name, internalPackageNames) {
+  return internalPackageNames.has(name) || name.startsWith("@treeseed/");
+}
+function normalizeDependencySpecForTopology(name, spec, internalPackageNames) {
+  if (!isInternalTreeseedPackageName(name, internalPackageNames)) return spec;
+  const value = String(spec ?? "").trim();
+  if (!value) return value;
+  if (/^(?:git\+|github:|gitlab:|bitbucket:|ssh:\/\/|https:\/\/|file:)/u.test(value) || /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/u.test(value) || /^workspace:/u.test(value)) {
+    return "<internal-treeseed-reference>";
+  }
+  return value;
+}
+function normalizePackageJsonForTopology(packageJson, internalPackageNames) {
+  const normalized = {};
+  for (const [key, value] of Object.entries(packageJson)) {
+    if (key === "version") continue;
+    if (INTERNAL_DEPENDENCY_FIELDS.includes(key) && value && typeof value === "object" && !Array.isArray(value)) {
+      normalized[key] = sortedRecord(Object.fromEntries(Object.entries(value).map(([dependencyName, spec]) => [dependencyName, normalizeDependencySpecForTopology(dependencyName, spec, internalPackageNames)])));
+      continue;
+    }
+    if (key === "scripts" && value && typeof value === "object" && !Array.isArray(value)) {
+      normalized[key] = sortedRecord(Object.fromEntries(Object.entries(value).filter(([scriptName]) => TOPOLOGY_SCRIPT_PREFIXES.some((prefix) => scriptName === prefix || scriptName.startsWith(prefix))).map(([scriptName, command]) => [scriptName, command])));
+      continue;
+    }
+    if (["name", "type", "private", "workspaces", "main", "module", "exports", "files", "bin", "publishConfig", "repository", "engines", "packageManager"].includes(key)) {
+      normalized[key] = value;
+    }
+  }
+  return sortedRecord(normalized);
+}
+function normalizePackageLockForTopology(lockfile, internalPackageNames) {
+  const packages = lockfile.packages && typeof lockfile.packages === "object" && !Array.isArray(lockfile.packages) ? lockfile.packages : {};
+  const normalizedPackages = {};
+  for (const [path, entry] of Object.entries(packages)) {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry)) continue;
+    const record = entry;
+    const packageName = typeof record.name === "string" ? record.name : path.startsWith("node_modules/") ? path.replace(/^node_modules\//u, "") : null;
+    const normalized = {};
+    for (const key of ["name", "link", "dev", "optional", "peer"]) {
+      if (key in record) normalized[key] = record[key];
+    }
+    for (const field of INTERNAL_DEPENDENCY_FIELDS) {
+      const values = record[field];
+      if (values && typeof values === "object" && !Array.isArray(values)) {
+        normalized[field] = sortedRecord(Object.fromEntries(Object.entries(values).map(([dependencyName, spec]) => [dependencyName, normalizeDependencySpecForTopology(dependencyName, spec, internalPackageNames)])));
+      }
+    }
+    if (packageName && isInternalTreeseedPackageName(packageName, internalPackageNames)) {
+      normalized.version = "<internal-treeseed-reference>";
+      normalized.resolved = "<internal-treeseed-reference>";
+      normalized.integrity = "<internal-treeseed-reference>";
+    } else {
+      for (const key of ["version", "resolved", "integrity", "license"]) {
+        if (key in record) normalized[key] = record[key];
+      }
+    }
+    normalizedPackages[path] = sortedRecord(normalized);
+  }
+  return sortedRecord({
+    name: lockfile.name,
+    lockfileVersion: lockfile.lockfileVersion,
+    requires: lockfile.requires,
+    packages: sortedRecord(normalizedPackages)
+  });
+}
+function topologyJsonHash(value) {
+  return sha256(JSON.stringify(value));
+}
+function topologyPackageHash(packageJsonPath, internalPackageNames) {
+  const packageJson = safePackageJson(packageJsonPath);
+  if (!packageJson) return null;
+  return topologyJsonHash(normalizePackageJsonForTopology(packageJson, internalPackageNames));
+}
+function topologyLockfileHash(lockfilePath, internalPackageNames) {
+  const lockfile = safePackageJson(lockfilePath);
+  if (!lockfile) return null;
+  return topologyJsonHash(normalizePackageLockForTopology(lockfile, internalPackageNames));
+}
+function buildReleaseCandidateTopologyFingerprint(input) {
+  const selectedPackages = [...new Set((input.selectedPackageNames ?? []).map(String))].sort();
+  const selectedPackageSet = new Set(selectedPackages);
+  const packages = discoverTreeseedPackageAdapters(input.root).filter((pkg) => selectedPackageSet.size === 0 || selectedPackageSet.has(pkg.id) || selectedPackageSet.has(pkg.name));
+  const internalPackageNames = /* @__PURE__ */ new Set([
+    "@treeseed/market",
+    ...discoverTreeseedPackageAdapters(input.root).map((pkg) => pkg.name)
+  ]);
+  const packageManifests = sortedRecord({
+    "@treeseed/market": topologyPackageHash(resolve(input.root, "package.json"), internalPackageNames),
+    ...Object.fromEntries(packages.map((pkg) => [pkg.id, topologyPackageHash(resolve(pkg.dir, "package.json"), internalPackageNames)]))
+  });
+  const lockfiles = sortedRecord({
+    "@treeseed/market": topologyLockfileHash(resolve(input.root, "package-lock.json"), internalPackageNames),
+    ...Object.fromEntries(packages.map((pkg) => [
+      pkg.id,
+      pkg.kind === "node-typescript" ? topologyLockfileHash(resolve(pkg.dir, "package-lock.json"), internalPackageNames) : fileSha256(resolve(pkg.dir, "Cargo.lock")) ?? fileSha256(resolve(pkg.dir, "mix.lock"))
+    ]))
+  });
+  const manifestEntries = {
+    "treeseed.site.yaml": fileSha256(resolve(input.root, "treeseed.site.yaml")),
+    "treeseed.package.yaml": fileSha256(resolve(input.root, "treeseed.package.yaml"))
+  };
+  for (const pkg of packages) {
+    manifestEntries[`${pkg.id}:treeseed.package.yaml`] = fileSha256(resolve(pkg.dir, "treeseed.package.yaml"));
+    manifestEntries[`${pkg.id}:treeseed.site.yaml`] = fileSha256(resolve(pkg.dir, "treeseed.site.yaml"));
+  }
+  const base = {
+    policyVersion: RELEASE_CANDIDATE_TOPOLOGY_POLICY_VERSION,
+    packageManifests,
+    lockfiles,
+    treeseedManifests: sortedRecord(manifestEntries),
+    selectedPackages
+  };
+  return {
+    ...base,
+    key: sha256(JSON.stringify(base))
+  };
+}
 function readCachedReleaseCandidateReport(root, key) {
   const cachePath = releaseCandidateCachePath(root, key);
   if (!existsSync(cachePath)) return null;
@@ -112,8 +259,27 @@ function writeReleaseCandidateReport(root, report) {
   ensureReleaseCandidateCacheDir(root);
   writeFileSync(releaseCandidateCachePath(root, report.fingerprint.key), `${JSON.stringify(report, null, 2)}
 `, "utf8");
+  if (report.status === "passed" && report.mode === "strict") {
+    writeFileSync(releaseCandidateTopologyCachePath(root, report.topology.key), `${JSON.stringify({
+      key: report.topology.key,
+      checkedAt: report.checkedAt,
+      fingerprintKey: report.fingerprint.key,
+      mode: report.mode,
+      reason: report.reason
+    }, null, 2)}
+`, "utf8");
+  }
   return report;
 }
+function readStrictTopologyProof(root, key) {
+  const cachePath = releaseCandidateTopologyCachePath(root, key);
+  if (!existsSync(cachePath)) return null;
+  try {
+    return JSON.parse(readFileSync(cachePath, "utf8"));
+  } catch {
+    return null;
+  }
+}
 function addFailure(failures, failure) {
   failures.push({
     ...failure,
@@ -121,53 +287,108 @@ function addFailure(failures, failure) {
     provider: failure.provider ?? null
   });
 }
-function packageReadinessChecks(root, selectedPackageNames, failures) {
+function packageReadinessChecks(root, selectedPackageNames, failures, options = {}) {
   if (selectedPackageNames.length === 0) {
     return { name: "package-release-readiness", status: "skipped", detail: "No packages are selected for this release." };
   }
   const selected = new Set(selectedPackageNames);
-  const packages = workspacePackages(root).filter((pkg) => selected.has(pkg.name));
+  const packages = discoverTreeseedPackageAdapters(root).filter((pkg) => selected.has(pkg.id) || selected.has(pkg.name));
   for (const pkg of packages) {
+    checkPackageAdapterReadiness(pkg, failures, options);
+  }
+  return {
+    name: "package-release-readiness",
+    status: failures.some((failure) => failure.code.startsWith("missing_") || failure.code === "npm_pack_dry_run_failed" || failure.code === "docker_manifest_check_failed") ? "failed" : "passed",
+    detail: `Checked ${packages.length} selected package adapter${packages.length === 1 ? "" : "s"}${options.skipNpmPack ? " without npm pack rehearsal" : ""}: ${packages.map((pkg) => `${pkg.id} (${pkg.kind})`).join(", ") || "none"}.`
+  };
+}
+function checkPackageAdapterReadiness(pkg, failures, options = {}) {
+  if (pkg.kind === "node-typescript") {
     const packageJson = safePackageJson(resolve(pkg.dir, "package.json"));
     const scripts = packageJson?.scripts && typeof packageJson.scripts === "object" && !Array.isArray(packageJson.scripts) ? packageJson.scripts : {};
     if (!existsSync(resolve(pkg.dir, ".github", "workflows", "publish.yml"))) {
       addFailure(failures, {
         code: "missing_publish_workflow",
-        scope: pkg.name,
+        scope: pkg.id,
         provider: "github",
-        message: `${pkg.name} is missing .github/workflows/publish.yml.`
+        message: `${pkg.id} is missing .github/workflows/publish.yml.`
       });
     }
     if (typeof scripts["release:publish"] !== "string") {
       addFailure(failures, {
         code: "missing_publish_script",
-        scope: pkg.name,
-        message: `${pkg.name} is missing a release:publish script.`
+        scope: pkg.id,
+        message: `${pkg.id} is missing a release:publish script.`
       });
     }
-    if (typeof scripts["verify:local"] !== "string" && typeof scripts["verify"] !== "string" && typeof scripts["verify:action"] !== "string") {
+    if (typeof scripts["verify:local"] !== "string" && typeof scripts.verify !== "string" && typeof scripts["verify:action"] !== "string") {
       addFailure(failures, {
         code: "missing_verify_script",
-        scope: pkg.name,
-        message: `${pkg.name} is missing a release-ready verify script.`
+        scope: pkg.id,
+        message: `${pkg.id} is missing a release-ready verify script.`
       });
     }
-    try {
-      run("npm", ["pack", "--dry-run"], { cwd: pkg.dir, capture: true, timeoutMs: 12e4 });
-    } catch (error) {
-      addFailure(failures, {
-        code: "npm_pack_dry_run_failed",
-        scope: pkg.name,
-        message: `${pkg.name} failed npm pack --dry-run.`,
-        details: { error: error instanceof Error ? error.message : String(error) }
-      });
+    if (!options.skipNpmPack) {
+      try {
+        run("npm", ["pack", "--dry-run"], { cwd: pkg.dir, capture: true, timeoutMs: 12e4 });
+      } catch (error) {
+        addFailure(failures, {
+          code: "npm_pack_dry_run_failed",
+          scope: pkg.id,
+          message: `${pkg.id} failed npm pack --dry-run.`,
+          details: { error: error instanceof Error ? error.message : String(error) }
+        });
+      }
+    }
+    return;
+  }
+  if (!pkg.version) {
+    addFailure(failures, {
+      code: "missing_package_version",
+      scope: pkg.id,
+      message: `${pkg.id} is missing a readable BEAM package version.`,
+      details: { versionSource: pkg.versionSource }
+    });
+  }
+  if (pkg.id === "treedx" && !existsSync(resolve(pkg.dir, ".github", "workflows", "dev-image.yml"))) {
+    addFailure(failures, {
+      code: "missing_development_image_workflow",
+      scope: pkg.id,
+      provider: "github",
+      message: `${pkg.id} is missing .github/workflows/dev-image.yml for staging-safe development image publication.`
+    });
+  }
+  if (!pkg.verifyCommands.local) {
+    addFailure(failures, {
+      code: "missing_verify_script",
+      scope: pkg.id,
+      message: `${pkg.id} is missing a BEAM package local verification command.`
+    });
+  }
+  if (!pkg.verifyCommands.release) {
+    addFailure(failures, {
+      code: "missing_release_gate",
+      scope: pkg.id,
+      message: `${pkg.id} is missing a BEAM package release gate command.`
+    });
+  }
+  if (dockerManifestCheckMode() !== "check") return;
+  for (const artifact of pkg.artifacts.filter((entry) => entry.provider === "docker")) {
+    for (const tag of artifact.tags ?? []) {
+      if (tag.includes("<")) continue;
+      try {
+        run("docker", ["manifest", "inspect", `${artifact.name}:${tag}`], { cwd: pkg.dir, capture: true, timeoutMs: 12e4 });
+      } catch (error) {
+        addFailure(failures, {
+          code: "docker_manifest_check_failed",
+          scope: pkg.id,
+          provider: "docker",
+          message: `${pkg.id} Docker artifact is not published: ${artifact.name}:${tag}.`,
+          details: { error: error instanceof Error ? error.message : String(error) }
+        });
+      }
     }
   }
-  return {
-    name: "package-release-readiness",
-    status: failures.some((failure) => failure.code.startsWith("missing_") || failure.code === "npm_pack_dry_run_failed") ? "failed" : "passed",
-    detail: `Checked ${packages.length} selected package${packages.length === 1 ? "" : "s"}.`
-  };
 }
 function copyWorkspaceForProductionRehearsal(root) {
   const tempParent = mkdtempSync(join(tmpdir(), "treeseed-release-candidate-"));
@@ -187,7 +408,8 @@ function applyPlannedStableMetadata(root, plannedVersions) {
   const stableVersions = new Map(
     Object.entries(plannedVersions).filter(([, version]) => STABLE_SEMVER.test(version))
   );
-  const stableGitReferences = stablePackageGitReferences(root, stableVersions);
+  const dependencyVersions = installableInternalDependencyVersions(root, stableVersions);
+  const stableGitReferences = stablePackageGitReferences(root, dependencyVersions);
   const targets = [
     { name: "@treeseed/market", dir: root },
     ...workspacePackages(root).map((pkg) => ({ name: pkg.name, dir: pkg.dir }))
@@ -205,7 +427,7 @@ function applyPlannedStableMetadata(root, plannedVersions) {
     for (const field of ["dependencies", "optionalDependencies", "peerDependencies", "devDependencies"]) {
       const values = packageJson[field];
       if (!values || typeof values !== "object" || Array.isArray(values)) continue;
-      for (const [dependencyName, version] of stableVersions.entries()) {
+      for (const [dependencyName, version] of dependencyVersions.entries()) {
         if (!(dependencyName in values)) continue;
         const dependencySpec = stableGitReferences.get(dependencyName) ?? version;
         if (String(values[dependencyName]) === dependencySpec) continue;
@@ -285,6 +507,15 @@ function runNpmRehearsalCommand(args, options) {
     ].join("\n"));
   }
 }
+function npmRehearsalEnv(extra = {}) {
+  return {
+    ...process.env,
+    npm_config_jobs: process.env.npm_config_jobs ?? "2",
+    npm_config_audit: process.env.npm_config_audit ?? "false",
+    npm_config_fund: process.env.npm_config_fund ?? "false",
+    ...extra
+  };
+}
 function collectReleaseCandidateOutputFailures(line) {
   const value = String(line ?? "").trim();
   if (!value) return [];
@@ -315,17 +546,18 @@ function runProductionDependencyRehearsal(root, plannedVersions, selectedPackage
     const copied = copyWorkspaceForProductionRehearsal(root);
     tempParent = copied.tempParent;
     applyPlannedStableMetadata(copied.tempRoot, plannedVersions);
-    runNpmRehearsalCommand(["install", "--package-lock-only", "--ignore-scripts"], { cwd: copied.tempRoot, timeoutMs: 3e5 });
-    runNpmRehearsalCommand(["ci", "--ignore-scripts"], { cwd: copied.tempRoot, timeoutMs: 6e5 });
+    const npmEnv = npmRehearsalEnv();
+    runNpmRehearsalCommand(["install", "--package-lock-only", "--ignore-scripts", "--no-audit", "--no-fund", "--prefer-offline"], { cwd: copied.tempRoot, timeoutMs: 3e5, env: npmEnv });
+    runNpmRehearsalCommand(["ci", "--ignore-scripts", "--no-audit", "--no-fund", "--prefer-offline"], { cwd: copied.tempRoot, timeoutMs: 6e5, env: npmEnv });
     buildRehearsalWorkspacePackageArtifacts(copied.tempRoot);
     const scriptName = rehearsalVerifyScript(copied.tempRoot);
     if (scriptName) {
       const packageJson = safePackageJson(resolve(copied.tempRoot, "package.json"));
-      const parallelMarketVerify = packageJson?.name === "@treeseed/market" && (scriptName === "verify:direct" || scriptName === "verify:local" || scriptName === "verify");
+      const parallelMarketVerify = process.env.TREESEED_RELEASE_CANDIDATE_MARKET_VERIFY_PARALLEL === "1" && packageJson?.name === "@treeseed/market" && (scriptName === "verify:direct" || scriptName === "verify:local" || scriptName === "verify");
       runNpmRehearsalCommand(["run", scriptName], {
         cwd: copied.tempRoot,
         timeoutMs: 9e5,
-        env: parallelMarketVerify ? { ...process.env, TREESEED_VERIFY_PARALLEL: "1" } : process.env
+        env: parallelMarketVerify ? npmRehearsalEnv({ TREESEED_VERIFY_PARALLEL: "1" }) : npmEnv
       });
     }
     const postInstallIssues = collectInternalDevReferenceIssues(copied.tempRoot, selectedPackageSet);
@@ -400,11 +632,95 @@ function dependencyRehearsalChecks(root, plannedVersions, selectedPackageNames,
     detail: `${devReferenceIssues.length > 0 ? `Rehearsed stable replacements for ${devReferenceIssues.length} internal dev reference${devReferenceIssues.length === 1 ? "" : "s"}.` : "Checked planned stable versions and internal dependency references."} ${rehearsalDetail}`
   };
 }
+function validateInternalGitReferenceTags(root, failures) {
+  const issues = collectInternalDevReferenceIssues(root);
+  let checked = 0;
+  const seen = /* @__PURE__ */ new Set();
+  for (const issue of issues) {
+    const spec = issue.spec;
+    const hashIndex = spec.lastIndexOf("#");
+    if (hashIndex === -1 || !/^(?:git\+|github:|gitlab:|bitbucket:|ssh:\/\/|https:\/\/|file:)/u.test(spec)) continue;
+    const rawRemote = spec.slice(0, hashIndex).replace(/^git\+/u, "");
+    const githubMatch = rawRemote.match(/^github:([^/]+\/[^/]+?)(?:\.git)?$/u);
+    const remote = githubMatch ? `https://github.com/${githubMatch[1]}.git` : rawRemote;
+    const tagName = decodeURIComponent(spec.slice(hashIndex + 1));
+    if (!remote || !tagName) continue;
+    const key = `${remote}#${tagName}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    checked += 1;
+    try {
+      run("git", ["ls-remote", "--exit-code", "--tags", remote, `refs/tags/${tagName}`], { cwd: root, capture: true, timeoutMs: 12e4 });
+    } catch (error) {
+      addFailure(failures, {
+        code: "internal_git_tag_missing",
+        scope: issue.dependencyName ?? issue.repoName,
+        provider: "git",
+        message: `Internal git dependency tag is not reachable: ${issue.dependencyName ?? issue.repoName}#${tagName}.`,
+        details: { spec, remote, tagName, filePath: issue.filePath, error: error instanceof Error ? error.message : String(error) }
+      });
+    }
+  }
+  return checked;
+}
+function lightweightDependencyChecks(root, failures) {
+  const before = failures.length;
+  try {
+    runNpmRehearsalCommand(["install", "--package-lock-only", "--ignore-scripts", "--dry-run", "--workspaces=false", "--no-audit", "--no-fund", "--prefer-offline"], {
+      cwd: root,
+      timeoutMs: 3e5,
+      env: npmRehearsalEnv()
+    });
+  } catch (error) {
+    addFailure(failures, {
+      code: "lockfile_dry_run_failed",
+      scope: "@treeseed/market",
+      message: "Root lockfile dry-run validation failed.",
+      details: { error: error instanceof Error ? error.message : String(error) }
+    });
+  }
+  const checkedTags = validateInternalGitReferenceTags(root, failures);
+  return {
+    name: "hybrid-dependency-readiness",
+    status: failures.length > before ? "failed" : "passed",
+    detail: `Validated root lockfile with npm install --package-lock-only --ignore-scripts --dry-run --workspaces=false and checked ${checkedTags} internal git tag${checkedTags === 1 ? "" : "s"} without temp install rehearsal.`
+  };
+}
+function skippedReleaseCandidateReport(fingerprint, topology) {
+  return {
+    status: "passed",
+    fingerprint,
+    mode: "skip",
+    reason: "Release-candidate checks skipped by explicit request.",
+    topology,
+    reused: false,
+    checkedAt: nowIso(),
+    failures: [],
+    checks: [{
+      name: "release-candidate",
+      status: "skipped",
+      detail: "Skipped by --release-candidate skip or TREESEED_RELEASE_CANDIDATE_MODE=skip."
+    }]
+  };
+}
+function entryServiceTargets(entry) {
+  return Array.isArray(entry.serviceTargets) ? entry.serviceTargets.filter((target) => typeof target === "string") : [];
+}
+function isRootWebReleaseCandidateEntry(entry) {
+  if (ROOT_WEB_EXCLUDED_DEPLOY_CONFIG_IDS.has(entry.id)) return false;
+  const serviceTargets = entryServiceTargets(entry);
+  if (serviceTargets.length > 0 && serviceTargets.every((target) => API_APP_SERVICE_TARGETS.has(target))) {
+    return false;
+  }
+  if (entry.group === "docker") return false;
+  return true;
+}
 function localConfigCheck(root, scope, failures) {
   try {
     const report = validateTreeseedCommandEnvironment({ tenantRoot: root, scope, purpose: "deploy" });
     const problems = [...report.validation.missing, ...report.validation.invalid];
     for (const problem of problems) {
+      if (!isRootWebReleaseCandidateEntry(problem.entry)) continue;
       addFailure(failures, {
         code: "missing_local_config",
         scope,
@@ -437,7 +753,11 @@ async function githubRemoteConfigCheck(root, scope, failures) {
   try {
     const environment = scope === "prod" ? "production" : scope;
     const expected = expectedGitHubDeployEnvironment(root, scope);
-    const client = createGitHubApiClient();
+    const values = resolveTreeseedMachineEnvironmentValues(root, scope);
+    const credential = resolveGitHubCredentialForRepository(repository, { values, env: process.env });
+    const client = createGitHubApiClient({
+      env: credential.token ? { GH_TOKEN: credential.token, GITHUB_TOKEN: credential.token } : process.env
+    });
     const [secretNames, variableNames] = await Promise.all([
       listGitHubEnvironmentSecretNames(repository, environment, { client }),
       listGitHubEnvironmentVariableNames(repository, environment, { client })
@@ -476,6 +796,7 @@ function expectedGitHubDeployEnvironment(root, scope) {
   const registry = collectTreeseedEnvironmentContext(root);
   const values = resolveTreeseedMachineEnvironmentValues(root, scope);
   const expectedEntries = registry.entries.filter((entry) => {
+    if (!isRootWebReleaseCandidateEntry(entry)) return false;
     if (!isTreeseedEnvironmentEntryRelevant(entry, registry.context, scope, "deploy")) return false;
     if (isTreeseedEnvironmentEntryRequired(entry, registry.context, scope, "deploy")) return true;
     return typeof values[entry.id] === "string" && values[entry.id].trim().length > 0;
@@ -572,33 +893,47 @@ function migrationCompatibilityChecks(root, failures) {
   return {
     name: "migration-compatibility",
     status: missing.length > 0 ? "failed" : "passed",
-    detail: "Checked required Drizzle migration artifacts for Market PostgreSQL and SDK D1."
+    detail: "Checked required Drizzle migration artifacts for Treeseed PostgreSQL and SDK D1."
   };
 }
 async function runReleaseCandidateGate(input) {
   const fingerprint = buildReleaseCandidateFingerprint(input);
+  const topology = buildReleaseCandidateTopologyFingerprint(input);
+  const requestedMode = input.mode ?? "strict";
   if (input.allowReuse !== false) {
     const cached = readCachedReleaseCandidateReport(input.root, fingerprint.key);
     if (cached?.status === "passed") {
       return {
         ...cached,
+        mode: cached.mode ?? "strict",
+        reason: cached.reason ?? "Reused cached release-candidate report.",
+        topology: cached.topology ?? topology,
         reused: true
       };
     }
   }
+  if (requestedMode === "skip") {
+    return skippedReleaseCandidateReport(fingerprint, topology);
+  }
   const selectedPackageNames = [...new Set((input.selectedPackageNames ?? []).map(String))].sort();
   const plannedVersions = Object.fromEntries(
     Object.entries(input.plannedVersions).map(([name, version]) => [name, String(version)])
   );
+  const strictTopologyProof = readStrictTopologyProof(input.root, topology.key);
+  const effectiveMode = requestedMode;
+  const reason = requestedMode === "hybrid" ? strictTopologyProof ? `Hybrid release-candidate selected; strict rehearsal skipped because topology ${topology.key.slice(0, 12)} was already proven.` : `Hybrid release-candidate selected; lightweight checks used because strict topology proof is reserved for promotion lanes.` : "Strict release-candidate selected.";
   const failures = [];
   const checks = [];
-  checks.push(dependencyRehearsalChecks(input.root, plannedVersions, selectedPackageNames, failures));
-  checks.push(packageReadinessChecks(input.root, selectedPackageNames, failures));
+  checks.push(effectiveMode === "hybrid" ? lightweightDependencyChecks(input.root, failures) : dependencyRehearsalChecks(input.root, plannedVersions, selectedPackageNames, failures));
+  checks.push(packageReadinessChecks(input.root, selectedPackageNames, failures, { skipNpmPack: effectiveMode === "hybrid" }));
   checks.push(await configParityChecks(input.root, failures));
   checks.push(migrationCompatibilityChecks(input.root, failures));
   const report = {
     status: failures.length === 0 ? "passed" : "failed",
     fingerprint,
+    mode: effectiveMode,
+    reason,
+    topology,
     reused: false,
     checkedAt: nowIso(),
     failures,
@@ -609,7 +944,9 @@ async function runReleaseCandidateGate(input) {
 }
 export {
   buildReleaseCandidateFingerprint,
+  buildReleaseCandidateTopologyFingerprint,
   collectReleaseCandidateOutputFailures,
+  isRootWebReleaseCandidateEntry,
   readCachedReleaseCandidateReport,
   runReleaseCandidateGate,
   writeReleaseCandidateReport