npm - @rizom/ops - Versions diffs - 0.2.0-alpha.3 → 0.2.0-alpha.5 - Mend

@rizom/ops 0.2.0-alpha.3 → 0.2.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +2 -0
package/dist/brains-ops.js +119 -114
package/dist/cert-bootstrap.d.ts +22 -0
package/dist/deploy.js +48 -48
package/dist/index.d.ts +2 -0
package/dist/index.js +103 -98
package/dist/origin-ca.d.ts +1 -0
package/dist/parse-args.d.ts +1 -0
package/dist/push-secrets.d.ts +9 -0
package/dist/push-target.d.ts +2 -0
package/dist/run-command.d.ts +7 -2
package/dist/run-subprocess.d.ts +5 -0
package/dist/schema.d.ts +6 -6
package/dist/secrets-push.d.ts +1 -4
package/dist/ssh-key-bootstrap.d.ts +26 -0
package/package.json +1 -1
package/templates/rover-pilot/README.md +2 -0
package/templates/rover-pilot/docs/onboarding-checklist.md +6 -4
package/templates/rover-pilot/docs/operator-playbook.md +11 -0

package/dist/origin-ca.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export { createOriginCertificateRequest, generateOriginKeyPair, issueCloudflareOriginCertificate, setCloudflareZoneSslStrict, type CloudflareOriginCaResult, type FetchLike, type OriginCertificateRequest, type OriginKeyPair, } from "@brains/utils/origin-ca";

package/dist/parse-args.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@ export interface ParsedArgs {
         help?: boolean | undefined;
         version?: boolean | undefined;
         dryRun?: boolean | undefined;
+        pushTo?: string | undefined;
     };
 }
 export declare function parseArgs(argv: string[]): ParsedArgs;

package/dist/push-secrets.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import { normalizePushTarget, type PushTarget } from "./push-target";
+import { type RunCommand } from "./run-subprocess";
+export type SecretPair = readonly [name: string, value: string];
+export interface PushSecretsOptions {
+    runCommand?: RunCommand | undefined;
+    logger?: ((message: string) => void) | undefined;
+}
+export declare function pushSecretsToBackend(target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
+export { normalizePushTarget };

package/dist/push-target.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export type PushTarget = "gh";
2	+ export declare function normalizePushTarget(value?: string): PushTarget \| undefined;

package/dist/run-command.d.ts CHANGED Viewed

@@ -1,6 +1,8 @@
+import type { FetchLike } from "@brains/utils/origin-ca";
 import type { LoadPilotRegistryOptions } from "./load-registry";
 import type { ParsedArgs } from "./parse-args";
-import { type RunCommand as SecretRunCommand } from "./secrets-push";
+import { type RunCommand as OpsRunCommand } from "./run-subprocess";
+import { type SshKeygen } from "./ssh-key-bootstrap";
 import type { UserRunner } from "./user-runner";
 export interface CommandResult {
     success: boolean;
@@ -10,6 +12,9 @@ export interface CommandDependencies extends LoadPilotRegistryOptions {
     runner?: UserRunner;
     env?: NodeJS.ProcessEnv | undefined;
     logger?: ((message: string) => void) | undefined;
-    secretRunCommand?: SecretRunCommand | undefined;
+    fetchImpl?: FetchLike | undefined;
+    secretRunCommand?: OpsRunCommand | undefined;
+    bootstrapRunCommand?: OpsRunCommand | undefined;
+    sshKeygen?: SshKeygen | undefined;
 }
 export declare function runCommand(parsed: ParsedArgs, dependencies?: CommandDependencies): Promise<CommandResult>;

package/dist/run-subprocess.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export type RunCommand = (command: string, args: string[], options?: {
+    stdin?: string;
+    env?: NodeJS.ProcessEnv;
+}) => Promise<void>;
+export declare const runSubprocess: RunCommand;

package/dist/schema.d.ts CHANGED Viewed

@@ -19,7 +19,7 @@ export declare const pilotSchema: z.ZodObject<{
     githubOrg: string;
     contentRepoPrefix: string;
     domainSuffix: string;
-    preset: "core" | "default" | "pro";
+    preset: "default" | "core" | "pro";
     aiApiKey: string;
 }, {
     schemaVersion: 1;
@@ -28,7 +28,7 @@ export declare const pilotSchema: z.ZodObject<{
     githubOrg: string;
     contentRepoPrefix: string;
     domainSuffix: string;
-    preset: "core" | "default" | "pro";
+    preset: "default" | "core" | "pro";
     aiApiKey: string;
 }>;
 export declare const userSchema: z.ZodObject<{
@@ -63,22 +63,22 @@ export declare const cohortSchema: z.ZodEffects<z.ZodObject<{
     members: string[];
     aiApiKeyOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
-    presetOverride?: "core" | "default" | "pro" | undefined;
+    presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
-    presetOverride?: "core" | "default" | "pro" | undefined;
+    presetOverride?: "default" | "core" | "pro" | undefined;
 }>, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
-    presetOverride?: "core" | "default" | "pro" | undefined;
+    presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
-    presetOverride?: "core" | "default" | "pro" | undefined;
+    presetOverride?: "default" | "core" | "pro" | undefined;
 }>;
 export type PilotConfig = z.infer<typeof pilotSchema>;
 export type UserConfig = z.infer<typeof userSchema>;

package/dist/secrets-push.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { type RunCommand } from "./run-subprocess";
 export interface SecretsPushOptions {
     env?: NodeJS.ProcessEnv | undefined;
     logger?: ((message: string) => void) | undefined;
@@ -9,8 +10,4 @@ export interface SecretsPushResult {
     skippedKeys: string[];
     dryRun?: boolean | undefined;
 }
-export type RunCommand = (command: string, args: string[], options?: {
-    stdin?: string;
-    env?: NodeJS.ProcessEnv;
-}) => Promise<void>;
 export declare function pushPilotSecrets(rootDir: string, handle: string, options?: SecretsPushOptions): Promise<SecretsPushResult>;

package/dist/ssh-key-bootstrap.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { type FetchLike } from "@brains/utils/origin-ca";
+import { type RunCommand } from "./run-subprocess";
+export interface SshKeyBootstrapOptions {
+    env?: NodeJS.ProcessEnv | undefined;
+    fetchImpl?: FetchLike | undefined;
+    logger?: (message: string) => void;
+    pushTo?: string | undefined;
+    runCommand?: RunCommand | undefined;
+    sshKeygen?: SshKeygen | undefined;
+}
+export interface SshKeyBootstrapResult {
+    createdHetznerKey: boolean;
+    createdLocalKey: boolean;
+    privateKeyPath: string;
+    publicKeyPath: string;
+    sshKeyName: string;
+}
+export interface SshKeygen {
+    createEd25519KeyPair: (privateKeyPath: string, comment: string) => void;
+    derivePublicKey: (privateKeyPath: string) => string;
+}
+export declare function runPilotSshKeyBootstrap(rootDir: string, options?: SshKeyBootstrapOptions): Promise<{
+    success: boolean;
+    message?: string;
+}>;
+export declare function bootstrapPilotSshKey(rootDir: string, options?: SshKeyBootstrapOptions): Promise<SshKeyBootstrapResult>;

package/package.json CHANGED Viewed

@@ -4,7 +4,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.2.0-alpha.3",
+  "version": "0.2.0-alpha.5",
   "type": "module",
   "exports": {
     ".": {

package/templates/rover-pilot/README.md CHANGED Viewed

@@ -38,6 +38,8 @@ When a push changes only deploy contract files, CI prints `No affected user conf
 - `brains-ops init <repo>`
 - `brains-ops render <repo>`
 - `brains-ops onboard <repo> <handle>`
+- `brains-ops ssh-key:bootstrap <repo>`
+- `brains-ops cert:bootstrap <repo> <handle>`
 - `brains-ops secrets:push <repo> <handle>`
 - `brains-ops reconcile-cohort <repo> <cohort>`
 - `brains-ops reconcile-all <repo>`

package/templates/rover-pilot/docs/onboarding-checklist.md CHANGED Viewed

@@ -5,7 +5,9 @@
 3. Add or edit `users/<handle>.yaml`.
 4. Add the user to a cohort in `cohorts/*.yaml`.
 5. Run `bunx brains-ops render <repo>`.
-6. Run `bunx brains-ops secrets:push <repo> <handle>`.
-7. Run `bunx brains-ops onboard <repo> <handle>`.
-8. For fleet upgrades, edit `pilot.yaml.brainVersion` and push once; CI rebuilds the shared image tag, refreshes generated user env files, and redeploys affected users.
-9. Hand the MCP connection details to the user.
+6. Run `bunx brains-ops ssh-key:bootstrap <repo> --push-to gh`.
+7. Run `bunx brains-ops cert:bootstrap <repo> <handle> --push-to gh`.
+8. Run `bunx brains-ops secrets:push <repo> <handle>`.
+9. Run `bunx brains-ops onboard <repo> <handle>`.
+10. For fleet upgrades, edit `pilot.yaml.brainVersion` and push once; CI rebuilds the shared image tag, refreshes generated user env files, and redeploys affected users.
+11. Hand the MCP connection details to the user.

package/templates/rover-pilot/docs/operator-playbook.md CHANGED Viewed

@@ -33,6 +33,17 @@ When a push changes only deploy contract files and no generated `users/<handle>/
 They are scaffolded from `@rizom/ops`, then versioned in this repo like any other deploy contract.
+## Bootstrap flow
+For a new pilot user, the operator bootstrap order is:
+1. `bunx brains-ops ssh-key:bootstrap <repo> --push-to gh`
+2. `bunx brains-ops cert:bootstrap <repo> <handle> --push-to gh`
+3. `bunx brains-ops secrets:push <repo> <handle>`
+4. `bunx brains-ops onboard <repo> <handle>`
+`brains-ops cert:bootstrap` writes local cert artifacts under `.brains-ops/`, which stays repo-local and ignored by git.
 ## Upgrading operator behavior
 When `@rizom/ops` changes the scaffolded deploy contract: