@treeseed/sdk 0.6.1 → 0.6.3

package/dist/operations/services/config-runtime.js

@@ -6,6 +6,7 @@ import { spawn, spawnSync } from "node:child_process";
 import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
 import {
   getTreeseedEnvironmentSuggestedValues,
+  isTreeseedEnvironmentEntryRelevant,
   isTreeseedEnvironmentEntryRequired,
   resolveTreeseedEnvironmentRegistry,
   TREESEED_ENVIRONMENT_SCOPES,
@@ -19,8 +20,15 @@ import {
   loadDeployState,
   syncCloudflareSecrets
 } from "./deploy.js";
-import { collectTreeseedReconcileStatus, reconcileTreeseedTarget } from "../../reconcile/index.js";
-import { maybeResolveGitHubRepositorySlug } from "./github-automation.js";
+import {
+  collectTreeseedReconcileStatus,
+  reconcileTreeseedTarget,
+  resolveTreeseedBootstrapSelection
+} from "../../reconcile/index.js";
+import {
+  ensureGitHubBootstrapRepository,
+  maybeResolveGitHubRepositorySlug
+} from "./github-automation.js";
 import {
   buildRailwayCommandEnv
 } from "./railway-deploy.js";
@@ -30,12 +38,12 @@ import {
 } from "./railway-api.js";
 import {
   createGitHubApiClient,
+  ensureGitHubActionsEnvironment,
   ensureGitHubBranchFromBase,
-  listGitHubRepositorySecretNames,
-  listGitHubRepositoryVariableNames,
-  upsertGitHubRepositorySecret,
-  upsertGitHubRepositoryVariable,
-  upsertGitHubRepositoryVariableWithGhCli
+  listGitHubEnvironmentSecretNames,
+  listGitHubEnvironmentVariableNames,
+  upsertGitHubEnvironmentSecret,
+  upsertGitHubEnvironmentVariable
 } from "./github-api.js";
 import { loadCliDeployConfig, packageScriptPath, resolveWranglerBin, withProcessCwd } from "./runtime-tools.js";
 import { PRODUCTION_BRANCH, STAGING_BRANCH } from "./git-workflow.js";
@@ -53,9 +61,6 @@ import {
 } from "./key-agent.js";
 import { TREESEED_MACHINE_KEY_PASSPHRASE_ENV as TREESEED_MACHINE_KEY_PASSPHRASE_ENV2, TreeseedKeyAgentError as TreeseedKeyAgentError2 } from "./key-agent.js";
 const MACHINE_CONFIG_RELATIVE_PATH = ".treeseed/config/machine.yaml";
-const LEGACY_ENVIRONMENT_ALIASES = {
-  RAILWAY_API_KEY: "RAILWAY_API_TOKEN"
-};
 const MACHINE_KEY_HOME_RELATIVE_PATH = ".treeseed/config/machine.key";
 const LEGACY_MACHINE_KEY_RELATIVE_PATH = ".treeseed/config/machine.key";
 const REMOTE_AUTH_RELATIVE_PATH = ".treeseed/config/remote-auth.json";
@@ -72,8 +77,8 @@ const DEPRECATED_LOCAL_ENV_FILES = [".env.local", ".dev.vars"];
 const warnedDeprecatedLocalEnvRoots = /* @__PURE__ */ new Set();
 const inlineTreeseedSecretSessions = /* @__PURE__ */ new Map();
 const railwayConnectionCheckCache = /* @__PURE__ */ new Map();
-function filterEnvironmentValuesByRegistry(values, registry) {
-  const registeredKeys = new Set(registry.entries.map((entry) => entry.id));
+function filterEnvironmentValuesByRegistry(values, registry, scope, purpose = "config") {
+  const registeredKeys = new Set(registry.entries.filter((entry) => isTreeseedEnvironmentEntryRelevant(entry, registry.context, scope, purpose)).map((entry) => entry.id));
   return Object.fromEntries(
     Object.entries(values).filter(([key]) => registeredKeys.has(key))
   );
@@ -1399,21 +1404,15 @@ function collectTreeseedConfigSeedValues(tenantRoot, scope, env = process.env) {
       throw error;
     }
   }
-  const normalizedEnv = { ...env };
-  for (const [legacyKey, canonicalKey] of Object.entries(LEGACY_ENVIRONMENT_ALIASES)) {
-    if ((!normalizedEnv[canonicalKey] || String(normalizedEnv[canonicalKey]).length === 0) && normalizedEnv[legacyKey]) {
-      normalizedEnv[canonicalKey] = normalizedEnv[legacyKey];
-    }
-  }
   return filterEnvironmentValuesByRegistry({
     ...machineValues,
-    ...Object.fromEntries(Object.entries(normalizedEnv).map(([key, value]) => [key, value ?? void 0]))
-  }, registry);
+    ...Object.fromEntries(Object.entries(env).map(([key, value]) => [key, value ?? void 0]))
+  }, registry, scope);
 }
 function collectTreeseedConfigSeedValueSources(tenantRoot, scope, env = process.env) {
   warnDeprecatedTreeseedLocalEnvFiles(tenantRoot);
   const registry = collectTreeseedEnvironmentContext(tenantRoot);
-  const registeredKeys = new Set(registry.entries.map((entry) => entry.id));
+  const registeredKeys = new Set(registry.entries.filter((entry) => isTreeseedEnvironmentEntryRelevant(entry, registry.context, scope, "config")).map((entry) => entry.id));
   const values = {};
   const sources = {};
   const merge = (source, entries) => {
@@ -1856,8 +1855,31 @@ function formatTreeseedProviderConnectionFailures(reports) {
 function writeProviderConnectionReport(write, report) {
   write(formatTreeseedProviderConnectionReport(report));
 }
-async function syncTreeseedGitHubEnvironment({ tenantRoot, scope = "prod", dryRun = false } = {}) {
-  const repository = maybeResolveGitHubRepositorySlug(tenantRoot);
+async function runBounded(items, limit, worker) {
+  const concurrency = Math.max(1, Math.min(limit, items.length || 1));
+  let nextIndex = 0;
+  const workers = Array.from({ length: concurrency }, async () => {
+    for (; ; ) {
+      const index = nextIndex;
+      nextIndex += 1;
+      if (index >= items.length) {
+        return;
+      }
+      await worker(items[index], index);
+    }
+  });
+  await Promise.all(workers);
+}
+async function syncTreeseedGitHubEnvironment({
+  tenantRoot,
+  scope = "prod",
+  dryRun = false,
+  repository: repositoryInput,
+  execution = "parallel",
+  concurrency = 4,
+  onProgress
+}) {
+  const repository = repositoryInput ?? maybeResolveGitHubRepositorySlug(tenantRoot);
   if (!repository) {
     throw new Error("Unable to determine the GitHub repository from the origin remote.");
   }
@@ -1870,41 +1892,63 @@ async function syncTreeseedGitHubEnvironment({ tenantRoot, scope = "prod", dryRu
     GITHUB_TOKEN: ghToken
   } : {};
   const githubClient = createGitHubApiClient({ env: ghEnv });
-  const secretNames = await listGitHubRepositorySecretNames(repository, { client: githubClient });
-  const variableNames = await listGitHubRepositoryVariableNames(repository, { client: githubClient });
+  const environment = scope === "prod" ? "production" : scope;
+  const deploymentBranch = scope === "prod" ? PRODUCTION_BRANCH : scope === "staging" ? STAGING_BRANCH : null;
+  const progress = (message, stream = "stdout") => onProgress?.(message, stream);
+  if (!dryRun) {
+    progress(`[${scope}][github][environment] Ensuring GitHub environment ${environment} exists...`);
+    await ensureGitHubActionsEnvironment(repository, environment, {
+      client: githubClient,
+      branchName: deploymentBranch
+    });
+  }
+  progress(`[${scope}][github][sync] Loading existing GitHub secrets and variables...`);
+  const [secretNames, variableNames] = dryRun ? [/* @__PURE__ */ new Set(), /* @__PURE__ */ new Set()] : await Promise.all([
+    listGitHubEnvironmentSecretNames(repository, environment, { client: githubClient }),
+    listGitHubEnvironmentVariableNames(repository, environment, { client: githubClient })
+  ]);
   const synced = {
     secrets: [],
     variables: []
   };
+  const items = [];
   for (const entry of relevant) {
     const value = values[entry.id];
     if (!value) {
       continue;
     }
-    if (entry.targets.includes("github-secret")) {
-      if (!dryRun) {
-        await upsertGitHubRepositorySecret(repository, entry.id, value, { client: githubClient });
-      }
-      synced.secrets.push({ name: entry.id, existed: secretNames.has(entry.id) });
+    if (entry.sensitivity === "secret") {
+      items.push({ kind: "secret", name: entry.id, value, existed: secretNames.has(entry.id) });
+    } else {
+      items.push({ kind: "variable", name: entry.id, value, existed: variableNames.has(entry.id) });
     }
-    if (entry.targets.includes("github-variable")) {
-      if (!dryRun) {
-        try {
-          upsertGitHubRepositoryVariableWithGhCli(repository, entry.id, value, { env: ghEnv });
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error ?? "");
-          if (!/not found|ENOENT|timed out|timeout|aborted|gh api exited/iu.test(message)) {
-            throw error;
-          }
-          await upsertGitHubRepositoryVariable(repository, entry.id, value, { client: githubClient });
-        }
+  }
+  let completed = 0;
+  const total = items.length;
+  progress(`[${scope}][github][sync] Syncing GitHub environment ${environment}: 0/${total} items...`);
+  const limit = execution === "sequential" ? 1 : concurrency;
+  await runBounded(items, limit, async (item) => {
+    if (!dryRun) {
+      if (item.kind === "secret") {
+        await upsertGitHubEnvironmentSecret(repository, environment, item.name, item.value, { client: githubClient });
+      } else {
+        await upsertGitHubEnvironmentVariable(repository, environment, item.name, item.value, { client: githubClient });
       }
-      synced.variables.push({ name: entry.id, existed: variableNames.has(entry.id) });
     }
-  }
+    completed += 1;
+    const action = item.existed ? "updated" : "created";
+    progress(`[${scope}][github][${item.kind}] ${action} ${item.name} (${completed}/${total})`);
+    if (item.kind === "secret") {
+      synced.secrets.push({ name: item.name, existed: item.existed });
+    } else {
+      synced.variables.push({ name: item.name, existed: item.existed });
+    }
+  });
+  progress(`[${scope}][github][sync] Complete: ${synced.secrets.length} secrets, ${synced.variables.length} variables, ${total} total.`);
   return {
     repository,
     scope,
+    environment,
     ...synced
   };
 }
@@ -1990,7 +2034,7 @@ async function initializeTreeseedPersistentEnvironment({ tenantRoot, scope = "pr
     secrets: summary.results.filter((result) => result.unit.provider === "cloudflare").flatMap((result) => Object.keys(result.resourceLocators ?? {}))
   };
 }
-async function summarizePersistentReadiness(tenantRoot, scope, validation, connectionChecks, env = process.env, { includeReconcileStatus = true } = {}) {
+async function summarizePersistentReadiness(tenantRoot, scope, validation, connectionChecks, env = process.env, { includeReconcileStatus = true, systems } = {}) {
   const validationProblems = [...validation.missing, ...validation.invalid];
   const validationBlockers = validationProblems.map((problem) => problem.message);
   const connectionReady = connectionChecks.every((check) => check.ready || check.skipped);
@@ -2051,7 +2095,8 @@ async function summarizePersistentReadiness(tenantRoot, scope, validation, conne
   const reconcile = await collectTreeseedReconcileStatus({
     tenantRoot,
     target: createPersistentDeployTarget(scope),
-    env
+    env,
+    systems
   });
   const provisioned = reconcile.ready;
   const deployable = configured && provisioned && connectionReady;
@@ -2165,21 +2210,31 @@ function createConfigReadiness(values, validation) {
     ...(validation?.invalid ?? []).map((problem) => problem.id)
   ]);
   const validConfigValue = (key) => hasConfigValue(values, key) && !invalidIds.has(key);
-  const cloudflareReady = validConfigValue("CLOUDFLARE_API_TOKEN");
-  const railwayReady = validConfigValue("RAILWAY_API_TOKEN");
-  const localDevelopmentIssues = [
+  const configProblems = [
     ...validation?.missing ?? [],
     ...validation?.invalid ?? []
+  ];
+  const providerIssues = (provider) => configProblems.filter((problem) => {
+    if (provider === "github") {
+      return problem.id === "GH_TOKEN" || problem.id === "GITHUB_TOKEN" || problem.entry.group === "github";
+    }
+    if (provider === "cloudflare") {
+      return problem.id.startsWith("CLOUDFLARE_") || problem.id.includes("TURNSTILE") || problem.entry.group === "cloudflare";
+    }
+    return problem.id.startsWith("RAILWAY_") || problem.entry.group === "railway";
+  });
+  const localDevelopmentIssues = [
+    ...configProblems
   ].filter((problem) => problem.entry.group === "local-development");
   return {
     github: {
       configured: validConfigValue("GH_TOKEN")
     },
     cloudflare: {
-      configured: cloudflareReady
+      configured: providerIssues("cloudflare").length === 0
     },
     railway: {
-      configured: railwayReady
+      configured: providerIssues("railway").length === 0
     },
     localDevelopment: {
       configured: localDevelopmentIssues.length === 0
@@ -2193,7 +2248,7 @@ function configGroupRank(group) {
 }
 function listRelevantTreeseedConfigEntries(registry, scope) {
   return registry.entries.filter(
-    (entry) => entry.scopes.includes(scope) && (!entry.isRelevant || entry.isRelevant(registry.context, scope, "config") || Boolean(entry.onboardingFeature))
+    (entry) => entry.visibility !== "system" && entry.scopes.includes(scope) && (!entry.isRelevant || entry.isRelevant(registry.context, scope, "config") || Boolean(entry.onboardingFeature))
   ).sort((left, right) => {
     const leftRequired = isTreeseedEnvironmentEntryRequired(left, registry.context, scope, "config");
     const rightRequired = isTreeseedEnvironmentEntryRequired(right, registry.context, scope, "config");
@@ -2363,6 +2418,37 @@ function applyTreeseedConfigValues({
     sharedStorageMigrations
   };
 }
+function configProblemBootstrapSystems(problem) {
+  switch (problem?.id) {
+    case "GH_TOKEN":
+    case "GITHUB_TOKEN":
+      return ["github"];
+    case "CLOUDFLARE_API_TOKEN":
+    case "CLOUDFLARE_ACCOUNT_ID":
+    case "CLOUDFLARE_ZONE_ID":
+      return ["data", "web"];
+    case "RAILWAY_API_TOKEN":
+    case "TREESEED_RAILWAY_WORKSPACE":
+      return ["api", "agents"];
+    default:
+      return null;
+  }
+}
+function filterValidationForBootstrapSystems(validation, runnableSystems) {
+  const runnable = new Set(runnableSystems);
+  const keepProblem = (problem) => {
+    const systems = configProblemBootstrapSystems(problem);
+    return !systems || systems.some((system) => runnable.has(system));
+  };
+  const missing = validation.missing.filter(keepProblem);
+  const invalid = validation.invalid.filter(keepProblem);
+  return {
+    ...validation,
+    ok: missing.length === 0 && invalid.length === 0,
+    missing,
+    invalid
+  };
+}
 async function finalizeTreeseedConfig({
   tenantRoot,
   scopes = [...TREESEED_ENVIRONMENT_SCOPES],
@@ -2370,6 +2456,9 @@ async function finalizeTreeseedConfig({
   env = process.env,
   checkConnections = true,
   initializePersistent = true,
+  systems,
+  skipUnavailable,
+  bootstrapExecution = "parallel",
   onProgress
 }) {
   const registry = collectTreeseedEnvironmentContext(tenantRoot);
@@ -2381,17 +2470,39 @@ async function finalizeTreeseedConfig({
     resourceInventoryByScope: {},
     connectionChecks: [],
     validationByScope: {},
-    readinessByScope: {}
+    bootstrapSystemsByScope: {},
+    githubRepository: null,
+    readinessByScope: {},
+    bootstrapExecution
   };
-  const progress = (message) => {
+  const progress = (message, stream = "stdout") => {
     if (typeof onProgress === "function") {
-      onProgress(message);
+      onProgress(message, stream);
     }
   };
   progress(`Validating configuration for ${scopes.join(", ")}...`);
   const scopeSeedValues = Object.fromEntries(
     scopes.map((scope) => [scope, collectTreeseedConfigSeedValues(tenantRoot, scope, env)])
   );
+  for (const scope of scopes) {
+    const selection = resolveTreeseedBootstrapSelection({
+      deployConfig: registry.context.deployConfig,
+      env: scopeSeedValues[scope],
+      systems: scope === "local" ? ["github"] : systems,
+      skipUnavailable: scope === "local" ? true : skipUnavailable
+    });
+    summary.bootstrapSystemsByScope[scope] = selection;
+    const strictUnavailable = selection.unavailable.filter(
+      (status) => !selection.skipped.some((skipped) => skipped.system === status.system && skipped.reason === status.reason)
+    );
+    if (initializePersistent && strictUnavailable.length > 0) {
+      throw new Error(`Treeseed bootstrap cannot run the selected systems for ${scope}:
+- ${strictUnavailable.map((status) => `${status.system}: ${status.reason}`).join("\n- ")}`);
+    }
+    for (const skipped of selection.skipped) {
+      progress(`[${scope}][${skipped.system}][skip] ${skipped.reason}`);
+    }
+  }
   for (const scope of scopes) {
     const seedValues = scopeSeedValues[scope];
     const suggestedValues = getTreeseedEnvironmentSuggestedValues({
@@ -2413,7 +2524,7 @@ async function finalizeTreeseedConfig({
       tenantConfig: registry.context.tenantConfig,
       plugins: registry.context.plugins
     });
-    summary.validationByScope[scope] = validation;
+    summary.validationByScope[scope] = initializePersistent ? filterValidationForBootstrapSystems(validation, summary.bootstrapSystemsByScope[scope].runnable) : validation;
     if (checkConnections) {
       progress(`Checking provider connectivity for ${scope}...`);
       summary.connectionChecks.push(await checkTreeseedProviderConnections({ tenantRoot, scope, env: seedValues }));
@@ -2436,7 +2547,10 @@ async function finalizeTreeseedConfig({
       summary.validationByScope[scope],
       summary.connectionChecks.find((report) => report.scope === scope)?.checks ?? [],
       scopeSeedValues[scope],
-      { includeReconcileStatus: !initializePersistent }
+      {
+        includeReconcileStatus: initializePersistent && summary.bootstrapSystemsByScope[scope].runnable.some((system) => system !== "github"),
+        systems: summary.bootstrapSystemsByScope[scope].runnable.filter((system) => system !== "github")
+      }
     );
   }
   const invalidScopes = scopes.filter((scope) => summary.validationByScope[scope]?.ok !== true);
@@ -2449,39 +2563,66 @@ async function finalizeTreeseedConfig({
   }
   progress("Syncing managed service settings from treeseed.site.yaml...");
   syncManagedServiceSettingsFromDeployConfig(tenantRoot);
+  const githubSelected = scopes.some((scope) => scope !== "local" && summary.bootstrapSystemsByScope[scope].runnable.includes("github"));
+  let githubRepository = maybeResolveGitHubRepositorySlug(tenantRoot);
+  if (githubSelected && initializePersistent) {
+    const localSeedValues = collectTreeseedConfigSeedValues(tenantRoot, "local", env);
+    const localSuggestedValues = getTreeseedEnvironmentSuggestedValues({
+      scope: "local",
+      purpose: "config",
+      deployConfig: registry.context.deployConfig,
+      tenantConfig: registry.context.tenantConfig,
+      plugins: registry.context.plugins,
+      values: localSeedValues
+    });
+    const repositoryBootstrap = await ensureGitHubBootstrapRepository(tenantRoot, {
+      values: {
+        ...localSuggestedValues,
+        ...localSeedValues
+      },
+      defaultName: registry.context.deployConfig.slug,
+      onProgress: (line) => progress(line)
+    });
+    summary.githubRepository = repositoryBootstrap;
+    githubRepository = repositoryBootstrap.repository;
+  }
   if (initializePersistent) {
     for (const scope of scopes) {
       if (scope === "local") {
         continue;
       }
-      progress(`Deriving desired units for ${scope}...`);
-      const initialized = await reconcileTreeseedTarget({
-        tenantRoot,
-        target: createPersistentDeployTarget(scope),
-        env: scopeSeedValues[scope],
-        write: progress
-      });
-      summary.reconciled.push({
-        scope,
-        target: scope,
-        units: initialized.units.length,
-        actions: initialized.results.map((result) => ({
-          unitId: result.unit.unitId,
-          unitType: result.unit.unitType,
-          provider: result.unit.provider,
-          action: result.action,
-          verified: result.verification?.verified === true,
-          missing: result.verification?.missing ?? [],
-          drifted: result.verification?.drifted ?? []
-        }))
-      });
-      if (scope === "staging") {
-        progress(`Ensuring ${STAGING_BRANCH} exists on origin from ${PRODUCTION_BRANCH}...`);
-        const repository = maybeResolveGitHubRepositorySlug(tenantRoot);
-        if (!repository) {
+      const selection = summary.bootstrapSystemsByScope[scope];
+      const reconcileSystems = selection.runnable.filter((system) => system !== "github");
+      if (reconcileSystems.length > 0) {
+        progress(`[${scope}][bootstrap][plan] Deriving desired units for ${reconcileSystems.join(", ")}...`);
+        const initialized = await reconcileTreeseedTarget({
+          tenantRoot,
+          target: createPersistentDeployTarget(scope),
+          env: scopeSeedValues[scope],
+          systems: reconcileSystems,
+          write: (line) => progress(`[${scope}][reconcile] ${line}`)
+        });
+        summary.reconciled.push({
+          scope,
+          target: scope,
+          units: initialized.units.length,
+          actions: initialized.results.map((result) => ({
+            unitId: result.unit.unitId,
+            unitType: result.unit.unitType,
+            provider: result.unit.provider,
+            action: result.action,
+            verified: result.verification?.verified === true,
+            missing: result.verification?.missing ?? [],
+            drifted: result.verification?.drifted ?? []
+          }))
+        });
+      }
+      if (scope === "staging" && selection.runnable.includes("github")) {
+        progress(`[${scope}][github][branch] Ensuring ${STAGING_BRANCH} exists on origin from ${PRODUCTION_BRANCH}...`);
+        if (!githubRepository) {
           throw new Error("Unable to determine the GitHub repository from the origin remote for staging branch bootstrap.");
         }
-        const branchBootstrap = await ensureGitHubBranchFromBase(repository, STAGING_BRANCH, {
+        const branchBootstrap = await ensureGitHubBranchFromBase(githubRepository, STAGING_BRANCH, {
           baseBranch: PRODUCTION_BRANCH,
           client: createGitHubApiClient({
             env: scopeSeedValues[scope]
@@ -2493,57 +2634,88 @@ async function finalizeTreeseedConfig({
           result: {}
         });
       }
-      progress(`Deploying ${scope}...`);
-      applyTreeseedEnvironmentToProcess({ tenantRoot, scope, override: true });
-      process.env.TREESEED_RAILWAY_WORKSPACE = process.env.TREESEED_RAILWAY_WORKSPACE || scopeSeedValues[scope].TREESEED_RAILWAY_WORKSPACE || resolveRailwayWorkspace(scopeSeedValues[scope]);
-      const { deployProjectPlatform } = await import("./project-platform.js");
-      const deployResult = await deployProjectPlatform({
-        tenantRoot,
-        scope,
-        skipProvision: true
-      });
-      const deployEntry = summary.deployed.find((entry) => entry.scope === scope);
-      if (deployEntry) {
-        deployEntry.result = deployResult;
-      } else {
-        summary.deployed.push({
+      const deploySystems = selection.runnable.filter((system) => system === "data" || system === "web" || system === "api" || system === "agents");
+      if (deploySystems.length > 0) {
+        progress(`[${scope}][bootstrap][deploy] Deploying ${deploySystems.join(", ")}...`);
+        applyTreeseedEnvironmentToProcess({ tenantRoot, scope, override: true });
+        process.env.TREESEED_RAILWAY_WORKSPACE = process.env.TREESEED_RAILWAY_WORKSPACE || scopeSeedValues[scope].TREESEED_RAILWAY_WORKSPACE || resolveRailwayWorkspace(scopeSeedValues[scope]);
+        const { deployProjectPlatform } = await import("./project-platform.js");
+        const deployResult = await deployProjectPlatform({
+          tenantRoot,
           scope,
-          branchBootstrap: null,
-          result: deployResult
+          skipProvision: true,
+          bootstrapSystems: deploySystems,
+          bootstrapExecution,
+          env: scopeSeedValues[scope],
+          write: (line, stream) => progress(line, stream)
         });
+        const deployEntry = summary.deployed.find((entry) => entry.scope === scope);
+        if (deployEntry) {
+          deployEntry.result = deployResult;
+        } else {
+          summary.deployed.push({
+            scope,
+            branchBootstrap: null,
+            result: deployResult
+          });
+        }
+        progress(`[${scope}][bootstrap][verify] Re-verifying after deployment...`);
+        const finalized = await reconcileTreeseedTarget({
+          tenantRoot,
+          target: createPersistentDeployTarget(scope),
+          env: scopeSeedValues[scope],
+          systems: reconcileSystems,
+          write: (line) => progress(`[${scope}][verify] ${line}`)
+        });
+        const index = summary.reconciled.findIndex((entry) => entry.scope === scope);
+        const nextSummary = {
+          scope,
+          target: scope,
+          units: finalized.units.length,
+          actions: finalized.results.map((result) => ({
+            unitId: result.unit.unitId,
+            unitType: result.unit.unitType,
+            provider: result.unit.provider,
+            action: result.action,
+            verified: result.verification?.verified === true,
+            missing: result.verification?.missing ?? [],
+            drifted: result.verification?.drifted ?? []
+          }))
+        };
+        if (index >= 0) {
+          summary.reconciled[index] = nextSummary;
+        } else {
+          summary.reconciled.push(nextSummary);
+        }
       }
-      progress(`Re-verifying ${scope} after deployment...`);
-      const finalized = await reconcileTreeseedTarget({
+    }
+  }
+  if (sync === "github" || sync === "all") {
+    const githubScopes = scopes.filter((scope) => scope !== "local" && summary.bootstrapSystemsByScope[scope].runnable.includes("github"));
+    const syncScope = async (scope) => {
+      progress(`[${scope}][github][sync] Syncing GitHub environment...`);
+      return await syncTreeseedGitHubEnvironment({
         tenantRoot,
-        target: createPersistentDeployTarget(scope),
-        env: scopeSeedValues[scope],
-        write: progress
-      });
-      const index = summary.reconciled.findIndex((entry) => entry.scope === scope);
-      const nextSummary = {
         scope,
-        target: scope,
-        units: finalized.units.length,
-        actions: finalized.results.map((result) => ({
-          unitId: result.unit.unitId,
-          unitType: result.unit.unitType,
-          provider: result.unit.provider,
-          action: result.action,
-          verified: result.verification?.verified === true,
-          missing: result.verification?.missing ?? [],
-          drifted: result.verification?.drifted ?? []
-        }))
-      };
-      if (index >= 0) {
-        summary.reconciled[index] = nextSummary;
-      } else {
-        summary.reconciled.push(nextSummary);
+        repository: githubRepository,
+        execution: bootstrapExecution,
+        onProgress: progress
+      });
+    };
+    const githubResults = [];
+    if (bootstrapExecution === "sequential") {
+      for (const scope of githubScopes) {
+        githubResults.push(await syncScope(scope));
       }
+    } else {
+      githubResults.push(...await Promise.all(githubScopes.map((scope) => syncScope(scope))));
     }
-  }
-  if (sync === "github" || sync === "all") {
-    progress(`Syncing GitHub environment for ${scopes.at(-1) ?? "prod"}...`);
-    summary.synced.github = await syncTreeseedGitHubEnvironment({ tenantRoot, scope: scopes.at(-1) ?? "prod" });
+    summary.synced.github = {
+      scopes: githubResults,
+      repository: githubResults[0]?.repository ?? githubRepository ?? maybeResolveGitHubRepositorySlug(tenantRoot),
+      secrets: githubResults.flatMap((entry) => entry.secrets),
+      variables: githubResults.flatMap((entry) => entry.variables)
+    };
   }
   for (const scope of scopes) {
     const reconciled = summary.reconciled.find((entry) => entry.scope === scope) ?? null;
@@ -2557,7 +2729,11 @@ async function finalizeTreeseedConfig({
       scope,
       summary.validationByScope[scope],
       summary.connectionChecks.find((report) => report.scope === scope)?.checks ?? [],
-      env
+      scopeSeedValues[scope],
+      {
+        includeReconcileStatus: initializePersistent && summary.bootstrapSystemsByScope[scope].runnable.some((system) => system !== "github"),
+        systems: summary.bootstrapSystemsByScope[scope].runnable.filter((system) => system !== "github")
+      }
     );
   }
   return summary;

package/dist/operations/services/github-api.d.ts

@@ -63,18 +63,52 @@ export declare function listGitHubRepositoryVariableNames(repository: string | {
 }, { client }?: {
     client?: GitHubApiClient;
 }): Promise<Set<string>>;
+export declare function ensureGitHubActionsEnvironment(repository: string | {
+    owner: string;
+    name: string;
+}, environmentName: string, { client, branchName, }?: {
+    client?: GitHubApiClient;
+    branchName?: string | null;
+}): Promise<{
+    repository: string;
+    environment: string;
+}>;
+export declare function listGitHubEnvironmentSecretNames(repository: string | {
+    owner: string;
+    name: string;
+}, environmentName: string, { client }?: {
+    client?: GitHubApiClient;
+}): Promise<Set<string>>;
+export declare function listGitHubEnvironmentVariableNames(repository: string | {
+    owner: string;
+    name: string;
+}, environmentName: string, { client }?: {
+    client?: GitHubApiClient;
+}): Promise<Set<string>>;
 export declare function upsertGitHubRepositorySecret(repository: string | {
     owner: string;
     name: string;
 }, name: string, value: string, { client }?: {
     client?: GitHubApiClient;
 }): Promise<void>;
+export declare function upsertGitHubEnvironmentSecret(repository: string | {
+    owner: string;
+    name: string;
+}, environmentName: string, name: string, value: string, { client }?: {
+    client?: GitHubApiClient;
+}): Promise<void>;
 export declare function upsertGitHubRepositoryVariable(repository: string | {
     owner: string;
     name: string;
 }, name: string, value: string, { client }?: {
     client?: GitHubApiClient;
 }): Promise<void>;
+export declare function upsertGitHubEnvironmentVariable(repository: string | {
+    owner: string;
+    name: string;
+}, environmentName: string, name: string, value: string, { client }?: {
+    client?: GitHubApiClient;
+}): Promise<void>;
 export declare function upsertGitHubRepositoryVariableWithGhCli(repository: string | {
     owner: string;
     name: string;