@rizom/ops 0.2.0-alpha.4 → 0.2.0-alpha.6
- package/README.md +1 -1
- package/dist/brains-ops.js +87 -86
- package/dist/cert-bootstrap.d.ts +1 -1
- package/dist/deploy.js +64 -64
- package/dist/index.js +86 -85
- package/dist/observed-status.d.ts +12 -0
- package/dist/origin-ca.d.ts +1 -1
- package/dist/run-command.d.ts +3 -1
- package/dist/ssh-key-bootstrap.d.ts +1 -1
- package/package.json +1 -1
- package/templates/rover-pilot/.github/workflows/deploy.yml +4 -0
- package/templates/rover-pilot/README.md +1 -1
- package/templates/rover-pilot/deploy/kamal/deploy.yml +1 -1
- package/templates/rover-pilot/docs/onboarding-checklist.md +5 -2
- package/templates/rover-pilot/docs/operator-playbook.md +10 -0
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { FetchLike } from "@brains/utils/origin-ca";
|
|
2
|
+
import type { ObservedUserStatus, ResolvedUserIdentity } from "./load-registry";
|
|
3
|
+
export interface LookupResult {
|
|
4
|
+
address: string;
|
|
5
|
+
family: number;
|
|
6
|
+
}
|
|
7
|
+
export type LookupHost = (hostname: string) => Promise<LookupResult>;
|
|
8
|
+
export interface CreateObservedStatusResolverOptions {
|
|
9
|
+
fetchImpl?: FetchLike;
|
|
10
|
+
lookupHost?: LookupHost;
|
|
11
|
+
}
|
|
12
|
+
export declare function createObservedStatusResolver(options?: CreateObservedStatusResolverOptions): (user: ResolvedUserIdentity) => Promise<ObservedUserStatus>;
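Review bot: The exported `createObservedStatusResolver` and its options carry no TSDoc, so the declaration does not say what network activity the returned function performs or whether a failed lookup rejects or is reported inside `ObservedUserStatus`. Going by the README line in this release, it performs live DNS, `/health` and unauthenticated `/mcp` checks, which is worth stating on the function together with any timeout, e.g. `/** Probes DNS, /health and unauthenticated /mcp for the user's host; fetchImpl and lookupHost replace the real network calls. */`. `LookupResult.family` could also be narrowed from `number` to `4 | 6` if it is meant to mirror Node's `dns.lookup` result. This looks like a generated declaration file, so the comment would belong in the source it is emitted from.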
|
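--- a/package/dist/origin-ca.d.ts
+++ b/package/dist/origin-ca.d.ts
@@ -1 +1 @@
-export { createOriginCertificateRequest, generateOriginKeyPair, issueCloudflareOriginCertificate, setCloudflareZoneSslStrict, type CloudflareOriginCaResult, type FetchLike, type OriginCertificateRequest, type OriginKeyPair, } from "@brains/utils";
+export { createOriginCertificateRequest, generateOriginKeyPair, issueCloudflareOriginCertificate, setCloudflareZoneSslStrict, type CloudflareOriginCaResult, type FetchLike, type OriginCertificateRequest, type OriginKeyPair, } from "@brains/utils/origin-ca";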
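--- a/package/dist/run-command.d.ts
+++ b/package/dist/run-command.d.ts
@@ -1,5 +1,6 @@
-import type { FetchLike } from "@brains/utils";
+import type { FetchLike } from "@brains/utils/origin-ca";
 import type { LoadPilotRegistryOptions } from "./load-registry";
+import { type LookupHost } from "./observed-status";
 import type { ParsedArgs } from "./parse-args";
 import { type RunCommand as OpsRunCommand } from "./run-subprocess";
 import { type SshKeygen } from "./ssh-key-bootstrap";
@@ -13,6 +14,7 @@ export interface CommandDependencies extends LoadPilotRegistryOptions {
 env?: NodeJS.ProcessEnv | undefined;
 logger?: ((message: string) => void) | undefined;
 fetchImpl?: FetchLike | undefined;
+lookupHost?: LookupHost | undefined;
 secretRunCommand?: OpsRunCommand | undefined;
 bootstrapRunCommand?: OpsRunCommand | undefined;
 sshKeygen?: SshKeygen | undefined;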
package/package.json
CHANGED
|
@@ -192,6 +192,10 @@ jobs:
|
|
|
192
192
|
env:
|
|
193
193
|
SERVER_IP: ${{ steps.provision.outputs.server_ip }}
|
|
194
194
|
VERSION: brain-${{ steps.user_config.outputs.brain_version }}
|
|
195
|
+
IMAGE_REPOSITORY: ${{ steps.user_config.outputs.image_repository }}
|
|
196
|
+
REGISTRY_USERNAME: ${{ steps.user_config.outputs.registry_username }}
|
|
197
|
+
BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
|
|
198
|
+
BRAIN_YAML_PATH: ${{ steps.user_config.outputs.brain_yaml_path }}
|
|
195
199
|
run: kamal setup --skip-push -c deploy/kamal/deploy.yml
|
|
196
200
|
|
|
197
201
|
- name: Verify origin TLS
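Review bot: The four values added to the `env:` of the `kamal setup` step (`IMAGE_REPOSITORY`, `REGISTRY_USERNAME`, `BRAIN_DOMAIN`, `BRAIN_YAML_PATH`) come straight from `steps.user_config.outputs`, and no validation is visible in this hunk. Passing them through `env:` rather than interpolating them into `run:` is the right shape. They presumably feed the Kamal config in `deploy/kamal/deploy.yml`, so a malformed user config could change which image, registry account or host the deploy targets. I would have the `user_config` step reject unexpected values before it emits outputs (a hostname pattern for `brain_domain`, a check that `brain_yaml_path` resolves inside the repository) and add a comment above the block such as `# consumed by deploy/kamal/deploy.yml; validated in the user_config step`. The step begins above the hunk and the `user_config` step is not shown, so this may already be handled there.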
|
|
@@ -36,7 +36,7 @@ When a push changes only deploy contract files, CI prints `No affected user conf
|
|
|
36
36
|
## Commands
|
|
37
37
|
|
|
38
38
|
- `brains-ops init <repo>`
|
|
39
|
-
- `brains-ops render <repo>`
|
|
39
|
+
- `brains-ops render <repo>` — regenerates `views/users.md` with live DNS, `/health`, and unauthenticated `/mcp` status checks
|
|
40
40
|
- `brains-ops onboard <repo> <handle>`
|
|
41
41
|
- `brains-ops ssh-key:bootstrap <repo>`
|
|
42
42
|
- `brains-ops cert:bootstrap <repo> <handle>`
|
|
@@ -9,5 +9,8 @@
|
|
|
9
9
|
7. Run `bunx brains-ops cert:bootstrap <repo> <handle> --push-to gh`.
|
|
10
10
|
8. Run `bunx brains-ops secrets:push <repo> <handle>`.
|
|
11
11
|
9. Run `bunx brains-ops onboard <repo> <handle>`.
|
|
12
|
-
10.
|
|
13
|
-
|
|
12
|
+
10. Verify the deployed rover core contract:
|
|
13
|
+
- `https://<handle>.rizom.ai/health` returns `200`
|
|
14
|
+
- unauthenticated `POST https://<handle>.rizom.ai/mcp` returns `401`
|
|
15
|
+
11. For fleet upgrades, edit `pilot.yaml.brainVersion` and push once; CI rebuilds the shared image tag, refreshes generated user env files, and redeploys affected users.
|
|
16
|
+
12. Hand the MCP connection details to the user.
|
|
@@ -53,6 +53,16 @@ When `@rizom/ops` changes the scaffolded deploy contract:
|
|
|
53
53
|
3. review the resulting changes to `.env.schema`, `deploy/scripts/`, and workflows in git
|
|
54
54
|
4. commit the updated deploy artifacts together
|
|
55
55
|
|
|
56
|
+
## Rover-core verification notes
|
|
57
|
+
|
|
58
|
+
Rover core is MCP-only. Do not expect the bare domain to serve a website.
|
|
59
|
+
|
|
60
|
+
Use these checks after deploy:
|
|
61
|
+
|
|
62
|
+
- `https://<handle>.rizom.ai/health` should return `200`
|
|
63
|
+
- unauthenticated `POST https://<handle>.rizom.ai/mcp` should return `401 Unauthorized: Bearer token required`
|
|
64
|
+
- a bare `GET /` may also return `401`; that is expected for rover core and does not indicate a bad deploy
|
|
65
|
+
|
|
56
66
|
## Recovery notes
|
|
57
67
|
|
|
58
68
|
Document known failure modes, recovery steps, and operator notes here.
|