@treeseed/sdk 0.6.2 → 0.6.4

package/dist/operations/services/config-runtime.js

@@ -1444,9 +1444,17 @@ function resolveTreeseedLaunchEnvironment({
   overrides = {}
 }) {
   warnDeprecatedTreeseedLocalEnvFiles(tenantRoot);
+  let machineValues = {};
+  try {
+    machineValues = resolveTreeseedMachineEnvironmentValues(tenantRoot, scope);
+  } catch (error) {
+    if (!(error instanceof TreeseedKeyAgentError)) {
+      throw error;
+    }
+  }
+  const scopedValues = scope === "local" ? { ...baseEnv, ...machineValues } : { ...machineValues, ...baseEnv };
   return {
-    ...baseEnv,
-    ...resolveTreeseedMachineEnvironmentValues(tenantRoot, scope),
+    ...scopedValues,
     ...overrides
   };
 }
@@ -1467,7 +1475,7 @@ function formatTreeseedConfigEnvironmentReport({ tenantRoot, scope, env = proces
 function applyTreeseedEnvironmentToProcess({ tenantRoot, scope, override = false }) {
   let resolvedValues = {};
   try {
-    resolvedValues = resolveTreeseedLaunchEnvironment({ tenantRoot, scope, baseEnv: {} });
+    resolvedValues = resolveTreeseedLaunchEnvironment({ tenantRoot, scope });
   } catch (error) {
     if (!(error instanceof TreeseedKeyAgentError)) {
       throw error;
@@ -1893,10 +1901,14 @@ async function syncTreeseedGitHubEnvironment({
   } : {};
   const githubClient = createGitHubApiClient({ env: ghEnv });
   const environment = scope === "prod" ? "production" : scope;
+  const deploymentBranch = scope === "prod" ? PRODUCTION_BRANCH : scope === "staging" ? STAGING_BRANCH : null;
   const progress = (message, stream = "stdout") => onProgress?.(message, stream);
   if (!dryRun) {
     progress(`[${scope}][github][environment] Ensuring GitHub environment ${environment} exists...`);
-    await ensureGitHubActionsEnvironment(repository, environment, { client: githubClient });
+    await ensureGitHubActionsEnvironment(repository, environment, {
+      client: githubClient,
+      branchName: deploymentBranch
+    });
   }
   progress(`[${scope}][github][sync] Loading existing GitHub secrets and variables...`);
   const [secretNames, variableNames] = dryRun ? [/* @__PURE__ */ new Set(), /* @__PURE__ */ new Set()] : await Promise.all([
@@ -1913,10 +1925,9 @@ async function syncTreeseedGitHubEnvironment({
     if (!value) {
       continue;
     }
-    if (entry.targets.includes("github-secret")) {
+    if (entry.sensitivity === "secret") {
       items.push({ kind: "secret", name: entry.id, value, existed: secretNames.has(entry.id) });
-    }
-    if (entry.targets.includes("github-variable")) {
+    } else {
       items.push({ kind: "variable", name: entry.id, value, existed: variableNames.has(entry.id) });
     }
   }
@@ -2245,7 +2256,7 @@ function configGroupRank(group) {
 }
 function listRelevantTreeseedConfigEntries(registry, scope) {
   return registry.entries.filter(
-    (entry) => entry.scopes.includes(scope) && (!entry.isRelevant || entry.isRelevant(registry.context, scope, "config") || Boolean(entry.onboardingFeature))
+    (entry) => entry.visibility !== "system" && entry.scopes.includes(scope) && (!entry.isRelevant || entry.isRelevant(registry.context, scope, "config") || Boolean(entry.onboardingFeature))
   ).sort((left, right) => {
     const leftRequired = isTreeseedEnvironmentEntryRequired(left, registry.context, scope, "config");
     const rightRequired = isTreeseedEnvironmentEntryRequired(right, registry.context, scope, "config");

package/dist/operations/services/github-api.d.ts

@@ -66,8 +66,9 @@ export declare function listGitHubRepositoryVariableNames(repository: string | {
 export declare function ensureGitHubActionsEnvironment(repository: string | {
     owner: string;
     name: string;
-}, environmentName: string, { client }?: {
+}, environmentName: string, { client, branchName, }?: {
     client?: GitHubApiClient;
+    branchName?: string | null;
 }): Promise<{
     repository: string;
     environment: string;

package/dist/operations/services/github-api.js

@@ -220,19 +220,88 @@ async function listGitHubRepositoryVariableNames(repository, { client = createGi
     throw normalizeGitHubApiError(error, `Unable to list GitHub variables for ${owner}/${name}`);
   }
 }
-async function ensureGitHubActionsEnvironment(repository, environmentName, { client = createGitHubApiClient() } = {}) {
+async function ensureGitHubActionsEnvironment(repository, environmentName, {
+  client = createGitHubApiClient(),
+  branchName
+} = {}) {
   const { owner, name: repo } = typeof repository === "string" ? parseGitHubRepositorySlug(repository) : repository;
   try {
     await withGitHubApiRetries(() => client.request("PUT /repos/{owner}/{repo}/environments/{environment_name}", {
       owner,
       repo,
-      environment_name: environmentName
+      environment_name: environmentName,
+      ...branchName ? {
+        deployment_branch_policy: {
+          protected_branches: false,
+          custom_branch_policies: true
+        }
+      } : {}
     }));
+    if (branchName) {
+      await ensureGitHubEnvironmentBranchPolicy(client, {
+        owner,
+        repo,
+        environmentName,
+        branchName
+      });
+    }
     return { repository: `${owner}/${repo}`, environment: environmentName };
   } catch (error) {
     throw normalizeGitHubApiError(error, `Unable to ensure GitHub environment ${environmentName} for ${owner}/${repo}`);
   }
 }
+async function ensureGitHubEnvironmentBranchPolicy(client, {
+  owner,
+  repo,
+  environmentName,
+  branchName
+}) {
+  const response = await withGitHubApiRetries(() => client.request(
+    "GET /repos/{owner}/{repo}/environments/{environment_name}/deployment-branch-policies",
+    {
+      owner,
+      repo,
+      environment_name: environmentName,
+      per_page: 100
+    }
+  ));
+  const policies = Array.isArray(response.data?.branch_policies) ? response.data.branch_policies : [];
+  const desired = policies.find((policy) => policy.name === branchName && (policy.type ?? "branch") === "branch");
+  for (const policy of policies) {
+    if (!policy.id || policy.name === branchName && (policy.type ?? "branch") === "branch") {
+      continue;
+    }
+    await withGitHubApiRetries(() => client.request(
+      "DELETE /repos/{owner}/{repo}/environments/{environment_name}/deployment-branch-policies/{branch_policy_id}",
+      {
+        owner,
+        repo,
+        environment_name: environmentName,
+        branch_policy_id: policy.id
+      }
+    ));
+  }
+  if (desired) {
+    return;
+  }
+  try {
+    await withGitHubApiRetries(() => client.request(
+      "POST /repos/{owner}/{repo}/environments/{environment_name}/deployment-branch-policies",
+      {
+        owner,
+        repo,
+        environment_name: environmentName,
+        name: branchName,
+        type: "branch"
+      }
+    ));
+  } catch (error) {
+    if (error && typeof error === "object" && error.status === 303) {
+      return;
+    }
+    throw error;
+  }
+}
 async function paginateGitHubEnvironmentNames(client, route, params) {
   const paginate = client.paginate;
   return await paginateNames(() => paginate(route, {

package/dist/operations/services/project-platform.js

@@ -12,7 +12,7 @@ import {
   signEditorialPreviewToken
 } from "../../platform/published-content.js";
 import { createPublishedContentPipeline } from "../../platform/published-content-pipeline.js";
-import { collectTreeseedReconcileStatus, reconcileTreeseedTarget } from "../../reconcile/index.js";
+import { collectTreeseedReconcileStatus, reconcileTreeseedTarget, resolveTreeseedBootstrapSelection } from "../../reconcile/index.js";
 import { loadTreeseedManifest } from "../../platform/tenant-config.js";
 import { applyTreeseedEnvironmentToProcess } from "./config-runtime.js";
 import {
@@ -40,6 +40,7 @@ import { loadCliDeployConfig, packageScriptPath, resolveWranglerBin } from "./ru
 import { CloudflareQueuePullClient, CloudflareQueuePushClient } from "../../remote.js";
 import { runPrefixedCommand, runTreeseedBootstrapDag, sleep, writeTreeseedBootstrapLine } from "./bootstrap-runner.js";
 import { runTenantDeployPreflight } from "./save-deploy-preflight.js";
+const PROJECT_PLATFORM_BOOTSTRAP_SYSTEMS = ["data", "web", "api", "agents"];
 function stableHash(value) {
   return createHash("sha256").update(value).digest("hex");
 }
@@ -90,6 +91,30 @@ function runNodeScript(tenantRoot, scriptName, scriptArgs = []) {
     throw new Error(`${scriptName} failed.`);
   }
 }
+function resolveProjectPlatformBootstrapSystems(options, siteConfig = loadCliDeployConfig(options.tenantRoot)) {
+  if (options.bootstrapSystems && options.bootstrapSystems.length > 0) {
+    return [...options.bootstrapSystems];
+  }
+  const selection = resolveTreeseedBootstrapSelection({
+    deployConfig: siteConfig,
+    env: { ...process.env, ...options.env ?? {} },
+    systems: PROJECT_PLATFORM_BOOTSTRAP_SYSTEMS,
+    skipUnavailable: true
+  });
+  for (const skipped of selection.skipped) {
+    writeTreeseedBootstrapLine(
+      options.write,
+      {
+        scope: options.scope,
+        system: skipped.system,
+        task: "availability",
+        stage: "skip"
+      },
+      skipped.reason
+    );
+  }
+  return selection.runnable.filter((system) => system !== "github");
+}
 function runWrangler(tenantRoot, args, extraEnv = {}, options = {}) {
   const result = spawnSync(process.execPath, [resolveWranglerBin(), ...args], {
     cwd: tenantRoot,
@@ -818,18 +843,24 @@ async function provisionProjectPlatform(options) {
   const reporter = resolveReporter(options.tenantRoot, options.reporter);
   const target = createPersistentDeployTarget(options.scope === "local" ? "staging" : options.scope);
   const siteConfig = loadCliDeployConfig(options.tenantRoot);
+  const bootstrapSystems = resolveProjectPlatformBootstrapSystems(options, siteConfig);
+  const selectedSystems = new Set(bootstrapSystems);
+  const env = { ...process.env, ...options.env ?? {} };
   const summary = await reconcileTreeseedTarget({
     tenantRoot: options.tenantRoot,
     target,
-    env: process.env
+    env,
+    systems: bootstrapSystems
   });
   const verification = await collectTreeseedReconcileStatus({
     tenantRoot: options.tenantRoot,
     target,
-    env: process.env
+    env,
+    systems: bootstrapSystems
   });
   ensureGeneratedWranglerConfig(options.tenantRoot, { target });
-  const railwayValidation = options.scope === "local" ? validateRailwayServiceConfiguration(options.tenantRoot, options.scope) : validateRailwayDeployPrerequisites(options.tenantRoot, options.scope);
+  const shouldValidateRailway = selectedSystems.has("api") || selectedSystems.has("agents");
+  const railwayValidation = shouldValidateRailway ? options.scope === "local" ? validateRailwayServiceConfiguration(options.tenantRoot, options.scope) : validateRailwayDeployPrerequisites(options.tenantRoot, options.scope, { env }) : { services: [] };
   const railwaySchedules = [];
   const railwayScheduleVerification = {
     ok: true,
@@ -969,7 +1000,8 @@ async function deployProjectPlatform(options) {
   const reporter = resolveReporter(options.tenantRoot, options.reporter);
   const commitSha = currentCommit(options.tenantRoot);
   const branchName = currentRef(options.tenantRoot);
-  const selectedSystems = new Set(options.bootstrapSystems ?? ["data", "web", "api", "agents"]);
+  const bootstrapSystems = resolveProjectPlatformBootstrapSystems(options);
+  const selectedSystems = new Set(bootstrapSystems);
   const execution = options.bootstrapExecution ?? "parallel";
   const write = options.write;
   const env = { ...process.env, ...options.env ?? {} };
@@ -983,7 +1015,7 @@ async function deployProjectPlatform(options) {
     metadata: { scope: options.scope }
   });
   if (!options.skipProvision) {
-    await provisionProjectPlatform({ ...options, reporter });
+    await provisionProjectPlatform({ ...options, reporter, bootstrapSystems });
   }
   const nodes = [];
   let cloudflareContext = null;

package/dist/platform/env.yaml

@@ -748,6 +748,7 @@ entries:
   TREESEED_RAILWAY_PROJECT_ID:
     label: Railway project ID
     group: hosting
+    visibility: system
     description: Railway project identifier used by runtime scaling and reconciliation helpers for the active environment.
     howToGet: Copy the project ID from Railway when automatic worker scaling is enabled.
     sensitivity: plain
@@ -770,6 +771,7 @@ entries:
   TREESEED_RAILWAY_ENVIRONMENT_ID:
     label: Railway environment ID
     group: hosting
+    visibility: system
     description: Railway environment identifier used by the runtime scaler when adjusting worker replicas.
     howToGet: Copy the environment ID from Railway for the matching staging or production environment.
     sensitivity: plain
@@ -792,6 +794,7 @@ entries:
   TREESEED_RAILWAY_WORKER_SERVICE_ID:
     label: Railway worker service ID
     group: hosting
+    visibility: system
     description: Railway service identifier for the scalable worker pool that the manager adjusts at runtime.
     howToGet: Copy the worker service ID from Railway after the hosted project environment is provisioned.
     sensitivity: plain

package/dist/platform/environment.d.ts

@@ -7,6 +7,7 @@ export declare const TREESEED_ENVIRONMENT_PURPOSES: readonly ["dev", "save", "de
 export declare const TREESEED_ENVIRONMENT_SENSITIVITY: readonly ["secret", "plain", "derived"];
 export declare const TREESEED_ENVIRONMENT_STORAGE: readonly ["scoped", "shared"];
 export declare const TREESEED_CONFIG_STARTUP_PROFILES: readonly ["core", "optional", "advanced"];
+export declare const TREESEED_ENVIRONMENT_VISIBILITY: readonly ["user", "system"];
 export type TreeseedEnvironmentScope = (typeof TREESEED_ENVIRONMENT_SCOPES)[number];
 export type TreeseedEnvironmentRequirement = (typeof TREESEED_ENVIRONMENT_REQUIREMENTS)[number];
 export type TreeseedEnvironmentTarget = (typeof TREESEED_ENVIRONMENT_TARGETS)[number];
@@ -14,6 +15,7 @@ export type TreeseedEnvironmentPurpose = (typeof TREESEED_ENVIRONMENT_PURPOSES)[
 export type TreeseedEnvironmentSensitivity = (typeof TREESEED_ENVIRONMENT_SENSITIVITY)[number];
 export type TreeseedEnvironmentStorage = (typeof TREESEED_ENVIRONMENT_STORAGE)[number];
 export type TreeseedConfigStartupProfile = (typeof TREESEED_CONFIG_STARTUP_PROFILES)[number];
+export type TreeseedEnvironmentVisibility = (typeof TREESEED_ENVIRONMENT_VISIBILITY)[number];
 export type TreeseedEnvironmentValidation = {
     kind: 'string' | 'nonempty' | 'url' | 'email';
     minLength?: number;
@@ -68,6 +70,7 @@ export type TreeseedEnvironmentEntry = {
     cluster?: string;
     onboardingFeature?: string;
     startupProfile?: TreeseedConfigStartupProfile;
+    visibility?: TreeseedEnvironmentVisibility;
     description: string;
     howToGet: string;
     sensitivity: TreeseedEnvironmentSensitivity;
@@ -87,6 +90,7 @@ export type TreeseedEnvironmentEntryYaml = Omit<TreeseedEnvironmentEntry, 'id' |
     cluster?: string;
     onboardingFeature?: string;
     startupProfile?: TreeseedConfigStartupProfile;
+    visibility?: TreeseedEnvironmentVisibility;
     defaultValueRef?: string;
     localDefaultValueRef?: string;
     relevanceRef?: string;

package/dist/platform/environment.js

@@ -24,6 +24,7 @@ const TREESEED_ENVIRONMENT_PURPOSES = ["dev", "save", "deploy", "destroy", "conf
 const TREESEED_ENVIRONMENT_SENSITIVITY = ["secret", "plain", "derived"];
 const TREESEED_ENVIRONMENT_STORAGE = ["scoped", "shared"];
 const TREESEED_CONFIG_STARTUP_PROFILES = ["core", "optional", "advanced"];
+const TREESEED_ENVIRONMENT_VISIBILITY = ["user", "system"];
 const moduleDir = dirname(fileURLToPath(import.meta.url));
 function resolveCoreEnvironmentPath() {
   const candidates = [
@@ -367,6 +368,7 @@ function materializeEntry(id, entry) {
     id,
     cluster: entry.cluster ?? `${entry.group}:${id}`,
     onboardingFeature: entry.onboardingFeature,
+    visibility: entry.visibility ?? "user",
     startupProfile: entry.startupProfile ?? (entry.onboardingFeature ? "optional" : entry.group === "auth" || entry.id === "TREESEED_FORM_TOKEN_SECRET" || entry.group === "local-development" ? "core" : "advanced"),
     storage: entry.storage ?? "scoped",
     defaultValue: resolveNamedValueResolver(entry.defaultValueRef),
@@ -578,6 +580,7 @@ export {
   TREESEED_ENVIRONMENT_SENSITIVITY,
   TREESEED_ENVIRONMENT_STORAGE,
   TREESEED_ENVIRONMENT_TARGETS,
+  TREESEED_ENVIRONMENT_VISIBILITY,
   getTreeseedEnvironmentSuggestedValues,
   isTreeseedEnvironmentEntryRelevant,
   isTreeseedEnvironmentEntryRequired,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@treeseed/sdk",
-  "version": "0.6.2",
+  "version": "0.6.4",
   "description": "Shared Treeseed SDK for content-backed and D1-backed object models.",
   "license": "AGPL-3.0-only",
   "repository": {