@rizom/ops 0.2.0-alpha.11 → 0.2.0-alpha.13

package/dist/load-registry.d.ts

@@ -13,6 +13,21 @@ export interface ResolvedCohort {
     brainVersionOverride?: string;
     presetOverride?: PilotPreset;
     aiApiKeyOverride?: string;
+    gitSyncTokenOverride?: string;
+    mcpAuthTokenOverride?: string;
+}
+export interface ResolvedAnchorProfileSocialLink {
+    platform: "github" | "instagram" | "linkedin" | "email" | "website";
+    url: string;
+    label?: string;
+}
+export interface ResolvedAnchorProfile {
+    name: string;
+    description?: string;
+    website?: string;
+    email?: string;
+    story?: string;
+    socialLinks?: ResolvedAnchorProfileSocialLink[];
 }
 export interface ResolvedUserIdentity {
     handle: string;
@@ -23,7 +38,11 @@ export interface ResolvedUserIdentity {
     domain: string;
     contentRepo: string;
     discordEnabled: boolean;
+    discordAnchorUserId?: string;
     effectiveAiApiKey: string;
+    effectiveGitSyncToken: string;
+    effectiveMcpAuthToken: string;
+    anchorProfile: ResolvedAnchorProfile;
     snapshotStatus: SnapshotStatus;
 }
 export interface ResolvedUser extends ResolvedUserIdentity {
@@ -40,7 +59,4 @@ export interface PilotRegistry {
     cohorts: ResolvedCohort[];
     users: ResolvedUser[];
 }
-declare class PilotRegistryError extends Error {
-}
 export declare function loadPilotRegistry(rootDir: string, options?: LoadPilotRegistryOptions): Promise<PilotRegistry>;
-export { PilotRegistryError };

package/dist/onboard-user.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function onboardUser(rootDir: string, handle: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function onboardUser(rootDir: string, handle: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/push-secrets.d.ts

@@ -5,5 +5,5 @@ export interface PushSecretsOptions {
     runCommand?: RunCommand | undefined;
     logger?: ((message: string) => void) | undefined;
 }
-export declare function pushSecretsToBackend(target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
+export declare function pushSecretsToBackend(_target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
 export { normalizePushTarget };

package/dist/reconcile-all.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function reconcileAll(rootDir: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function reconcileAll(rootDir: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/reconcile-cohort.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function reconcileCohort(rootDir: string, cohortId: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function reconcileCohort(rootDir: string, cohortId: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/reconcile-lib.d.ts

@@ -1,7 +1,9 @@
+import { type ContentRepoSyncOptions } from "./content-repo";
 import { type PilotRegistry, type ResolvedUser } from "./load-registry";
 import type { UserRunner } from "./user-runner";
-export type { UserRunResult, UserRunner } from "./user-runner";
-export declare function runUsers(rootDir: string, registry: PilotRegistry, users: ResolvedUser[], runner?: UserRunner): Promise<void>;
+export type { ContentRepoSyncOptions } from "./content-repo";
+export type { ContentRepoFile, UserRunResult, UserRunner } from "./user-runner";
+export declare function runUsers(rootDir: string, registry: PilotRegistry, users: ResolvedUser[], runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;
 export declare function findUser(rootDir: string, handle: string): Promise<{
     registry: PilotRegistry;
     user: ResolvedUser;

package/dist/run-command.d.ts

@@ -15,7 +15,6 @@ export interface CommandDependencies extends LoadPilotRegistryOptions {
     logger?: ((message: string) => void) | undefined;
     fetchImpl?: FetchLike | undefined;
     lookupHost?: LookupHost | undefined;
-    secretRunCommand?: OpsRunCommand | undefined;
     bootstrapRunCommand?: OpsRunCommand | undefined;
     sshKeygen?: SshKeygen | undefined;
 }

package/dist/run-subprocess.d.ts

@@ -1,5 +1,6 @@
 export type RunCommand = (command: string, args: string[], options?: {
     stdin?: string;
     env?: NodeJS.ProcessEnv;
+    cwd?: string;
 }) => Promise<void>;
 export declare const runSubprocess: RunCommand;

package/dist/schema.d.ts

@@ -3,6 +3,7 @@ export declare const presetSchema: z.ZodEnum<["core", "default", "pro"]>;
 export declare const exactVersionSchema: z.ZodString;
 export declare const handleSchema: z.ZodString;
 export declare const secretNameSchema: z.ZodString;
+export declare const agePublicKeySchema: z.ZodString;
 export declare const pilotSchema: z.ZodObject<{
     schemaVersion: z.ZodLiteral<1>;
     brainVersion: z.ZodString;
@@ -12,7 +13,11 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: z.ZodString;
     preset: z.ZodEnum<["core", "default", "pro"]>;
     aiApiKey: z.ZodString;
+    gitSyncToken: z.ZodString;
+    mcpAuthToken: z.ZodString;
+    agePublicKey: z.ZodString;
 }, "strict", z.ZodTypeAny, {
+    agePublicKey: string;
     schemaVersion: 1;
     brainVersion: string;
     model: "rover";
@@ -21,7 +26,10 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: string;
     preset: "default" | "core" | "pro";
     aiApiKey: string;
+    gitSyncToken: string;
+    mcpAuthToken: string;
 }, {
+    agePublicKey: string;
     schemaVersion: 1;
     brainVersion: string;
     model: "rover";
@@ -30,53 +38,142 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: string;
     preset: "default" | "core" | "pro";
     aiApiKey: string;
+    gitSyncToken: string;
+    mcpAuthToken: string;
 }>;
 export declare const userSchema: z.ZodObject<{
     handle: z.ZodString;
     discord: z.ZodObject<{
         enabled: z.ZodBoolean;
+        anchorUserId: z.ZodOptional<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     }, {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     }>;
     aiApiKeyOverride: z.ZodOptional<z.ZodString>;
+    gitSyncTokenOverride: z.ZodOptional<z.ZodString>;
+    mcpAuthTokenOverride: z.ZodOptional<z.ZodString>;
+    anchorProfile: z.ZodOptional<z.ZodObject<{
+        name: z.ZodOptional<z.ZodString>;
+        description: z.ZodOptional<z.ZodString>;
+        website: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        story: z.ZodOptional<z.ZodString>;
+        socialLinks: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            platform: z.ZodEnum<["github", "instagram", "linkedin", "email", "website"]>;
+            url: z.ZodString;
+            label: z.ZodOptional<z.ZodString>;
+        }, "strict", z.ZodTypeAny, {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }, {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }>, "many">>;
+    }, "strict", z.ZodTypeAny, {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }[] | undefined;
+    }, {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }[] | undefined;
+    }>>;
 }, "strict", z.ZodTypeAny, {
     handle: string;
     discord: {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     };
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
+    anchorProfile?: {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }[] | undefined;
+    } | undefined;
 }, {
     handle: string;
     discord: {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     };
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
+    anchorProfile?: {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }[] | undefined;
+    } | undefined;
 }>;
 export declare const cohortSchema: z.ZodEffects<z.ZodObject<{
     members: z.ZodArray<z.ZodString, "many">;
     brainVersionOverride: z.ZodOptional<z.ZodString>;
     presetOverride: z.ZodOptional<z.ZodEnum<["core", "default", "pro"]>>;
     aiApiKeyOverride: z.ZodOptional<z.ZodString>;
+    gitSyncTokenOverride: z.ZodOptional<z.ZodString>;
+    mcpAuthTokenOverride: z.ZodOptional<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }>, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }>;

package/dist/secrets-encrypt.d.ts

@@ -0,0 +1,32 @@
+import { z } from "@brains/utils";
+declare const encryptedUserSecretsSchema: z.ZodObject<{
+    gitSyncToken: z.ZodOptional<z.ZodString>;
+    mcpAuthToken: z.ZodOptional<z.ZodString>;
+    discordBotToken: z.ZodOptional<z.ZodString>;
+    aiApiKey: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    aiApiKey?: string | undefined;
+    gitSyncToken?: string | undefined;
+    mcpAuthToken?: string | undefined;
+    discordBotToken?: string | undefined;
+}, {
+    aiApiKey?: string | undefined;
+    gitSyncToken?: string | undefined;
+    mcpAuthToken?: string | undefined;
+    discordBotToken?: string | undefined;
+}>;
+export type EncryptedUserSecrets = z.infer<typeof encryptedUserSecretsSchema>;
+export interface SecretsEncryptOptions {
+    env?: NodeJS.ProcessEnv | undefined;
+    logger?: ((message: string) => void) | undefined;
+    dryRun?: boolean | undefined;
+}
+export interface SecretsEncryptResult {
+    encryptedPath: string;
+    plaintextPath: string;
+    deletedPlaintext: boolean;
+    encryptedKeys: Array<keyof EncryptedUserSecrets>;
+    dryRun?: boolean | undefined;
+}
+export declare function encryptPilotSecrets(rootDir: string, handle: string, options?: SecretsEncryptOptions): Promise<SecretsEncryptResult>;
+export {};

package/dist/user-runner.d.ts

@@ -1,6 +1,11 @@
 import type { ResolvedUser } from "./load-registry";
+export interface ContentRepoFile {
+    path: string;
+    content: string;
+}
 export interface UserRunResult {
     brainYaml?: string;
     envFile?: string;
+    contentRepoFiles?: ContentRepoFile[];
 }
 export type UserRunner = (user: ResolvedUser) => Promise<UserRunResult | void>;

package/package.json

@@ -4,7 +4,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.2.0-alpha.11",
+  "version": "0.2.0-alpha.13",
   "type": "module",
   "exports": {
     ".": {
@@ -32,9 +32,11 @@
     "typecheck": "tsc --noEmit",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix",
-    "test": "bun test"
+    "test": "bun test --timeout 20000"
+  },
+  "dependencies": {
+    "age-encryption": "^0.3.0"
   },
-  "dependencies": {},
   "devDependencies": {
     "@brains/eslint-config": "workspace:*",
     "@brains/typescript-config": "workspace:*",

package/templates/rover-pilot/.env.schema

@@ -4,18 +4,23 @@
 # ----------
 
 # AI provider
+# Shared GitHub secret by default; a per-user override may come from the decrypted
+# users/<handle>.secrets.yaml.age file at deploy time.
 # @required @sensitive
 AI_API_KEY=
 
 # Git sync
+# Comes from the decrypted users/<handle>.secrets.yaml.age file.
 # @required @sensitive
 GIT_SYNC_TOKEN=
 
 # MCP interface
+# Comes from the decrypted users/<handle>.secrets.yaml.age file.
 # @required @sensitive
 MCP_AUTH_TOKEN=
 
 # Discord (optional, per-user)
+# Comes from the decrypted users/<handle>.secrets.yaml.age file when enabled.
 # @sensitive
 DISCORD_BOT_TOKEN=
 

package/templates/rover-pilot/.github/workflows/deploy.yml

@@ -12,6 +12,8 @@ on:
     paths:
       - users/*/.env
       - users/*/brain.yaml
+      - users/*/content/**
+      - users/*.secrets.yaml.age
       - deploy/**
       - .github/workflows/deploy.yml
 
@@ -73,8 +75,18 @@ jobs:
       - name: Install operator tooling
         run: bun install
 
+      - name: Decrypt user secrets
+        id: user_secrets
+        env:
+          AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
+        run: bun deploy/scripts/decrypt-user-secrets.ts "$HANDLE"
+
       - name: Reconcile selected user config
-        run: bunx brains-ops onboard "$GITHUB_WORKSPACE" "$HANDLE"
+        env:
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+        run: |
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bunx brains-ops onboard "$GITHUB_WORKSPACE" "$HANDLE"
 
       - name: Resolve generated user config
         id: user_config
@@ -82,10 +94,9 @@ jobs:
 
       - name: Validate selected secrets
         env:
-          AI_API_KEY: ${{ secrets[steps.user_config.outputs.ai_api_key_secret_name] }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-          MCP_AUTH_TOKEN: ${{ secrets[steps.user_config.outputs.mcp_auth_token_secret_name] }}
-          DISCORD_BOT_TOKEN: ${{ steps.user_config.outputs.discord_bot_token_secret_name != '' && secrets[steps.user_config.outputs.discord_bot_token_secret_name] || '' }}
+          SHARED_AI_API_KEY: ${{ secrets[steps.user_secrets.outputs.shared_ai_api_key_secret_name] }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+          SHARED_MCP_AUTH_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_mcp_auth_token_secret_name] }}
           HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
           HCLOUD_SSH_KEY_NAME: ${{ secrets.HCLOUD_SSH_KEY_NAME }}
           HCLOUD_SERVER_TYPE: ${{ secrets.HCLOUD_SERVER_TYPE }}
@@ -96,7 +107,19 @@ jobs:
           CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
           CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
           PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
-        run: bun deploy/scripts/validate-secrets.ts
+        run: |
+          export AI_API_KEY="${AI_API_KEY:-$SHARED_AI_API_KEY}"
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          export MCP_AUTH_TOKEN="${MCP_AUTH_TOKEN:-$SHARED_MCP_AUTH_TOKEN}"
+          bun deploy/scripts/validate-secrets.ts
+
+      - name: Seed content repo
+        env:
+          CONTENT_REPO: ${{ steps.user_config.outputs.content_repo }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+        run: |
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bun deploy/scripts/sync-content-repo.ts
 
       - name: Log in to GHCR
         uses: docker/login-action@v3
@@ -143,14 +166,17 @@ jobs:
 
       - name: Write .kamal/secrets
         env:
-          AI_API_KEY: ${{ secrets[steps.user_config.outputs.ai_api_key_secret_name] }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-          MCP_AUTH_TOKEN: ${{ secrets[steps.user_config.outputs.mcp_auth_token_secret_name] }}
-          DISCORD_BOT_TOKEN: ${{ steps.user_config.outputs.discord_bot_token_secret_name != '' && secrets[steps.user_config.outputs.discord_bot_token_secret_name] || '' }}
+          SHARED_AI_API_KEY: ${{ secrets[steps.user_secrets.outputs.shared_ai_api_key_secret_name] }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+          SHARED_MCP_AUTH_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_mcp_auth_token_secret_name] }}
           KAMAL_REGISTRY_PASSWORD: ${{ secrets.KAMAL_REGISTRY_PASSWORD }}
           CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
           PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
-        run: bun deploy/scripts/write-kamal-secrets.ts
+        run: |
+          export AI_API_KEY="${AI_API_KEY:-$SHARED_AI_API_KEY}"
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          export MCP_AUTH_TOKEN="${MCP_AUTH_TOKEN:-$SHARED_MCP_AUTH_TOKEN}"
+          bun deploy/scripts/write-kamal-secrets.ts
 
       - name: Provision server
         id: provision
@@ -167,10 +193,11 @@ jobs:
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
           CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
         run: |
           bun deploy/scripts/update-dns.ts
-          BRAIN_DOMAIN="preview.$BRAIN_DOMAIN" bun deploy/scripts/update-dns.ts
+          BRAIN_DOMAIN="$PREVIEW_DOMAIN" bun deploy/scripts/update-dns.ts
 
       - name: Validate SSH key
         run: ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null
@@ -197,6 +224,7 @@ jobs:
           IMAGE_REPOSITORY: ${{ steps.user_config.outputs.image_repository }}
           REGISTRY_USERNAME: ${{ steps.user_config.outputs.registry_username }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
           BRAIN_YAML_PATH: ${{ steps.user_config.outputs.brain_yaml_path }}
         run: kamal setup --skip-push -c deploy/kamal/deploy.yml
 
@@ -204,7 +232,10 @@ jobs:
         env:
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
-        run: curl -I -k --max-time 20 --resolve "$BRAIN_DOMAIN:443:$SERVER_IP" "https://$BRAIN_DOMAIN/health"
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
+        run: |
+          curl -I -k --max-time 20 --resolve "$BRAIN_DOMAIN:443:$SERVER_IP" "https://$BRAIN_DOMAIN/health"
+          curl -I -k --max-time 20 --resolve "$PREVIEW_DOMAIN:443:$SERVER_IP" "https://$PREVIEW_DOMAIN/"
 
       - name: Upload generated config
         uses: actions/upload-artifact@v4
@@ -213,6 +244,7 @@ jobs:
           path: |
             users/${{ matrix.handle }}/brain.yaml
             users/${{ matrix.handle }}/.env
+            users/${{ matrix.handle }}/content
 
       - name: Dump remote proxy diagnostics
         if: failure()

package/templates/rover-pilot/README.md

@@ -38,8 +38,9 @@ When a push changes only deploy contract files, CI prints `No affected user conf
 - `brains-ops init <repo>`
 - `brains-ops render <repo>` — regenerates `views/users.md` with live DNS, `/health`, and unauthenticated `/mcp` status checks
 - `brains-ops onboard <repo> <handle>`
+- `brains-ops age-key:bootstrap <repo>`
 - `brains-ops ssh-key:bootstrap <repo>`
-- `brains-ops cert:bootstrap <repo> <handle>`
-- `brains-ops secrets:push <repo> <handle>`
+- `brains-ops cert:bootstrap <repo>`
+- `brains-ops secrets:encrypt <repo> <handle>`
 - `brains-ops reconcile-cohort <repo> <cohort>`
 - `brains-ops reconcile-all <repo>`

package/templates/rover-pilot/deploy/Caddyfile

@@ -1,7 +1,7 @@
 # Internal Caddy — path-based routing to brain services.
 # kamal-proxy terminates TLS externally; this runs inside the container.
 :80 {
-	@preview host preview.*
+	@preview host *-preview.*
 	handle @preview {
 		reverse_proxy localhost:4321
 

package/templates/rover-pilot/deploy/kamal/deploy.yml

@@ -12,7 +12,7 @@ proxy:
     private_key_pem: PRIVATE_KEY_PEM
   hosts:
     - <%= ENV['BRAIN_DOMAIN'] %>
-    - preview.<%= ENV['BRAIN_DOMAIN'] %>
+    - <%= ENV['PREVIEW_DOMAIN'] %>
   app_port: 80
   healthcheck:
     path: /health

package/templates/rover-pilot/deploy/scripts/decrypt-user-secrets.ts

@@ -0,0 +1,83 @@
+import { readFileSync } from "node:fs";
+
+import { Decrypter, armor } from "age-encryption";
+
+import { requireEnv, writeGitHubEnv, writeGitHubOutput } from "./helpers";
+
+const handle = process.argv[2] ?? requireEnv("HANDLE");
+const ageSecretKey = extractAgeIdentity(requireEnv("AGE_SECRET_KEY"));
+const encryptedPath = `users/${handle}.secrets.yaml.age`;
+
+const armored = readFileSync(encryptedPath, "utf8");
+const decoded = armor.decode(armored);
+
+const decrypter = new Decrypter();
+decrypter.addIdentity(ageSecretKey);
+
+const plaintext = await decrypter.decrypt(decoded, "text");
+const secrets = parseFlatYaml(plaintext);
+const pilot = parseFlatYaml(readFileSync("pilot.yaml", "utf8"));
+
+writeGitHubEnv("AI_API_KEY", secrets["aiApiKey"] ?? "");
+writeGitHubEnv("GIT_SYNC_TOKEN", secrets["gitSyncToken"] ?? "");
+writeGitHubEnv("MCP_AUTH_TOKEN", secrets["mcpAuthToken"] ?? "");
+writeGitHubEnv("DISCORD_BOT_TOKEN", secrets["discordBotToken"] ?? "");
+
+writeGitHubOutput(
+  "shared_ai_api_key_secret_name",
+  requireFlatValue(pilot, "aiApiKey", "pilot.yaml"),
+);
+writeGitHubOutput(
+  "shared_git_sync_token_secret_name",
+  requireFlatValue(pilot, "gitSyncToken", "pilot.yaml"),
+);
+writeGitHubOutput(
+  "shared_mcp_auth_token_secret_name",
+  requireFlatValue(pilot, "mcpAuthToken", "pilot.yaml"),
+);
+
+function extractAgeIdentity(contents: string): string {
+  const line = contents
+    .split(/\r?\n/)
+    .map((entry) => entry.trim())
+    .find((entry) => entry.startsWith("AGE-SECRET-KEY-"));
+
+  if (!line) {
+    throw new Error("Missing AGE-SECRET-KEY in AGE_SECRET_KEY");
+  }
+
+  return line;
+}
+
+function parseFlatYaml(contents: string): Record<string, string> {
+  const result: Record<string, string> = {};
+
+  for (const rawLine of contents.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) {
+      continue;
+    }
+
+    const match = line.match(/^([A-Za-z0-9_]+):\s*(.*)$/);
+    if (!match) {
+      continue;
+    }
+
+    const [, key, rawValue] = match;
+    result[key] = rawValue.replace(/^['"]|['"]$/g, "");
+  }
+
+  return result;
+}
+
+function requireFlatValue(
+  values: Record<string, string>,
+  key: string,
+  label: string,
+): string {
+  const value = values[key];
+  if (!value) {
+    throw new Error(`Missing ${key} in ${label}`);
+  }
+  return value;
+}

package/templates/rover-pilot/deploy/scripts/provision-server.ts

@@ -101,7 +101,7 @@ while (server.status !== "running" || !server.public_net?.ipv4?.ip) {
   server = await getServer(server.id);
 }
 
-const serverIp = server.public_net?.ipv4?.ip;
+const serverIp = server.public_net.ipv4.ip;
 if (!serverIp) {
   throw new Error(`Server ${server.id} running but has no IPv4 address`);
 }

package/templates/rover-pilot/deploy/scripts/resolve-deploy-handles.ts

@@ -32,7 +32,9 @@ const handles = [
     diffOutput
       .split(/\r?\n/)
       .map((path) => {
-        const match = path.match(/^users\/([^/]+)\/(?:\.env|brain\.yaml)$/);
+        const match =
+          path.match(/^users\/([^/]+)\/(?:\.env|brain\.yaml|content\/.*)$/) ??
+          path.match(/^users\/([^/]+)\.secrets\.yaml\.age$/);
         return match?.[1] ?? null;
       })
       .filter((handle): handle is string => handle !== null)