@rizom/ops 0.2.0-alpha.5 → 0.2.0-alpha.50

package/dist/load-registry.d.ts

@@ -13,6 +13,21 @@ export interface ResolvedCohort {
     brainVersionOverride?: string;
     presetOverride?: PilotPreset;
     aiApiKeyOverride?: string;
+    gitSyncTokenOverride?: string;
+    mcpAuthTokenOverride?: string;
+}
+export interface ResolvedAnchorProfileSocialLink {
+    platform: "github" | "instagram" | "linkedin" | "email" | "website";
+    url: string;
+    label?: string;
+}
+export interface ResolvedAnchorProfile {
+    name: string;
+    description?: string;
+    website?: string;
+    email?: string;
+    story?: string;
+    socialLinks?: ResolvedAnchorProfileSocialLink[];
 }
 export interface ResolvedUserIdentity {
     handle: string;
@@ -23,7 +38,11 @@ export interface ResolvedUserIdentity {
     domain: string;
     contentRepo: string;
     discordEnabled: boolean;
+    discordAnchorUserId?: string;
     effectiveAiApiKey: string;
+    effectiveGitSyncToken: string;
+    effectiveMcpAuthToken: string;
+    anchorProfile: ResolvedAnchorProfile;
     snapshotStatus: SnapshotStatus;
 }
 export interface ResolvedUser extends ResolvedUserIdentity {
@@ -40,7 +59,4 @@ export interface PilotRegistry {
     cohorts: ResolvedCohort[];
     users: ResolvedUser[];
 }
-declare class PilotRegistryError extends Error {
-}
 export declare function loadPilotRegistry(rootDir: string, options?: LoadPilotRegistryOptions): Promise<PilotRegistry>;
-export { PilotRegistryError };

package/dist/observed-status.d.ts

@@ -0,0 +1,12 @@
+import type { FetchLike } from "@brains/utils/origin-ca";
+import type { ObservedUserStatus, ResolvedUserIdentity } from "./load-registry";
+export interface LookupResult {
+    address: string;
+    family: number;
+}
+export type LookupHost = (hostname: string) => Promise<LookupResult>;
+export interface CreateObservedStatusResolverOptions {
+    fetchImpl?: FetchLike;
+    lookupHost?: LookupHost;
+}
+export declare function createObservedStatusResolver(options?: CreateObservedStatusResolverOptions): (user: ResolvedUserIdentity) => Promise<ObservedUserStatus>;

package/dist/onboard-user.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function onboardUser(rootDir: string, handle: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function onboardUser(rootDir: string, handle: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/parse-args.d.ts

@@ -6,6 +6,8 @@ export interface ParsedArgs {
         version?: boolean | undefined;
         dryRun?: boolean | undefined;
         pushTo?: string | undefined;
+        cohort?: string | undefined;
+        anchorId?: string | undefined;
     };
 }
 export declare function parseArgs(argv: string[]): ParsedArgs;

package/dist/push-secrets.d.ts

@@ -5,5 +5,5 @@ export interface PushSecretsOptions {
     runCommand?: RunCommand | undefined;
     logger?: ((message: string) => void) | undefined;
 }
-export declare function pushSecretsToBackend(target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
+export declare function pushSecretsToBackend(_target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
 export { normalizePushTarget };

package/dist/reconcile-all.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function reconcileAll(rootDir: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function reconcileAll(rootDir: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/reconcile-cohort.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function reconcileCohort(rootDir: string, cohortId: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function reconcileCohort(rootDir: string, cohortId: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/reconcile-lib.d.ts

@@ -1,7 +1,9 @@
+import { type ContentRepoSyncOptions } from "./content-repo";
 import { type PilotRegistry, type ResolvedUser } from "./load-registry";
 import type { UserRunner } from "./user-runner";
-export type { UserRunResult, UserRunner } from "./user-runner";
-export declare function runUsers(rootDir: string, registry: PilotRegistry, users: ResolvedUser[], runner?: UserRunner): Promise<void>;
+export type { ContentRepoSyncOptions } from "./content-repo";
+export type { ContentRepoFile, UserRunResult, UserRunner } from "./user-runner";
+export declare function runUsers(rootDir: string, registry: PilotRegistry, users: ResolvedUser[], runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;
 export declare function findUser(rootDir: string, handle: string): Promise<{
     registry: PilotRegistry;
     user: ResolvedUser;

package/dist/run-command.d.ts

@@ -1,5 +1,6 @@
 import type { FetchLike } from "@brains/utils/origin-ca";
 import type { LoadPilotRegistryOptions } from "./load-registry";
+import { type LookupHost } from "./observed-status";
 import type { ParsedArgs } from "./parse-args";
 import { type RunCommand as OpsRunCommand } from "./run-subprocess";
 import { type SshKeygen } from "./ssh-key-bootstrap";
@@ -13,7 +14,7 @@ export interface CommandDependencies extends LoadPilotRegistryOptions {
     env?: NodeJS.ProcessEnv | undefined;
     logger?: ((message: string) => void) | undefined;
     fetchImpl?: FetchLike | undefined;
-    secretRunCommand?: OpsRunCommand | undefined;
+    lookupHost?: LookupHost | undefined;
     bootstrapRunCommand?: OpsRunCommand | undefined;
     sshKeygen?: SshKeygen | undefined;
 }

package/dist/run-subprocess.d.ts

@@ -1,5 +1,6 @@
 export type RunCommand = (command: string, args: string[], options?: {
     stdin?: string;
     env?: NodeJS.ProcessEnv;
+    cwd?: string;
 }) => Promise<void>;
 export declare const runSubprocess: RunCommand;

package/dist/schema.d.ts

@@ -3,6 +3,7 @@ export declare const presetSchema: z.ZodEnum<["core", "default", "pro"]>;
 export declare const exactVersionSchema: z.ZodString;
 export declare const handleSchema: z.ZodString;
 export declare const secretNameSchema: z.ZodString;
+export declare const agePublicKeySchema: z.ZodString;
 export declare const pilotSchema: z.ZodObject<{
     schemaVersion: z.ZodLiteral<1>;
     brainVersion: z.ZodString;
@@ -12,7 +13,12 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: z.ZodString;
     preset: z.ZodEnum<["core", "default", "pro"]>;
     aiApiKey: z.ZodString;
+    gitSyncToken: z.ZodString;
+    contentRepoAdminToken: z.ZodString;
+    mcpAuthToken: z.ZodString;
+    agePublicKey: z.ZodString;
 }, "strict", z.ZodTypeAny, {
+    agePublicKey: string;
     schemaVersion: 1;
     brainVersion: string;
     model: "rover";
@@ -21,7 +27,11 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: string;
     preset: "default" | "core" | "pro";
     aiApiKey: string;
+    gitSyncToken: string;
+    contentRepoAdminToken: string;
+    mcpAuthToken: string;
 }, {
+    agePublicKey: string;
     schemaVersion: 1;
     brainVersion: string;
     model: "rover";
@@ -30,53 +40,143 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: string;
     preset: "default" | "core" | "pro";
     aiApiKey: string;
+    gitSyncToken: string;
+    contentRepoAdminToken: string;
+    mcpAuthToken: string;
 }>;
 export declare const userSchema: z.ZodObject<{
     handle: z.ZodString;
     discord: z.ZodObject<{
         enabled: z.ZodBoolean;
+        anchorUserId: z.ZodOptional<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     }, {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     }>;
     aiApiKeyOverride: z.ZodOptional<z.ZodString>;
+    gitSyncTokenOverride: z.ZodOptional<z.ZodString>;
+    mcpAuthTokenOverride: z.ZodOptional<z.ZodString>;
+    anchorProfile: z.ZodOptional<z.ZodObject<{
+        name: z.ZodOptional<z.ZodString>;
+        description: z.ZodOptional<z.ZodString>;
+        website: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        story: z.ZodOptional<z.ZodString>;
+        socialLinks: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            platform: z.ZodEnum<["github", "instagram", "linkedin", "email", "website"]>;
+            url: z.ZodString;
+            label: z.ZodOptional<z.ZodString>;
+        }, "strict", z.ZodTypeAny, {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }, {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }>, "many">>;
+    }, "strict", z.ZodTypeAny, {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }[] | undefined;
+    }, {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }[] | undefined;
+    }>>;
 }, "strict", z.ZodTypeAny, {
     handle: string;
     discord: {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     };
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
+    anchorProfile?: {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }[] | undefined;
+    } | undefined;
 }, {
     handle: string;
     discord: {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     };
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
+    anchorProfile?: {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            url: string;
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            label?: string | undefined;
+        }[] | undefined;
+    } | undefined;
 }>;
 export declare const cohortSchema: z.ZodEffects<z.ZodObject<{
     members: z.ZodArray<z.ZodString, "many">;
     brainVersionOverride: z.ZodOptional<z.ZodString>;
     presetOverride: z.ZodOptional<z.ZodEnum<["core", "default", "pro"]>>;
     aiApiKeyOverride: z.ZodOptional<z.ZodString>;
+    gitSyncTokenOverride: z.ZodOptional<z.ZodString>;
+    mcpAuthTokenOverride: z.ZodOptional<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }>, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }>;

package/dist/secrets-encrypt.d.ts

@@ -0,0 +1,32 @@
+import { z } from "@brains/utils";
+declare const encryptedUserSecretsSchema: z.ZodObject<{
+    gitSyncToken: z.ZodOptional<z.ZodString>;
+    mcpAuthToken: z.ZodOptional<z.ZodString>;
+    discordBotToken: z.ZodOptional<z.ZodString>;
+    aiApiKey: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    aiApiKey?: string | undefined;
+    gitSyncToken?: string | undefined;
+    mcpAuthToken?: string | undefined;
+    discordBotToken?: string | undefined;
+}, {
+    aiApiKey?: string | undefined;
+    gitSyncToken?: string | undefined;
+    mcpAuthToken?: string | undefined;
+    discordBotToken?: string | undefined;
+}>;
+export type EncryptedUserSecrets = z.infer<typeof encryptedUserSecretsSchema>;
+export interface SecretsEncryptOptions {
+    env?: NodeJS.ProcessEnv | undefined;
+    logger?: ((message: string) => void) | undefined;
+    dryRun?: boolean | undefined;
+}
+export interface SecretsEncryptResult {
+    encryptedPath: string;
+    plaintextPath: string;
+    deletedPlaintext: boolean;
+    encryptedKeys: Array<keyof EncryptedUserSecrets>;
+    dryRun?: boolean | undefined;
+}
+export declare function encryptPilotSecrets(rootDir: string, handle: string, options?: SecretsEncryptOptions): Promise<SecretsEncryptResult>;
+export {};

package/dist/secrets-push.d.ts

@@ -10,4 +10,4 @@ export interface SecretsPushResult {
     skippedKeys: string[];
     dryRun?: boolean | undefined;
 }
-export declare function pushPilotSecrets(rootDir: string, handle: string, options?: SecretsPushOptions): Promise<SecretsPushResult>;
+export declare function pushPilotSecrets(rootDir: string, options?: SecretsPushOptions): Promise<SecretsPushResult>;

package/dist/user-add.d.ts

@@ -0,0 +1,15 @@
+export interface AddPilotUserOptions {
+    cohort: string;
+    anchorId?: string | undefined;
+}
+export interface AddPilotUserResult {
+    handle: string;
+    cohort: string;
+    userPath: string;
+    secretsTemplatePath: string;
+    cohortPath: string;
+    createdUser: boolean;
+    createdSecretsTemplate: boolean;
+    addedToCohort: boolean;
+}
+export declare function addPilotUser(rootDir: string, handle: string, options: AddPilotUserOptions): Promise<AddPilotUserResult>;

package/dist/user-runner.d.ts

@@ -1,6 +1,11 @@
 import type { ResolvedUser } from "./load-registry";
+export interface ContentRepoFile {
+    path: string;
+    content: string;
+}
 export interface UserRunResult {
     brainYaml?: string;
     envFile?: string;
+    contentRepoFiles?: ContentRepoFile[];
 }
 export type UserRunner = (user: ResolvedUser) => Promise<UserRunResult | void>;

package/package.json

@@ -4,7 +4,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.2.0-alpha.5",
+  "version": "0.2.0-alpha.50",
   "type": "module",
   "exports": {
     ".": {
@@ -32,10 +32,13 @@
     "typecheck": "tsc --noEmit",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix",
-    "test": "bun test"
+    "test": "bun test --timeout 20000"
+  },
+  "dependencies": {
+    "age-encryption": "^0.3.0"
   },
-  "dependencies": {},
   "devDependencies": {
+    "@brains/deploy-templates": "workspace:*",
     "@brains/eslint-config": "workspace:*",
     "@brains/typescript-config": "workspace:*",
     "@brains/utils": "workspace:*",

package/templates/rover-pilot/.env.schema

@@ -4,18 +4,29 @@
 # ----------
 
 # AI provider
+# Shared GitHub secret by default; a per-user override may come from the decrypted
+# users/<handle>.secrets.yaml.age file at deploy time.
 # @required @sensitive
 AI_API_KEY=
 
 # Git sync
+# Comes from the decrypted users/<handle>.secrets.yaml.age file.
 # @required @sensitive
 GIT_SYNC_TOKEN=
 
+# Content repo administration
+# Local/operator secret only. Used by brains-ops to create missing GitHub repos;
+# do not deploy it into Rover runtime config.
+# @required @sensitive
+CONTENT_REPO_ADMIN_TOKEN=
+
 # MCP interface
+# Comes from the decrypted users/<handle>.secrets.yaml.age file.
 # @required @sensitive
 MCP_AUTH_TOKEN=
 
 # Discord (optional, per-user)
+# Comes from the decrypted users/<handle>.secrets.yaml.age file when enabled.
 # @sensitive
 DISCORD_BOT_TOKEN=
 

package/templates/rover-pilot/.github/workflows/build.yml

@@ -54,6 +54,7 @@ jobs:
         with:
           context: .
           file: deploy/Dockerfile
+          target: fleet
           push: true
           build-args: |
             BRAIN_VERSION=${{ env.BRAIN_VERSION }}

package/templates/rover-pilot/.github/workflows/deploy.yml

@@ -12,8 +12,14 @@ on:
     paths:
       - users/*/.env
       - users/*/brain.yaml
+      - users/*/content/**
+      - users/*.secrets.yaml.age
       - deploy/**
       - .github/workflows/deploy.yml
+  workflow_run:
+    workflows: [Reconcile]
+    types: [completed]
+    branches: [main]
 
 permissions:
   contents: write
@@ -21,13 +27,16 @@ permissions:
 
 jobs:
   resolve_handles:
+    if: >
+      github.event_name != 'workflow_run' ||
+      github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     outputs:
       handles_json: ${{ steps.resolve.outputs.handles_json }}
     steps:
       - uses: actions/checkout@v5
         with:
-          ref: ${{ github.sha }}
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.sha }}
           fetch-depth: 0
 
       - uses: oven-sh/setup-bun@v2
@@ -39,7 +48,7 @@ jobs:
         id: resolve
         env:
           HANDLE_INPUT: ${{ inputs.handle || '' }}
-          BEFORE_SHA: ${{ github.event.before || '' }}
+          BEFORE_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.event.before || '' }}
         run: bun deploy/scripts/resolve-deploy-handles.ts
 
   no_changes:
@@ -66,15 +75,25 @@ jobs:
     steps:
       - uses: actions/checkout@v5
         with:
-          ref: ${{ github.sha }}
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.sha }}
 
       - uses: oven-sh/setup-bun@v2
 
       - name: Install operator tooling
         run: bun install
 
+      - name: Decrypt user secrets
+        id: user_secrets
+        env:
+          AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
+        run: bun deploy/scripts/decrypt-user-secrets.ts "$HANDLE"
+
       - name: Reconcile selected user config
-        run: bunx brains-ops onboard "$GITHUB_WORKSPACE" "$HANDLE"
+        env:
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+        run: |
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bunx brains-ops onboard "$GITHUB_WORKSPACE" "$HANDLE"
 
       - name: Resolve generated user config
         id: user_config
@@ -82,10 +101,9 @@ jobs:
 
       - name: Validate selected secrets
         env:
-          AI_API_KEY: ${{ secrets[steps.user_config.outputs.ai_api_key_secret_name] }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-          MCP_AUTH_TOKEN: ${{ secrets[steps.user_config.outputs.mcp_auth_token_secret_name] }}
-          DISCORD_BOT_TOKEN: ${{ steps.user_config.outputs.discord_bot_token_secret_name != '' && secrets[steps.user_config.outputs.discord_bot_token_secret_name] || '' }}
+          SHARED_AI_API_KEY: ${{ secrets[steps.user_secrets.outputs.shared_ai_api_key_secret_name] }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+          SHARED_MCP_AUTH_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_mcp_auth_token_secret_name] }}
           HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
           HCLOUD_SSH_KEY_NAME: ${{ secrets.HCLOUD_SSH_KEY_NAME }}
           HCLOUD_SERVER_TYPE: ${{ secrets.HCLOUD_SERVER_TYPE }}
@@ -96,7 +114,19 @@ jobs:
           CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
           CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
           PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
-        run: bun deploy/scripts/validate-secrets.ts
+        run: |
+          export AI_API_KEY="${AI_API_KEY:-$SHARED_AI_API_KEY}"
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          export MCP_AUTH_TOKEN="${MCP_AUTH_TOKEN:-$SHARED_MCP_AUTH_TOKEN}"
+          bun deploy/scripts/validate-secrets.ts
+
+      - name: Seed content repo
+        env:
+          CONTENT_REPO: ${{ steps.user_config.outputs.content_repo }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+        run: |
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bun deploy/scripts/sync-content-repo.ts
 
       - name: Log in to GHCR
         uses: docker/login-action@v3
@@ -143,14 +173,17 @@ jobs:
 
       - name: Write .kamal/secrets
         env:
-          AI_API_KEY: ${{ secrets[steps.user_config.outputs.ai_api_key_secret_name] }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-          MCP_AUTH_TOKEN: ${{ secrets[steps.user_config.outputs.mcp_auth_token_secret_name] }}
-          DISCORD_BOT_TOKEN: ${{ steps.user_config.outputs.discord_bot_token_secret_name != '' && secrets[steps.user_config.outputs.discord_bot_token_secret_name] || '' }}
+          SHARED_AI_API_KEY: ${{ secrets[steps.user_secrets.outputs.shared_ai_api_key_secret_name] }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+          SHARED_MCP_AUTH_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_mcp_auth_token_secret_name] }}
           KAMAL_REGISTRY_PASSWORD: ${{ secrets.KAMAL_REGISTRY_PASSWORD }}
           CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
           PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
-        run: bun deploy/scripts/write-kamal-secrets.ts
+        run: |
+          export AI_API_KEY="${AI_API_KEY:-$SHARED_AI_API_KEY}"
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          export MCP_AUTH_TOKEN="${MCP_AUTH_TOKEN:-$SHARED_MCP_AUTH_TOKEN}"
+          bun deploy/scripts/write-kamal-secrets.ts
 
       - name: Provision server
         id: provision
@@ -167,8 +200,11 @@ jobs:
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
           CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
-        run: bun deploy/scripts/update-dns.ts
+        run: |
+          bun deploy/scripts/update-dns.ts
+          BRAIN_DOMAIN="$PREVIEW_DOMAIN" bun deploy/scripts/update-dns.ts
 
       - name: Validate SSH key
         run: ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null
@@ -192,13 +228,21 @@ jobs:
         env:
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
           VERSION: brain-${{ steps.user_config.outputs.brain_version }}
+          IMAGE_REPOSITORY: ${{ steps.user_config.outputs.image_repository }}
+          REGISTRY_USERNAME: ${{ steps.user_config.outputs.registry_username }}
+          BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
+          BRAIN_YAML_PATH: ${{ steps.user_config.outputs.brain_yaml_path }}
         run: kamal setup --skip-push -c deploy/kamal/deploy.yml
 
       - name: Verify origin TLS
         env:
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
-        run: curl -I -k --max-time 20 --resolve "$BRAIN_DOMAIN:443:$SERVER_IP" "https://$BRAIN_DOMAIN/health"
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
+        run: |
+          curl -I -k --max-time 20 --resolve "$BRAIN_DOMAIN:443:$SERVER_IP" "https://$BRAIN_DOMAIN/health"
+          curl -I -k --max-time 20 --resolve "$PREVIEW_DOMAIN:443:$SERVER_IP" "https://$PREVIEW_DOMAIN/"
 
       - name: Upload generated config
         uses: actions/upload-artifact@v4
@@ -207,6 +251,7 @@ jobs:
           path: |
             users/${{ matrix.handle }}/brain.yaml
             users/${{ matrix.handle }}/.env
+            users/${{ matrix.handle }}/content
 
       - name: Dump remote proxy diagnostics
         if: failure()
@@ -233,7 +278,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
         with:
-          ref: ${{ github.sha }}
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.sha }}
 
       - uses: oven-sh/setup-bun@v2
 
@@ -255,8 +300,22 @@ jobs:
           if git diff --quiet -- users views; then
             exit 0
           fi
+
+          git fetch origin "${{ github.ref_name }}"
+          if git diff --quiet "origin/${{ github.ref_name }}" -- users views; then
+            exit 0
+          fi
+
+          patch_file="$(mktemp)"
+          git diff --binary -- users views > "$patch_file"
+          git reset --hard "origin/${{ github.ref_name }}"
+          git apply --3way --index "$patch_file"
+
+          if git diff --cached --quiet -- users views; then
+            exit 0
+          fi
+
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add users views
           git commit -m "chore(ops): reconcile generated config"
-          git push
+          git push origin HEAD:${{ github.ref_name }}

package/templates/rover-pilot/.github/workflows/reconcile.yml

@@ -38,8 +38,22 @@ jobs:
           if git diff --quiet -- views users; then
             exit 0
           fi
+
+          git fetch origin "${{ github.ref_name }}"
+          if git diff --quiet "origin/${{ github.ref_name }}" -- views users; then
+            exit 0
+          fi
+
+          patch_file="$(mktemp)"
+          git diff --binary -- views users > "$patch_file"
+          git reset --hard "origin/${{ github.ref_name }}"
+          git apply --3way --index "$patch_file"
+
+          if git diff --cached --quiet -- views users; then
+            exit 0
+          fi
+
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add views users
           git commit -m "chore(ops): reconcile pilot outputs"
-          git push
+          git push origin HEAD:${{ github.ref_name }}