@rizom/ops 0.2.0-alpha.12 → 0.2.0-alpha.14

package/dist/load-registry.d.ts

@@ -13,6 +13,8 @@ export interface ResolvedCohort {
     brainVersionOverride?: string;
     presetOverride?: PilotPreset;
     aiApiKeyOverride?: string;
+    gitSyncTokenOverride?: string;
+    mcpAuthTokenOverride?: string;
 }
 export interface ResolvedAnchorProfileSocialLink {
     platform: "github" | "instagram" | "linkedin" | "email" | "website";
@@ -36,7 +38,10 @@ export interface ResolvedUserIdentity {
     domain: string;
     contentRepo: string;
     discordEnabled: boolean;
+    discordAnchorUserId?: string;
     effectiveAiApiKey: string;
+    effectiveGitSyncToken: string;
+    effectiveMcpAuthToken: string;
     anchorProfile: ResolvedAnchorProfile;
     snapshotStatus: SnapshotStatus;
 }
@@ -54,7 +59,4 @@ export interface PilotRegistry {
     cohorts: ResolvedCohort[];
     users: ResolvedUser[];
 }
-declare class PilotRegistryError extends Error {
-}
 export declare function loadPilotRegistry(rootDir: string, options?: LoadPilotRegistryOptions): Promise<PilotRegistry>;
-export { PilotRegistryError };

package/dist/push-secrets.d.ts

@@ -5,5 +5,5 @@ export interface PushSecretsOptions {
     runCommand?: RunCommand | undefined;
     logger?: ((message: string) => void) | undefined;
 }
-export declare function pushSecretsToBackend(target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
+export declare function pushSecretsToBackend(_target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
 export { normalizePushTarget };

package/dist/run-command.d.ts

@@ -15,7 +15,6 @@ export interface CommandDependencies extends LoadPilotRegistryOptions {
     logger?: ((message: string) => void) | undefined;
     fetchImpl?: FetchLike | undefined;
     lookupHost?: LookupHost | undefined;
-    secretRunCommand?: OpsRunCommand | undefined;
     bootstrapRunCommand?: OpsRunCommand | undefined;
     sshKeygen?: SshKeygen | undefined;
 }

package/dist/schema.d.ts

@@ -3,6 +3,7 @@ export declare const presetSchema: z.ZodEnum<["core", "default", "pro"]>;
 export declare const exactVersionSchema: z.ZodString;
 export declare const handleSchema: z.ZodString;
 export declare const secretNameSchema: z.ZodString;
+export declare const agePublicKeySchema: z.ZodString;
 export declare const pilotSchema: z.ZodObject<{
     schemaVersion: z.ZodLiteral<1>;
     brainVersion: z.ZodString;
@@ -12,7 +13,11 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: z.ZodString;
     preset: z.ZodEnum<["core", "default", "pro"]>;
     aiApiKey: z.ZodString;
+    gitSyncToken: z.ZodString;
+    mcpAuthToken: z.ZodString;
+    agePublicKey: z.ZodString;
 }, "strict", z.ZodTypeAny, {
+    agePublicKey: string;
     schemaVersion: 1;
     brainVersion: string;
     model: "rover";
@@ -21,7 +26,10 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: string;
     preset: "default" | "core" | "pro";
     aiApiKey: string;
+    gitSyncToken: string;
+    mcpAuthToken: string;
 }, {
+    agePublicKey: string;
     schemaVersion: 1;
     brainVersion: string;
     model: "rover";
@@ -30,17 +38,24 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: string;
     preset: "default" | "core" | "pro";
     aiApiKey: string;
+    gitSyncToken: string;
+    mcpAuthToken: string;
 }>;
 export declare const userSchema: z.ZodObject<{
     handle: z.ZodString;
     discord: z.ZodObject<{
         enabled: z.ZodBoolean;
+        anchorUserId: z.ZodOptional<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     }, {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     }>;
     aiApiKeyOverride: z.ZodOptional<z.ZodString>;
+    gitSyncTokenOverride: z.ZodOptional<z.ZodString>;
+    mcpAuthTokenOverride: z.ZodOptional<z.ZodString>;
     anchorProfile: z.ZodOptional<z.ZodObject<{
         name: z.ZodOptional<z.ZodString>;
         description: z.ZodOptional<z.ZodString>;
@@ -61,9 +76,9 @@ export declare const userSchema: z.ZodObject<{
             label?: string | undefined;
         }>, "many">>;
     }, "strict", z.ZodTypeAny, {
+        name?: string | undefined;
         email?: string | undefined;
         website?: string | undefined;
-        name?: string | undefined;
         description?: string | undefined;
         story?: string | undefined;
         socialLinks?: {
@@ -72,9 +87,9 @@ export declare const userSchema: z.ZodObject<{
             label?: string | undefined;
         }[] | undefined;
     }, {
+        name?: string | undefined;
         email?: string | undefined;
         website?: string | undefined;
-        name?: string | undefined;
         description?: string | undefined;
         story?: string | undefined;
         socialLinks?: {
@@ -87,12 +102,15 @@ export declare const userSchema: z.ZodObject<{
     handle: string;
     discord: {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     };
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     anchorProfile?: {
+        name?: string | undefined;
         email?: string | undefined;
         website?: string | undefined;
-        name?: string | undefined;
         description?: string | undefined;
         story?: string | undefined;
         socialLinks?: {
@@ -105,12 +123,15 @@ export declare const userSchema: z.ZodObject<{
     handle: string;
     discord: {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     };
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     anchorProfile?: {
+        name?: string | undefined;
         email?: string | undefined;
         website?: string | undefined;
-        name?: string | undefined;
         description?: string | undefined;
         story?: string | undefined;
         socialLinks?: {
@@ -125,24 +146,34 @@ export declare const cohortSchema: z.ZodEffects<z.ZodObject<{
     brainVersionOverride: z.ZodOptional<z.ZodString>;
     presetOverride: z.ZodOptional<z.ZodEnum<["core", "default", "pro"]>>;
     aiApiKeyOverride: z.ZodOptional<z.ZodString>;
+    gitSyncTokenOverride: z.ZodOptional<z.ZodString>;
+    mcpAuthTokenOverride: z.ZodOptional<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }>, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }>;

package/dist/secrets-encrypt.d.ts

@@ -0,0 +1,32 @@
+import { z } from "@brains/utils";
+declare const encryptedUserSecretsSchema: z.ZodObject<{
+    gitSyncToken: z.ZodOptional<z.ZodString>;
+    mcpAuthToken: z.ZodOptional<z.ZodString>;
+    discordBotToken: z.ZodOptional<z.ZodString>;
+    aiApiKey: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    aiApiKey?: string | undefined;
+    gitSyncToken?: string | undefined;
+    mcpAuthToken?: string | undefined;
+    discordBotToken?: string | undefined;
+}, {
+    aiApiKey?: string | undefined;
+    gitSyncToken?: string | undefined;
+    mcpAuthToken?: string | undefined;
+    discordBotToken?: string | undefined;
+}>;
+export type EncryptedUserSecrets = z.infer<typeof encryptedUserSecretsSchema>;
+export interface SecretsEncryptOptions {
+    env?: NodeJS.ProcessEnv | undefined;
+    logger?: ((message: string) => void) | undefined;
+    dryRun?: boolean | undefined;
+}
+export interface SecretsEncryptResult {
+    encryptedPath: string;
+    plaintextPath: string;
+    deletedPlaintext: boolean;
+    encryptedKeys: Array<keyof EncryptedUserSecrets>;
+    dryRun?: boolean | undefined;
+}
+export declare function encryptPilotSecrets(rootDir: string, handle: string, options?: SecretsEncryptOptions): Promise<SecretsEncryptResult>;
+export {};

package/dist/secrets-push.d.ts

@@ -10,4 +10,4 @@ export interface SecretsPushResult {
     skippedKeys: string[];
     dryRun?: boolean | undefined;
 }
-export declare function pushPilotSecrets(rootDir: string, handle: string, options?: SecretsPushOptions): Promise<SecretsPushResult>;
+export declare function pushPilotSecrets(rootDir: string, options?: SecretsPushOptions): Promise<SecretsPushResult>;

package/package.json

@@ -4,7 +4,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.2.0-alpha.12",
+  "version": "0.2.0-alpha.14",
   "type": "module",
   "exports": {
     ".": {
@@ -32,9 +32,11 @@
     "typecheck": "tsc --noEmit",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix",
-    "test": "bun test"
+    "test": "bun test --timeout 20000"
+  },
+  "dependencies": {
+    "age-encryption": "^0.3.0"
   },
-  "dependencies": {},
   "devDependencies": {
     "@brains/eslint-config": "workspace:*",
     "@brains/typescript-config": "workspace:*",

package/templates/rover-pilot/.env.schema

@@ -4,18 +4,23 @@
 # ----------
 
 # AI provider
+# Shared GitHub secret by default; a per-user override may come from the decrypted
+# users/<handle>.secrets.yaml.age file at deploy time.
 # @required @sensitive
 AI_API_KEY=
 
 # Git sync
+# Comes from the decrypted users/<handle>.secrets.yaml.age file.
 # @required @sensitive
 GIT_SYNC_TOKEN=
 
 # MCP interface
+# Comes from the decrypted users/<handle>.secrets.yaml.age file.
 # @required @sensitive
 MCP_AUTH_TOKEN=
 
 # Discord (optional, per-user)
+# Comes from the decrypted users/<handle>.secrets.yaml.age file when enabled.
 # @sensitive
 DISCORD_BOT_TOKEN=
 

package/templates/rover-pilot/.github/workflows/deploy.yml

@@ -13,6 +13,7 @@ on:
       - users/*/.env
       - users/*/brain.yaml
       - users/*/content/**
+      - users/*.secrets.yaml.age
       - deploy/**
       - .github/workflows/deploy.yml
 
@@ -74,16 +75,18 @@ jobs:
       - name: Install operator tooling
         run: bun install
 
-      - name: Resolve selected user secret names
-        id: user_secret_names
-        run: |
-          HANDLE_SUFFIX="$(printf '%s' "$HANDLE" | tr '[:lower:]-' '[:upper:]_')"
-          echo "git_sync_token_secret_name=GIT_SYNC_TOKEN_${HANDLE_SUFFIX}" >> "$GITHUB_OUTPUT"
+      - name: Decrypt user secrets
+        id: user_secrets
+        env:
+          AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
+        run: bun deploy/scripts/decrypt-user-secrets.ts "$HANDLE"
 
       - name: Reconcile selected user config
         env:
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_secret_names.outputs.git_sync_token_secret_name] }}
-        run: bunx brains-ops onboard "$GITHUB_WORKSPACE" "$HANDLE"
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+        run: |
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bunx brains-ops onboard "$GITHUB_WORKSPACE" "$HANDLE"
 
       - name: Resolve generated user config
         id: user_config
@@ -91,10 +94,9 @@ jobs:
 
       - name: Validate selected secrets
         env:
-          AI_API_KEY: ${{ secrets[steps.user_config.outputs.ai_api_key_secret_name] }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-          MCP_AUTH_TOKEN: ${{ secrets[steps.user_config.outputs.mcp_auth_token_secret_name] }}
-          DISCORD_BOT_TOKEN: ${{ steps.user_config.outputs.discord_bot_token_secret_name != '' && secrets[steps.user_config.outputs.discord_bot_token_secret_name] || '' }}
+          SHARED_AI_API_KEY: ${{ secrets[steps.user_secrets.outputs.shared_ai_api_key_secret_name] }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+          SHARED_MCP_AUTH_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_mcp_auth_token_secret_name] }}
           HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
           HCLOUD_SSH_KEY_NAME: ${{ secrets.HCLOUD_SSH_KEY_NAME }}
           HCLOUD_SERVER_TYPE: ${{ secrets.HCLOUD_SERVER_TYPE }}
@@ -105,13 +107,19 @@ jobs:
           CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
           CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
           PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
-        run: bun deploy/scripts/validate-secrets.ts
+        run: |
+          export AI_API_KEY="${AI_API_KEY:-$SHARED_AI_API_KEY}"
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          export MCP_AUTH_TOKEN="${MCP_AUTH_TOKEN:-$SHARED_MCP_AUTH_TOKEN}"
+          bun deploy/scripts/validate-secrets.ts
 
       - name: Seed content repo
         env:
           CONTENT_REPO: ${{ steps.user_config.outputs.content_repo }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-        run: bun deploy/scripts/sync-content-repo.ts
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+        run: |
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bun deploy/scripts/sync-content-repo.ts
 
       - name: Log in to GHCR
         uses: docker/login-action@v3
@@ -158,14 +166,17 @@ jobs:
 
       - name: Write .kamal/secrets
         env:
-          AI_API_KEY: ${{ secrets[steps.user_config.outputs.ai_api_key_secret_name] }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-          MCP_AUTH_TOKEN: ${{ secrets[steps.user_config.outputs.mcp_auth_token_secret_name] }}
-          DISCORD_BOT_TOKEN: ${{ steps.user_config.outputs.discord_bot_token_secret_name != '' && secrets[steps.user_config.outputs.discord_bot_token_secret_name] || '' }}
+          SHARED_AI_API_KEY: ${{ secrets[steps.user_secrets.outputs.shared_ai_api_key_secret_name] }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+          SHARED_MCP_AUTH_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_mcp_auth_token_secret_name] }}
           KAMAL_REGISTRY_PASSWORD: ${{ secrets.KAMAL_REGISTRY_PASSWORD }}
           CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
           PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
-        run: bun deploy/scripts/write-kamal-secrets.ts
+        run: |
+          export AI_API_KEY="${AI_API_KEY:-$SHARED_AI_API_KEY}"
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          export MCP_AUTH_TOKEN="${MCP_AUTH_TOKEN:-$SHARED_MCP_AUTH_TOKEN}"
+          bun deploy/scripts/write-kamal-secrets.ts
 
       - name: Provision server
         id: provision
@@ -182,10 +193,11 @@ jobs:
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
           CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
         run: |
           bun deploy/scripts/update-dns.ts
-          BRAIN_DOMAIN="preview.$BRAIN_DOMAIN" bun deploy/scripts/update-dns.ts
+          BRAIN_DOMAIN="$PREVIEW_DOMAIN" bun deploy/scripts/update-dns.ts
 
       - name: Validate SSH key
         run: ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null
@@ -212,6 +224,7 @@ jobs:
           IMAGE_REPOSITORY: ${{ steps.user_config.outputs.image_repository }}
           REGISTRY_USERNAME: ${{ steps.user_config.outputs.registry_username }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
           BRAIN_YAML_PATH: ${{ steps.user_config.outputs.brain_yaml_path }}
         run: kamal setup --skip-push -c deploy/kamal/deploy.yml
 
@@ -219,7 +232,10 @@ jobs:
         env:
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
-        run: curl -I -k --max-time 20 --resolve "$BRAIN_DOMAIN:443:$SERVER_IP" "https://$BRAIN_DOMAIN/health"
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
+        run: |
+          curl -I -k --max-time 20 --resolve "$BRAIN_DOMAIN:443:$SERVER_IP" "https://$BRAIN_DOMAIN/health"
+          curl -I -k --max-time 20 --resolve "$PREVIEW_DOMAIN:443:$SERVER_IP" "https://$PREVIEW_DOMAIN/"
 
       - name: Upload generated config
         uses: actions/upload-artifact@v4

package/templates/rover-pilot/README.md

@@ -38,8 +38,9 @@ When a push changes only deploy contract files, CI prints `No affected user conf
 - `brains-ops init <repo>`
 - `brains-ops render <repo>` — regenerates `views/users.md` with live DNS, `/health`, and unauthenticated `/mcp` status checks
 - `brains-ops onboard <repo> <handle>`
+- `brains-ops age-key:bootstrap <repo>`
 - `brains-ops ssh-key:bootstrap <repo>`
-- `brains-ops cert:bootstrap <repo> <handle>`
-- `brains-ops secrets:push <repo> <handle>`
+- `brains-ops cert:bootstrap <repo>`
+- `brains-ops secrets:encrypt <repo> <handle>`
 - `brains-ops reconcile-cohort <repo> <cohort>`
 - `brains-ops reconcile-all <repo>`

package/templates/rover-pilot/deploy/Caddyfile

@@ -1,7 +1,7 @@
 # Internal Caddy — path-based routing to brain services.
 # kamal-proxy terminates TLS externally; this runs inside the container.
 :80 {
-	@preview host preview.*
+	@preview host *-preview.*
 	handle @preview {
 		reverse_proxy localhost:4321
 

package/templates/rover-pilot/deploy/kamal/deploy.yml

@@ -12,7 +12,7 @@ proxy:
     private_key_pem: PRIVATE_KEY_PEM
   hosts:
     - <%= ENV['BRAIN_DOMAIN'] %>
-    - preview.<%= ENV['BRAIN_DOMAIN'] %>
+    - <%= ENV['PREVIEW_DOMAIN'] %>
   app_port: 80
   healthcheck:
     path: /health

package/templates/rover-pilot/deploy/scripts/decrypt-user-secrets.ts

@@ -0,0 +1,83 @@
+import { readFileSync } from "node:fs";
+
+import { Decrypter, armor } from "age-encryption";
+
+import { requireEnv, writeGitHubEnv, writeGitHubOutput } from "./helpers";
+
+const handle = process.argv[2] ?? requireEnv("HANDLE");
+const ageSecretKey = extractAgeIdentity(requireEnv("AGE_SECRET_KEY"));
+const encryptedPath = `users/${handle}.secrets.yaml.age`;
+
+const armored = readFileSync(encryptedPath, "utf8");
+const decoded = armor.decode(armored);
+
+const decrypter = new Decrypter();
+decrypter.addIdentity(ageSecretKey);
+
+const plaintext = await decrypter.decrypt(decoded, "text");
+const secrets = parseFlatYaml(plaintext);
+const pilot = parseFlatYaml(readFileSync("pilot.yaml", "utf8"));
+
+writeGitHubEnv("AI_API_KEY", secrets["aiApiKey"] ?? "");
+writeGitHubEnv("GIT_SYNC_TOKEN", secrets["gitSyncToken"] ?? "");
+writeGitHubEnv("MCP_AUTH_TOKEN", secrets["mcpAuthToken"] ?? "");
+writeGitHubEnv("DISCORD_BOT_TOKEN", secrets["discordBotToken"] ?? "");
+
+writeGitHubOutput(
+  "shared_ai_api_key_secret_name",
+  requireFlatValue(pilot, "aiApiKey", "pilot.yaml"),
+);
+writeGitHubOutput(
+  "shared_git_sync_token_secret_name",
+  requireFlatValue(pilot, "gitSyncToken", "pilot.yaml"),
+);
+writeGitHubOutput(
+  "shared_mcp_auth_token_secret_name",
+  requireFlatValue(pilot, "mcpAuthToken", "pilot.yaml"),
+);
+
+function extractAgeIdentity(contents: string): string {
+  const line = contents
+    .split(/\r?\n/)
+    .map((entry) => entry.trim())
+    .find((entry) => entry.startsWith("AGE-SECRET-KEY-"));
+
+  if (!line) {
+    throw new Error("Missing AGE-SECRET-KEY in AGE_SECRET_KEY");
+  }
+
+  return line;
+}
+
+function parseFlatYaml(contents: string): Record<string, string> {
+  const result: Record<string, string> = {};
+
+  for (const rawLine of contents.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) {
+      continue;
+    }
+
+    const match = line.match(/^([A-Za-z0-9_]+):\s*(.*)$/);
+    if (!match) {
+      continue;
+    }
+
+    const [, key, rawValue] = match;
+    result[key] = rawValue.replace(/^['"]|['"]$/g, "");
+  }
+
+  return result;
+}
+
+function requireFlatValue(
+  values: Record<string, string>,
+  key: string,
+  label: string,
+): string {
+  const value = values[key];
+  if (!value) {
+    throw new Error(`Missing ${key} in ${label}`);
+  }
+  return value;
+}

package/templates/rover-pilot/deploy/scripts/provision-server.ts

@@ -101,7 +101,7 @@ while (server.status !== "running" || !server.public_net?.ipv4?.ip) {
   server = await getServer(server.id);
 }
 
-const serverIp = server.public_net?.ipv4?.ip;
+const serverIp = server.public_net.ipv4.ip;
 if (!serverIp) {
   throw new Error(`Server ${server.id} running but has no IPv4 address`);
 }

package/templates/rover-pilot/deploy/scripts/resolve-deploy-handles.ts

@@ -32,9 +32,9 @@ const handles = [
     diffOutput
       .split(/\r?\n/)
       .map((path) => {
-        const match = path.match(
-          /^users\/([^/]+)\/(?:\.env|brain\.yaml|content\/.*)$/,
-        );
+        const match =
+          path.match(/^users\/([^/]+)\/(?:\.env|brain\.yaml|content\/.*)$/) ??
+          path.match(/^users\/([^/]+)\.secrets\.yaml\.age$/);
         return match?.[1] ?? null;
       })
       .filter((handle): handle is string => handle !== null)

package/templates/rover-pilot/deploy/scripts/resolve-user-config.ts

@@ -1,4 +1,5 @@
 import { readFileSync } from "node:fs";
+
 import { parseEnvFile, requireEnv, writeGitHubOutput } from "./helpers";
 
 const handle = requireEnv("HANDLE");
@@ -12,32 +13,31 @@ const repositoryOwner = repository.split("/")[0] ?? "";
 const brainYaml = readFileSync(brainYamlPath, "utf8");
 const domainMatch = brainYaml.match(/^domain:\s*(.+)$/m);
 const brainDomain = domainMatch?.[1]?.trim().replace(/^['"]|['"]$/g, "") ?? "";
-
 if (!brainDomain) {
   throw new Error(`Missing domain in ${brainYamlPath}`);
 }
 
+const zone =
+  brainDomain.startsWith(`${handle}.`) && brainDomain.length > handle.length + 1
+    ? brainDomain.slice(handle.length + 1)
+    : "";
+if (!zone) {
+  throw new Error(`Could not derive preview domain from ${brainDomain}`);
+}
+const previewDomain = `${handle}-preview.${zone}`;
+
 const outputs: Record<string, string> = {
   brain_version: envEntries["BRAIN_VERSION"] ?? "",
-  ai_api_key_secret_name: envEntries["AI_API_KEY_SECRET"] ?? "",
-  git_sync_token_secret_name: envEntries["GIT_SYNC_TOKEN_SECRET"] ?? "",
-  mcp_auth_token_secret_name: envEntries["MCP_AUTH_TOKEN_SECRET"] ?? "",
-  discord_bot_token_secret_name: envEntries["DISCORD_BOT_TOKEN_SECRET"] ?? "",
   content_repo: envEntries["CONTENT_REPO"] ?? "",
   brain_domain: brainDomain,
+  preview_domain: previewDomain,
   brain_yaml_path: brainYamlPath,
   instance_name: `rover-${handle}`,
   image_repository: `ghcr.io/${repository}`,
   registry_username: repositoryOwner,
 };
 
-const required = [
-  "brain_version",
-  "ai_api_key_secret_name",
-  "git_sync_token_secret_name",
-  "mcp_auth_token_secret_name",
-  "registry_username",
-];
+const required = ["brain_version", "registry_username"];
 for (const key of required) {
   if (!outputs[key]) {
     throw new Error(`Missing ${key} (derived from ${envPath})`);

package/templates/rover-pilot/docs/onboarding-checklist.md

@@ -1,17 +1,26 @@
 # Onboarding Checklist
 
 1. Run `bun install` so the repo uses its pinned `@rizom/ops` version.
-2. Fill in `pilot.yaml`.
-3. Add or edit `users/<handle>.yaml`.
-4. Add the user to a cohort in `cohorts/*.yaml`.
-5. Run `bunx brains-ops render <repo>`.
-6. Run `bunx brains-ops ssh-key:bootstrap <repo> --push-to gh`.
-7. Run `bunx brains-ops cert:bootstrap <repo> <handle> --push-to gh`.
-8. Run `bunx brains-ops secrets:push <repo> <handle>`.
-9. Run `bunx brains-ops onboard <repo> <handle>`.
-10. Verify the deployed rover core contract:
+2. Run `bunx brains-ops age-key:bootstrap <repo> --push-to gh`.
+3. Fill in `pilot.yaml`.
+   - keep your pinned `brainVersion`
+   - confirm shared selectors for `aiApiKey`, `gitSyncToken`, and `mcpAuthToken`
+   - confirm `agePublicKey`
+4. Add or edit `users/<handle>.yaml`.
+   - Discord is enabled by default for pilot users
+   - if the user should be an anchor there, set `discord.anchorUserId` to their Discord user ID
+5. Add the user to a cohort in `cohorts/*.yaml`.
+6. Run `bunx brains-ops render <repo>`.
+7. Run `bunx brains-ops ssh-key:bootstrap <repo> --push-to gh`.
+8. Run `bunx brains-ops cert:bootstrap <repo> --push-to gh`.
+9. Keep raw user secret material locally for now (`.env.local`, file-backed env vars, or equivalent local inputs).
+10. Run `bunx brains-ops secrets:encrypt <repo> <handle>`.
+11. Commit and push `users/<handle>.secrets.yaml.age`.
+12. Run `bunx brains-ops onboard <repo> <handle>`.
+13. Verify the deployed rover core contract:
     - `https://<handle>.rizom.ai/health` returns `200`
     - unauthenticated `POST https://<handle>.rizom.ai/mcp` returns `401`
-11. For fleet upgrades, edit `pilot.yaml.brainVersion` and push once; CI rebuilds the shared image tag, refreshes generated user env files, and redeploys affected users.
-12. Hand the MCP connection details to the user.
-13. Send `docs/user-onboarding.md` to the user as the pilot handoff guide.
+14. For fleet upgrades, edit `pilot.yaml.brainVersion` and push once; CI rebuilds the shared image tag, refreshes generated user env files, and redeploys affected users.
+15. Hand the Discord setup details to the user. If they need direct client access, also hand over the MCP connection details.
+16. If you are also giving them a content repo workflow, describe it first as a normal git repo of markdown/text files; mention Obsidian only as an optional editor.
+17. Send `docs/user-onboarding.md` to the user as the pilot handoff guide.