@treeseed/sdk 0.6.1 → 0.6.3

package/dist/platform/env.yaml

@@ -23,6 +23,70 @@ entries:
     sourcePriority:
       - machine-config
       - process-env
+  TREESEED_GITHUB_OWNER:
+    label: GitHub repository owner
+    group: github
+    description: GitHub user or organization that owns the Treeseed repository used for bootstrap, CI/CD, and environment sync.
+    howToGet: Treeseed suggests this from the origin remote when available. Otherwise enter the GitHub user or organization that should own the repository.
+    sensitivity: plain
+    targets:
+      - local-runtime
+    scopes:
+      - local
+    storage: scoped
+    requirement: required
+    purposes:
+      - config
+    validation:
+      kind: nonempty
+    sourcePriority:
+      - machine-config
+      - process-env
+    defaultValueRef: githubOwnerDefault
+  TREESEED_GITHUB_REPOSITORY_NAME:
+    label: GitHub repository name
+    group: github
+    description: GitHub repository name Treeseed should verify or create before GitHub bootstrap.
+    howToGet: Treeseed suggests this from the origin remote when available and otherwise defaults it from the site slug.
+    sensitivity: plain
+    targets:
+      - local-runtime
+    scopes:
+      - local
+    storage: scoped
+    requirement: required
+    purposes:
+      - config
+    validation:
+      kind: nonempty
+    sourcePriority:
+      - machine-config
+      - process-env
+    defaultValueRef: githubRepositoryNameDefault
+  TREESEED_GITHUB_REPOSITORY_VISIBILITY:
+    label: GitHub repository visibility
+    group: github
+    description: Visibility to use if Treeseed needs to create the GitHub repository during bootstrap.
+    howToGet: Choose private, public, or internal. Treeseed defaults new repositories to private.
+    sensitivity: plain
+    targets:
+      - local-runtime
+    scopes:
+      - local
+    storage: scoped
+    requirement: optional
+    purposes:
+      - config
+    validation:
+      kind: enum
+      values:
+        - private
+        - public
+        - internal
+    sourcePriority:
+      - machine-config
+      - process-env
+    defaultValueRef: githubRepositoryVisibilityDefault
   CLOUDFLARE_API_TOKEN:
     label: Cloudflare API token
     group: auth
@@ -33,7 +97,6 @@ entries:
       - local-runtime
       - github-secret
     scopes:
-      - local
       - staging
       - prod
     storage: shared
@@ -53,13 +116,13 @@ entries:
     label: Railway API token
     group: auth
     description: Primary Railway token for user or workspace scoped access, including project creation and most Treeseed-managed Railway flows.
-    howToGet: In Railway, create a user or workspace API token that can create and manage the target project, then paste it here. Treeseed also accepts the legacy alias RAILWAY_API_KEY from process env.
+    howToGet: In Railway, create a user or workspace API token that can create and manage the target project, then paste it here.
     sensitivity: secret
     targets:
       - local-runtime
+      - github-secret
       - railway-secret
     scopes:
-      - local
       - staging
       - prod
     storage: shared
@@ -83,10 +146,8 @@ entries:
     howToGet: In Railway, use the workspace slug or name shown in the workspace switcher. Treeseed defaults this repository to knowledge-coop unless you override it here.
     sensitivity: plain
     targets:
-      - local-runtime
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: shared
@@ -108,9 +169,9 @@ entries:
     group: cloudflare
     description: Identifies the Cloudflare account Treeseed should provision and deploy into.
     howToGet: In the Cloudflare dashboard, open Workers & Pages or Account Home and copy the account ID.
+    startupProfile: core
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - config-file
     scopes:
@@ -251,12 +312,10 @@ entries:
     howToGet: Treeseed can derive this from the hosting block in treeseed.site.yaml. Override it only when the runtime environment must force a different deployment profile.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
       - config-file
     scopes:
-      - local
       - staging
       - prod
     storage: shared
@@ -282,12 +341,10 @@ entries:
     howToGet: Treeseed can derive this from the hosting block in treeseed.site.yaml.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
       - config-file
     scopes:
-      - local
       - staging
       - prod
     storage: shared
@@ -312,17 +369,14 @@ entries:
     howToGet: Use the hosted market API URL if Treeseed manages the project for you. Self-hosted deployments should only set this when registration with the market control plane is enabled.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: shared
     requirement: conditional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -341,17 +395,14 @@ entries:
     howToGet: Treeseed defaults this to the site slug unless you need a different hosted team identifier.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: shared
     requirement: conditional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -369,17 +420,14 @@ entries:
     howToGet: Treeseed defaults this to the site slug unless you need a different hosted project identifier.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: shared
     requirement: conditional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -397,17 +445,14 @@ entries:
     howToGet: Generate or rotate this token from the market control plane after connecting a project environment.
     sensitivity: secret
     targets:
-      - local-runtime
       - github-secret
       - railway-secret
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: conditional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -423,17 +468,14 @@ entries:
     howToGet: Set this to 0 for scale-to-zero by default unless the project requires warm workers.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: conditional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -450,17 +492,14 @@ entries:
     howToGet: Choose a value that reflects your budget and expected concurrency ceiling.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: conditional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -477,17 +516,14 @@ entries:
     howToGet: Start with 1 for conservative scaling, then raise it only after observing stable worker latency.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: conditional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -504,17 +540,14 @@ entries:
     howToGet: Start with 60 seconds to prevent worker thrash in lightly bursty environments.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: conditional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -531,17 +564,14 @@ entries:
     howToGet: Use the project team's operating timezone, such as America/New_York.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -557,17 +587,14 @@ entries:
     howToGet: Provide a JSON value like [{"days":[1,2,3,4,5],"startTime":"09:00","endTime":"17:00"}].
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -583,17 +610,14 @@ entries:
     howToGet: Choose the daily throughput ceiling that matches the team's Copilot and infrastructure budget.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -609,17 +633,14 @@ entries:
     howToGet: Start small so queue top-ups stay budget-aware and incremental.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -635,17 +656,14 @@ entries:
     howToGet: Set this lower than or equal to the daily task-credit budget.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -661,17 +679,14 @@ entries:
     howToGet: Leave unset to use the default objective/question/note/page/book/knowledge set.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -687,17 +702,14 @@ entries:
     howToGet: Provide a JSON value such as [{"type":"question","credits":3}].
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -713,17 +725,14 @@ entries:
     howToGet: Set this to railway for hosted projects or noop/manual for self-hosted environments without automatic scale control.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -739,21 +748,19 @@ entries:
   TREESEED_RAILWAY_PROJECT_ID:
     label: Railway project ID
     group: hosting
+    visibility: system
     description: Railway project identifier used by runtime scaling and reconciliation helpers for the active environment.
     howToGet: Copy the project ID from Railway when automatic worker scaling is enabled.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -764,21 +771,19 @@ entries:
   TREESEED_RAILWAY_ENVIRONMENT_ID:
     label: Railway environment ID
     group: hosting
+    visibility: system
     description: Railway environment identifier used by the runtime scaler when adjusting worker replicas.
     howToGet: Copy the environment ID from Railway for the matching staging or production environment.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -789,21 +794,19 @@ entries:
   TREESEED_RAILWAY_WORKER_SERVICE_ID:
     label: Railway worker service ID
     group: hosting
+    visibility: system
     description: Railway service identifier for the scalable worker pool that the manager adjusts at runtime.
     howToGet: Copy the worker service ID from Railway after the hosted project environment is provisioned.
     sensitivity: plain
     targets:
-      - local-runtime
       - github-variable
       - railway-var
     scopes:
-      - local
       - staging
       - prod
     storage: scoped
     requirement: optional
     purposes:
-      - dev
       - deploy
       - config
     validation:
@@ -842,6 +845,7 @@ entries:
       - process-env
     defaultValueRef: generatedSecret
     localDefaultValueRef: generatedSecret
+    relevanceRef: formsEnabled
   TREESEED_PUBLIC_TURNSTILE_SITE_KEY:
     label: Turnstile site key
     group: forms
@@ -850,18 +854,14 @@ entries:
     howToGet: Create a Turnstile widget in Cloudflare Turnstile and copy the site key.
     sensitivity: plain
     targets:
-      - local-runtime
-      - local-cloudflare
       - github-variable
       - cloudflare-var
     scopes:
-      - local
       - staging
       - prod
     storage: shared
     requirement: conditional
     purposes:
-      - dev
       - save
       - deploy
       - config
@@ -880,18 +880,14 @@ entries:
     howToGet: Create a Turnstile widget in Cloudflare Turnstile and copy the secret key.
     sensitivity: secret
     targets:
-      - local-runtime
-      - local-cloudflare
       - github-secret
       - cloudflare-secret
     scopes:
-      - local
       - staging
       - prod
     storage: shared
     requirement: conditional
     purposes:
-      - dev
       - save
       - deploy
       - config
@@ -902,27 +898,6 @@ entries:
       - process-env
     relevanceRef: turnstileEnabled
     requiredWhenRef: turnstileNonLocal
-  TREESEED_PUBLIC_FORMS_LOCAL_BYPASS_TURNSTILE:
-    label: Local Turnstile bypass
-    group: local-development
-    description: Lets contributors edit content and exercise forms locally without a live Turnstile widget.
-    howToGet: Treeseed defaults this to true for local development. You can switch it off if you want to test with real Turnstile keys locally.
-    sensitivity: plain
-    targets:
-      - local-runtime
-      - local-cloudflare
-    scopes:
-      - local
-    requirement: optional
-    purposes:
-      - dev
-      - config
-    validation:
-      kind: boolean
-    sourcePriority:
-      - machine-config
-      - process-env
-    localDefaultValueRef: localFormsBypassDefault
   TREESEED_SMTP_HOST:
     label: SMTP host
     group: smtp

package/dist/platform/environment.d.ts

@@ -7,6 +7,7 @@ export declare const TREESEED_ENVIRONMENT_PURPOSES: readonly ["dev", "save", "de
 export declare const TREESEED_ENVIRONMENT_SENSITIVITY: readonly ["secret", "plain", "derived"];
 export declare const TREESEED_ENVIRONMENT_STORAGE: readonly ["scoped", "shared"];
 export declare const TREESEED_CONFIG_STARTUP_PROFILES: readonly ["core", "optional", "advanced"];
+export declare const TREESEED_ENVIRONMENT_VISIBILITY: readonly ["user", "system"];
 export type TreeseedEnvironmentScope = (typeof TREESEED_ENVIRONMENT_SCOPES)[number];
 export type TreeseedEnvironmentRequirement = (typeof TREESEED_ENVIRONMENT_REQUIREMENTS)[number];
 export type TreeseedEnvironmentTarget = (typeof TREESEED_ENVIRONMENT_TARGETS)[number];
@@ -14,6 +15,7 @@ export type TreeseedEnvironmentPurpose = (typeof TREESEED_ENVIRONMENT_PURPOSES)[
 export type TreeseedEnvironmentSensitivity = (typeof TREESEED_ENVIRONMENT_SENSITIVITY)[number];
 export type TreeseedEnvironmentStorage = (typeof TREESEED_ENVIRONMENT_STORAGE)[number];
 export type TreeseedConfigStartupProfile = (typeof TREESEED_CONFIG_STARTUP_PROFILES)[number];
+export type TreeseedEnvironmentVisibility = (typeof TREESEED_ENVIRONMENT_VISIBILITY)[number];
 export type TreeseedEnvironmentValidation = {
     kind: 'string' | 'nonempty' | 'url' | 'email';
     minLength?: number;
@@ -68,6 +70,7 @@ export type TreeseedEnvironmentEntry = {
     cluster?: string;
     onboardingFeature?: string;
     startupProfile?: TreeseedConfigStartupProfile;
+    visibility?: TreeseedEnvironmentVisibility;
     description: string;
     howToGet: string;
     sensitivity: TreeseedEnvironmentSensitivity;
@@ -87,6 +90,7 @@ export type TreeseedEnvironmentEntryYaml = Omit<TreeseedEnvironmentEntry, 'id' |
     cluster?: string;
     onboardingFeature?: string;
     startupProfile?: TreeseedConfigStartupProfile;
+    visibility?: TreeseedEnvironmentVisibility;
     defaultValueRef?: string;
     localDefaultValueRef?: string;
     relevanceRef?: string;

package/dist/platform/environment.js

@@ -1,4 +1,5 @@
 import { randomBytes } from "node:crypto";
+import { spawnSync } from "node:child_process";
 import { existsSync, readFileSync } from "node:fs";
 import { dirname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -23,6 +24,7 @@ const TREESEED_ENVIRONMENT_PURPOSES = ["dev", "save", "deploy", "destroy", "conf
 const TREESEED_ENVIRONMENT_SENSITIVITY = ["secret", "plain", "derived"];
 const TREESEED_ENVIRONMENT_STORAGE = ["scoped", "shared"];
 const TREESEED_CONFIG_STARTUP_PROFILES = ["core", "optional", "advanced"];
+const TREESEED_ENVIRONMENT_VISIBILITY = ["user", "system"];
 const moduleDir = dirname(fileURLToPath(import.meta.url));
 function resolveCoreEnvironmentPath() {
   const candidates = [
@@ -47,6 +49,21 @@ function turnstileEnabled(context) {
 function smtpEnabled(context) {
   return context.deployConfig.smtp?.enabled === true;
 }
+function platformSurfaceEnabled(context, surface) {
+  return context.deployConfig.surfaces?.[surface]?.enabled !== false;
+}
+function managedServiceEnabled(context, service) {
+  return context.deployConfig.services?.[service]?.enabled !== false;
+}
+function webSurfaceEnabled(context) {
+  return platformSurfaceEnabled(context, "web");
+}
+function apiSurfaceEnabled(context) {
+  return platformSurfaceEnabled(context, "api") && managedServiceEnabled(context, "api");
+}
+function formsEnabled(context) {
+  return webSurfaceEnabled(context) && (context.deployConfig.providers?.forms ?? "store_only") !== "none";
+}
 function railwayManagedEnabled(context) {
   if (context.deployConfig.runtime?.mode === "treeseed_managed") {
     return true;
@@ -183,6 +200,35 @@ function resolveHostedProjectId(context) {
 function resolveRailwayWorkspaceDefault() {
   return "knowledge-coop";
 }
+function parseGitHubRepositorySlugFromRemote(remoteUrl) {
+  const normalized = String(remoteUrl ?? "").trim();
+  const sshMatch = normalized.match(/^git@github\.com:([^/]+)\/(.+?)(?:\.git)?$/u);
+  if (sshMatch) {
+    return { owner: sshMatch[1], name: sshMatch[2] };
+  }
+  const httpsMatch = normalized.match(/^https:\/\/github\.com\/([^/]+)\/(.+?)(?:\.git)?$/u);
+  if (httpsMatch) {
+    return { owner: httpsMatch[1], name: httpsMatch[2] };
+  }
+  return null;
+}
+function resolveGitHubOriginRepository(context) {
+  const result = spawnSync("git", ["remote", "get-url", "origin"], {
+    cwd: context.tenantRoot,
+    stdio: "pipe",
+    encoding: "utf8"
+  });
+  if (result.status !== 0) {
+    return null;
+  }
+  return parseGitHubRepositorySlugFromRemote(result.stdout);
+}
+function resolveGitHubOwnerDefault(context) {
+  return resolveGitHubOriginRepository(context)?.owner;
+}
+function resolveGitHubRepositoryNameDefault(context) {
+  return resolveGitHubOriginRepository(context)?.name || context.deployConfig.slug;
+}
 const VALUE_RESOLVERS = {
   generatedSecret: () => generatedSecret(),
   localFormsBypassDefault: () => "true",
@@ -206,6 +252,9 @@ const VALUE_RESOLVERS = {
   hostingTeamIdDefault: (context) => resolveHostedTeamId(context),
   hostingProjectIdDefault: (context) => resolveHostedProjectId(context),
   railwayWorkspaceDefault: () => resolveRailwayWorkspaceDefault(),
+  githubOwnerDefault: (context) => resolveGitHubOwnerDefault(context),
+  githubRepositoryNameDefault: (context) => resolveGitHubRepositoryNameDefault(context),
+  githubRepositoryVisibilityDefault: () => "private",
   agentPoolMinWorkersDefault: () => "0",
   agentPoolMaxWorkersDefault: () => "2",
   agentPoolTargetQueueDepthDefault: () => "1",
@@ -224,6 +273,9 @@ const PREDICATES = {
   turnstileNonLocal: (context, scope) => turnstileEnabled(context) && scope !== "local",
   smtpEnabled: (context) => smtpEnabled(context),
   smtpNonLocal: (context, scope) => smtpEnabled(context) && scope !== "local",
+  webSurfaceEnabled: (context) => webSurfaceEnabled(context),
+  apiSurfaceEnabled: (context) => apiSurfaceEnabled(context),
+  formsEnabled: (context) => formsEnabled(context),
   railwayManagedEnabled: (context) => railwayManagedEnabled(context),
   hubTreeseedHosted: (context) => resolveHubMode(context) === "treeseed_hosted",
   hubCustomerHosted: (context) => resolveHubMode(context) === "customer_hosted",
@@ -316,6 +368,7 @@ function materializeEntry(id, entry) {
     id,
     cluster: entry.cluster ?? `${entry.group}:${id}`,
     onboardingFeature: entry.onboardingFeature,
+    visibility: entry.visibility ?? "user",
     startupProfile: entry.startupProfile ?? (entry.onboardingFeature ? "optional" : entry.group === "auth" || entry.id === "TREESEED_FORM_TOKEN_SECRET" || entry.group === "local-development" ? "core" : "advanced"),
     storage: entry.storage ?? "scoped",
     defaultValue: resolveNamedValueResolver(entry.defaultValueRef),
@@ -527,6 +580,7 @@ export {
   TREESEED_ENVIRONMENT_SENSITIVITY,
   TREESEED_ENVIRONMENT_STORAGE,
   TREESEED_ENVIRONMENT_TARGETS,
+  TREESEED_ENVIRONMENT_VISIBILITY,
   getTreeseedEnvironmentSuggestedValues,
   isTreeseedEnvironmentEntryRelevant,
   isTreeseedEnvironmentEntryRequired,