@treeseed/sdk 0.8.0 → 0.8.2

package/dist/operations/services/hosting-audit.js

@@ -0,0 +1,642 @@
+import net from "node:net";
+import tls from "node:tls";
+import {
+  getTreeseedEnvironmentSuggestedValues,
+  validateTreeseedEnvironmentValues
+} from "../../platform/environment.js";
+import {
+  collectTreeseedConfigSeedValues,
+  collectTreeseedEnvironmentContext,
+  checkTreeseedProviderConnections
+} from "./config-runtime.js";
+import {
+  buildProvisioningSummary,
+  createBranchPreviewDeployTarget,
+  createPersistentDeployTarget,
+  loadDeployState
+} from "./deploy.js";
+import {
+  currentManagedBranch,
+  PRODUCTION_BRANCH,
+  STAGING_BRANCH
+} from "./git-workflow.js";
+import { loadCliDeployConfig } from "./runtime-tools.js";
+import {
+  collectTreeseedReconcileStatus,
+  reconcileTreeseedTarget
+} from "../../reconcile/index.js";
+const HOST_KINDS = ["repository", "web", "processing", "email"];
+const HOST_GROUPS = {
+  repository: /* @__PURE__ */ new Set(["auth", "github"]),
+  web: /* @__PURE__ */ new Set(["auth", "cloudflare", "hosting"]),
+  processing: /* @__PURE__ */ new Set(["auth", "railway", "hosting"]),
+  email: /* @__PURE__ */ new Set(["smtp"])
+};
+function hasValue(value) {
+  return typeof value === "string" && value.trim().length > 0;
+}
+function firstValue(values, keys) {
+  for (const key of keys) {
+    const value = values[key];
+    if (hasValue(value)) {
+      return value;
+    }
+  }
+  return void 0;
+}
+function nonEmptyEnvironmentValues(env = process.env) {
+  return Object.fromEntries(
+    Object.entries(env).filter(([, value]) => typeof value === "string" && value.trim().length > 0).map(([key, value]) => [key, String(value)])
+  );
+}
+function normalizeHostKinds(hostKinds) {
+  const selected = Array.isArray(hostKinds) && hostKinds.length > 0 ? hostKinds : HOST_KINDS;
+  const normalized = selected.map((kind) => String(kind).trim()).filter((kind) => HOST_KINDS.includes(kind));
+  return normalized.length > 0 ? [...new Set(normalized)] : HOST_KINDS;
+}
+function targetLabel(target) {
+  return target.kind === "branch" ? `preview:${target.branchName}` : target.scope;
+}
+function serializeTarget(target) {
+  return {
+    kind: target.kind,
+    ...target.kind === "branch" ? { branchName: target.branchName } : { scope: target.scope },
+    label: targetLabel(target)
+  };
+}
+function resolveTreeseedHostingAuditTarget({
+  tenantRoot,
+  environment = "current"
+}) {
+  if (environment === "local") {
+    return {
+      environment: "local",
+      scope: "local",
+      target: createPersistentDeployTarget("staging"),
+      branchName: null
+    };
+  }
+  if (environment === "staging") {
+    return {
+      environment: "staging",
+      scope: "staging",
+      target: createPersistentDeployTarget("staging"),
+      branchName: null
+    };
+  }
+  if (environment === "prod") {
+    return {
+      environment: "prod",
+      scope: "prod",
+      target: createPersistentDeployTarget("prod"),
+      branchName: null
+    };
+  }
+  const branchName = currentManagedBranch(tenantRoot);
+  if (branchName === PRODUCTION_BRANCH) {
+    return {
+      environment: "prod",
+      scope: "prod",
+      target: createPersistentDeployTarget("prod"),
+      branchName
+    };
+  }
+  if (branchName === STAGING_BRANCH) {
+    return {
+      environment: "staging",
+      scope: "staging",
+      target: createPersistentDeployTarget("staging"),
+      branchName
+    };
+  }
+  if (branchName) {
+    try {
+      const deployConfig = loadCliDeployConfig(tenantRoot);
+      const previewTarget = createBranchPreviewDeployTarget(branchName);
+      const previewState = loadDeployState(tenantRoot, deployConfig, { target: previewTarget });
+      if (previewState?.previewEnabled === true || previewState?.readiness?.initialized === true || hasValue(previewState?.lastDeployedUrl) || hasValue(previewState?.workerName)) {
+        return {
+          environment: "preview",
+          scope: "staging",
+          target: previewTarget,
+          branchName
+        };
+      }
+    } catch {
+    }
+  }
+  return {
+    environment: "staging",
+    scope: "staging",
+    target: createPersistentDeployTarget("staging"),
+    branchName
+  };
+}
+function normalizeAuditValues(values) {
+  const normalized = { ...values };
+  const githubToken = normalized.TREESEED_HOSTED_HUBS_GITHUB_TOKEN;
+  if (githubToken) {
+    normalized.GH_TOKEN = githubToken;
+    normalized.GITHUB_TOKEN = githubToken;
+  }
+  const cloudflareToken = normalized.CLOUDFLARE_API_TOKEN;
+  if (cloudflareToken) {
+    normalized.CLOUDFLARE_API_TOKEN = cloudflareToken;
+  }
+  const cloudflareAccount = normalized.CLOUDFLARE_ACCOUNT_ID;
+  if (cloudflareAccount) {
+    normalized.CLOUDFLARE_ACCOUNT_ID = cloudflareAccount;
+  }
+  const railwayToken = normalized.RAILWAY_API_TOKEN;
+  if (railwayToken) {
+    normalized.RAILWAY_API_TOKEN = railwayToken;
+  }
+  const railwayWorkspace = normalized.TREESEED_RAILWAY_WORKSPACE;
+  if (railwayWorkspace) {
+    normalized.TREESEED_RAILWAY_WORKSPACE = railwayWorkspace;
+  }
+  return normalized;
+}
+function configCheck({
+  id,
+  hostType,
+  provider,
+  status,
+  severity,
+  summary,
+  detail,
+  remediation
+}) {
+  return {
+    id,
+    hostType,
+    provider,
+    category: "config",
+    status,
+    severity,
+    summary,
+    ...detail ? { detail } : {},
+    ...remediation ? { remediation } : {}
+  };
+}
+function requiredKeyCheck(checks, values, {
+  id,
+  hostType,
+  provider,
+  keys,
+  label,
+  remediation
+}) {
+  const configured = firstValue(values, keys);
+  checks.push(configCheck({
+    id,
+    hostType,
+    provider,
+    status: configured ? "passed" : "failed",
+    severity: configured ? "info" : "critical",
+    summary: configured ? `${label} is configured.` : `${label} is missing.`,
+    detail: configured ? void 0 : `Expected one of: ${keys.join(", ")}.`,
+    remediation
+  }));
+}
+function appendManualConfigChecks(checks, values, hostKinds) {
+  if (hostKinds.includes("repository")) {
+    requiredKeyCheck(checks, values, {
+      id: "repository.github.owner",
+      hostType: "repository",
+      provider: "github",
+      keys: ["TREESEED_HOSTED_HUBS_GITHUB_OWNER"],
+      label: "Repository owner or organization",
+      remediation: "Set TREESEED_HOSTED_HUBS_GITHUB_OWNER for TreeSeed-managed hosted repositories."
+    });
+    requiredKeyCheck(checks, values, {
+      id: "repository.github.token",
+      hostType: "repository",
+      provider: "github",
+      keys: ["TREESEED_HOSTED_HUBS_GITHUB_TOKEN"],
+      label: "Repository provider token",
+      remediation: "Set TREESEED_HOSTED_HUBS_GITHUB_TOKEN for TreeSeed-managed hosted repositories, or provide a team-owned Repository Host session."
+    });
+  }
+  if (hostKinds.includes("web")) {
+    requiredKeyCheck(checks, values, {
+      id: "web.cloudflare.token",
+      hostType: "web",
+      provider: "cloudflare",
+      keys: ["CLOUDFLARE_API_TOKEN"],
+      label: "Web provider token",
+      remediation: "Set CLOUDFLARE_API_TOKEN for TreeSeed-managed Web hosting."
+    });
+    requiredKeyCheck(checks, values, {
+      id: "web.cloudflare.account",
+      hostType: "web",
+      provider: "cloudflare",
+      keys: ["CLOUDFLARE_ACCOUNT_ID"],
+      label: "Web provider account",
+      remediation: "Set CLOUDFLARE_ACCOUNT_ID for TreeSeed-managed Web hosting."
+    });
+  }
+  if (hostKinds.includes("processing")) {
+    requiredKeyCheck(checks, values, {
+      id: "processing.railway.token",
+      hostType: "processing",
+      provider: "railway",
+      keys: ["RAILWAY_API_TOKEN"],
+      label: "Processing provider token",
+      remediation: "Set RAILWAY_API_TOKEN for TreeSeed-managed Processing hosting."
+    });
+    requiredKeyCheck(checks, values, {
+      id: "processing.railway.workspace",
+      hostType: "processing",
+      provider: "railway",
+      keys: ["TREESEED_RAILWAY_WORKSPACE"],
+      label: "Processing provider workspace",
+      remediation: "Set TREESEED_RAILWAY_WORKSPACE for TreeSeed-managed Processing hosting."
+    });
+  }
+  if (hostKinds.includes("email")) {
+    requiredKeyCheck(checks, values, {
+      id: "email.smtp.host",
+      hostType: "email",
+      provider: "smtp",
+      keys: ["TREESEED_SMTP_HOST"],
+      label: "Email provider host",
+      remediation: "Set TREESEED_SMTP_HOST or configure a team-owned Email Host session."
+    });
+    requiredKeyCheck(checks, values, {
+      id: "email.smtp.port",
+      hostType: "email",
+      provider: "smtp",
+      keys: ["TREESEED_SMTP_PORT"],
+      label: "Email provider port",
+      remediation: "Set TREESEED_SMTP_PORT or configure a team-owned Email Host session."
+    });
+    requiredKeyCheck(checks, values, {
+      id: "email.smtp.from",
+      hostType: "email",
+      provider: "smtp",
+      keys: ["TREESEED_SMTP_FROM"],
+      label: "Email sender address",
+      remediation: "Set TREESEED_SMTP_FROM to a verified sender address."
+    });
+  }
+}
+function appendRegistryConfigChecks({
+  checks,
+  tenantRoot,
+  scope,
+  values,
+  hostKinds
+}) {
+  const registry = collectTreeseedEnvironmentContext(tenantRoot);
+  const selectedGroups = new Set(hostKinds.flatMap((kind) => [...HOST_GROUPS[kind]]));
+  const validation = validateTreeseedEnvironmentValues({
+    values,
+    scope,
+    purpose: "config",
+    deployConfig: registry.context.deployConfig,
+    tenantConfig: registry.context.tenantConfig,
+    plugins: registry.context.plugins
+  });
+  const selectedProblems = [...validation.missing, ...validation.invalid].filter((problem) => selectedGroups.has(problem.entry.group));
+  for (const problem of selectedProblems) {
+    const hostType = hostKinds.find((kind) => HOST_GROUPS[kind].has(problem.entry.group)) ?? "platform";
+    checks.push(configCheck({
+      id: `config.${problem.id}`,
+      hostType,
+      provider: problem.entry.group,
+      status: "failed",
+      severity: problem.entry.requirement === "optional" ? "warning" : "critical",
+      summary: `${problem.label} is ${problem.reason}.`,
+      detail: problem.message,
+      remediation: problem.entry.howToGet
+    }));
+  }
+  if (selectedProblems.length === 0) {
+    checks.push(configCheck({
+      id: "config.registry",
+      hostType: "platform",
+      provider: "treeseed",
+      status: "passed",
+      severity: "info",
+      summary: "Registered hosting environment values are complete."
+    }));
+  }
+}
+function providerConnectionChecks(report, hostKinds) {
+  const allowedProviders = /* @__PURE__ */ new Set();
+  if (hostKinds.includes("repository")) allowedProviders.add("github");
+  if (hostKinds.includes("web")) allowedProviders.add("cloudflare");
+  if (hostKinds.includes("processing")) allowedProviders.add("railway");
+  return report.checks.filter((check) => allowedProviders.has(check.provider)).map((check) => {
+    const hostType = check.provider === "github" ? "repository" : check.provider === "railway" ? "processing" : "web";
+    return {
+      id: `identity.${check.provider}`,
+      hostType,
+      provider: check.provider,
+      category: "identity",
+      status: check.ready ? "passed" : check.skipped ? "skipped" : "failed",
+      severity: check.ready || check.skipped ? "info" : "critical",
+      summary: check.ready ? `${check.provider} identity check passed.` : check.skipped ? `${check.provider} identity check skipped.` : `${check.provider} identity check failed.`,
+      detail: check.detail,
+      repairAvailable: false,
+      remediation: check.ready ? void 0 : `Confirm ${check.provider} credentials and provider CLI access for this environment.`
+    };
+  });
+}
+function reconcileSystemsForHostKinds(hostKinds) {
+  const systems = /* @__PURE__ */ new Set();
+  if (hostKinds.includes("repository")) systems.add("github");
+  if (hostKinds.includes("web")) {
+    systems.add("data");
+    systems.add("web");
+  }
+  if (hostKinds.includes("processing")) {
+    systems.add("api");
+    systems.add("agents");
+  }
+  return [...systems];
+}
+function reconcileStatusChecks(status, repairedIds = /* @__PURE__ */ new Set()) {
+  const checks = [];
+  for (const unit of status.units) {
+    const hostType = unit.provider === "github" ? "repository" : unit.provider === "railway" ? "processing" : "web";
+    const verified = unit.verification?.verified === true;
+    const id = `resource.${unit.provider}.${unit.unitType}.${unit.unitId}`;
+    const repaired = repairedIds.has(id);
+    checks.push({
+      id,
+      hostType,
+      provider: unit.provider,
+      category: "resource",
+      status: repaired ? "repaired" : verified ? "passed" : "failed",
+      severity: verified || repaired ? "info" : "critical",
+      summary: `${unit.provider}:${unit.unitType} ${verified || repaired ? "is ready" : "is not ready"}.`,
+      detail: [
+        unit.exists === false ? "Resource is missing." : null,
+        unit.verification?.missing?.length ? `missing: ${unit.verification.missing.join(", ")}` : null,
+        unit.verification?.drifted?.length ? `drifted: ${unit.verification.drifted.join(", ")}` : null,
+        unit.warnings?.length ? `warnings: ${unit.warnings.join("; ")}` : null
+      ].filter(Boolean).join(" ") || void 0,
+      resourceRef: unit.locators?.length ? unit.locators.join(", ") : unit.unitId,
+      repairAvailable: true,
+      repaired,
+      remediation: verified || repaired ? void 0 : "Run trsd audit hosting --repair to reconcile platform resources."
+    });
+  }
+  return checks;
+}
+async function checkSmtpReachability(values) {
+  const host = values.TREESEED_SMTP_HOST;
+  const port = Number(values.TREESEED_SMTP_PORT ?? 0);
+  const secure = /^(true|1|tls|ssl|465)$/iu.test(String(values.TREESEED_SMTP_SECURE ?? ""));
+  if (!host || !Number.isFinite(port) || port <= 0) {
+    return {
+      id: "connectivity.smtp",
+      hostType: "email",
+      provider: "smtp",
+      category: "connectivity",
+      status: "skipped",
+      severity: "warning",
+      summary: "Email connectivity check skipped.",
+      detail: "SMTP host and port are required before TreeSeed can test connectivity.",
+      remediation: "Configure SMTP host and port, then rerun the hosting audit."
+    };
+  }
+  return new Promise((resolve) => {
+    const socket = secure ? tls.connect({ host, port, servername: host, timeout: 5e3 }) : net.connect({ host, port, timeout: 5e3 });
+    let settled = false;
+    const finish = (check) => {
+      if (settled) return;
+      settled = true;
+      socket.destroy();
+      resolve(check);
+    };
+    socket.once("connect", () => finish({
+      id: "connectivity.smtp",
+      hostType: "email",
+      provider: "smtp",
+      category: "connectivity",
+      status: "passed",
+      severity: "info",
+      summary: "Email provider accepts a TCP connection.",
+      resourceRef: `${host}:${port}`
+    }));
+    socket.once("secureConnect", () => finish({
+      id: "connectivity.smtp",
+      hostType: "email",
+      provider: "smtp",
+      category: "connectivity",
+      status: "passed",
+      severity: "info",
+      summary: "Email provider accepts a TLS connection.",
+      resourceRef: `${host}:${port}`
+    }));
+    socket.once("timeout", () => finish({
+      id: "connectivity.smtp",
+      hostType: "email",
+      provider: "smtp",
+      category: "connectivity",
+      status: "failed",
+      severity: "critical",
+      summary: "Email provider connection timed out.",
+      resourceRef: `${host}:${port}`,
+      remediation: "Confirm SMTP host, port, firewall, and TLS mode."
+    }));
+    socket.once("error", (error) => finish({
+      id: "connectivity.smtp",
+      hostType: "email",
+      provider: "smtp",
+      category: "connectivity",
+      status: "failed",
+      severity: "critical",
+      summary: "Email provider connection failed.",
+      detail: error instanceof Error ? error.message : String(error),
+      resourceRef: `${host}:${port}`,
+      remediation: "Confirm SMTP host, port, firewall, and TLS mode."
+    }));
+  });
+}
+function summarizeReport(checks) {
+  const blockers = checks.filter((check) => check.status === "failed" && check.severity === "critical").map((check) => check.detail ? `${check.summary} ${check.detail}` : check.summary);
+  const warnings = checks.filter((check) => check.status === "warning" || check.status === "failed" && check.severity === "warning").map((check) => check.detail ? `${check.summary} ${check.detail}` : check.summary);
+  const missingConfig = checks.filter((check) => check.category === "config" && check.status === "failed").flatMap((check) => {
+    const detail = check.detail ?? "";
+    const match = detail.match(/Expected one of: ([^.]+)\./u);
+    const keys = match?.[1]?.split(",").map((key) => key.trim()).filter(Boolean) ?? [];
+    return keys.length > 0 ? keys.map((key) => ({
+      key,
+      hostType: check.hostType,
+      severity: check.severity,
+      summary: check.summary
+    })) : [{
+      key: check.id.replace(/^config\./u, ""),
+      hostType: check.hostType,
+      severity: check.severity,
+      summary: check.summary
+    }];
+  });
+  const nextActions = blockers.length > 0 ? [...new Set(checks.filter((check) => check.status === "failed").map((check) => check.remediation).filter((value) => typeof value === "string" && value.trim().length > 0))] : ["Hosting setup is ready for host saving and project launch."];
+  return { blockers, warnings, missingConfig, nextActions };
+}
+async function runTreeseedHostingAudit({
+  tenantRoot,
+  environment = "current",
+  repair = false,
+  env = process.env,
+  valuesOverlay = {},
+  hostKinds: requestedHostKinds,
+  write
+}) {
+  const resolved = resolveTreeseedHostingAuditTarget({ tenantRoot, environment });
+  const hostKinds = normalizeHostKinds(requestedHostKinds);
+  const deployConfig = loadCliDeployConfig(tenantRoot);
+  const seedValues = collectTreeseedConfigSeedValues(tenantRoot, resolved.scope, env, valuesOverlay);
+  const suggestedValues = getTreeseedEnvironmentSuggestedValues({
+    scope: resolved.scope,
+    purpose: "config",
+    deployConfig,
+    values: {
+      ...seedValues,
+      ...nonEmptyEnvironmentValues(env),
+      ...nonEmptyEnvironmentValues(valuesOverlay)
+    }
+  });
+  const values = normalizeAuditValues({
+    ...suggestedValues,
+    ...seedValues,
+    ...nonEmptyEnvironmentValues(env),
+    ...nonEmptyEnvironmentValues(valuesOverlay)
+  });
+  const checks = [];
+  appendManualConfigChecks(checks, values, hostKinds);
+  appendRegistryConfigChecks({ checks, tenantRoot, scope: resolved.scope, values, hostKinds });
+  const connectionReport = await checkTreeseedProviderConnections({
+    tenantRoot,
+    scope: resolved.scope,
+    env: values,
+    valuesOverlay: values
+  });
+  checks.push(...providerConnectionChecks(connectionReport, hostKinds));
+  if (hostKinds.includes("email")) {
+    checks.push(await checkSmtpReachability(values));
+  }
+  const systems = reconcileSystemsForHostKinds(hostKinds);
+  let resources = {};
+  let repaired = false;
+  if (resolved.environment !== "local" && systems.length > 0) {
+    try {
+      const state = loadDeployState(tenantRoot, deployConfig, { target: resolved.target });
+      resources = buildProvisioningSummary(deployConfig, state, resolved.target);
+    } catch (error) {
+      checks.push({
+        id: "resources.summary",
+        hostType: "platform",
+        provider: "treeseed",
+        category: "resource",
+        status: "warning",
+        severity: "warning",
+        summary: "Unable to load provisioning summary.",
+        detail: error instanceof Error ? error.message : String(error)
+      });
+    }
+    try {
+      const beforeStatus = await collectTreeseedReconcileStatus({
+        tenantRoot,
+        target: resolved.target,
+        env: values,
+        systems
+      });
+      let repairedIds = /* @__PURE__ */ new Set();
+      if (repair && beforeStatus.ready !== true) {
+        write?.("[audit][hosting] Repair mode enabled; reconciling platform provider resources.");
+        const repairResult = await reconcileTreeseedTarget({
+          tenantRoot,
+          target: resolved.target,
+          env: values,
+          systems,
+          write
+        });
+        repaired = repairResult.results.some((result) => result.action !== "none");
+        const afterStatus = await collectTreeseedReconcileStatus({
+          tenantRoot,
+          target: resolved.target,
+          env: values,
+          systems
+        });
+        repairedIds = new Set(afterStatus.units.filter((unit) => unit.verification?.verified === true).map((unit) => `resource.${unit.provider}.${unit.unitType}.${unit.unitId}`));
+        checks.push(...reconcileStatusChecks(afterStatus, repairedIds));
+      } else {
+        checks.push(...reconcileStatusChecks(beforeStatus));
+      }
+    } catch (error) {
+      checks.push({
+        id: "resources.reconcile-status",
+        hostType: "platform",
+        provider: "treeseed",
+        category: "resource",
+        status: "failed",
+        severity: "critical",
+        summary: repair ? "Hosting resource repair failed." : "Hosting resource readiness check failed.",
+        detail: error instanceof Error ? error.message : String(error),
+        repairAvailable: !repair,
+        remediation: repair ? "Inspect provider credentials and rerun the audit." : "Run trsd audit hosting --repair after fixing provider credentials."
+      });
+    }
+  } else if (resolved.environment === "local") {
+    checks.push({
+      id: "resources.local",
+      hostType: "platform",
+      provider: "treeseed",
+      category: "resource",
+      status: "skipped",
+      severity: "info",
+      summary: "Hosted provider resource checks are skipped for local audits."
+    });
+  }
+  const summary = summarizeReport(checks);
+  return {
+    ok: summary.blockers.length === 0,
+    environment: resolved.environment,
+    requestedEnvironment: environment,
+    repairMode: repair,
+    repaired,
+    target: serializeTarget(resolved.target),
+    hostKinds,
+    checkedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    checks,
+    missingConfig: summary.missingConfig,
+    resources,
+    warnings: summary.warnings,
+    blockers: summary.blockers,
+    nextActions: summary.nextActions
+  };
+}
+function formatTreeseedHostingAuditReport(report) {
+  const lines = [
+    `Treeseed hosting audit (${report.environment}, ${report.repairMode ? "repair" : "read-only"})`,
+    `Status: ${report.ok ? "ready" : "blocked"}`,
+    `Target: ${report.target.label}`,
+    "",
+    "Checks:",
+    ...report.checks.map((check) => {
+      const status = check.status.toUpperCase();
+      const resource = check.resourceRef ? ` [${check.resourceRef}]` : "";
+      const detail = check.detail ? ` ${check.detail}` : "";
+      return `  - ${status} ${check.hostType}/${check.provider}/${check.category}: ${check.summary}${resource}${detail}`;
+    })
+  ];
+  if (report.blockers.length > 0) {
+    lines.push("", "Blockers:", ...report.blockers.map((blocker) => `  - ${blocker}`));
+  }
+  if (report.warnings.length > 0) {
+    lines.push("", "Warnings:", ...report.warnings.map((warning) => `  - ${warning}`));
+  }
+  lines.push("", "Next actions:", ...report.nextActions.map((action) => `  - ${action}`));
+  return lines.join("\n");
+}
+export {
+  formatTreeseedHostingAuditReport,
+  resolveTreeseedHostingAuditTarget,
+  runTreeseedHostingAudit
+};

package/dist/operations/services/hub-launch.js

@@ -63,7 +63,7 @@ function defaultHubContentResolutionPolicy() {
 function planKnowledgeHubRepositories(intent, host) {
   const normalized = normalizeKnowledgeHubLaunchIntent(intent);
   const hubSlug = normalized.hub.slug;
-  const owner = normalized.repository?.owner ?? host?.organizationOrOwner ?? process.env.TREESEED_HOSTED_HUBS_GITHUB_OWNER ?? process.env.TREESEED_REPOSITORY_HOST_GITHUB_OWNER ?? process.env.GITHUB_REPOSITORY_OWNER ?? "treeseed-sites";
+  const owner = normalized.repository?.owner ?? host?.organizationOrOwner ?? process.env.TREESEED_HOSTED_HUBS_GITHUB_OWNER ?? "treeseed-sites";
   const topology = normalized.repository?.topology ?? "split_software_content";
   const visibility = normalized.repository?.visibility ?? host?.defaultVisibility ?? "private";
   if (topology === "combined_compatibility") {
@@ -154,7 +154,7 @@ function validateRepositoryHost(host) {
   };
 }
 async function createKnowledgeHubRepositories(input) {
-  const githubToken = process.env.TREESEED_HOSTED_HUBS_GITHUB_TOKEN || process.env.TREESEED_REPOSITORY_HOST_GITHUB_TOKEN || process.env.GH_TOKEN || process.env.GITHUB_TOKEN || "";
+  const githubToken = process.env.TREESEED_HOSTED_HUBS_GITHUB_TOKEN || "";
   const githubEnv = githubToken ? { ...process.env, GH_TOKEN: githubToken, GITHUB_TOKEN: githubToken } : process.env;
   const created = [];
   for (const repository of input.plan.repositories) {

package/dist/operations/services/hub-provider-launch.js

@@ -239,7 +239,7 @@ function applyManagedProjectDefaults(projectRoot, input) {
   const marketBaseUrl = normalizeBaseUrl(input.marketBaseUrl ?? envOrNull("TREESEED_MARKET_API_BASE_URL") ?? "https://knowledge.coop");
   const siteUrl = resolveManagedWebUrl(slug);
   const projectApiBaseUrl = normalizeBaseUrl(input.projectApiBaseUrl ?? resolveManagedApiUrl(slug));
-  const cloudflareAccountId = envOrNull("TREESEED_CLOUDFLARE_ACCOUNT_ID") ?? envOrNull("CLOUDFLARE_ACCOUNT_ID") ?? "replace-with-cloudflare-account-id";
+  const cloudflareAccountId = envOrNull("CLOUDFLARE_ACCOUNT_ID") ?? "replace-with-cloudflare-account-id";
   const runtimeMode = input.hostingMode === "managed" ? "treeseed_managed" : input.hostingMode === "hybrid" ? "byo_attached" : "none";
   const runtimeRegistration = input.hostingMode === "managed" ? "required" : input.hostingMode === "hybrid" ? "optional" : "none";
   const hubMode = input.hostingMode === "self_hosted" ? "customer_hosted" : "treeseed_hosted";
@@ -545,7 +545,7 @@ function buildCloudflareHostEnvironmentOverlay(input, scope) {
   for (const [key, value] of Object.entries(environmentConfig)) {
     overlayValue(overlay, key, value);
   }
-  overlay.CLOUDFLARE_ACCOUNT_ID = overlay.CLOUDFLARE_ACCOUNT_ID || overlay.TREESEED_CLOUDFLARE_ACCOUNT_ID || "";
+  overlay.CLOUDFLARE_ACCOUNT_ID = overlay.CLOUDFLARE_ACCOUNT_ID || "";
   overlayValue(overlay, "TREESEED_CLOUDFLARE_PAGES_PROJECT_NAME", overlay.TREESEED_CLOUDFLARE_PAGES_PROJECT_NAME || projectSlug);
   overlayValue(overlay, "TREESEED_CLOUDFLARE_PAGES_PREVIEW_PROJECT_NAME", overlay.TREESEED_CLOUDFLARE_PAGES_PREVIEW_PROJECT_NAME || `${projectSlug}-staging`);
   overlayValue(overlay, "TREESEED_CONTENT_BUCKET_NAME", overlay.TREESEED_CONTENT_BUCKET_NAME || `${projectSlug}-content`);
@@ -600,7 +600,7 @@ function scaffoldKnowledgeCoopSource(projectRoot, input) {
   });
 }
 function repositoryHostGitHubEnvOverlay() {
-  const token = process.env.TREESEED_HOSTED_HUBS_GITHUB_TOKEN || process.env.TREESEED_REPOSITORY_HOST_GITHUB_TOKEN || process.env.GH_TOKEN || process.env.GITHUB_TOKEN || "";
+  const token = process.env.TREESEED_HOSTED_HUBS_GITHUB_TOKEN || "";
   return token ? { ...process.env, GH_TOKEN: token, GITHUB_TOKEN: token } : process.env;
 }
 function prepareKnowledgeHubContentRepositoryRoot(sourceRoot, contentRoot, input) {
@@ -656,7 +656,7 @@ async function validateKnowledgeHubProviderLaunchPrerequisites(tenantRoot = proc
     ["TREESEED_API_WEB_SERVICE_ID"],
     ["TREESEED_API_WEB_SERVICE_SECRET"],
     ["TREESEED_API_WEB_ASSERTION_SECRET"],
-    ["CLOUDFLARE_ACCOUNT_ID", "TREESEED_CLOUDFLARE_ACCOUNT_ID"]
+    ["CLOUDFLARE_ACCOUNT_ID"]
   ];
   const missingConfig = requiredConfig.filter((group) => !group.some((name) => {
     const value = values[name];