@treeseed/sdk 0.5.3 → 0.6.0

package/dist/operations/services/key-agent.js

@@ -1,8 +1,8 @@
-import { spawnSync } from "node:child_process";
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";
-import { existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { accessSync, chmodSync, constants as fsConstants, existsSync, lstatSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
-import { dirname, join, resolve } from "node:path";
+import { dirname, resolve } from "node:path";
+import { createConnection, createServer } from "node:net";
 const TRESEED_MACHINE_KEY_PASSPHRASE_ENV = "TREESEED_KEY_PASSPHRASE";
 const TRESEED_KEY_AGENT_IDLE_TIMEOUT_MS = 15 * 60 * 1e3;
 const TREESEED_KEY_AGENT_IDLE_TIMEOUT_MS = TRESEED_KEY_AGENT_IDLE_TIMEOUT_MS;
@@ -10,6 +10,7 @@ const TRESEED_WRAPPED_MACHINE_KEY_VERSION = 2;
 const TRESEED_WRAPPED_MACHINE_KEY_KIND = "treeseed-wrapped-machine-key";
 const TREESEED_MACHINE_KEY_PASSPHRASE_ENV = TRESEED_MACHINE_KEY_PASSPHRASE_ENV;
 const KEY_AGENT_SOCKET_RELATIVE_PATH = ".treeseed/run/key-agent.sock";
+const KEY_AGENT_REQUEST_TIMEOUT_MS = 3e3;
 const WRAPPED_KEY_KDF_PARAMS = {
   N: 1 << 14,
   r: 8,
@@ -29,55 +30,37 @@ class TreeseedKeyAgentError extends Error {
 function nowIso() {
   return (/* @__PURE__ */ new Date()).toISOString();
 }
-function ensureParent(filePath) {
-  mkdirSync(dirname(filePath), { recursive: true });
+function ensureDirectory(path, mode = 448) {
+  mkdirSync(path, { recursive: true, mode });
+  chmodSync(path, mode);
 }
-function ensureFifo(filePath) {
-  ensureParent(filePath);
-  if (existsSync(filePath)) {
-    const stats = statSync(filePath);
-    if (stats.isFIFO()) {
-      return;
-    }
-    rmSync(filePath, { force: true });
-  }
-  const result = spawnSync("mkfifo", [filePath], { stdio: "pipe", encoding: "utf8" });
-  if (result.status !== 0) {
-    throw new Error(result.stderr?.trim() || `Unable to create FIFO ${filePath}.`);
-  }
+function ensureParent(filePath) {
+  ensureDirectory(dirname(filePath), 448);
 }
 function pidFilePath(socketPath) {
   return `${socketPath}.pid`;
 }
-function responseFifoPath(socketPath) {
-  return join(mkdtempSync(resolve(dirname(socketPath), "key-agent-response-")), "response.fifo");
-}
-function writePidFile(socketPath) {
-  writeFileSync(pidFilePath(socketPath), `${process.pid}
-`, { mode: 384 });
-}
-function clearPidFile(socketPath) {
-  rmSync(pidFilePath(socketPath), { force: true });
-}
-function readAgentPid(socketPath) {
-  const pidPath = pidFilePath(socketPath);
-  if (!existsSync(pidPath)) {
-    return null;
-  }
-  const raw = readFileSync(pidPath, "utf8").trim();
-  const pid = Number.parseInt(raw, 10);
-  return Number.isFinite(pid) ? pid : null;
-}
-function agentProcessAlive(socketPath) {
-  const pid = readAgentPid(socketPath);
-  if (!pid) {
-    return false;
+function detectSocketKind(socketPath) {
+  if (!existsSync(socketPath)) {
+    return "missing";
   }
   try {
-    process.kill(pid, 0);
-    return true;
+    const stats = lstatSync(socketPath);
+    if (stats.isSocket()) {
+      return "socket";
+    }
+    if (stats.isFIFO()) {
+      return "fifo";
+    }
+    if (stats.isFile()) {
+      return "file";
+    }
+    if (stats.isDirectory()) {
+      return "directory";
+    }
+    return "other";
   } catch {
-    return false;
+    return "other";
   }
 }
 function createFingerprint(machineKey) {
@@ -199,21 +182,177 @@ function replaceWrappedMachineKey(keyPath, machineKey, passphrase) {
   writeWrappedMachineKeyFile(keyPath, payload);
   return payload;
 }
+function resolveRuntimeRoot() {
+  const xdgRuntimeDir = process.env.XDG_RUNTIME_DIR;
+  if (typeof xdgRuntimeDir === "string" && xdgRuntimeDir.trim().length > 0) {
+    try {
+      accessSync(xdgRuntimeDir, fsConstants.R_OK | fsConstants.W_OK | fsConstants.X_OK);
+      return resolve(xdgRuntimeDir, "treeseed");
+    } catch {
+    }
+  }
+  const homeRoot = process.env.HOME && process.env.HOME.trim().length > 0 ? process.env.HOME : homedir();
+  return resolve(homeRoot, dirname(KEY_AGENT_SOCKET_RELATIVE_PATH));
+}
 function getTreeseedKeyAgentPaths() {
   const homeRoot = process.env.HOME && process.env.HOME.trim().length > 0 ? process.env.HOME : homedir();
+  const runtimeRoot = resolveRuntimeRoot();
+  const socketPath = runtimeRoot === resolve(homeRoot, dirname(KEY_AGENT_SOCKET_RELATIVE_PATH)) ? resolve(homeRoot, KEY_AGENT_SOCKET_RELATIVE_PATH) : resolve(runtimeRoot, "key-agent.sock");
   return {
     homeRoot,
-    socketPath: resolve(homeRoot, KEY_AGENT_SOCKET_RELATIVE_PATH)
+    runtimeRoot,
+    socketPath,
+    pidPath: pidFilePath(socketPath)
+  };
+}
+function readAgentPid(socketPath) {
+  const pidPath = pidFilePath(socketPath);
+  if (!existsSync(pidPath)) {
+    return null;
+  }
+  const raw = readFileSync(pidPath, "utf8").trim();
+  const pid = Number.parseInt(raw, 10);
+  return Number.isFinite(pid) ? pid : null;
+}
+function writePidFile(socketPath) {
+  ensureParent(socketPath);
+  writeFileSync(pidFilePath(socketPath), `${process.pid}
+`, { mode: 384 });
+}
+function clearPidFile(socketPath) {
+  rmSync(pidFilePath(socketPath), { force: true });
+}
+function classifySocketError(error) {
+  const errno = "code" in error ? error.code : void 0;
+  if (errno === "ENOENT") {
+    return {
+      code: "daemon_unavailable",
+      message: "Treeseed key-agent socket is missing."
+    };
+  }
+  if (errno === "EACCES" || errno === "EPERM") {
+    return {
+      code: "permission_denied",
+      message: "Permission denied while connecting to the Treeseed key-agent socket."
+    };
+  }
+  if (errno === "ECONNREFUSED" || errno === "ECONNRESET") {
+    return {
+      code: "daemon_unavailable",
+      message: "Treeseed key-agent daemon is not accepting connections."
+    };
+  }
+  return {
+    code: "protocol_error",
+    message: error.message || "Treeseed key-agent request failed."
   };
 }
+async function requestTreeseedKeyAgentOverSocket(command, timeoutMs = KEY_AGENT_REQUEST_TIMEOUT_MS) {
+  return new Promise((resolvePromise, rejectPromise) => {
+    const socket = createConnection(command.socketPath);
+    let responseBuffer = "";
+    let settled = false;
+    const finalize = (callback) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      clearTimeout(timeoutHandle);
+      socket.removeAllListeners();
+      callback();
+    };
+    const timeoutHandle = setTimeout(() => {
+      socket.destroy();
+      rejectPromise(new TreeseedKeyAgentError("daemon_unavailable", "Timed out waiting for the Treeseed key-agent response.", {
+        socketPath: command.socketPath
+      }));
+    }, timeoutMs);
+    socket.setEncoding("utf8");
+    socket.on("connect", () => {
+      socket.write(`${JSON.stringify(command)}
+`);
+    });
+    socket.on("data", (chunk) => {
+      responseBuffer += chunk;
+      const newlineIndex = responseBuffer.indexOf("\n");
+      if (newlineIndex === -1) {
+        return;
+      }
+      const payload = responseBuffer.slice(0, newlineIndex).trim();
+      socket.end();
+      try {
+        const parsed = JSON.parse(payload || "{}");
+        finalize(() => resolvePromise(parsed));
+      } catch (error) {
+        finalize(() => rejectPromise(new TreeseedKeyAgentError("protocol_error", "Treeseed key-agent returned an invalid JSON response.", {
+          socketPath: command.socketPath,
+          cause: error instanceof Error ? error.message : String(error)
+        })));
+      }
+    });
+    socket.on("error", (error) => {
+      const classified = classifySocketError(error);
+      finalize(() => rejectPromise(new TreeseedKeyAgentError(classified.code, classified.message, {
+        socketPath: command.socketPath,
+        cause: error.message
+      })));
+    });
+    socket.on("end", () => {
+      if (!settled && responseBuffer.trim().length === 0) {
+        finalize(() => rejectPromise(new TreeseedKeyAgentError("protocol_error", "Treeseed key-agent closed the connection without returning a response.", {
+          socketPath: command.socketPath
+        })));
+      }
+    });
+  });
+}
+async function inspectTreeseedKeyAgentDiagnostics(socketPath) {
+  const socketKind = detectSocketKind(socketPath);
+  const diagnostics = {
+    socketPath,
+    pidPath: pidFilePath(socketPath),
+    socketPresent: socketKind !== "missing",
+    socketKind,
+    socketConnectable: false,
+    healthOk: false,
+    daemonPid: readAgentPid(socketPath),
+    lastError: null
+  };
+  if (!diagnostics.socketPresent) {
+    diagnostics.lastError = "socket_missing";
+    return diagnostics;
+  }
+  if (diagnostics.socketKind !== "socket") {
+    diagnostics.lastError = `stale_transport_${diagnostics.socketKind}`;
+    return diagnostics;
+  }
+  try {
+    const response = await requestTreeseedKeyAgentOverSocket({
+      command: "health",
+      keyPath: "",
+      socketPath,
+      idleTimeoutMs: TREESEED_KEY_AGENT_IDLE_TIMEOUT_MS
+    });
+    diagnostics.socketConnectable = true;
+    diagnostics.healthOk = response.ok;
+    if (!response.ok) {
+      diagnostics.lastError = response.message ?? response.code ?? "health_failed";
+    }
+    return diagnostics;
+  } catch (error) {
+    const classified = classifySocketError(error instanceof Error ? error : new Error(String(error)));
+    diagnostics.lastError = classified.message;
+    return diagnostics;
+  }
+}
 function createStatus(command, session) {
-  const wrapped = readWrappedMachineKeyFile(command.keyPath);
+  const wrapped = command.keyPath ? readWrappedMachineKeyFile(command.keyPath) : { exists: false, wrapped: null, migrationRequired: false };
   const idleRemainingMs = session.machineKey ? Math.max(0, session.idleTimeoutMs - (Date.now() - session.lastTouchedAt)) : 0;
   return {
     running: true,
     unlocked: Boolean(session.machineKey) && idleRemainingMs > 0,
     wrappedKeyPresent: wrapped.exists && Boolean(wrapped.wrapped),
-    migrationRequired: wrapped.migrationRequired,
+    migrationRequired: Boolean(wrapped.migrationRequired),
     keyPath: command.keyPath,
     socketPath: command.socketPath,
     idleTimeoutMs: session.idleTimeoutMs,
@@ -269,6 +408,7 @@ function ok(response = {}) {
   return { ok: true, ...response };
 }
 function fail(error, command) {
+  const wrappedState = command.keyPath ? readWrappedMachineKeyFile(command.keyPath) : { wrapped: null, migrationRequired: false };
   if (error instanceof TreeseedKeyAgentError) {
     return {
       ok: false,
@@ -277,8 +417,8 @@ function fail(error, command) {
       status: {
         running: true,
         unlocked: false,
-        wrappedKeyPresent: readWrappedMachineKeyFile(command.keyPath).wrapped !== null,
-        migrationRequired: readWrappedMachineKeyFile(command.keyPath).migrationRequired,
+        wrappedKeyPresent: wrappedState.wrapped !== null,
+        migrationRequired: Boolean(wrappedState.migrationRequired),
         keyPath: command.keyPath,
         socketPath: command.socketPath,
         idleTimeoutMs: command.idleTimeoutMs,
@@ -293,8 +433,8 @@ function fail(error, command) {
     status: {
       running: true,
       unlocked: false,
-      wrappedKeyPresent: readWrappedMachineKeyFile(command.keyPath).wrapped !== null,
-      migrationRequired: readWrappedMachineKeyFile(command.keyPath).migrationRequired,
+      wrappedKeyPresent: wrappedState.wrapped !== null,
+      migrationRequired: Boolean(wrappedState.migrationRequired),
       keyPath: command.keyPath,
       socketPath: command.socketPath,
       idleTimeoutMs: command.idleTimeoutMs,
@@ -304,6 +444,11 @@ function fail(error, command) {
 }
 function handleTreeseedKeyAgentCommand(command, session) {
   maybeExpireSession(session);
+  if (command.command === "health") {
+    return ok({
+      status: createStatus(command, session)
+    });
+  }
   if (command.command === "status") {
     return ok({ status: createStatus(command, session) });
   }
@@ -338,39 +483,33 @@ function handleTreeseedKeyAgentCommand(command, session) {
   });
 }
 async function requestTreeseedKeyAgent(command) {
-  if (!agentProcessAlive(command.socketPath) || !existsSync(command.socketPath)) {
-    throw new TreeseedKeyAgentError("daemon_unavailable", "Treeseed key-agent is not running.");
-  }
-  const responsePath = responseFifoPath(command.socketPath);
-  ensureFifo(responsePath);
-  try {
-    const responsePromise = Promise.resolve().then(() => readFileSync(responsePath, "utf8"));
-    writeFileSync(command.socketPath, `${JSON.stringify({ ...command, responsePath })}
-`, "utf8");
-    return JSON.parse((await responsePromise).trim() || "{}");
-  } finally {
-    rmSync(dirname(responsePath), { recursive: true, force: true });
+  const diagnostics = await inspectTreeseedKeyAgentDiagnostics(command.socketPath);
+  if (!diagnostics.healthOk && command.command !== "health") {
+    throw new TreeseedKeyAgentError("daemon_unavailable", diagnostics.lastError ?? "Treeseed key-agent is not running.", { diagnostics });
   }
+  return requestTreeseedKeyAgentOverSocket(command);
 }
 async function socketAlreadyServed(socketPath) {
-  return agentProcessAlive(socketPath) && existsSync(socketPath);
+  const diagnostics = await inspectTreeseedKeyAgentDiagnostics(socketPath);
+  return diagnostics.socketConnectable && diagnostics.healthOk;
 }
 async function removeStaleSocket(socketPath) {
   if (!existsSync(socketPath)) {
     return true;
   }
-  try {
-    if (await socketAlreadyServed(socketPath)) {
-      return false;
-    }
-    rmSync(socketPath, { force: true });
-    clearPidFile(socketPath);
-    return true;
-  } catch {
+  const socketKind = detectSocketKind(socketPath);
+  if (socketKind !== "socket") {
     rmSync(socketPath, { force: true });
     clearPidFile(socketPath);
     return true;
   }
+  const diagnostics = await inspectTreeseedKeyAgentDiagnostics(socketPath);
+  if (diagnostics.socketConnectable && diagnostics.healthOk) {
+    return false;
+  }
+  rmSync(socketPath, { force: true });
+  clearPidFile(socketPath);
+  return true;
 }
 async function startTreeseedKeyAgentServer(options) {
   const socketPath = options.socketPath ?? getTreeseedKeyAgentPaths().socketPath;
@@ -378,49 +517,71 @@ async function startTreeseedKeyAgentServer(options) {
   if (!canStart) {
     return;
   }
-  ensureFifo(socketPath);
-  writePidFile(socketPath);
+  ensureParent(socketPath);
   const session = {
     machineKey: null,
     lastTouchedAt: 0,
     idleTimeoutMs: options.idleTimeoutMs ?? TRESEED_KEY_AGENT_IDLE_TIMEOUT_MS
   };
-  process.on("exit", () => {
+  const cleanup = () => {
     try {
       rmSync(socketPath, { force: true });
       clearPidFile(socketPath);
     } catch {
     }
-  });
-  for (; ; ) {
-    const line = readFileSync(socketPath, "utf8").trim();
-    if (!line) {
-      continue;
-    }
-    try {
-      const parsed = JSON.parse(line);
-      const response = handleTreeseedKeyAgentCommand(parsed, session);
-      if (parsed.responsePath) {
-        writeFileSync(parsed.responsePath, `${JSON.stringify(response)}
-`, "utf8");
+  };
+  const server = createServer((connection) => {
+    let requestBuffer = "";
+    connection.setEncoding("utf8");
+    connection.on("data", (chunk) => {
+      requestBuffer += chunk;
+      const newlineIndex = requestBuffer.indexOf("\n");
+      if (newlineIndex === -1) {
+        return;
       }
-    } catch (error) {
-      const fallback = fail(error, {
-        command: "status",
-        keyPath: options.keyPath,
-        socketPath,
-        idleTimeoutMs: options.idleTimeoutMs ?? TRESEED_KEY_AGENT_IDLE_TIMEOUT_MS
-      });
+      const line = requestBuffer.slice(0, newlineIndex).trim();
+      requestBuffer = "";
+      let response;
       try {
         const parsed = JSON.parse(line);
-        if (parsed.responsePath) {
-          writeFileSync(parsed.responsePath, `${JSON.stringify(fallback)}
-`, "utf8");
-        }
-      } catch {
+        response = handleTreeseedKeyAgentCommand(parsed, session);
+      } catch (error) {
+        response = fail(error, {
+          command: "status",
+          keyPath: options.keyPath,
+          socketPath,
+          idleTimeoutMs: options.idleTimeoutMs ?? TRESEED_KEY_AGENT_IDLE_TIMEOUT_MS
+        });
       }
-    }
-  }
+      connection.end(`${JSON.stringify(response)}
+`);
+    });
+    connection.on("error", () => {
+      connection.destroy();
+    });
+  });
+  await new Promise((resolvePromise, rejectPromise) => {
+    server.once("error", (error) => {
+      rejectPromise(error);
+    });
+    server.listen(socketPath, () => {
+      chmodSync(socketPath, 384);
+      writePidFile(socketPath);
+      resolvePromise();
+    });
+  });
+  process.on("exit", cleanup);
+  process.on("SIGINT", () => {
+    cleanup();
+    process.exit(0);
+  });
+  process.on("SIGTERM", () => {
+    cleanup();
+    process.exit(0);
+  });
+  await new Promise(() => {
+  });
+  server.close();
 }
 function assertTreeseedKeyAgentResponse(response, fallback = "Treeseed secret session request failed.") {
   if (response.ok) {
@@ -429,7 +590,10 @@ function assertTreeseedKeyAgentResponse(response, fallback = "Treeseed secret se
   throw new TreeseedKeyAgentError(
     response.code ?? "unlock_failed",
     response.message ?? fallback,
-    response.status ? { status: response.status } : void 0
+    {
+      status: response.status,
+      diagnostics: response.diagnostics
+    }
   );
 }
 function rotateWrappedMachineKeyPassphrase(keyPath, machineKey, passphrase) {
@@ -464,6 +628,7 @@ export {
   assertTreeseedKeyAgentResponse,
   getTreeseedKeyAgentPaths,
   handleTreeseedKeyAgentCommand,
+  inspectTreeseedKeyAgentDiagnostics,
   machineKeysEqual,
   migrateLegacyProjectMachineKeyToWrapped,
   readWrappedMachineKeyFile,

package/dist/operations/services/knowledge-coop-launch.d.ts

@@ -1,5 +1,4 @@
 import { checkTreeseedProviderConnections } from './config-runtime.ts';
-import { provisionCloudflareResources, verifyProvisionedCloudflareResources } from './deploy.ts';
 import { configuredRailwayServices, deployRailwayService, ensureRailwayScheduledJobs, verifyRailwayScheduledJobs } from './railway-deploy.ts';
 import { buildKnowledgeCoopKnowledgePackPackage, buildKnowledgeCoopTemplatePackage } from './knowledge-coop-packaging.ts';
 export type KnowledgeCoopLaunchFailurePhase = 'repo_provision_failed' | 'content_bootstrap_failed' | 'workflow_bootstrap_failed' | 'hosting_registration_failed' | 'runtime_connection_failed';
@@ -63,7 +62,7 @@ export interface KnowledgeCoopManagedLaunchResult {
     };
     railway: {
         services: ReturnType<typeof configuredRailwayServices>;
-        deployments: ReturnType<typeof deployRailwayService>[];
+        deployments: Awaited<ReturnType<typeof deployRailwayService>>[];
         schedules: Awaited<ReturnType<typeof ensureRailwayScheduledJobs>>;
         verification: Awaited<ReturnType<typeof verifyRailwayScheduledJobs>>;
     };
@@ -86,5 +85,5 @@ export interface KnowledgeCoopLaunchPreflightReport {
         railway: boolean;
     };
 }
-export declare function validateKnowledgeCoopManagedLaunchPrerequisites(tenantRoot?: string): KnowledgeCoopLaunchPreflightReport;
+export declare function validateKnowledgeCoopManagedLaunchPrerequisites(tenantRoot?: string): Promise<KnowledgeCoopLaunchPreflightReport>;
 export declare function executeKnowledgeCoopManagedLaunch(input: KnowledgeCoopManagedLaunchInput): Promise<KnowledgeCoopManagedLaunchResult>;

package/dist/operations/services/knowledge-coop-launch.js

@@ -3,8 +3,9 @@ import { spawnSync } from "node:child_process";
 import { tmpdir } from "node:os";
 import { dirname, join, resolve } from "node:path";
 import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
+import { collectTreeseedReconcileStatus, reconcileTreeseedTarget } from "../../reconcile/index.js";
 import { checkTreeseedProviderConnections, collectTreeseedConfigSeedValues } from "./config-runtime.js";
-import { provisionCloudflareResources, runRemoteD1Migrations, syncCloudflareSecrets, verifyProvisionedCloudflareResources, markDeploymentInitialized, finalizeDeploymentState } from "./deploy.js";
+import { createPersistentDeployTarget, runRemoteD1Migrations, finalizeDeploymentState } from "./deploy.js";
 import {
   createGitHubRepository,
   ensureGitHubDeployAutomation,
@@ -572,7 +573,7 @@ function scaffoldKnowledgeCoopSource(projectRoot, input) {
     env: templateCatalogEnv
   });
 }
-function validateKnowledgeCoopManagedLaunchPrerequisites(tenantRoot = process.cwd()) {
+async function validateKnowledgeCoopManagedLaunchPrerequisites(tenantRoot = process.cwd()) {
   const values = collectTreeseedConfigSeedValues(tenantRoot, "prod", process.env);
   const requiredConfig = [
     ["TREESEED_BETTER_AUTH_SECRET"],
@@ -589,7 +590,7 @@ function validateKnowledgeCoopManagedLaunchPrerequisites(tenantRoot = process.cw
     const value = values[name];
     return typeof value === "string" && value.trim().length > 0;
   })).map((group) => group.join(" or "));
-  const providerChecks = checkTreeseedProviderConnections({ tenantRoot, scope: "prod", env: process.env });
+  const providerChecks = await checkTreeseedProviderConnections({ tenantRoot, scope: "prod", env: process.env });
   const commands = {
     git: commandAvailable("git"),
     gh: commandAvailable("gh"),
@@ -606,7 +607,7 @@ function validateKnowledgeCoopManagedLaunchPrerequisites(tenantRoot = process.cw
 }
 async function executeKnowledgeCoopManagedLaunch(input) {
   const phases = [];
-  const preflight = validateKnowledgeCoopManagedLaunchPrerequisites(process.cwd());
+  const preflight = await validateKnowledgeCoopManagedLaunchPrerequisites(process.cwd());
   if (!preflight.ok) {
     throw new KnowledgeCoopLaunchError(
       "runtime_connection_failed",
@@ -619,7 +620,7 @@ async function executeKnowledgeCoopManagedLaunch(input) {
   const repoName = slugify(input.projectSlug, "project");
   try {
     appendPhase(phases, "repo_provision", "running", "Creating GitHub repository.");
-    const repository = createGitHubRepository({
+    const repository = await createGitHubRepository({
       owner: repoOwner,
       name: repoName,
       description: input.summary ?? `Knowledge Coop hub for ${input.projectName}`,
@@ -641,15 +642,25 @@ async function executeKnowledgeCoopManagedLaunch(input) {
       commitMessage: `Initialize ${input.projectName}`
     });
     pushDefaultWorkstreamBranch(workingRoot);
-    const workflows = ensureGitHubDeployAutomation(workingRoot);
+    const workflows = await ensureGitHubDeployAutomation(workingRoot);
     appendPhase(phases, "workflow_bootstrap", "completed", "Configured GitHub workflows, secrets, and variables.");
     appendPhase(phases, "hosting_registration", "running", "Provisioning Cloudflare resources and deploy state.");
-    const staging = provisionCloudflareResources(workingRoot, { scope: "staging" });
-    const prod = provisionCloudflareResources(workingRoot, { scope: "prod" });
-    syncCloudflareSecrets(workingRoot, { scope: "prod" });
+    const staging = await reconcileTreeseedTarget({
+      tenantRoot: workingRoot,
+      target: createPersistentDeployTarget("staging"),
+      env: process.env
+    });
+    const prod = await reconcileTreeseedTarget({
+      tenantRoot: workingRoot,
+      target: createPersistentDeployTarget("prod"),
+      env: process.env
+    });
     runRemoteD1Migrations(workingRoot, { scope: "prod" });
-    markDeploymentInitialized(workingRoot, { scope: "staging" });
-    const verification = verifyProvisionedCloudflareResources(workingRoot, { scope: "prod" });
+    const verification = await collectTreeseedReconcileStatus({
+      tenantRoot: workingRoot,
+      target: createPersistentDeployTarget("prod"),
+      env: process.env
+    });
     appendPhase(phases, "hosting_registration", "completed", "Provisioned Cloudflare resources.");
     const launchConfig = loadCliDeployConfig(workingRoot);
     const managedRuntime = launchConfig.runtime?.mode === "treeseed_managed";
@@ -661,7 +672,10 @@ async function executeKnowledgeCoopManagedLaunch(input) {
       appendPhase(phases, "runtime_connection", "running", "Deploying Railway services and registering runtime connectivity.");
       validateRailwayDeployPrerequisites(workingRoot, "prod");
       services = configuredRailwayServices(workingRoot, "prod");
-      deployments = services.map((service) => deployRailwayService(workingRoot, service));
+      deployments = [];
+      for (const service of services) {
+        deployments.push(await deployRailwayService(workingRoot, service));
+      }
       schedules = await ensureRailwayScheduledJobs(workingRoot, "prod");
       railwayVerification = await verifyRailwayScheduledJobs(workingRoot, "prod");
       finalizeDeploymentState(workingRoot, { scope: "prod", serviceResults: deployments });