@rizom/ops 0.2.0-alpha.0 → 0.2.0-alpha.2

package/dist/parse-args.d.ts

@@ -4,6 +4,7 @@ export interface ParsedArgs {
     flags: {
         help?: boolean | undefined;
         version?: boolean | undefined;
+        dryRun?: boolean | undefined;
     };
 }
 export declare function parseArgs(argv: string[]): ParsedArgs;

package/dist/run-command.d.ts

@@ -1,5 +1,6 @@
 import type { LoadPilotRegistryOptions } from "./load-registry";
 import type { ParsedArgs } from "./parse-args";
+import { type RunCommand as SecretRunCommand } from "./secrets-push";
 import type { UserRunner } from "./user-runner";
 export interface CommandResult {
     success: boolean;
@@ -7,5 +8,8 @@ export interface CommandResult {
 }
 export interface CommandDependencies extends LoadPilotRegistryOptions {
     runner?: UserRunner;
+    env?: NodeJS.ProcessEnv | undefined;
+    logger?: ((message: string) => void) | undefined;
+    secretRunCommand?: SecretRunCommand | undefined;
 }
 export declare function runCommand(parsed: ParsedArgs, dependencies?: CommandDependencies): Promise<CommandResult>;

package/dist/secrets-push.d.ts

@@ -0,0 +1,16 @@
+export interface SecretsPushOptions {
+    env?: NodeJS.ProcessEnv | undefined;
+    logger?: ((message: string) => void) | undefined;
+    dryRun?: boolean | undefined;
+    runCommand?: RunCommand | undefined;
+}
+export interface SecretsPushResult {
+    pushedKeys: string[];
+    skippedKeys: string[];
+    dryRun?: boolean | undefined;
+}
+export type RunCommand = (command: string, args: string[], options?: {
+    stdin?: string;
+    env?: NodeJS.ProcessEnv;
+}) => Promise<void>;
+export declare function pushPilotSecrets(rootDir: string, handle: string, options?: SecretsPushOptions): Promise<SecretsPushResult>;

package/package.json

@@ -4,7 +4,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.2.0-alpha.0",
+  "version": "0.2.0-alpha.2",
   "type": "module",
   "exports": {
     ".": {
@@ -12,7 +12,7 @@
       "import": "./dist/index.js"
     },
     "./deploy": {
-      "bun": "./src/entries/deploy.ts",
+      "bun": "./dist/deploy.js",
       "types": "./dist/deploy.d.ts",
       "import": "./dist/deploy.js"
     }

package/templates/rover-pilot/.github/workflows/deploy.yml

@@ -28,6 +28,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           ref: ${{ github.sha }}
+          fetch-depth: 0
 
       - uses: oven-sh/setup-bun@v2
 

package/templates/rover-pilot/README.md

@@ -38,5 +38,6 @@ When a push changes only deploy contract files, CI prints `No affected user conf
 - `brains-ops init <repo>`
 - `brains-ops render <repo>`
 - `brains-ops onboard <repo> <handle>`
+- `brains-ops secrets:push <repo> <handle>`
 - `brains-ops reconcile-cohort <repo> <cohort>`
 - `brains-ops reconcile-all <repo>`

package/templates/rover-pilot/deploy/scripts/provision-server.ts

@@ -0,0 +1,109 @@
+import {
+  readJsonResponse,
+  requireEnv,
+  writeGitHubOutput,
+  writeGitHubEnv,
+} from "./helpers";
+
+const token = requireEnv("HCLOUD_TOKEN");
+const instanceName = requireEnv("INSTANCE_NAME");
+const sshKeyName = requireEnv("HCLOUD_SSH_KEY_NAME");
+const serverType = requireEnv("HCLOUD_SERVER_TYPE");
+const location = requireEnv("HCLOUD_LOCATION");
+
+const headers: Record<string, string> = {
+  Authorization: `Bearer ${token}`,
+  "Content-Type": "application/json",
+};
+const baseUrl = "https://api.hetzner.cloud/v1";
+const labelSelector = `brain=${instanceName}`;
+const MAX_POLLS = 30;
+const POLL_INTERVAL_MS = 10_000;
+
+interface HetznerServer {
+  id: number;
+  status: string;
+  public_net?: { ipv4?: { ip?: string } };
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function listServers(): Promise<HetznerServer[]> {
+  const url = `${baseUrl}/servers?label_selector=${encodeURIComponent(labelSelector)}`;
+  const response = await fetch(url, { headers });
+  const payload = (await readJsonResponse(
+    response,
+    "Hetzner server lookup",
+  )) as {
+    servers?: HetznerServer[];
+  };
+  if (!response.ok || !payload.servers) {
+    throw new Error(`Hetzner server lookup failed: ${JSON.stringify(payload)}`);
+  }
+  return payload.servers;
+}
+
+async function createServer(): Promise<HetznerServer> {
+  const response = await fetch(`${baseUrl}/servers`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      name: instanceName,
+      server_type: serverType,
+      image: "ubuntu-22.04",
+      location,
+      ssh_keys: [sshKeyName],
+      labels: { brain: instanceName },
+    }),
+  });
+  const payload = (await readJsonResponse(
+    response,
+    "Hetzner server create",
+  )) as {
+    server?: HetznerServer;
+  };
+  if (!response.ok || !payload.server) {
+    throw new Error(`Hetzner server create failed: ${JSON.stringify(payload)}`);
+  }
+  return payload.server;
+}
+
+async function getServer(id: number): Promise<HetznerServer> {
+  const response = await fetch(`${baseUrl}/servers/${id}`, { headers });
+  const payload = (await readJsonResponse(response, "Hetzner server poll")) as {
+    server?: HetznerServer;
+  };
+  if (!response.ok || !payload.server) {
+    throw new Error(`Hetzner server poll failed: ${JSON.stringify(payload)}`);
+  }
+  return payload.server;
+}
+
+let server: HetznerServer | undefined = (await listServers())[0];
+server ??= await createServer();
+
+let polls = 0;
+while (server.status !== "running" || !server.public_net?.ipv4?.ip) {
+  if (++polls > MAX_POLLS) {
+    throw new Error(
+      `Server ${server.id} did not become ready after ${(MAX_POLLS * POLL_INTERVAL_MS) / 1000}s (status: ${server.status})`,
+    );
+  }
+  if (server.status === "error") {
+    throw new Error(`Server ${server.id} entered error state`);
+  }
+  console.log(
+    `Waiting for server ${server.id} (status: ${server.status}, poll ${polls}/${MAX_POLLS})...`,
+  );
+  await sleep(POLL_INTERVAL_MS);
+  server = await getServer(server.id);
+}
+
+const serverIp = server.public_net?.ipv4?.ip;
+if (!serverIp) {
+  throw new Error(`Server ${server.id} running but has no IPv4 address`);
+}
+writeGitHubOutput("server_ip", serverIp);
+writeGitHubEnv("SERVER_IP", serverIp);

package/templates/rover-pilot/deploy/scripts/update-dns.ts

@@ -0,0 +1,55 @@
+import { readJsonResponse, requireEnv } from "./helpers";
+
+const token = requireEnv("CF_API_TOKEN");
+const zoneId = requireEnv("CF_ZONE_ID");
+const domain = requireEnv("BRAIN_DOMAIN");
+const serverIp = requireEnv("SERVER_IP");
+
+const headers: Record<string, string> = {
+  Authorization: `Bearer ${token}`,
+  "Content-Type": "application/json",
+};
+const baseUrl = "https://api.cloudflare.com/client/v4";
+
+interface CloudflareResult {
+  success: boolean;
+  result?: Array<{ id: string }>;
+}
+
+async function upsertRecord(name: string): Promise<void> {
+  const lookupUrl = `${baseUrl}/zones/${zoneId}/dns_records?type=A&name=${encodeURIComponent(name)}`;
+  const lookup = await fetch(lookupUrl, { headers });
+  const payload = (await readJsonResponse(
+    lookup,
+    "Cloudflare DNS lookup",
+  )) as CloudflareResult;
+  if (!lookup.ok || !payload.success) {
+    throw new Error(`Cloudflare DNS lookup failed: ${JSON.stringify(payload)}`);
+  }
+
+  const existing = payload.result?.[0];
+  const url = existing
+    ? `${baseUrl}/zones/${zoneId}/dns_records/${existing.id}`
+    : `${baseUrl}/zones/${zoneId}/dns_records`;
+
+  const response = await fetch(url, {
+    method: existing ? "PUT" : "POST",
+    headers,
+    body: JSON.stringify({
+      type: "A",
+      name,
+      content: serverIp,
+      ttl: 1,
+      proxied: true,
+    }),
+  });
+  const result = (await readJsonResponse(
+    response,
+    "Cloudflare DNS upsert",
+  )) as CloudflareResult;
+  if (!response.ok || !result.success) {
+    throw new Error(`Cloudflare DNS upsert failed: ${JSON.stringify(result)}`);
+  }
+}
+
+await upsertRecord(domain);

package/templates/rover-pilot/deploy/scripts/validate-secrets.ts

@@ -0,0 +1,19 @@
+import { readFileSync } from "node:fs";
+import { parseEnvSchema } from "./helpers";
+
+const envSchemaPath = ".env.schema";
+const schema = parseEnvSchema(readFileSync(envSchemaPath, "utf8"));
+const requiredKeys = schema
+  .filter((entry) => entry.required)
+  .map((entry) => entry.key);
+
+const missing: string[] = [];
+for (const key of requiredKeys) {
+  if (!process.env[key]) {
+    missing.push(key);
+  }
+}
+
+if (missing.length > 0) {
+  throw new Error(`Missing required secrets: ${missing.join(", ")}`);
+}

package/templates/rover-pilot/deploy/scripts/write-kamal-secrets.ts

@@ -0,0 +1,18 @@
+import { mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { parseEnvSchema } from "./helpers";
+
+const envSchemaPath = ".env.schema";
+const schema = parseEnvSchema(readFileSync(envSchemaPath, "utf8"));
+const sensitiveKeys = schema
+  .filter((entry) => entry.sensitive)
+  .map((entry) => entry.key);
+
+const lines: string[] = [];
+for (const name of sensitiveKeys) {
+  const value = process.env[name] ?? "";
+  const escaped = String(value).replace(/'/g, "'\\''");
+  lines.push(`${name}='${escaped}'`);
+}
+
+mkdirSync(".kamal", { recursive: true });
+writeFileSync(".kamal/secrets", lines.join("\n") + "\n");

package/templates/rover-pilot/deploy/scripts/write-ssh-key.ts

@@ -0,0 +1,17 @@
+import { mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { requireEnv } from "./helpers";
+
+const privateKey = requireEnv("KAMAL_SSH_PRIVATE_KEY");
+
+let normalized = privateKey.replace(/\r\n/g, "\n").replace(/\\n/g, "\n");
+if (!normalized.endsWith("\n")) {
+  normalized += "\n";
+}
+
+const sshDir = join(process.env["HOME"] ?? "/root", ".ssh");
+mkdirSync(sshDir, { recursive: true });
+writeFileSync(join(sshDir, "id_ed25519"), normalized, {
+  encoding: "utf8",
+  mode: 0o600,
+});

package/templates/rover-pilot/docs/onboarding-checklist.md

@@ -5,6 +5,7 @@
 3. Add or edit `users/<handle>.yaml`.
 4. Add the user to a cohort in `cohorts/*.yaml`.
 5. Run `bunx brains-ops render <repo>`.
-6. Run `bunx brains-ops onboard <repo> <handle>`.
-7. For fleet upgrades, edit `pilot.yaml.brainVersion` and push once; CI rebuilds the shared image tag, refreshes generated user env files, and redeploys affected users.
-8. Hand the MCP connection details to the user.
+6. Run `bunx brains-ops secrets:push <repo> <handle>`.
+7. Run `bunx brains-ops onboard <repo> <handle>`.
+8. For fleet upgrades, edit `pilot.yaml.brainVersion` and push once; CI rebuilds the shared image tag, refreshes generated user env files, and redeploys affected users.
+9. Hand the MCP connection details to the user.