@decocms/start 2.30.1 → 3.0.0

package/.github/workflows/preview.yml

@@ -1,118 +1,168 @@
 name: preview (central)
 
-# Reusable workflow that uploads a preview version (alias) for any storefront
-# repo registered under `deploy/sites/<repo-name>.jsonc`.
+# Reusable workflow that uploads a preview Worker version (alias) for any
+# storefront repo. Worker name is the storefront repo basename by convention;
+# there is no per-site registry. The preview is gated by the `decocms-deployer`
+# GitHub App being installed on the target storefront repo.
 #
-# Caller usage (in customer repo, `.github/workflows/preview.yml`):
+# v3 architecture (D6.2): triggered via `workflow_dispatch` from the storefront,
+# authenticated as the `decocms-deployer` GitHub App. CF secrets resolve from
+# this repo's plain repo secrets and never leave decocms/deco-start.
+#
+# Caller usage (in the storefront repo, `.github/workflows/preview.yml`):
 #
 #   on:
-#     repository_dispatch:
-#       types: [preview-deploy]
 #     pull_request:
 #       types: [opened, synchronize, reopened]
 #     push:
 #       branches: ['env/**']
 #   permissions:
 #     contents: read
-#     pull-requests: write
-#     statuses: write
 #   jobs:
-#     preview:
-#       uses: decocms/deco-start/.github/workflows/preview.yml@v2
-#       secrets: inherit
+#     trigger:
+#       runs-on: ubuntu-latest
+#       steps:
+#         - id: meta
+#           run: |
+#             if [ "${{ github.event_name }}" = "pull_request" ]; then
+#               echo "alias=pr-${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+#               echo "sha=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
+#             else
+#               REF="${GITHUB_REF#refs/heads/env/}"
+#               echo "alias=$(echo "$REF" | sed 's|[^a-z0-9-]|-|g')" >> "$GITHUB_OUTPUT"
+#               echo "sha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+#             fi
+#         - uses: actions/create-github-app-token@v1
+#           id: app-token
+#           with:
+#             app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
+#             private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
+#             owner: decocms
+#             repositories: deco-start
+#         - env:
+#             GH_TOKEN: ${{ steps.app-token.outputs.token }}
+#           run: |
+#             gh workflow run preview.yml \
+#               --repo decocms/deco-start \
+#               --ref v3 \
+#               -f site_owner=${GITHUB_REPOSITORY%%/*} \
+#               -f site_name=${GITHUB_REPOSITORY##*/} \
+#               -f site_sha=${{ steps.meta.outputs.sha }} \
+#               -f alias=${{ steps.meta.outputs.alias }} \
+#               -f pr_number=${{ github.event.pull_request.number || '' }}
 #
-# Same secret model as deploy.yml: `CLOUDFLARE_*` resolve from this repo's
-# `production` environment, not from the caller. See deploy.yml for details.
+# Note on forks: pull_request runs from forked repos cannot access repo
+# secrets (incl. DECOCMS_DEPLOYER_APP_*), so they cannot trigger previews.
 
 on:
-  workflow_call: {}
+  workflow_dispatch:
+    inputs:
+      site_owner:
+        description: "GitHub org of the storefront. Defaults to deco-sites."
+        type: string
+        required: false
+        default: deco-sites
+      site_name:
+        description: "Storefront repo basename. Becomes the Cloudflare worker name."
+        type: string
+        required: true
+      site_sha:
+        description: "Commit sha to build & preview. Trusted as-is (preview alias has no production blast radius)."
+        type: string
+        required: true
+      alias:
+        description: "Preview alias name (e.g. pr-123, feature-foo). Must match wrangler alias rules."
+        type: string
+        required: true
+      pr_number:
+        description: "Optional PR number on the storefront repo. If set, the preview URL is commented back on the PR."
+        type: string
+        required: false
+        default: ""
 
 permissions:
   contents: read
-  pull-requests: write
-  statuses: write
 
 concurrency:
-  group: preview-${{ github.repository }}-${{ github.event.client_payload.ref || github.head_ref || github.ref_name }}
+  group: preview-${{ inputs.site_owner }}-${{ inputs.site_name }}-${{ inputs.alias }}
   cancel-in-progress: true
 
 jobs:
   preview:
     runs-on: ubuntu-latest
-    environment: production
     steps:
-      - name: Resolve ref
-        id: resolve
+      - name: Checkout deco-start (template + scripts)
+        uses: actions/checkout@v4
+
+      - name: Validate alias format
+        env:
+          ALIAS: ${{ inputs.alias }}
         run: |
-          if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
-            echo "ref=${{ github.event.client_payload.ref }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "ref=${{ github.head_ref || github.ref_name }}" >> "$GITHUB_OUTPUT"
+          set -euo pipefail
+          if ! echo "$ALIAS" | grep -Eq '^[a-z0-9][a-z0-9-]{0,62}$'; then
+            echo "::error::Invalid alias '$ALIAS'. Must be lowercase alphanumeric/hyphens, max 63 chars, start with alphanumeric."
+            exit 1
           fi
 
-      - uses: actions/checkout@v4
+      - name: Mint App token for storefront checkout
+        id: app-token
+        uses: actions/create-github-app-token@v1
         with:
-          ref: ${{ steps.resolve.outputs.ref }}
+          app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
+          private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
+          owner: ${{ inputs.site_owner }}
+          repositories: ${{ inputs.site_name }}
 
-      - name: Resolve deco-start ref + site identity
-        id: meta
-        run: |
-          WF_REF="${{ github.workflow_ref }}"
-          REF="${WF_REF##*@}"
-          REF="${REF#refs/tags/}"
-          REF="${REF#refs/heads/}"
-          echo "deco_start_ref=$REF" >> "$GITHUB_OUTPUT"
-          echo "site_name=${GITHUB_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"
-
-      - name: Checkout deco-start registry at the same ref
+      - name: Checkout storefront at requested sha
         uses: actions/checkout@v4
         with:
-          repository: decocms/deco-start
-          ref: ${{ steps.meta.outputs.deco_start_ref }}
-          path: .deco-start
+          repository: ${{ inputs.site_owner }}/${{ inputs.site_name }}
+          ref: ${{ inputs.site_sha }}
+          token: ${{ steps.app-token.outputs.token }}
+          path: site
+          fetch-depth: 1
 
       - uses: actions/setup-node@v4
         with:
           node-version: 22
 
-      - name: Compute preview alias
-        id: alias
-        run: |
-          REF="${{ steps.resolve.outputs.ref }}"
-          if echo "$REF" | grep -q '^env/'; then
-            ALIAS=$(echo "$REF" | sed 's|^env/||')
-          elif [ "${{ github.event_name }}" = "pull_request" ]; then
-            ALIAS="pr-${{ github.event.pull_request.number }}"
-          else
-            ALIAS=$(echo "$REF" | sed 's|[^a-z0-9-]|-|g')
-          fi
-          echo "alias=$ALIAS" >> "$GITHUB_OUTPUT"
+      - name: Restore npm cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: npm-${{ runner.os }}-${{ hashFiles('site/package-lock.json') }}
+          restore-keys: npm-${{ runner.os }}-
 
       - name: Install dependencies
-        run: npm install
+        working-directory: site
+        run: |
+          if [ ! -f package-lock.json ]; then
+            npm install --package-lock-only
+          fi
+          npm ci
 
       - name: Build
+        working-directory: site
         run: npm run build
 
-      - name: Resolve site manifest
-        id: site
-        run: node .deco-start/scripts/deploy/resolve-site.mjs
+      - name: Generate wrangler.jsonc from template
+        working-directory: site
         env:
-          DECO_START_PATH: .deco-start
-          SITE_NAME: ${{ steps.meta.outputs.site_name }}
-
-      - name: Generate wrangler.jsonc
-        run: node .deco-start/scripts/deploy/build-wrangler-config.mjs
-        env:
-          DECO_START_PATH: .deco-start
-          SITE_NAME: ${{ steps.meta.outputs.site_name }}
-          OUTPUT_PATH: ./wrangler.jsonc
+          DECO_START_PATH: "${{ github.workspace }}"
+          WORKER_NAME: ${{ inputs.site_name }}
+          OUTPUT_PATH: "./wrangler.jsonc"
+        run: node "$DECO_START_PATH/scripts/deploy/build-wrangler-config.mjs"
 
       - name: Upload preview version
         id: deploy
+        working-directory: site
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          ALIAS: ${{ inputs.alias }}
         run: |
           set +e
-          OUTPUT=$(npx wrangler versions upload --preview-alias ${{ steps.alias.outputs.alias }} 2>&1)
+          OUTPUT=$(npx wrangler versions upload --preview-alias "$ALIAS" 2>&1)
           EXIT_CODE=$?
           set -e
           echo "$OUTPUT"
@@ -124,19 +174,27 @@ jobs:
           ALIAS_URL=$(echo "$OUTPUT" | grep 'Version Preview Alias URL:' | sed 's/.*Version Preview Alias URL: //')
           echo "preview_url=${PREVIEW_URL}" >> "$GITHUB_OUTPUT"
           echo "alias_url=${ALIAS_URL}" >> "$GITHUB_OUTPUT"
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 
-      - name: Comment preview URL on PR
-        if: github.event_name == 'pull_request'
-        uses: marocchino/sticky-pull-request-comment@v2
+      - name: Mint App token for PR comment
+        id: comment-token
+        if: inputs.pr_number != ''
+        uses: actions/create-github-app-token@v1
         with:
-          header: preview-url
-          message: |
-            ### Preview deployed
-
-            | | URL |
-            |---|---|
-            | **Version** | ${{ steps.deploy.outputs.preview_url }} |
-            | **Alias** | ${{ steps.deploy.outputs.alias_url }} |
+          app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
+          private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
+          owner: ${{ inputs.site_owner }}
+          repositories: ${{ inputs.site_name }}
+          permission-pull-requests: write
+
+      - name: Comment preview URL on storefront PR
+        if: inputs.pr_number != ''
+        env:
+          GH_TOKEN: ${{ steps.comment-token.outputs.token }}
+          REPO: ${{ inputs.site_owner }}/${{ inputs.site_name }}
+          PR_NUMBER: ${{ inputs.pr_number }}
+          PREVIEW_URL: ${{ steps.deploy.outputs.preview_url }}
+          ALIAS_URL: ${{ steps.deploy.outputs.alias_url }}
+        run: |
+          set -euo pipefail
+          BODY=$(printf '### Preview deployed\n\n| | URL |\n|---|---|\n| **Version** | %s |\n| **Alias** | %s |\n' "$PREVIEW_URL" "$ALIAS_URL")
+          gh pr comment "$PR_NUMBER" --repo "$REPO" --body "$BODY"

package/.github/workflows/sync-secrets.yml

@@ -1,102 +1,96 @@
 name: sync-secrets (central)
 
-# Reusable workflow. Reconciles the caller's `SECRET_*` GitHub repo secrets
-# with the Cloudflare Worker's runtime secrets (with the prefix stripped).
+# Reusable workflow. Reconciles the per-storefront `SECRET_*` values stored in
+# this repo's `<site_name>-secrets` GitHub Environment with the Cloudflare
+# Worker's runtime secrets (with the `SECRET_` prefix stripped).
 #
 # Examples:
-#   SECRET_STRIPE_KEY in GitHub  ->  STRIPE_KEY on the worker
+#   SECRET_STRIPE_KEY in deco-start env  ->  STRIPE_KEY on the worker
 #
-# Defaults to dry-run; the caller must pass `mode: apply` to actually write.
-# Orphans on the worker (present on worker but not in GitHub as SECRET_*) are
+# v3 architecture (D6.2 / S1): SECRET_* values live in deco-start environments
+# named `<site_name>-secrets` (e.g. `baggagio-tanstack-secrets`). Site teams
+# get per-environment edit/approve permissions via GitHub Environment
+# protection rules, enforced by GitHub itself. CF credentials never leave
+# decocms/deco-start, AND site secrets never leave decocms/deco-start either.
+# The storefront repo holds zero credentials.
+#
+# Defaults to dry-run; the caller must pass `mode=apply` to actually write.
+# Orphans on the worker (present on worker but not in the env as SECRET_*) are
 # warned about, never deleted.
 #
-# Caller usage (in customer repo, `.github/workflows/sync-secrets.yml`):
+# Caller usage (in the storefront repo, `.github/workflows/sync-secrets.yml`):
 #
 #   on:
 #     workflow_dispatch:
 #       inputs:
 #         mode:
-#           description: "dry-run | apply"
-#           required: true
-#           default: "dry-run"
 #           type: choice
 #           options: [dry-run, apply]
+#           default: dry-run
+#   permissions:
+#     contents: read
 #   jobs:
-#     sync:
-#       uses: decocms/deco-start/.github/workflows/sync-secrets.yml@v2
-#       with:
-#         mode: ${{ inputs.mode }}
-#       secrets: inherit
-#
-# Two distinct secret classes flow through this job:
-#   - `CLOUDFLARE_API_TOKEN` / `CLOUDFLARE_ACCOUNT_ID` -> resolved from this
-#     repo's `production` environment (via `environment:` below). NEVER from
-#     the caller storefront. Same model as deploy.yml / preview.yml.
-#   - `SECRET_*` -> inherited from the caller storefront via `secrets: inherit`
-#     in the caller stub. These ARE site-owned and get pushed to the worker
-#     as runtime secrets (with the `SECRET_` prefix stripped).
-# `secrets: inherit` is therefore REQUIRED on the caller side for this
-# workflow specifically (unlike deploy.yml / preview.yml where it's just
-# tolerated).
+#     trigger:
+#       runs-on: ubuntu-latest
+#       steps:
+#         - uses: actions/create-github-app-token@v1
+#           id: app-token
+#           with:
+#             app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
+#             private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
+#             owner: decocms
+#             repositories: deco-start
+#         - env:
+#             GH_TOKEN: ${{ steps.app-token.outputs.token }}
+#           run: |
+#             gh workflow run sync-secrets.yml \
+#               --repo decocms/deco-start \
+#               --ref v3 \
+#               -f site_name=${GITHUB_REPOSITORY##*/} \
+#               -f mode=${{ inputs.mode }}
 
 on:
-  workflow_call:
+  workflow_dispatch:
     inputs:
+      site_name:
+        description: "Storefront repo basename. Becomes the Cloudflare worker name AND the environment name (`<site_name>-secrets`)."
+        type: string
+        required: true
       mode:
         description: "dry-run = print diff only | apply = set secrets on worker"
-        required: false
         type: string
+        required: false
         default: "dry-run"
 
 permissions:
   contents: read
 
 concurrency:
-  group: sync-secrets-${{ github.repository }}
+  group: sync-secrets-${{ inputs.site_name }}
   cancel-in-progress: false
 
 jobs:
   sync:
     runs-on: ubuntu-latest
-    environment: production
+    # Dynamic per-storefront environment. Site teams get edit/approve
+    # permissions on their own environment via GitHub Environment protection
+    # rules (set up in this repo's Settings -> Environments).
+    environment: ${{ inputs.site_name }}-secrets
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Resolve deco-start ref + site identity
-        id: meta
-        run: |
-          WF_REF="${{ github.workflow_ref }}"
-          REF="${WF_REF##*@}"
-          REF="${REF#refs/tags/}"
-          REF="${REF#refs/heads/}"
-          echo "deco_start_ref=$REF" >> "$GITHUB_OUTPUT"
-          echo "site_name=${GITHUB_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"
-
-      - name: Checkout deco-start registry at the same ref
+      - name: Checkout deco-start (template + scripts)
         uses: actions/checkout@v4
-        with:
-          repository: decocms/deco-start
-          ref: ${{ steps.meta.outputs.deco_start_ref }}
-          path: .deco-start
+
+      - name: Generate wrangler.jsonc (so wrangler knows which worker to target)
+        env:
+          DECO_START_PATH: "."
+          WORKER_NAME: ${{ inputs.site_name }}
+          OUTPUT_PATH: "./wrangler.jsonc"
+        run: node scripts/deploy/build-wrangler-config.mjs
 
       - uses: actions/setup-node@v4
         with:
           node-version: 22
 
-      - name: Resolve site manifest
-        id: site
-        run: node .deco-start/scripts/deploy/resolve-site.mjs
-        env:
-          DECO_START_PATH: .deco-start
-          SITE_NAME: ${{ steps.meta.outputs.site_name }}
-
-      - name: Generate wrangler.jsonc
-        run: node .deco-start/scripts/deploy/build-wrangler-config.mjs
-        env:
-          DECO_START_PATH: .deco-start
-          SITE_NAME: ${{ steps.meta.outputs.site_name }}
-          OUTPUT_PATH: ./wrangler.jsonc
-
       - name: Install wrangler
         run: npm install --no-save wrangler@4
 
@@ -104,12 +98,13 @@ jobs:
         env:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          # ALL_SECRETS includes both repo secrets (CLOUDFLARE_*) AND
+          # environment secrets (SECRET_*) because we're bound to the env.
           ALL_SECRETS: ${{ toJSON(secrets) }}
           MODE: ${{ inputs.mode }}
         run: |
           set -euo pipefail
 
-          # Build desired-state map from SECRET_* entries.
           desired_json=$(printf '%s' "$ALL_SECRETS" | jq '
             to_entries
             | map(select(.key | startswith("SECRET_")))
@@ -119,7 +114,6 @@ jobs:
 
           desired_names=$(printf '%s' "$desired_json" | jq -r 'keys[]' | sort)
 
-          # Validate names before any side effect.
           while IFS= read -r name; do
             [ -z "$name" ] && continue
             if ! [[ "$name" =~ ^[A-Z][A-Z0-9_]{0,63}$ ]]; then
@@ -128,24 +122,22 @@ jobs:
             fi
           done <<< "$desired_names"
 
-          # Snapshot what's currently on the worker.
           existing=$(npx wrangler secret list --format=json | jq -r '.[].name' | sort)
 
-          # Diff
           to_set="$desired_names"
           orphans=$(comm -23 <(printf '%s\n' "$existing") <(printf '%s\n' "$desired_names") || true)
 
           {
-            echo "## Diff"
+            echo "## Diff for ${{ inputs.site_name }}"
             echo ""
-            echo "### Will set (from SECRET_* in GitHub):"
+            echo "### Will set (from SECRET_* in \`${{ inputs.site_name }}-secrets\` environment):"
             if [ -z "$to_set" ]; then
-              echo "  (none)"
+              echo "  (none -- environment has no SECRET_* values)"
             else
               echo "$to_set" | sed 's/^/  + /'
             fi
             echo ""
-            echo "### Orphans (on worker, not in GitHub as SECRET_*):"
+            echo "### Orphans (on worker, not in env as SECRET_*):"
             if [ -z "$orphans" ]; then
               echo "  (none)"
             else
@@ -157,7 +149,7 @@ jobs:
           } | tee -a "$GITHUB_STEP_SUMMARY"
 
           if [ -n "$orphans" ]; then
-            echo "::warning::${orphans//$'\n'/, } exist on the worker but not in GitHub as SECRET_*. Not deleting."
+            echo "::warning::${orphans//$'\n'/, } exist on the worker but not in env as SECRET_*. Not deleting."
           fi
 
           if [ "$MODE" = "dry-run" ]; then
@@ -165,7 +157,6 @@ jobs:
             exit 0
           fi
 
-          # Apply
           if [ -z "$to_set" ]; then
             echo "Nothing to apply."
             exit 0

package/CODEOWNERS

@@ -1,14 +1,12 @@
 # CODEOWNERS for decocms/deco-start
 #
-# `deploy/` is the trust boundary for the central deploy pipeline. The files
-# under `deploy/sites/` immutably bind a customer repo to a Cloudflare worker;
-# `deploy/wrangler-template.jsonc` is the canonical wrangler config every site
-# inherits. A bad PR here can misroute a deploy or change every site's runtime
-# configuration in one shot. Only the platform team approves changes.
+# `deploy/wrangler-template.jsonc` is the canonical wrangler config every
+# storefront inherits. A bad PR here can change every site's runtime config in
+# one shot. Only the platform team approves changes.
 #
-# The central reusable workflows are in the same trust boundary: they decide
-# how every site is built and deployed.
-deploy/                       @vibe-dex
+# The central reusable workflows under `.github/workflows/` are in the same
+# trust boundary: they decide how every site is built and deployed.
+deploy/                              @vibe-dex
 .github/workflows/deploy.yml         @vibe-dex
 .github/workflows/preview.yml        @vibe-dex
 .github/workflows/sync-secrets.yml   @vibe-dex

package/MIGRATION_TOOLING_PLAN.md

@@ -118,7 +118,8 @@ this plan.
 | 2026-05-01 | **D4 — Site-local apps: local by default, promote at 3** | Site-specific apps live in `src/apps/local/` until ≥3 sites use them, then promote to `@decocms/apps`. |
 | 2026-05-01 | **D5 — Failed migrations: rm -rf and re-run** | No `--restart` mode. Half-migrated sites are throwaways. Failure modes get documented in skills, not encoded as escape hatches. |
 | 2026-05-07 | **D6 — Deploy / preview / secrets pipelines: centralize in `deco-start`** | At 6 sites the "1-minute copy" of `deploy.yml` / `preview.yml` / `wrangler.jsonc` had already produced unintended drift (lebiscuit missing 2 workflows, miess missing `account_id`, casaevideo's `loadtest:tail` worker name out of sync with its wrangler config). All sites now consume reusable workflows from `decocms/deco-start@v2` and a per-site registry under [`deploy/sites/<repo>.jsonc`](./deploy/) deep-merged on top of [`deploy/wrangler-template.jsonc`](./deploy/wrangler-template.jsonc) at deploy time. Customer repos hold only ~5-line caller workflows; `wrangler.jsonc` is generated and gitignored. The repo→worker binding is the trust boundary that prevents one site's commits from misrouting onto another site's worker (the central workflow ignores caller `inputs:` for identity and derives the site name from `${{ github.repository }}`). See [`deploy/README.md`](./deploy/README.md) for the contract. |
-| 2026-05-07 | **D6.1 — Cloudflare credentials never leave `deco-start`** | Same-day refinement of D6 after the first central deploy on `baggagio-tanstack` failed with `Secret CLOUDFLARE_API_TOKEN is required, but not provided while calling`. The original D6 design used `secrets: inherit` from the storefront stub and required `CLOUDFLARE_*` to live in the `deco-sites` org, which broke the principle that *the only secrets a storefront repo holds are the secrets that go into wrangler secrets, not the ones used to deploy*. Refinement: the central `deploy.yml` / `preview.yml` / `sync-secrets.yml` jobs declare `environment: production`, which makes `${{ secrets.CLOUDFLARE_* }}` resolve from the called repo (`decocms/deco-start`'s `production` GitHub Environment) instead of the caller's repo secrets. Storefronts now hold only their own `SECRET_*` runtime secrets; `sync-secrets` inherits those via `secrets: inherit` and pushes them as worker secrets. The trust boundary becomes two-tier: even a fully compromised storefront repo has no path to the Cloudflare credential, and even a compromised storefront cannot misroute *its own* deploy onto another site's worker because `worker_name` comes from the CODEOWNERS-protected registry, not caller input. See [`deploy/README.md`](./deploy/README.md) "Where Cloudflare credentials live" section. |
+| 2026-05-07 | **D6.1 — Cloudflare credentials never leave `deco-start`** | Same-day refinement of D6 after the first central deploy on `baggagio-tanstack` failed with `Secret CLOUDFLARE_API_TOKEN is required, but not provided while calling`. The original D6 design used `secrets: inherit` from the storefront stub and required `CLOUDFLARE_*` to live in the `deco-sites` org, which broke the principle that *the only secrets a storefront repo holds are the secrets that go into wrangler secrets, not the ones used to deploy*. First-pass refinement: the central `deploy.yml` / `preview.yml` / `sync-secrets.yml` jobs declared `environment: production` to try to make `${{ secrets.CLOUDFLARE_* }}` resolve from `decocms/deco-start`'s `production` Environment. **Found broken empirically on 2026-05-07** — the deployment registers in the *caller* repo, not the called workflow's repo, so the environment lookup uses the caller's `production` env (auto-created with no secrets). Superseded by D6.2 the same evening. |
+| 2026-05-07 | **D6.2 — App-mediated dispatch + no per-site registry (supersedes D6 + D6.1)** | After D6.1's `environment:` mechanism was empirically shown not to work cross-repo, the architecture pivoted: a `decocms-deployer` GitHub App is installed on `decocms/deco-start` (`actions:write`) and on each storefront repo (`contents:read`, optionally `pull-requests:write`). The storefront caller stub mints a short-lived App-installation token and calls `gh workflow run deploy.yml --repo decocms/deco-start --ref v3 -f site_owner=… -f site_name=…`. The central workflow runs in `decocms/deco-start`'s context, so `CLOUDFLARE_API_TOKEN` / `CLOUDFLARE_ACCOUNT_ID` are ordinary repo secrets. For runtime `SECRET_*` values, each storefront has a `<site_name>-secrets` GitHub Environment in `decocms/deco-start` (S1 design); `sync-secrets.yml` binds to that environment and pushes to `wrangler secret put`. The per-site registry under `deploy/sites/<repo>.jsonc` was dropped entirely (Pure C): worker name = repo basename by convention; the App being installed on the storefront repo is the deploy authorization gate; rare per-worker derived fields (like AE dataset name) use `$WORKER_*` substitution tokens in the template. Force-rollback is impossible for production deploys because the central workflow ignores caller-supplied `site_sha` and resolves the storefront's current default-branch HEAD itself. See [`deploy/README.md`](./deploy/README.md) for the full trust model. **Operational migrations required by Pure C:** `miess-01-tanstack` repo's worker shifts from `miess-tanstack` to `miess-01-tanstack` (CF-side cutover); `lebiscuit-tanstack` AE dataset shifts from `deco_metrics_lebiscuit` to `deco_metrics_lebiscuit_tanstack` (orphans old data). |
 
 The full text of the constitutional rule (loaded into every agent
 session for this repo) lives at
@@ -1677,15 +1678,19 @@ props. One broken section never takes the page down.
   `regen-blocks.yml` and its `wrangler.jsonc` lacked `account_id`,
   lebiscuit's preview workflow swallowed `wrangler` exit codes, and
   casaevideo's `loadtest:tail` referenced a worker name that didn't
-  match its `wrangler.jsonc`. **Resolved 2026-05-07 via D6:** all
-  workflows + wrangler config are centralized in
+  match its `wrangler.jsonc`. **Resolved 2026-05-07 via D6 → D6.1 →
+  D6.2:** all workflows + wrangler config are centralized in
   [`deco-start/.github/workflows/`](./.github/workflows/) and
-  [`deco-start/deploy/`](./deploy/). New-site onboarding is now: open a
-  PR adding `deploy/sites/<repo>.jsonc` to deco-start, then drop the
-  ~5-line caller workflows into the new site's repo. No `wrangler.jsonc`
-  is committed to the site repo — `deco-wrangler gen`
-  (a `bin` shipped from `@decocms/start`) materializes it from the
-  central registry on demand for local dev and CI alike.
+  [`deco-start/deploy/`](./deploy/), and storefront caller stubs use
+  a `decocms-deployer` GitHub App to trigger them via `workflow_dispatch`
+  with no Cloudflare credentials in the storefront repo. New-site
+  onboarding is now: install the `decocms-deployer` App on the new
+  storefront repo, drop the ~15-line caller workflows in, push to main.
+  No `deploy/sites/<repo>.jsonc` PR is needed — worker name is the
+  repo basename by convention. No `wrangler.jsonc` is committed to the
+  site repo — `deco-wrangler gen` (a `bin` shipped from `@decocms/start`)
+  materializes it from the central template on demand for local dev
+  and CI alike.
 
 #### Counter-evidence the user-rule asks for