@treeseed/sdk 0.10.28 → 0.11.0

package/dist/workflow/operations.js

@@ -18,6 +18,7 @@ import {
   inspectTreeseedKeyAgentStatus,
   loadTreeseedMachineConfig,
   resolveTreeseedLaunchEnvironment,
+  resolveTreeseedMachineEnvironmentValues,
   resolveTreeseedRemoteSession,
   rotateTreeseedMachineKey,
   setTreeseedRemoteSession,
@@ -69,6 +70,7 @@ import {
   syncBranchWithOrigin
 } from "../operations/services/git-workflow.js";
 import { resolveGitHubRepositorySlug } from "../operations/services/github-automation.js";
+import { resolveGitHubCredentialForRepository } from "../operations/services/github-credentials.js";
 import { dispatchGitHubWorkflowRun } from "../operations/services/github-api.js";
 import {
   formatGitHubActionsGateFailure,
@@ -106,12 +108,14 @@ import {
   repositorySaveErrorDetails,
   runRepositorySaveOrchestrator
 } from "../operations/services/repository-save-orchestrator.js";
+import { discoverTreeseedPackageAdapters } from "../operations/services/package-adapters.js";
 import {
   assertNoInternalDevReferences,
   cleanupStaleTreeseedDevTags,
   collectTreeseedDevTagCleanupPlan,
   collectInternalDevReferenceIssues,
   devTagFromDependencySpec,
+  installableInternalDependencyVersions,
   normalizeGitRemoteForManifest,
   rewriteProjectInternalDependenciesToStableVersions
 } from "../operations/services/package-reference-policy.js";
@@ -130,6 +134,10 @@ import {
   workspaceRoot
 } from "../operations/services/workspace-tools.js";
 import { runTreeseedHostingAudit } from "../operations/services/hosting-audit.js";
+import { collectTreeseedHostedServiceChecks } from "../operations/services/hosted-service-checks.js";
+import { collectTreeseedDeploymentReadiness } from "../operations/services/deployment-readiness.js";
+import { collectTreeseedLiveHostedServiceChecks } from "../operations/services/live-hosted-service-checks.js";
+import { discoverTreeseedApplications } from "../hosting/apps.js";
 import { resolveTreeseedWorkflowState } from "../workflow-state.js";
 import { createTreeseedReconcileRegistry, deriveTreeseedDesiredUnits, filterTreeseedDesiredUnitsByBootstrapSystems, planTreeseedReconciliation, resolveTreeseedBootstrapSelection, reconcileTreeseedTarget } from "../reconcile/index.js";
 import {
@@ -214,8 +222,10 @@ function readPackageScript(root, packageDir, scriptName) {
 function ensureWorkflowWorkspacePackageArtifacts(root, helpers) {
   const packages = [
     { name: "@treeseed/sdk", dir: "packages/sdk", artifacts: ["dist/workflow-support.js", "dist/plugin-default.js", "dist/platform/env.yaml"] },
+    { name: "@treeseed/ui", dir: "packages/ui", artifacts: ["dist/index.js"] },
     { name: "@treeseed/agent", dir: "packages/agent", artifacts: ["dist/api/index.js", "dist/services/worker.js"] },
     { name: "@treeseed/core", dir: "packages/core", artifacts: ["dist/plugin-default.js"] },
+    { name: "@treeseed/admin", dir: "packages/admin", artifacts: ["dist/plugin.js"] },
     { name: "@treeseed/cli", dir: "packages/cli", artifacts: ["dist/cli/main.js"] }
   ];
   for (const entry of packages) {
@@ -307,9 +317,14 @@ function normalizeCiMode(mode, operation) {
   if (mode === "hosted" || mode === "off") return mode;
   return operation === "save" ? "off" : "hosted";
 }
-function normalizeSaveCiMode(mode, branch) {
+function normalizeSaveLane(lane) {
+  const value = lane ?? process.env.TREESEED_SAVE_LANE;
+  return value === "promotion" ? "promotion" : "fast";
+}
+function normalizeSaveCiMode(mode, branch, lane = "fast") {
   if (mode === "hosted" || mode === "off") return mode;
-  return branch === STAGING_BRANCH ? "hosted" : "off";
+  if (lane === "promotion") return branch === STAGING_BRANCH ? "hosted" : "off";
+  return "off";
 }
 function normalizeSaveVerifyMode(mode) {
   switch (mode) {
@@ -329,8 +344,16 @@ function normalizeSaveVerifyMode(mode) {
       return "skip";
   }
 }
-function shouldUseHostedSaveCi(input, branch) {
-  return normalizeSaveCiMode(input.ciMode, branch) === "hosted" || input.verifyMode === "hosted" || input.verifyMode === "both" || input.verifyDeployedResources === true;
+function normalizeReleaseCandidateMode(mode, operation, lane = "fast") {
+  const value = mode ?? process.env.TREESEED_RELEASE_CANDIDATE_MODE;
+  if (value === "hybrid" || value === "strict" || value === "skip") {
+    return value;
+  }
+  if (operation === "save" && lane === "promotion") return "strict";
+  return operation === "save" ? "hybrid" : "strict";
+}
+function shouldUseHostedSaveCi(input, branch, lane = normalizeSaveLane(input.lane)) {
+  return normalizeSaveCiMode(input.ciMode, branch, lane) === "hosted" || input.verifyMode === "hosted" || input.verifyMode === "both" || input.verifyDeployedResources === true;
 }
 function worktreePayload(root, requestedMode) {
   const metadata = managedWorkflowWorktreeMetadata(root);
@@ -412,6 +435,7 @@ async function waitForWorkflowGates(operation, gates, ciMode, options = {}) {
     }
     const result = await waitForGitHubActionsGate(gate, {
       operation,
+      env: githubWorkflowGateEnv(options.root, gate),
       onProgress: options.onProgress
     });
     const normalized = {
@@ -435,6 +459,23 @@ async function waitForWorkflowGates(operation, gates, ciMode, options = {}) {
   }
   return results;
 }
+function githubWorkflowGateEnv(root, gate) {
+  if (!root) return process.env;
+  try {
+    const repository = gate.repository ?? resolveGitHubRepositorySlug(gate.repoPath);
+    const scope = gate.branch === PRODUCTION_BRANCH ? "prod" : "staging";
+    const values = resolveTreeseedMachineEnvironmentValues(root, scope);
+    const credential = resolveGitHubCredentialForRepository(repository, { values, env: process.env });
+    if (!credential.token) return process.env;
+    return {
+      ...process.env,
+      GH_TOKEN: credential.token,
+      GITHUB_TOKEN: credential.token
+    };
+  } catch {
+    return process.env;
+  }
+}
 const HOSTED_DEPLOY_GATE_TIMEOUT_SECONDS = 45 * 60;
 function hostedDeployGate(gate) {
   return {
@@ -642,24 +683,134 @@ function buildWorkflowResult(operation, cwd, payload, options = {}) {
     errors: options.errors ?? []
   };
 }
-async function runReadOnlyHostingAuditForWorkflow(operation, root, helpers, environment, options = { enabled: true }) {
-  if (!options.enabled) {
-    return null;
+function parseGitStatusChangedPaths(status) {
+  return status.split("\n").map((line) => line.trimEnd()).filter(Boolean).map((line) => {
+    const value = line.slice(3).trim();
+    return value.includes(" -> ") ? value.split(" -> ").at(-1).trim() : value;
+  }).filter(Boolean);
+}
+function availableWorkflowAppIds(root) {
+  try {
+    const ids = discoverTreeseedApplications(root).map((app) => app.id);
+    return ids.length > 0 ? ids : ["web"];
+  } catch {
+    return ["web"];
+  }
+}
+function selectWorkflowApplications(root, input = {}) {
+  const available = availableWorkflowAppIds(root);
+  const availableSet = new Set(available);
+  const selected = /* @__PURE__ */ new Set();
+  const reasons = [];
+  const add = (appId, reason) => {
+    if (!availableSet.has(appId)) return;
+    selected.add(appId);
+    reasons.push({ appId, reason });
+  };
+  const packages = [
+    ...input.packageSelection?.selected ?? [],
+    ...input.packageSelection?.changed ?? [],
+    ...input.packageSelection?.dependents ?? []
+  ];
+  const appByPackage = new Map(discoverTreeseedApplications(root).filter((app) => app.relativeRoot.startsWith("packages/")).map((app) => [`@treeseed/${app.relativeRoot.slice("packages/".length).split("/")[0]}`, app.id]));
+  for (const packageName of packages) {
+    if (packageName === "@treeseed/api" || packageName === "@treeseed/treedx" || packageName === "@treeseed/agent") {
+      add("api", `${packageName} changed`);
+    } else if (packageName === "@treeseed/core" || packageName === "@treeseed/ui" || packageName === "@treeseed/admin") {
+      add("web", `${packageName} changed`);
+    } else if (packageName === "@treeseed/sdk" || packageName === "@treeseed/cli") {
+      add("web", `${packageName} is shared`);
+      add("api", `${packageName} is shared`);
+    }
+    const packageAppId = appByPackage.get(packageName);
+    if (packageAppId) add(packageAppId, `${packageName} owns ${packageAppId}`);
+  }
+  const changedPaths = input.changedPaths ?? parseGitStatusChangedPaths(gitStatusPorcelain(root));
+  const appByPackagePath = new Map(discoverTreeseedApplications(root).filter((app) => app.relativeRoot.startsWith("packages/")).map((app) => [app.relativeRoot, app.id]));
+  for (const file of changedPaths) {
+    if (file.startsWith("packages/api/") || file === "packages/api") {
+      add("api", `${file} is API-owned`);
+    } else if (file.startsWith("packages/treedx/") || file === "packages/treedx") {
+      add("api", `${file} is TreeDX implementation`);
+    } else if (file.startsWith("packages/core/") || file.startsWith("packages/ui/") || file.startsWith("packages/admin/") || file.startsWith("src/") || file.startsWith("content/") || file.startsWith("public/") || file === "treeseed.site.yaml") {
+      add("web", `${file} is web-owned`);
+    } else if (file.startsWith("packages/sdk/") || file.startsWith("packages/cli/") || file === "package.json" || file === "package-lock.json" || file.startsWith(".github/")) {
+      add("web", `${file} is shared workflow/config`);
+      add("api", `${file} is shared workflow/config`);
+    }
+    for (const [packageRoot, appId] of appByPackagePath) {
+      if (file === packageRoot || file.startsWith(`${packageRoot}/`)) {
+        add(appId, `${file} is ${appId}-owned`);
+      }
+    }
+  }
+  const source = packages.length > 0 ? "package-selection" : changedPaths.length > 0 ? "changed-paths" : "default";
+  const finalSelected = selected.size > 0 ? available.filter((appId) => selected.has(appId)) : available;
+  return {
+    selected: finalSelected,
+    skipped: available.filter((appId) => !finalSelected.includes(appId)).map((appId) => ({ appId, reason: "No changed files or selected packages target this application." })),
+    reasons,
+    source
+  };
+}
+function singleSelectedWorkflowAppId(selection) {
+  return selection.selected.length === 1 ? selection.selected[0] : void 0;
+}
+async function runWorkflowHostedResourceVerification(operation, root, helpers, environment, options = { enabled: true }) {
+  if (!options.enabled) return null;
+  const target = environment === "prod" ? "prod" : environment === "local" ? "local" : "staging";
+  const readiness = collectTreeseedDeploymentReadiness({
+    tenantRoot: root,
+    environment: target,
+    appId: options.appId
+  });
+  if (options.strict && !readiness.ok) {
+    const failures = readiness.checks.filter((check) => check.status === "failed").map((check) => `${check.id}: ${check.message}${check.remediation ? ` Remediation: ${check.remediation}` : ""}`);
+    workflowError(operation, "validation_failed", `Deployment readiness failed for ${target}:
+${failures.join("\n")}`, {
+      details: { readiness }
+    });
   }
-  helpers.write(`[workflow][hosting-audit] Running read-only hosting audit for ${environment}.`);
-  const report = await runTreeseedHostingAudit({
+  const hostingAudit = await runTreeseedHostingAudit({
     tenantRoot: root,
     environment,
     repair: false,
+    hostKinds: options.appId === "api" ? ["repository"] : void 0,
     env: helpers.context.env,
     write: (line) => helpers.write(line)
   });
-  if (options.strict && !report.ok) {
-    workflowError(operation, "validation_failed", `Hosting audit failed for ${report.environment}: ${report.blockers.join("\n")}`, {
-      details: { hostingAudit: report }
+  const hostedServices = options.live ? await collectTreeseedLiveHostedServiceChecks({
+    tenantRoot: root,
+    target,
+    strict: options.strict === true,
+    requireLiveRailway: options.strict === true,
+    requireLiveHttp: options.strict === true,
+    appId: options.appId,
+    retry: { attempts: 12, intervalMs: 1e4 },
+    env: helpers.context.env
+  }) : collectTreeseedHostedServiceChecks({
+    tenantRoot: root,
+    target,
+    appId: options.appId
+  });
+  if (options.strict && !hostingAudit.ok) {
+    workflowError(operation, "validation_failed", `Hosting audit failed for ${hostingAudit.environment}: ${hostingAudit.blockers.join("\n")}`, {
+      details: { hostingAudit, hostedServices, readiness }
     });
   }
-  return report;
+  if (options.strict && hostedServices.summary.failed > 0) {
+    const failures = hostedServices.checks.filter((check) => check.status === "failed").map((check) => `${check.id}: ${check.issues.join("; ") || check.description}${check.remediation ? ` Remediation: ${check.remediation}` : ""}`);
+    workflowError(operation, "validation_failed", `Hosted service checks failed for ${hostedServices.target}:
+${failures.join("\n")}`, {
+      details: { hostingAudit, hostedServices, readiness }
+    });
+  }
+  return {
+    hostingAudit,
+    hostedServices,
+    readiness,
+    live: options.live === true
+  };
 }
 function normalizeExecutionMode(input) {
   return input?.plan === true || input?.dryRun === true ? "plan" : "execute";
@@ -710,7 +861,8 @@ function writeJsonFile(path, value) {
 `, "utf8");
 }
 function applyStableWorkspaceVersionChanges(root, versions) {
-  const stableGitReferences = stablePackageGitReferences(root, versions);
+  const dependencyVersions = installableInternalDependencyVersions(root, versions);
+  const stableGitReferences = stablePackageGitReferences(root, dependencyVersions);
   for (const target of [{ name: "@treeseed/market", dir: root }, ...workspacePackages(root).map((pkg) => ({ name: pkg.name, dir: pkg.dir }))]) {
     const packageJsonPath = resolve(target.dir, "package.json");
     if (!existsSync(packageJsonPath)) continue;
@@ -724,7 +876,7 @@ function applyStableWorkspaceVersionChanges(root, versions) {
     for (const field of ["dependencies", "optionalDependencies", "peerDependencies", "devDependencies"]) {
       const values = packageJson[field];
       if (!values || typeof values !== "object" || Array.isArray(values)) continue;
-      for (const [dependencyName, version] of versions.entries()) {
+      for (const [dependencyName, version] of dependencyVersions.entries()) {
         if (!(dependencyName in values)) continue;
         const dependencySpec = stableGitReferences.get(dependencyName) ?? version;
         if (String(values[dependencyName]) === dependencySpec) continue;
@@ -1064,7 +1216,7 @@ async function connectTreeseedMarketProject(helpers, tenantRoot, input, context)
       principal: activeRemoteSession?.principal ?? null
     });
   }
-  const runnerHostId = `market-runner:${projectId}`;
+  const runnerHostId = `operations-runner:${projectId}`;
   if (connectionResult.runnerToken) {
     setTreeseedRemoteSession(tenantRoot, {
       hostId: runnerHostId,
@@ -1182,14 +1334,34 @@ function findAutoResumableSaveRun(root, branch) {
   }
   return listInterruptedWorkflowRuns(root).find((journal) => journal.command === "save" && journal.resumable && journal.session.branchName === branch) ?? null;
 }
-function gatesForSavedPackageReports(reports) {
-  return reports.filter((repo) => repo.pushed && repo.commitSha && repo.branch).map((repo) => ({
-    name: repo.name,
-    repoPath: repo.path,
-    workflow: "verify.yml",
-    branch: String(repo.branch),
-    headSha: String(repo.commitSha)
-  }));
+function workflowFileExists(repoPath, workflow) {
+  return existsSync(resolve(repoPath, ".github", "workflows", workflow));
+}
+function hostedWorkflowForSavedRepository(root, repo) {
+  const adapterByPath = new Map(discoverTreeseedPackageAdapters(root).map((adapter) => [resolve(adapter.dir), adapter]));
+  const adapterWorkflow = packageHostedVerifyWorkflow(adapterByPath.get(resolve(repo.path)));
+  if (adapterWorkflow) return adapterWorkflow;
+  if (repo.branch === STAGING_BRANCH && existsSync(resolve(repo.path, "treeseed.site.yaml")) && workflowFileExists(repo.path, "deploy.yml")) {
+    return "deploy.yml";
+  }
+  return "verify.yml";
+}
+function gatesForSavedRepositoryReports(root, reports) {
+  return reports.filter((repo) => repo.pushed && repo.commitSha && repo.branch && (repo.committed || repo.tagName)).map((repo) => {
+    const workflow = hostedWorkflowForSavedRepository(root, repo);
+    const gate = {
+      name: repo.name,
+      repoPath: repo.path,
+      workflow,
+      branch: String(repo.branch),
+      headSha: String(repo.commitSha)
+    };
+    return /^deploy(?:[-.]|$)/u.test(workflow) ? hostedDeployGate(gate) : gate;
+  });
+}
+function packageHostedVerifyWorkflow(adapter) {
+  const workflow = adapter?.metadata?.hostedVerifyWorkflow;
+  return typeof workflow === "string" && workflow.trim() ? workflow.trim().replace(/^\.github\/workflows\//u, "") : null;
 }
 function gateForSavedRootReport(report, branch, scope) {
   if (!branch || scope === "local" || !report.pushed || !report.commitSha) {
@@ -1779,13 +1951,15 @@ async function runReleaseCandidateForPlan(operation, root, plannedRelease, optio
     root,
     plannedVersions: { ...stableDependencyVersions, ...plannedVersions },
     selectedPackageNames: packageSelection.selected,
-    allowReuse: options.allowReuse
+    allowReuse: options.allowReuse,
+    mode: options.mode ?? normalizeReleaseCandidateMode(void 0, operation)
   });
   assertReleaseCandidatePassed(operation, report);
   return report;
 }
 function buildReleasePlanSnapshot(input) {
   const selectedPackageNames = new Set(input.packageSelection.selected);
+  const applicationSelection = selectWorkflowApplications(input.root, { packageSelection: input.packageSelection });
   const versionPlan = planWorkspaceReleaseBump(input.level, input.root, input.mode === "recursive-workspace" ? { selectedPackageNames, repairVersionLine: input.repairVersionLine === true, targetVersionLine: input.targetVersionLine } : {});
   const plannedSelected = [...versionPlan.selected].filter((name) => versionPlan.versions.has(name));
   const plannedChanged = input.repairVersionLine === true ? plannedSelected : Array.from(new Set(input.packageSelection.changed.filter((name) => plannedSelected.includes(name))));
@@ -1821,6 +1995,7 @@ function buildReleasePlanSnapshot(input) {
     packageSelection: plannedPackageSelection,
     plannedVersions,
     stableDependencyVersions,
+    applicationSelection,
     plannedDevReferenceRewrites,
     plannedPublishWaits: plannedPackageSelection.selected.map((name) => ({
       name,
@@ -2554,6 +2729,7 @@ async function workflowConfig(helpers, input = {}) {
         sync,
         env: helpers.context.env,
         checkConnections: bootstrapOnly || sync !== "none" || scopes.some((scope) => scope !== "local"),
+        initializePersistent: bootstrapOnly,
         systems: bootstrapSystemsInput,
         skipUnavailable,
         bootstrapExecution,
@@ -2916,6 +3092,9 @@ async function workflowSave(helpers, input) {
       const planAutoResumeRun = executionMode === "plan" ? findAutoResumableSaveRun(root, branch) : null;
       const effectiveInput = autoResumeRun ? autoResumeRun.input : input;
       const message = String(effectiveInput.message ?? "").trim();
+      const saveLane = normalizeSaveLane(effectiveInput.lane);
+      const saveCiMode = normalizeSaveCiMode(effectiveInput.ciMode, branch, saveLane);
+      const releaseCandidateMode = normalizeReleaseCandidateMode(effectiveInput.releaseCandidate, "save", saveLane);
       const optionsHotfix = effectiveInput.hotfix === true;
       const previewInitialized = branchPreviewInitialized(root, branch);
       applyTreeseedEnvironmentToProcess({ tenantRoot: root, scope, override: true });
@@ -2948,6 +3127,7 @@ async function workflowSave(helpers, input) {
           verifyMode: normalizeSaveVerifyMode(effectiveInput.verify === false ? "skip" : effectiveInput.verifyMode),
           commitMessageMode: effectiveInput.commitMessageMode ?? "auto"
         });
+        const applicationSelection = selectWorkflowApplications(root);
         const workspaceLinks = inspectWorkspaceDependencyMode(root, { mode: effectiveInput.workspaceLinks ?? "auto", env: helpers.context.env });
         return buildWorkflowResult(
           "save",
@@ -2967,8 +3147,11 @@ async function workflowSave(helpers, input) {
               failure: planAutoResumeRun.failure
             } : null,
             workspaceLinks,
-            ciMode: normalizeSaveCiMode(effectiveInput.ciMode, branch),
+            ciMode: saveCiMode,
+            lane: saveLane,
             verifyMode: effectiveInput.verifyMode ?? "fast",
+            releaseCandidateMode,
+            applicationSelection,
             ...worktreePayload(root, effectiveInput.worktreeMode),
             repositoryPlan,
             waves: repositoryPlan.waves,
@@ -2977,8 +3160,8 @@ async function workflowSave(helpers, input) {
               { id: "workspace-unlink", description: "Remove local workspace links before deployment install and lockfile updates" },
               ...repositoryPlan.plannedSteps,
               { id: "lockfile-validation", description: "Validate refreshed package-lock.json files before any save commit is pushed" },
-              ...shouldUseHostedSaveCi(effectiveInput, branch) ? [{ id: "hosted-ci", description: `Wait for hosted save workflows on ${branch}` }] : [],
-              ...branch === STAGING_BRANCH ? [{ id: "release-candidate", description: "Run release-candidate readiness checks for the saved staging state" }] : [],
+              ...shouldUseHostedSaveCi(effectiveInput, branch, saveLane) ? [{ id: "hosted-ci", description: `Wait for hosted save workflows on ${branch}` }] : [],
+              ...branch === STAGING_BRANCH ? [{ id: "release-candidate", description: `Run ${releaseCandidateMode} release-candidate readiness checks for the saved staging state` }] : [],
               { id: "workspace-link", description: "Restore local workspace links after save" },
               ...beforeState.branchRole === "feature" && (effectiveInput.preview === true || previewInitialized) ? [{ id: "preview", description: `Refresh preview deployment for ${branch}` }] : []
             ]
@@ -3014,10 +3197,12 @@ async function workflowSave(helpers, input) {
           gitDependencyProtocol: effectiveInput.gitDependencyProtocol ?? "preserve-origin",
           gitRemoteWriteMode: effectiveInput.gitRemoteWriteMode ?? "ssh-pushurl",
           verifyMode: effectiveInput.verifyMode ?? (effectiveInput.verify === false ? "skip" : "fast"),
-          ciMode: effectiveInput.ciMode ?? (branch === STAGING_BRANCH ? "hosted" : "auto"),
+          ciMode: saveCiMode,
+          lane: saveLane,
           worktreeMode: effectiveInput.worktreeMode ?? "auto",
           commitMessageMode: effectiveInput.commitMessageMode ?? "auto",
           workspaceLinks: effectiveInput.workspaceLinks ?? "auto",
+          releaseCandidate: releaseCandidateMode,
           verifyDeployedResources: effectiveInput.verifyDeployedResources === true
         },
         [
@@ -3029,7 +3214,7 @@ async function workflowSave(helpers, input) {
             branch,
             resumable: true
           },
-          ...shouldUseHostedSaveCi(effectiveInput, branch) ? [{
+          ...shouldUseHostedSaveCi(effectiveInput, branch, saveLane) ? [{
             id: "hosted-ci",
             description: `Wait for hosted save workflows on ${branch}`,
             repoName: rootRepo.name,
@@ -3085,19 +3270,19 @@ async function workflowSave(helpers, input) {
               commitMessageMode: effectiveInput.commitMessageMode ?? "auto",
               workflowRunId: workflowRun.runId,
               onProgress: (line, stream) => helpers.write(line, stream),
-              onWaveSaved: branch === STAGING_BRANCH && shouldUseHostedSaveCi(effectiveInput, branch) ? async ({ nodes, reports, rootRepo: waveRootRepo }) => {
-                const packageReportsForWave = reports.filter((repo, index) => nodes[index]?.kind === "package");
-                const rootReportForWave = nodes.some((node) => node.kind === "project") ? waveRootRepo : null;
+              onWaveSaved: branch === STAGING_BRANCH && shouldUseHostedSaveCi(effectiveInput, branch, saveLane) ? async ({ nodes, reports, rootRepo: waveRootRepo }) => {
+                const nonRootReportsForWave = reports.filter((repo, index) => nodes[index]?.id !== ".");
+                const rootReportForWave = nodes.some((node) => node.id === ".") ? waveRootRepo : null;
                 const gates = [
-                  ...gatesForSavedPackageReports(packageReportsForWave),
+                  ...gatesForSavedRepositoryReports(root, nonRootReportsForWave),
                   ...rootReportForWave ? gateForSavedRootReport(rootReportForWave, branch, scope) : []
                 ];
                 if (gates.length === 0) {
                   return [];
                 }
-                const packageNames = packageReportsForWave.map((repo) => repo.name).join(", ");
-                if (packageNames) {
-                  helpers.write(`[save][workflow] Waiting for hosted package gates before saving dependents: ${packageNames}.`);
+                const repositoryNames = gates.map((gate) => gate.name).join(", ");
+                if (nonRootReportsForWave.length > 0) {
+                  helpers.write(`[save][workflow] Waiting for hosted repository gates before saving dependents: ${repositoryNames}.`);
                 } else if (rootReportForWave) {
                   helpers.write("[save][workflow] Waiting for hosted market deploy gate.");
                 }
@@ -3131,7 +3316,7 @@ async function workflowSave(helpers, input) {
             lockfileValidation: repo.lockfileValidation
           }))
         };
-        const saveWorkflowGates = shouldUseHostedSaveCi(effectiveInput, branch) ? await executeJournalStep(root, workflowRun.runId, "hosted-ci", async () => {
+        const saveWorkflowGates = shouldUseHostedSaveCi(effectiveInput, branch, saveLane) ? await executeJournalStep(root, workflowRun.runId, "hosted-ci", async () => {
           if (branch === STAGING_BRANCH) {
             const workflowGates = saveResult?.workflowGates ?? [];
             if (effectiveInput.verifyDeployedResources !== true || scope === "local" || !savedRootRepo.commitSha) {
@@ -3200,7 +3385,7 @@ async function workflowSave(helpers, input) {
           }).then((workflowGates) => ({ workflowGates }));
         }) : { workflowGates: [] };
         const releaseCandidate = branch === STAGING_BRANCH ? await executeJournalStep(root, workflowRun.runId, "release-candidate", () => {
-          helpers.write("[save][workflow] Running staging release-candidate readiness checks.");
+          helpers.write(`[save][workflow] Running staging release-candidate readiness checks (${releaseCandidateMode}).`);
           const releaseSession = resolveTreeseedWorkflowSession(root);
           const stagingReleasePlan = buildReleasePlanSnapshot({
             root,
@@ -3211,7 +3396,7 @@ async function workflowSave(helpers, input) {
             rootRepo: savedRootRepo,
             blockers: []
           });
-          return runReleaseCandidateForPlan("save", root, stagingReleasePlan);
+          return runReleaseCandidateForPlan("save", root, stagingReleasePlan, { mode: releaseCandidateMode });
         }) : null;
         let previewAction = { status: "skipped" };
         if (beforeState.branchRole === "feature" && branch) {
@@ -3227,12 +3412,22 @@ async function workflowSave(helpers, input) {
             };
           }
         }
-        const hostingAudit = await runReadOnlyHostingAuditForWorkflow(
+        const applicationSelection = selectWorkflowApplications(root, {
+          packageSelection: {
+            selected: savedPackageReports.map((report) => report.name)
+          }
+        });
+        const hostingAudit = await runWorkflowHostedResourceVerification(
           "save",
           root,
           helpers,
           scope === "prod" ? "prod" : scope === "local" ? "local" : "staging",
-          { enabled: effectiveInput.verifyDeployedResources === true, strict: true }
+          {
+            enabled: effectiveInput.verifyDeployedResources === true,
+            strict: true,
+            live: effectiveInput.verifyDeployedResources === true,
+            appId: singleSelectedWorkflowAppId(applicationSelection)
+          }
         );
         const payload = {
           mode: saveResult?.mode ?? mode,
@@ -3257,8 +3452,11 @@ async function workflowSave(helpers, input) {
           workspaceLinks,
           commandReadiness,
           lockfileValidation,
-          ciMode: normalizeSaveCiMode(effectiveInput.ciMode, branch),
+          ciMode: saveCiMode,
+          lane: saveLane,
           verifyMode: effectiveInput.verifyMode ?? "fast",
+          releaseCandidateMode,
+          applicationSelection,
           workflowGates: saveWorkflowGates?.workflowGates ?? [],
           releaseCandidate,
           hostingAudit,
@@ -3529,6 +3727,13 @@ async function workflowStage(helpers, input) {
         } catch (error) {
           blockers.push(error instanceof Error ? error.message : String(error));
         }
+        const applicationSelection = selectWorkflowApplications(root, { packageSelection: initialSession.packageSelection });
+        const readiness = collectTreeseedDeploymentReadiness({
+          tenantRoot: root,
+          environment: "staging",
+          appId: singleSelectedWorkflowAppId(applicationSelection)
+        });
+        blockers.push(...readiness.checks.filter((check) => check.status === "failed").map((check) => `${check.id}: ${check.message}${check.remediation ? ` Remediation: ${check.remediation}` : ""}`));
         return buildWorkflowResult(
           "stage",
           root,
@@ -3539,6 +3744,7 @@ async function workflowStage(helpers, input) {
             mergeStrategy: "squash",
             message,
             ciMode,
+            applicationSelection,
             autoResumeCandidate: planAutoResumeRun ? {
               runId: planAutoResumeRun.runId,
               branch: planAutoResumeRun.session.branchName,
@@ -3547,6 +3753,7 @@ async function workflowStage(helpers, input) {
             ...worktreePayload(root, effectiveInput.worktreeMode),
             autoSaveRequired: initialSession.rootRepo.dirty || initialSession.packageRepos.some((repo) => repo.dirty),
             blockers,
+            readiness,
             rootRepo: createWorkspaceRootRepoReport(root),
             repos: createWorkspacePackageReports(root),
             plannedSteps: [
@@ -3593,6 +3800,16 @@ async function workflowStage(helpers, input) {
       applyTreeseedEnvironmentToProcess({ tenantRoot: root, scope: "staging", override: true });
       validateStagingWorkflowContracts(root);
       runWorkspaceSavePreflight({ cwd: root });
+      const stagingReadiness = collectTreeseedDeploymentReadiness({ tenantRoot: root, environment: "staging" });
+      if (!stagingReadiness.ok) {
+        workflowError(
+          "stage",
+          "validation_failed",
+          `Deployment readiness failed for staging:
+${stagingReadiness.checks.filter((check) => check.status === "failed").map((check) => `${check.id}: ${check.message}${check.remediation ? ` Remediation: ${check.remediation}` : ""}`).join("\n")}`,
+          { details: { readiness: stagingReadiness } }
+        );
+      }
       const repoDir = session.gitRoot;
       const rootRepo = createWorkspaceRootRepoReport(root);
       const packageReports = createWorkspacePackageReports(root);
@@ -3759,12 +3976,18 @@ async function workflowStage(helpers, input) {
           blockers: []
         });
         const releaseCandidate = await executeJournalStep(root, workflowRun.runId, "release-candidate", () => runReleaseCandidateForPlan("stage", root, stageReleasePlan));
-        const hostingAudit = await runReadOnlyHostingAuditForWorkflow(
+        const applicationSelection = selectWorkflowApplications(root, { packageSelection: session.packageSelection });
+        const hostingAudit = await runWorkflowHostedResourceVerification(
           "stage",
           root,
           helpers,
           "staging",
-          { enabled: effectiveInput.verifyDeployedResources === true, strict: true }
+          {
+            enabled: effectiveInput.verifyDeployedResources === true,
+            strict: true,
+            live: effectiveInput.verifyDeployedResources === true,
+            appId: singleSelectedWorkflowAppId(applicationSelection)
+          }
         );
         const previewCleanup = effectiveInput.deletePreview === false ? (skipJournalStep(root, workflowRun.runId, "preview-cleanup", { performed: false }), { performed: false }) : await executeJournalStep(root, workflowRun.runId, "preview-cleanup", () => destroyPreviewIfPresent(root, featureBranch));
         const rootCleanup = await executeJournalStep(root, workflowRun.runId, "cleanup-root", () => {
@@ -3813,6 +4036,7 @@ async function workflowStage(helpers, input) {
           rootRepo,
           stagingWait,
           releaseCandidate,
+          applicationSelection,
           previewCleanup,
           lockfileValidation: rootMerge?.lockfileValidation ?? null,
           lockfileInstall: rootMerge?.lockfileInstall ?? null,
@@ -3923,10 +4147,19 @@ async function workflowRelease(helpers, input) {
         level,
         repairVersionLine: effectiveInput.repairVersionLine === true
       });
+      const plannedReadiness = collectTreeseedDeploymentReadiness({
+        tenantRoot: root,
+        environment: "prod",
+        appId: singleSelectedWorkflowAppId(plannedRelease.applicationSelection)
+      });
+      if (!isResume) {
+        blockers.push(...plannedReadiness.checks.filter((check) => check.status === "failed").map((check) => `${check.id}: ${check.message}${check.remediation ? ` Remediation: ${check.remediation}` : ""}`));
+      }
       plannedRelease.blockers = blockers;
       if (executionMode === "plan") {
         return buildWorkflowResult("release", root, {
           ...plannedRelease,
+          readiness: plannedReadiness,
           ciMode,
           fresh: input.fresh === true,
           freshArchivedRuns: [],
@@ -4011,6 +4244,16 @@ async function workflowRelease(helpers, input) {
         const rootVersion = String(releasePlan.rootVersion);
         applyTreeseedEnvironmentToProcess({ tenantRoot: root, scope: "staging", override: true });
         assertReleaseGitHubAutomationReady(root, effectiveSelectedPackageNames, ciMode);
+        const productionReadiness = collectTreeseedDeploymentReadiness({ tenantRoot: root, environment: "prod" });
+        if (!productionReadiness.ok) {
+          workflowError(
+            "release",
+            "validation_failed",
+            `Deployment readiness failed for prod:
+${productionReadiness.checks.filter((check) => check.status === "failed").map((check) => `${check.id}: ${check.message}${check.remediation ? ` Remediation: ${check.remediation}` : ""}`).join("\n")}`,
+            { details: { readiness: productionReadiness } }
+          );
+        }
         const stagingGateResult = resumeAtRootGates ? completedJournalStepData(root, workflowRun.runId, "release-staging-gates") : await executeJournalStep(root, workflowRun.runId, "release-staging-gates", () => {
           helpers.write("[release][workflow] Verifying current staging gates before production release.");
           const packageGates = checkedOutWorkspacePackageRepos(root).filter((pkg) => effectiveSelectedPackageNames.has(pkg.name)).map((pkg) => ({
@@ -4119,9 +4362,12 @@ async function workflowRelease(helpers, input) {
           }).then((workflowGates) => ({ workflowGates })));
           const hostedDeploymentState2 = recordHostedDeploymentStatesFromRootGates(root, rootRelease2, rootWorkflowGateResult2?.workflowGates);
           ensureWorkflowWorkspaceLinks(root, helpers, effectiveInput.workspaceLinks ?? "auto");
-          const hostingAudit2 = await runReadOnlyHostingAuditForWorkflow("release", root, helpers, "prod", {
+          const applicationSelection2 = selectWorkflowApplications(root, { changedPaths: ["treeseed.site.yaml"] });
+          const hostingAudit2 = await runWorkflowHostedResourceVerification("release", root, helpers, "prod", {
             enabled: true,
-            strict: false
+            strict: effectiveInput.verifyDeployedResources === true,
+            live: effectiveInput.verifyDeployedResources === true,
+            appId: singleSelectedWorkflowAppId(applicationSelection2)
           });
           const releaseBackMerge2 = await executeJournalStep(root, workflowRun.runId, "release-back-merge", () => backMergeRootProductionIntoStaging(root, false, {
             version: rootVersion,
@@ -4144,6 +4390,7 @@ async function workflowRelease(helpers, input) {
             productionBranch: PRODUCTION_BRANCH,
             touchedPackages: [],
             packageSelection: { changed: [], dependents: [], selected: [] },
+            applicationSelection: applicationSelection2,
             publishWait: [],
             repos: [],
             rootRepo,
@@ -4249,7 +4496,8 @@ async function workflowRelease(helpers, input) {
                 changelog,
                 extraLines: [`Package: ${pkg.name}`]
               }),
-              pushTarget: true
+              pushTarget: true,
+              allowUnrelatedHistories: true
             });
             const tag = ensureReleaseTag(pkg.dir, tagName, mergeResult.commitSha, releaseAdminMessage({
               subject: `release: ${tagName}`,
@@ -4430,9 +4678,12 @@ async function workflowRelease(helpers, input) {
         }).then((workflowGates) => ({ workflowGates })));
         const hostedDeploymentState = recordHostedDeploymentStatesFromRootGates(root, rootRelease, rootWorkflowGateResult?.workflowGates);
         ensureWorkflowWorkspaceLinks(root, helpers, effectiveInput.workspaceLinks ?? "auto");
-        const hostingAudit = await runReadOnlyHostingAuditForWorkflow("release", root, helpers, "prod", {
+        const applicationSelection = releasePlan.applicationSelection;
+        const hostingAudit = await runWorkflowHostedResourceVerification("release", root, helpers, "prod", {
           enabled: true,
-          strict: false
+          strict: effectiveInput.verifyDeployedResources === true,
+          live: effectiveInput.verifyDeployedResources === true,
+          appId: singleSelectedWorkflowAppId(applicationSelection)
         });
         const releaseBackMerge = await executeJournalStep(root, workflowRun.runId, "release-back-merge", () => backMergeRootProductionIntoStaging(root, true, {
           version: rootVersion,
@@ -4465,6 +4716,7 @@ async function workflowRelease(helpers, input) {
           productionBranch: PRODUCTION_BRANCH,
           touchedPackages: effectivePackageSelection.selected,
           packageSelection: effectivePackageSelection,
+          applicationSelection,
           replacedDevReferences,
           releaseInstalls,
           devTagCleanup,
@@ -4720,6 +4972,7 @@ async function workflowDestroy(helpers, input) {
       const dryRun = executionMode === "plan";
       const force = input.force === true;
       const deleteData = input.deleteData === true;
+      const sweepTreeseed = input.sweepTreeseed === true;
       const destroyRemote = input.destroyRemote !== false;
       const destroyLocal = input.destroyLocal !== false;
       const removeBuildArtifacts = input.removeBuildArtifacts === true;
@@ -4733,6 +4986,7 @@ async function workflowDestroy(helpers, input) {
         dryRun,
         force,
         deleteData,
+        sweepTreeseed,
         destroyRemote,
         destroyLocal,
         removeBuildArtifacts,
@@ -4743,12 +4997,13 @@ async function workflowDestroy(helpers, input) {
         },
         plannedSteps: [
           ...destroyRemote ? [{ id: "destroy-remote", description: `Destroy remote ${scope} resources` }] : [],
+          ...sweepTreeseed ? [{ id: "sweep-treeseed-resources", description: "Sweep TreeSeed-owned provider resources across persistent environments" }] : [],
           ...destroyLocal ? [{ id: "cleanup-local", description: `Clean local ${scope} state${removeBuildArtifacts ? " and build artifacts" : ""}` }] : []
         ],
         remoteResult: null
       };
       if (executionMode === "plan") {
-        const plannedRemoteResult = destroyRemote ? await destroyTreeseedEnvironmentResources(tenantRoot, { dryRun: true, force, deleteData, target }) : null;
+        const plannedRemoteResult = destroyRemote ? await destroyTreeseedEnvironmentResources(tenantRoot, { dryRun: true, force, deleteData, sweepTreeseed, target }) : null;
         return buildWorkflowResult(
           "destroy",
           tenantRoot,
@@ -4759,7 +5014,7 @@ async function workflowDestroy(helpers, input) {
           {
             executionMode,
             nextSteps: createNextSteps([
-              { operation: "destroy", reason: "Run without --plan to destroy the selected environment.", input: { environment: scope, force, deleteData, removeBuildArtifacts } },
+              { operation: "destroy", reason: "Run without --plan to destroy the selected environment.", input: { environment: scope, force, deleteData, sweepTreeseed, removeBuildArtifacts } },
               { operation: "status", reason: "Confirm the current environment state before making destructive changes." }
             ])
           }
@@ -4772,6 +5027,7 @@ async function workflowDestroy(helpers, input) {
           environment: scope,
           force,
           deleteData,
+          sweepTreeseed,
           destroyRemote,
           destroyLocal,
           removeBuildArtifacts
@@ -4801,7 +5057,7 @@ async function workflowDestroy(helpers, input) {
         if (!confirmed) {
           workflowError("destroy", "confirmation_required", `Destroy confirmation required. Re-run with confirm="${expectedConfirmation}".`);
         }
-        const remoteResult = destroyRemote ? await executeJournalStep(root, workflowRun.runId, "destroy-remote", () => destroyTreeseedEnvironmentResources(tenantRoot, { dryRun: false, force, deleteData, target })) : null;
+        const remoteResult = destroyRemote ? await executeJournalStep(root, workflowRun.runId, "destroy-remote", () => destroyTreeseedEnvironmentResources(tenantRoot, { dryRun: false, force, deleteData, sweepTreeseed, target })) : null;
         if (!destroyRemote) {
           skipJournalStep(root, workflowRun.runId, "destroy-remote", { skippedReason: "destroyRemote=false" });
         }