@treeseed/sdk 0.8.1 → 0.8.2

package/dist/operations/services/managed-host-security.d.ts

@@ -0,0 +1,13 @@
+import type { TreeseedDeployConfig } from '../../platform/contracts.ts';
+export declare const MANAGED_HOST_DIRECT_CI_OPT_IN_ENV = "TREESEED_ALLOW_MANAGED_HOST_DIRECT_CI_SECRETS";
+export declare function allowsManagedHostDirectCiSecrets(env?: Record<string, string | undefined>): boolean;
+export declare function isTreeseedManagedHostedProject(deployConfig: Pick<TreeseedDeployConfig, 'hosting' | 'hub' | 'runtime'> | null | undefined): boolean;
+export declare function usesManagedHostOperationRequests(deployConfig: Pick<TreeseedDeployConfig, 'hosting' | 'hub' | 'runtime'> | null | undefined, env?: Record<string, string | undefined>): boolean;
+export declare function filterManagedHostGitHubEnvironment(required: {
+    secrets: string[];
+    variables: string[];
+}): {
+    secrets: never[];
+    variables: string[];
+};
+export declare function shouldExposeManagedHostRuntimeSecret(deployConfig: Pick<TreeseedDeployConfig, 'hosting' | 'hub' | 'runtime'> | null | undefined, _secretName: string, env?: Record<string, string | undefined>): boolean;

package/dist/operations/services/managed-host-security.js

@@ -0,0 +1,53 @@
+const MANAGED_HOST_DIRECT_CI_OPT_IN_ENV = "TREESEED_ALLOW_MANAGED_HOST_DIRECT_CI_SECRETS";
+const SAFE_MANAGED_HOST_CI_VARIABLES = /* @__PURE__ */ new Set([
+  "TREESEED_CATALOG_MARKET_API_BASE_URLS",
+  "TREESEED_CENTRAL_MARKET_API_BASE_URL",
+  "TREESEED_HOSTING_KIND",
+  "TREESEED_HOSTING_REGISTRATION",
+  "TREESEED_HOSTING_TEAM_ID",
+  "TREESEED_MARKET_API_BASE_URL",
+  "TREESEED_PROJECT_ID"
+]);
+const MANAGED_HOST_FORBIDDEN_VARIABLE_PREFIXES = [
+  "CLOUDFLARE_",
+  "RAILWAY_",
+  "TREESEED_API_",
+  "TREESEED_AUTH_",
+  "TREESEED_CLOUDFLARE_",
+  "TREESEED_RAILWAY_",
+  "TREESEED_SMTP_",
+  "TREESEED_TURNSTILE_",
+  "TREESEED_WEB_"
+];
+function allowsManagedHostDirectCiSecrets(env = process.env) {
+  const value = env[MANAGED_HOST_DIRECT_CI_OPT_IN_ENV];
+  return value === "1" || value === "true" || value === "yes";
+}
+function isTreeseedManagedHostedProject(deployConfig) {
+  return deployConfig?.hosting?.kind === "hosted_project" && deployConfig?.hub?.mode === "treeseed_hosted" && deployConfig?.runtime?.mode === "treeseed_managed";
+}
+function usesManagedHostOperationRequests(deployConfig, env = process.env) {
+  return isTreeseedManagedHostedProject(deployConfig) && !allowsManagedHostDirectCiSecrets(env);
+}
+function filterManagedHostGitHubEnvironment(required) {
+  return {
+    secrets: [],
+    variables: required.variables.filter((name) => {
+      if (SAFE_MANAGED_HOST_CI_VARIABLES.has(name)) {
+        return true;
+      }
+      return !MANAGED_HOST_FORBIDDEN_VARIABLE_PREFIXES.some((prefix) => name.startsWith(prefix));
+    })
+  };
+}
+function shouldExposeManagedHostRuntimeSecret(deployConfig, _secretName, env = process.env) {
+  return !usesManagedHostOperationRequests(deployConfig, env);
+}
+export {
+  MANAGED_HOST_DIRECT_CI_OPT_IN_ENV,
+  allowsManagedHostDirectCiSecrets,
+  filterManagedHostGitHubEnvironment,
+  isTreeseedManagedHostedProject,
+  shouldExposeManagedHostRuntimeSecret,
+  usesManagedHostOperationRequests
+};

package/dist/platform/env.yaml

@@ -87,6 +87,55 @@ entries:
       - machine-config
       - process-env
     defaultValueRef: githubRepositoryVisibilityDefault
+  TREESEED_HOSTED_HUBS_GITHUB_OWNER:
+    label: Hosted repository owner
+    group: github
+    description: GitHub user or organization where TreeSeed-managed hosted hub repositories are created.
+    howToGet: Enter the GitHub organization or owner dedicated to hosted Knowledge Hub repositories. This can be different from the Market source repository owner.
+    sensitivity: plain
+    targets:
+      - local-runtime
+      - railway-var
+    scopes:
+      - staging
+      - prod
+    storage: shared
+    requirement: conditional
+    relevanceRef: marketControlPlaneEnabled
+    requiredWhenRef: marketControlPlaneEnabled
+    purposes:
+      - config
+      - deploy
+    validation:
+      kind: nonempty
+    sourcePriority:
+      - machine-config
+      - process-env
+  TREESEED_HOSTED_HUBS_GITHUB_TOKEN:
+    label: Hosted repository access token
+    group: github
+    description: GitHub token used only by TreeSeed-controlled workers to create and configure TreeSeed-managed hosted hub repositories.
+    howToGet: Create a GitHub token or app credential for the hosted hub repository owner with repository create/configure permissions, then store it here. Do not sync this value to team repositories or GitHub Actions secrets.
+    sensitivity: secret
+    targets:
+      - local-runtime
+      - railway-secret
+    scopes:
+      - staging
+      - prod
+    storage: shared
+    requirement: conditional
+    relevanceRef: marketControlPlaneEnabled
+    requiredWhenRef: marketControlPlaneEnabled
+    purposes:
+      - config
+      - deploy
+    validation:
+      kind: nonempty
+      minLength: 8
+    sourcePriority:
+      - machine-config
+      - process-env
   CLOUDFLARE_API_TOKEN:
     label: Cloudflare API token
     group: auth

package/dist/reconcile/builtin-adapters.js

@@ -34,6 +34,7 @@ import {
   runRailway,
   validateRailwayDeployPrerequisites
 } from "../operations/services/railway-deploy.js";
+import { shouldExposeManagedHostRuntimeSecret } from "../operations/services/managed-host-security.js";
 import {
   ensureRailwayEnvironment,
   ensureRailwayProject,
@@ -492,7 +493,7 @@ function collectCloudflareEnvironmentSync(input) {
     const value = typeof values[entry.id] === "string" ? values[entry.id] : "";
     if (entry.targets.includes("cloudflare-secret")) {
       const secretValue = value || (typeof generatedSecrets[entry.id] === "string" ? generatedSecrets[entry.id] : "");
-      if (secretValue) {
+      if (secretValue && shouldExposeManagedHostRuntimeSecret(input.context.deployConfig, entry.id)) {
         secrets[entry.id] = secretValue;
         secretNames.add(entry.id);
       }
@@ -503,7 +504,7 @@ function collectCloudflareEnvironmentSync(input) {
     }
   }
   for (const [key, value] of Object.entries(generatedSecrets)) {
-    if (typeof value === "string" && value.length > 0) {
+    if (typeof value === "string" && value.length > 0 && shouldExposeManagedHostRuntimeSecret(input.context.deployConfig, key)) {
       secrets[key] = value;
       secretNames.add(key);
     }
@@ -1528,12 +1529,12 @@ function collectRailwayEnvironmentSync(input) {
   const registry = collectTreeseedEnvironmentContext(input.context.tenantRoot);
   const state = loadDeployState(input.context.tenantRoot, input.context.deployConfig, { target: toDeployTarget(input.context.target) });
   const secrets = Object.fromEntries(
-    registry.entries.filter((entry) => entry.scopes.includes(scope) && entry.targets.includes("railway-secret")).map((entry) => [entry.id, values[entry.id]]).filter(([, value]) => typeof value === "string" && value.length > 0)
+    registry.entries.filter((entry) => entry.scopes.includes(scope) && entry.targets.includes("railway-secret") && shouldExposeManagedHostRuntimeSecret(input.context.deployConfig, entry.id)).map((entry) => [entry.id, values[entry.id]]).filter(([, value]) => typeof value === "string" && value.length > 0)
   );
   const variables = Object.fromEntries(
     registry.entries.filter((entry) => entry.scopes.includes(scope) && entry.targets.includes("railway-var")).map((entry) => [entry.id, values[entry.id]]).filter(([, value]) => typeof value === "string" && value.length > 0)
   );
-  if (typeof values.CLOUDFLARE_API_TOKEN === "string" && values.CLOUDFLARE_API_TOKEN.length > 0) {
+  if (typeof values.CLOUDFLARE_API_TOKEN === "string" && values.CLOUDFLARE_API_TOKEN.length > 0 && shouldExposeManagedHostRuntimeSecret(input.context.deployConfig, "CLOUDFLARE_API_TOKEN")) {
     secrets.CLOUDFLARE_API_TOKEN = values.CLOUDFLARE_API_TOKEN;
   }
   if (typeof values.CLOUDFLARE_ACCOUNT_ID === "string" && values.CLOUDFLARE_ACCOUNT_ID.length > 0) {

package/dist/workflow/operations.d.ts

@@ -424,6 +424,7 @@ export declare function workflowSave(helpers: WorkflowOperationHelpers, input: T
         cached: boolean;
     }[];
     releaseCandidate: ReleaseCandidateReport | null;
+    hostingAudit: import("../workflow-support.ts").TreeseedHostingAuditReport | null;
 } & {
     finalState?: WorkflowStatePayload;
 }>>;
@@ -566,6 +567,7 @@ export declare function workflowClose(helpers: WorkflowOperationHelpers, input:
             cached: boolean;
         }[];
         releaseCandidate: ReleaseCandidateReport | null;
+        hostingAudit: import("../workflow-support.ts").TreeseedHostingAuditReport | null;
     } & {
         finalState?: WorkflowStatePayload;
     }) | null;
@@ -749,6 +751,7 @@ export declare function workflowStage(helpers: WorkflowOperationHelpers, input:
             cached: boolean;
         }[];
         releaseCandidate: ReleaseCandidateReport | null;
+        hostingAudit: import("../workflow-support.ts").TreeseedHostingAuditReport | null;
     } & {
         finalState?: WorkflowStatePayload;
     }) | null;
@@ -777,6 +780,7 @@ export declare function workflowStage(helpers: WorkflowOperationHelpers, input:
     workspaceLinks: import("../operations/services/workspace-dependency-mode.ts").WorkspaceDependencyModeReport;
     ciMode: "hosted" | "off";
     workflowGates: any;
+    hostingAudit: import("../workflow-support.ts").TreeseedHostingAuditReport | null;
     worktreeCleanup: {
         removed: boolean;
         reason: string;
@@ -974,6 +978,7 @@ export declare function workflowRelease(helpers: WorkflowOperationHelpers, input
         timeoutSeconds: number | null;
         cached: boolean;
     }[];
+    hostingAudit: import("../workflow-support.ts").TreeseedHostingAuditReport | null;
 } & {
     finalState?: WorkflowStatePayload;
 }> | TreeseedWorkflowResult<{
@@ -1104,6 +1109,7 @@ export declare function workflowRelease(helpers: WorkflowOperationHelpers, input
         timeoutSeconds: number | null;
         cached: boolean;
     })[];
+    hostingAudit: import("../workflow-support.ts").TreeseedHostingAuditReport | null;
 } & {
     finalState?: WorkflowStatePayload;
 }>>;

package/dist/workflow/operations.js

@@ -124,6 +124,7 @@ import {
   workspacePackages,
   workspaceRoot
 } from "../operations/services/workspace-tools.js";
+import { runTreeseedHostingAudit } from "../operations/services/hosting-audit.js";
 import { resolveTreeseedWorkflowState } from "../workflow-state.js";
 import { createTreeseedReconcileRegistry, deriveTreeseedDesiredUnits, filterTreeseedDesiredUnitsByBootstrapSystems, planTreeseedReconciliation, resolveTreeseedBootstrapSelection, reconcileTreeseedTarget } from "../reconcile/index.js";
 import {
@@ -631,6 +632,25 @@ function buildWorkflowResult(operation, cwd, payload, options = {}) {
     errors: options.errors ?? []
   };
 }
+async function runReadOnlyHostingAuditForWorkflow(operation, root, helpers, environment, options = { enabled: true }) {
+  if (!options.enabled) {
+    return null;
+  }
+  helpers.write(`[workflow][hosting-audit] Running read-only hosting audit for ${environment}.`);
+  const report = await runTreeseedHostingAudit({
+    tenantRoot: root,
+    environment,
+    repair: false,
+    env: helpers.context.env,
+    write: (line) => helpers.write(line)
+  });
+  if (options.strict && !report.ok) {
+    workflowError(operation, "validation_failed", `Hosting audit failed for ${report.environment}: ${report.blockers.join("\n")}`, {
+      details: { hostingAudit: report }
+    });
+  }
+  return report;
+}
 function normalizeExecutionMode(input) {
   return input?.plan === true || input?.dryRun === true ? "plan" : "execute";
 }
@@ -3025,6 +3045,13 @@ async function workflowSave(helpers, input) {
             };
           }
         }
+        const hostingAudit = await runReadOnlyHostingAuditForWorkflow(
+          "save",
+          root,
+          helpers,
+          scope === "prod" ? "prod" : scope === "local" ? "local" : "staging",
+          { enabled: effectiveInput.verifyDeployedResources === true, strict: true }
+        );
         const payload = {
           mode: saveResult?.mode ?? mode,
           branch,
@@ -3052,6 +3079,7 @@ async function workflowSave(helpers, input) {
           verifyMode: effectiveInput.verifyMode ?? "fast",
           workflowGates: saveWorkflowGates?.workflowGates ?? [],
           releaseCandidate,
+          hostingAudit,
           ...worktreePayload(root, effectiveInput.worktreeMode)
         };
         completeWorkflowRun(root, workflowRun.runId, payload);
@@ -3549,6 +3577,13 @@ async function workflowStage(helpers, input) {
           blockers: []
         });
         const releaseCandidate = await executeJournalStep(root, workflowRun.runId, "release-candidate", () => runReleaseCandidateForPlan("stage", root, stageReleasePlan));
+        const hostingAudit = await runReadOnlyHostingAuditForWorkflow(
+          "stage",
+          root,
+          helpers,
+          "staging",
+          { enabled: effectiveInput.verifyDeployedResources === true, strict: true }
+        );
         const previewCleanup = effectiveInput.deletePreview === false ? (skipJournalStep(root, workflowRun.runId, "preview-cleanup", { performed: false }), { performed: false }) : await executeJournalStep(root, workflowRun.runId, "preview-cleanup", () => destroyPreviewIfPresent(root, featureBranch));
         const rootCleanup = await executeJournalStep(root, workflowRun.runId, "cleanup-root", () => {
           const deprecatedTag = createDeprecatedTaskTag(repoDir, featureBranch, `stage: ${message}`);
@@ -3605,6 +3640,7 @@ async function workflowStage(helpers, input) {
           workspaceLinks,
           ciMode,
           workflowGates: stagingWait.workflowGates,
+          hostingAudit,
           worktreeCleanup,
           worktreeMode: effectiveInput.worktreeMode ?? "auto",
           managedWorktree,
@@ -3861,6 +3897,10 @@ async function workflowRelease(helpers, input) {
             onProgress: (line, stream) => helpers.write(line, stream)
           }).then((workflowGates) => ({ workflowGates })));
           const hostedDeploymentState2 = recordHostedDeploymentStatesFromRootGates(root, rootRelease2, rootWorkflowGateResult2?.workflowGates);
+          const hostingAudit2 = await runReadOnlyHostingAuditForWorkflow("release", root, helpers, "prod", {
+            enabled: true,
+            strict: false
+          });
           const releaseBackMerge2 = await executeJournalStep(root, workflowRun.runId, "release-back-merge", () => backMergeRootProductionIntoStaging(root, false, {
             version: rootVersion,
             changelog: rootRelease2?.changelog ?? null
@@ -3893,6 +3933,7 @@ async function workflowRelease(helpers, input) {
             workspaceLinks: workspaceLinks2,
             ciMode,
             workflowGates: rootWorkflowGateResult2?.workflowGates ?? [],
+            hostingAudit: hostingAudit2,
             ...worktreePayload(root, effectiveInput.worktreeMode)
           };
           completeWorkflowRun(root, workflowRun.runId, payload2);
@@ -4162,6 +4203,10 @@ async function workflowRelease(helpers, input) {
           onProgress: (line, stream) => helpers.write(line, stream)
         }).then((workflowGates) => ({ workflowGates })));
         const hostedDeploymentState = recordHostedDeploymentStatesFromRootGates(root, rootRelease, rootWorkflowGateResult?.workflowGates);
+        const hostingAudit = await runReadOnlyHostingAuditForWorkflow("release", root, helpers, "prod", {
+          enabled: true,
+          strict: false
+        });
         const releaseBackMerge = await executeJournalStep(root, workflowRun.runId, "release-back-merge", () => backMergeRootProductionIntoStaging(root, true, {
           version: rootVersion,
           changelog: rootRelease?.changelog ?? null,
@@ -4214,6 +4259,7 @@ async function workflowRelease(helpers, input) {
             ...packageReports.flatMap((report) => report.workflowGates),
             ...Array.isArray(rootWorkflowGateResult?.workflowGates) ? rootWorkflowGateResult.workflowGates : []
           ],
+          hostingAudit,
           ...worktreePayload(root, effectiveInput.worktreeMode)
         };
         completeWorkflowRun(root, workflowRun.runId, payload);

package/dist/workflow-support.d.ts

@@ -1,5 +1,6 @@
 export { applyTreeseedConfigValues, applyTreeseedEnvironmentToProcess, applyTreeseedSafeRepairs, assertTreeseedCommandEnvironment, checkTreeseedProviderConnections, clearTreeseedRemoteSession, collectTreeseedConfigContext, collectTreeseedPrintEnvReport, createDefaultTreeseedMachineConfig, ensureTreeseedActVerificationTooling, ensureTreeseedSecretSessionForConfig, ensureTreeseedGitignoreEntries, getTreeseedMachineConfigPaths, loadTreeseedMachineConfig, listRelevantTreeseedConfigEntries, finalizeTreeseedConfig, inspectTreeseedKeyAgentTransportDiagnostic, inspectTreeseedPassphraseEnvDiagnostic, listDeprecatedTreeseedLocalEnvFiles, inspectTreeseedKeyAgentStatus, lockTreeseedSecretSession, migrateTreeseedMachineKeyToWrapped, resolveTreeseedMachineEnvironmentValues, resolveTreeseedLaunchEnvironment, resolveTreeseedRemoteConfig, resolveTreeseedRemoteSession, rotateTreeseedMachineKey, rotateTreeseedMachineKeyPassphrase, setTreeseedRemoteSession, TREESEED_MACHINE_KEY_PASSPHRASE_ENV, TreeseedKeyAgentError, updateTreeseedDeployConfigFeatureToggles, unlockTreeseedSecretSessionFromEnv, unlockTreeseedSecretSessionInteractive, unlockTreeseedSecretSessionWithPassphrase, withTreeseedKeyAgentAutopromptDisabled, warnDeprecatedTreeseedLocalEnvFiles, writeTreeseedMachineConfig, } from './operations/services/config-runtime.ts';
 export { exportTreeseedCodebase } from './operations/services/export-runtime.ts';
+export { formatTreeseedHostingAuditReport, resolveTreeseedHostingAuditTarget, runTreeseedHostingAudit, type TreeseedHostingAuditCheck, type TreeseedHostingAuditEnvironment, type TreeseedHostingAuditHostKind, type TreeseedHostingAuditReport, } from './operations/services/hosting-audit.ts';
 export { assertDeploymentInitialized, cleanupDestroyedState, createBranchPreviewDeployTarget, createPersistentDeployTarget, deployTargetLabel, destroyCloudflareResources, ensureGeneratedWranglerConfig, finalizeDeploymentState, loadDeployState, printDeploySummary, printDestroySummary, provisionCloudflareResources, runRemoteD1Migrations, syncCloudflareSecrets, validateDeployPrerequisites, validateDestroyPrerequisites, } from './operations/services/deploy.ts';
 export { assertCleanWorktree, assertFeatureBranch, branchExists, checkoutBranch, createDeprecatedTaskTag, createFeatureBranchFromStaging, currentManagedBranch, deleteLocalBranch, deleteRemoteBranch, ensureLocalBranchTracking, gitWorkflowRoot, listTaskBranches, mergeCurrentBranchIntoStaging, mergeStagingIntoMain, prepareReleaseBranches, PRODUCTION_BRANCH, pushBranch, remoteBranchExists, STAGING_BRANCH, syncBranchWithOrigin, waitForStagingAutomation, } from './operations/services/git-workflow.ts';
 export { dockerIsAvailable, stopKnownMailpitContainers, type TreeseedMailpitContainer, } from './operations/services/mailpit-runtime.ts';

package/dist/workflow-support.js

@@ -39,6 +39,11 @@ import {
   writeTreeseedMachineConfig
 } from "./operations/services/config-runtime.js";
 import { exportTreeseedCodebase } from "./operations/services/export-runtime.js";
+import {
+  formatTreeseedHostingAuditReport,
+  resolveTreeseedHostingAuditTarget,
+  runTreeseedHostingAudit
+} from "./operations/services/hosting-audit.js";
 import {
   assertDeploymentInitialized,
   cleanupDestroyedState,
@@ -228,6 +233,7 @@ export {
   formatMergeConflictReport,
   formatTreeseedDependencyFailureDetails,
   formatTreeseedDependencyReport,
+  formatTreeseedHostingAuditReport,
   getRailwayAuthProfile,
   getTreeseedMachineConfigPaths,
   gitStatusPorcelain,
@@ -272,6 +278,7 @@ export {
   resolveRailwayApiUrl,
   resolveRailwayWorkspace,
   resolveRailwayWorkspaceContext,
+  resolveTreeseedHostingAuditTarget,
   resolveTreeseedLaunchEnvironment,
   resolveTreeseedMachineEnvironmentValues,
   resolveTreeseedRemoteConfig,
@@ -285,6 +292,7 @@ export {
   runRemoteD1Migrations,
   runTenantDeployPreflight,
   runTreeseedCopilotTask,
+  runTreeseedHostingAudit,
   runWorkspaceReleasePreflight,
   runWorkspaceSavePreflight,
   setTreeseedRemoteSession,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@treeseed/sdk",
-  "version": "0.8.1",
+  "version": "0.8.2",
   "description": "Shared Treeseed SDK for content-backed and D1-backed object models.",
   "license": "AGPL-3.0-only",
   "repository": {

package/templates/github/deploy.managed.workflow.yml

@@ -0,0 +1,208 @@
+name: Treeseed Managed Hosted Project
+
+on:
+  workflow_dispatch:
+    inputs:
+      project_id:
+        description: Treeseed project id recorded in the Market control plane
+        required: false
+        type: string
+      environment:
+        description: Target environment
+        required: true
+        default: staging
+        type: choice
+        options:
+          - staging
+          - prod
+      action_kind:
+        description: Requested managed operation
+        required: true
+        default: deploy_code
+        type: choice
+        options:
+          - provision
+          - deploy_code
+          - publish_content
+          - monitor
+  push:
+    branches:
+      - staging
+      - main
+  release:
+    types: [published]
+
+concurrency:
+  group: treeseed-managed-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  classify:
+    runs-on: ubuntu-latest
+    outputs:
+      scope: ${{ steps.classify.outputs.scope }}
+      workflow_action: ${{ steps.classify.outputs.workflow_action }}
+      code_changed: ${{ steps.classify.outputs.code_changed }}
+      content_changed: ${{ steps.classify.outputs.content_changed }}
+      release_tag: ${{ steps.classify.outputs.release_tag }}
+    steps:
+      - name: Classify change
+        id: classify
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            scope="${{ inputs.environment }}"
+            workflow_action="${{ inputs.action_kind }}"
+            code_changed=$([[ "${workflow_action}" == "deploy_code" ]] && echo "true" || echo "false")
+            content_changed=$([[ "${workflow_action}" == "publish_content" ]] && echo "true" || echo "false")
+            release_tag="false"
+          elif [[ "${{ github.event_name }}" == "release" ]]; then
+            scope="prod"
+            workflow_action="deploy_code"
+            code_changed="true"
+            content_changed="false"
+            release_tag="true"
+          elif [[ "${{ github.ref_name }}" == "main" ]]; then
+            scope="prod"
+            workflow_action="deploy_code"
+            code_changed="true"
+            content_changed="false"
+            release_tag="false"
+          else
+            scope="staging"
+            workflow_action="deploy_code"
+            code_changed="true"
+            content_changed="false"
+            release_tag="false"
+          fi
+          echo "scope=${scope}" >> "${GITHUB_OUTPUT}"
+          echo "workflow_action=${workflow_action}" >> "${GITHUB_OUTPUT}"
+          echo "code_changed=${code_changed}" >> "${GITHUB_OUTPUT}"
+          echo "content_changed=${content_changed}" >> "${GITHUB_OUTPUT}"
+          echo "release_tag=${release_tag}" >> "${GITHUB_OUTPUT}"
+
+  verify:
+    runs-on: ubuntu-latest
+    needs: classify
+    permissions:
+      contents: read
+    __WORKING_DIRECTORY_BLOCK__
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: __CACHE_DEPENDENCY_PATH__
+
+      - name: Install dependencies
+        shell: bash
+        run: npm ci --ignore-scripts
+
+      - name: Build workspace package artifacts
+        shell: bash
+        run: |
+          set -euo pipefail
+          for dir in packages/sdk packages/core packages/cli; do
+            if test -f "${dir}/package.json"; then
+              npm --prefix "${dir}" run build:dist
+            fi
+          done
+
+      - name: Verify workspace
+        shell: bash
+        run: |
+          set -euo pipefail
+          npm run verify:local
+
+  request-managed-operation:
+    runs-on: ubuntu-latest
+    needs:
+      - classify
+      - verify
+    if: |
+      needs.classify.outputs.workflow_action == 'provision' ||
+      needs.classify.outputs.workflow_action == 'deploy_code' ||
+      needs.classify.outputs.workflow_action == 'publish_content' ||
+      needs.classify.outputs.workflow_action == 'monitor' ||
+      needs.classify.outputs.code_changed == 'true' ||
+      needs.classify.outputs.content_changed == 'true' ||
+      needs.classify.outputs.release_tag == 'true'
+    permissions:
+      contents: read
+      id-token: write
+    environment: ${{ needs.classify.outputs.scope == 'prod' && 'production' || 'staging' }}
+    env:
+      TREESEED_MARKET_API_BASE_URL: ${{ vars.TREESEED_MARKET_API_BASE_URL || vars.TREESEED_CENTRAL_MARKET_API_BASE_URL || 'https://api.treeseed.ai' }}
+      TREESEED_PROJECT_ID: ${{ inputs.project_id || vars.TREESEED_PROJECT_ID }}
+      TREESEED_WORKFLOW_ACTION: ${{ needs.classify.outputs.workflow_action }}
+      TREESEED_WORKFLOW_ENVIRONMENT: ${{ needs.classify.outputs.scope }}
+    steps:
+      - name: Request TreeSeed managed operation
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ -z "${TREESEED_PROJECT_ID}" ]]; then
+            echo "TREESEED_PROJECT_ID is required for managed TreeSeed operations."
+            exit 1
+          fi
+          audience="treeseed:${TREESEED_PROJECT_ID}"
+          oidc_json="$(curl -fsSL -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${audience}")"
+          oidc_token="$(node -e "const fs=require('node:fs'); const data=JSON.parse(fs.readFileSync(0,'utf8')); process.stdout.write(data.value || '')" <<< "${oidc_json}")"
+          if [[ -z "${oidc_token}" ]]; then
+            echo "GitHub did not return an OIDC token."
+            exit 1
+          fi
+          request_json="$(OIDC_TOKEN="${oidc_token}" node --input-type=module <<'NODE'
+          const payload = {
+            oidcToken: process.env.OIDC_TOKEN,
+            actionKind: process.env.TREESEED_WORKFLOW_ACTION,
+            environment: process.env.TREESEED_WORKFLOW_ENVIRONMENT,
+            repository: process.env.GITHUB_REPOSITORY,
+            ref: process.env.GITHUB_REF,
+            refName: process.env.GITHUB_REF_NAME,
+            sha: process.env.GITHUB_SHA,
+            workflow: process.env.GITHUB_WORKFLOW,
+            workflowRef: process.env.GITHUB_WORKFLOW_REF,
+            runId: process.env.GITHUB_RUN_ID,
+            runAttempt: process.env.GITHUB_RUN_ATTEMPT,
+          };
+          process.stdout.write(JSON.stringify(payload));
+          NODE
+          )"
+          response="$(curl -fsSL -X POST "${TREESEED_MARKET_API_BASE_URL%/}/v1/projects/${TREESEED_PROJECT_ID}/ci/oidc/exchange" \
+            -H "content-type: application/json" \
+            --data "${request_json}")"
+          node -e "const r=JSON.parse(process.argv[1]); if (!r.ok) { throw new Error(r.error || 'TreeSeed operation request failed'); } console.log('Requested TreeSeed job ' + r.payload.job.id + ' (' + r.payload.job.status + ')');" "${response}"
+          echo "${response}" > treeseed-operation.json
+
+      - name: Wait for TreeSeed managed operation
+        shell: bash
+        run: |
+          set -euo pipefail
+          job_id="$(node -e "const r=require('./treeseed-operation.json'); process.stdout.write(r.payload.job.id)")"
+          operation_token="$(node -e "const r=require('./treeseed-operation.json'); process.stdout.write(r.payload.operationToken || '')")"
+          if [[ -z "${operation_token}" ]]; then
+            echo "TreeSeed did not return an operation status token."
+            exit 1
+          fi
+          for attempt in $(seq 1 180); do
+            status_json="$(curl -fsSL "${TREESEED_MARKET_API_BASE_URL%/}/v1/projects/${TREESEED_PROJECT_ID}/ci/jobs/${job_id}" \
+              -H "authorization: Bearer ${operation_token}")"
+            status="$(node -e "const r=JSON.parse(process.argv[1]); process.stdout.write(r.payload.job.status)" "${status_json}")"
+            echo "TreeSeed job ${job_id}: ${status}"
+            if [[ "${status}" == "succeeded" ]]; then
+              exit 0
+            fi
+            if [[ "${status}" == "failed" || "${status}" == "cancelled" ]]; then
+              node -e "const r=JSON.parse(process.argv[1]); console.error(JSON.stringify(r.payload.job.error || {}, null, 2));" "${status_json}"
+              exit 1
+            fi
+            sleep 10
+          done
+          echo "Timed out waiting for TreeSeed job ${job_id}."
+          exit 1