@rizom/ops 0.2.0-alpha.7 → 0.2.0-alpha.70

package/dist/load-registry.d.ts

@@ -13,6 +13,21 @@ export interface ResolvedCohort {
     brainVersionOverride?: string;
     presetOverride?: PilotPreset;
     aiApiKeyOverride?: string;
+    gitSyncTokenOverride?: string;
+    mcpAuthTokenOverride?: string;
+}
+export interface ResolvedAnchorProfileSocialLink {
+    platform: "github" | "instagram" | "linkedin" | "email" | "website";
+    url: string;
+    label?: string;
+}
+export interface ResolvedAnchorProfile {
+    name: string;
+    description?: string;
+    website?: string;
+    email?: string;
+    story?: string;
+    socialLinks?: ResolvedAnchorProfileSocialLink[];
 }
 export interface ResolvedUserIdentity {
     handle: string;
@@ -23,7 +38,11 @@ export interface ResolvedUserIdentity {
     domain: string;
     contentRepo: string;
     discordEnabled: boolean;
+    discordAnchorUserId?: string;
     effectiveAiApiKey: string;
+    effectiveGitSyncToken: string;
+    effectiveMcpAuthToken: string;
+    anchorProfile: ResolvedAnchorProfile;
     snapshotStatus: SnapshotStatus;
 }
 export interface ResolvedUser extends ResolvedUserIdentity {
@@ -40,7 +59,4 @@ export interface PilotRegistry {
     cohorts: ResolvedCohort[];
     users: ResolvedUser[];
 }
-declare class PilotRegistryError extends Error {
-}
 export declare function loadPilotRegistry(rootDir: string, options?: LoadPilotRegistryOptions): Promise<PilotRegistry>;
-export { PilotRegistryError };

package/dist/observed-status.d.ts

@@ -1,4 +1,4 @@
-import type { FetchLike } from "@brains/utils/origin-ca";
+import type { FetchLike } from "@brains/deploy-support/origin-ca";
 import type { ObservedUserStatus, ResolvedUserIdentity } from "./load-registry";
 export interface LookupResult {
     address: string;

package/dist/onboard-user.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function onboardUser(rootDir: string, handle: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function onboardUser(rootDir: string, handle: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/origin-ca.d.ts

@@ -1 +1 @@
-export { createOriginCertificateRequest, generateOriginKeyPair, issueCloudflareOriginCertificate, setCloudflareZoneSslStrict, type CloudflareOriginCaResult, type FetchLike, type OriginCertificateRequest, type OriginKeyPair, } from "@brains/utils/origin-ca";
+export { createOriginCertificateRequest, generateOriginKeyPair, issueCloudflareOriginCertificate, setCloudflareZoneSslStrict, type CloudflareOriginCaResult, type FetchLike, type OriginCertificateRequest, type OriginKeyPair, } from "@brains/deploy-support/origin-ca";

package/dist/parse-args.d.ts

@@ -6,6 +6,8 @@ export interface ParsedArgs {
         version?: boolean | undefined;
         dryRun?: boolean | undefined;
         pushTo?: string | undefined;
+        cohort?: string | undefined;
+        anchorId?: string | undefined;
     };
 }
 export declare function parseArgs(argv: string[]): ParsedArgs;

package/dist/push-secrets.d.ts

@@ -5,5 +5,5 @@ export interface PushSecretsOptions {
     runCommand?: RunCommand | undefined;
     logger?: ((message: string) => void) | undefined;
 }
-export declare function pushSecretsToBackend(target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
+export declare function pushSecretsToBackend(_target: PushTarget, secrets: readonly SecretPair[], options?: PushSecretsOptions): Promise<void>;
 export { normalizePushTarget };

package/dist/reconcile-all.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function reconcileAll(rootDir: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function reconcileAll(rootDir: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/reconcile-cohort.d.ts

@@ -1,2 +1,2 @@
-import { type UserRunner } from "./reconcile-lib";
-export declare function reconcileCohort(rootDir: string, cohortId: string, runner?: UserRunner): Promise<void>;
+import { type UserRunner, type ContentRepoSyncOptions } from "./reconcile-lib";
+export declare function reconcileCohort(rootDir: string, cohortId: string, runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;

package/dist/reconcile-lib.d.ts

@@ -1,7 +1,9 @@
+import { type ContentRepoSyncOptions } from "./content-repo";
 import { type PilotRegistry, type ResolvedUser } from "./load-registry";
 import type { UserRunner } from "./user-runner";
-export type { UserRunResult, UserRunner } from "./user-runner";
-export declare function runUsers(rootDir: string, registry: PilotRegistry, users: ResolvedUser[], runner?: UserRunner): Promise<void>;
+export type { ContentRepoSyncOptions } from "./content-repo";
+export type { ContentRepoFile, UserRunResult, UserRunner } from "./user-runner";
+export declare function runUsers(rootDir: string, registry: PilotRegistry, users: ResolvedUser[], runner?: UserRunner, contentRepoOptions?: ContentRepoSyncOptions): Promise<void>;
 export declare function findUser(rootDir: string, handle: string): Promise<{
     registry: PilotRegistry;
     user: ResolvedUser;

package/dist/run-command.d.ts

@@ -1,4 +1,4 @@
-import type { FetchLike } from "@brains/utils/origin-ca";
+import type { FetchLike } from "@brains/deploy-support/origin-ca";
 import type { LoadPilotRegistryOptions } from "./load-registry";
 import { type LookupHost } from "./observed-status";
 import type { ParsedArgs } from "./parse-args";
@@ -15,7 +15,6 @@ export interface CommandDependencies extends LoadPilotRegistryOptions {
     logger?: ((message: string) => void) | undefined;
     fetchImpl?: FetchLike | undefined;
     lookupHost?: LookupHost | undefined;
-    secretRunCommand?: OpsRunCommand | undefined;
     bootstrapRunCommand?: OpsRunCommand | undefined;
     sshKeygen?: SshKeygen | undefined;
 }

package/dist/run-subprocess.d.ts

@@ -1,5 +1,6 @@
 export type RunCommand = (command: string, args: string[], options?: {
     stdin?: string;
     env?: NodeJS.ProcessEnv;
+    cwd?: string;
 }) => Promise<void>;
 export declare const runSubprocess: RunCommand;

package/dist/schema.d.ts

@@ -3,6 +3,7 @@ export declare const presetSchema: z.ZodEnum<["core", "default", "pro"]>;
 export declare const exactVersionSchema: z.ZodString;
 export declare const handleSchema: z.ZodString;
 export declare const secretNameSchema: z.ZodString;
+export declare const agePublicKeySchema: z.ZodString;
 export declare const pilotSchema: z.ZodObject<{
     schemaVersion: z.ZodLiteral<1>;
     brainVersion: z.ZodString;
@@ -12,7 +13,12 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: z.ZodString;
     preset: z.ZodEnum<["core", "default", "pro"]>;
     aiApiKey: z.ZodString;
+    gitSyncToken: z.ZodString;
+    contentRepoAdminToken: z.ZodString;
+    mcpAuthToken: z.ZodString;
+    agePublicKey: z.ZodString;
 }, "strict", z.ZodTypeAny, {
+    agePublicKey: string;
     schemaVersion: 1;
     brainVersion: string;
     model: "rover";
@@ -21,7 +27,11 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: string;
     preset: "default" | "core" | "pro";
     aiApiKey: string;
+    gitSyncToken: string;
+    contentRepoAdminToken: string;
+    mcpAuthToken: string;
 }, {
+    agePublicKey: string;
     schemaVersion: 1;
     brainVersion: string;
     model: "rover";
@@ -30,53 +40,143 @@ export declare const pilotSchema: z.ZodObject<{
     domainSuffix: string;
     preset: "default" | "core" | "pro";
     aiApiKey: string;
+    gitSyncToken: string;
+    contentRepoAdminToken: string;
+    mcpAuthToken: string;
 }>;
 export declare const userSchema: z.ZodObject<{
     handle: z.ZodString;
     discord: z.ZodObject<{
         enabled: z.ZodBoolean;
+        anchorUserId: z.ZodOptional<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     }, {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     }>;
     aiApiKeyOverride: z.ZodOptional<z.ZodString>;
+    gitSyncTokenOverride: z.ZodOptional<z.ZodString>;
+    mcpAuthTokenOverride: z.ZodOptional<z.ZodString>;
+    anchorProfile: z.ZodOptional<z.ZodObject<{
+        name: z.ZodOptional<z.ZodString>;
+        description: z.ZodOptional<z.ZodString>;
+        website: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        story: z.ZodOptional<z.ZodString>;
+        socialLinks: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            platform: z.ZodEnum<["github", "instagram", "linkedin", "email", "website"]>;
+            url: z.ZodString;
+            label: z.ZodOptional<z.ZodString>;
+        }, "strict", z.ZodTypeAny, {
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            url: string;
+            label?: string | undefined;
+        }, {
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            url: string;
+            label?: string | undefined;
+        }>, "many">>;
+    }, "strict", z.ZodTypeAny, {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            url: string;
+            label?: string | undefined;
+        }[] | undefined;
+    }, {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            url: string;
+            label?: string | undefined;
+        }[] | undefined;
+    }>>;
 }, "strict", z.ZodTypeAny, {
     handle: string;
     discord: {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     };
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
+    anchorProfile?: {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            url: string;
+            label?: string | undefined;
+        }[] | undefined;
+    } | undefined;
 }, {
     handle: string;
     discord: {
         enabled: boolean;
+        anchorUserId?: string | undefined;
     };
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
+    anchorProfile?: {
+        name?: string | undefined;
+        email?: string | undefined;
+        website?: string | undefined;
+        description?: string | undefined;
+        story?: string | undefined;
+        socialLinks?: {
+            platform: "github" | "instagram" | "linkedin" | "email" | "website";
+            url: string;
+            label?: string | undefined;
+        }[] | undefined;
+    } | undefined;
 }>;
 export declare const cohortSchema: z.ZodEffects<z.ZodObject<{
     members: z.ZodArray<z.ZodString, "many">;
     brainVersionOverride: z.ZodOptional<z.ZodString>;
     presetOverride: z.ZodOptional<z.ZodEnum<["core", "default", "pro"]>>;
     aiApiKeyOverride: z.ZodOptional<z.ZodString>;
+    gitSyncTokenOverride: z.ZodOptional<z.ZodString>;
+    mcpAuthTokenOverride: z.ZodOptional<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }>, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }, {
     members: string[];
     aiApiKeyOverride?: string | undefined;
+    gitSyncTokenOverride?: string | undefined;
+    mcpAuthTokenOverride?: string | undefined;
     brainVersionOverride?: string | undefined;
     presetOverride?: "default" | "core" | "pro" | undefined;
 }>;

package/dist/secrets-encrypt.d.ts

@@ -0,0 +1,32 @@
+import { z } from "@brains/utils";
+declare const encryptedUserSecretsSchema: z.ZodObject<{
+    gitSyncToken: z.ZodOptional<z.ZodString>;
+    mcpAuthToken: z.ZodOptional<z.ZodString>;
+    discordBotToken: z.ZodOptional<z.ZodString>;
+    aiApiKey: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    aiApiKey?: string | undefined;
+    gitSyncToken?: string | undefined;
+    mcpAuthToken?: string | undefined;
+    discordBotToken?: string | undefined;
+}, {
+    aiApiKey?: string | undefined;
+    gitSyncToken?: string | undefined;
+    mcpAuthToken?: string | undefined;
+    discordBotToken?: string | undefined;
+}>;
+export type EncryptedUserSecrets = z.infer<typeof encryptedUserSecretsSchema>;
+export interface SecretsEncryptOptions {
+    env?: NodeJS.ProcessEnv | undefined;
+    logger?: ((message: string) => void) | undefined;
+    dryRun?: boolean | undefined;
+}
+export interface SecretsEncryptResult {
+    encryptedPath: string;
+    plaintextPath: string;
+    deletedPlaintext: boolean;
+    encryptedKeys: Array<keyof EncryptedUserSecrets>;
+    dryRun?: boolean | undefined;
+}
+export declare function encryptPilotSecrets(rootDir: string, handle: string, options?: SecretsEncryptOptions): Promise<SecretsEncryptResult>;
+export {};

package/dist/secrets-push.d.ts

@@ -10,4 +10,4 @@ export interface SecretsPushResult {
     skippedKeys: string[];
     dryRun?: boolean | undefined;
 }
-export declare function pushPilotSecrets(rootDir: string, handle: string, options?: SecretsPushOptions): Promise<SecretsPushResult>;
+export declare function pushPilotSecrets(rootDir: string, options?: SecretsPushOptions): Promise<SecretsPushResult>;

package/dist/ssh-key-bootstrap.d.ts

@@ -1,4 +1,4 @@
-import { type FetchLike } from "@brains/utils/origin-ca";
+import { type FetchLike } from "@brains/deploy-support/origin-ca";
 import { type RunCommand } from "./run-subprocess";
 export interface SshKeyBootstrapOptions {
     env?: NodeJS.ProcessEnv | undefined;

package/dist/user-add.d.ts

@@ -0,0 +1,15 @@
+export interface AddPilotUserOptions {
+    cohort: string;
+    anchorId?: string | undefined;
+}
+export interface AddPilotUserResult {
+    handle: string;
+    cohort: string;
+    userPath: string;
+    secretsTemplatePath: string;
+    cohortPath: string;
+    createdUser: boolean;
+    createdSecretsTemplate: boolean;
+    addedToCohort: boolean;
+}
+export declare function addPilotUser(rootDir: string, handle: string, options: AddPilotUserOptions): Promise<AddPilotUserResult>;

package/dist/user-runner.d.ts

@@ -1,6 +1,11 @@
 import type { ResolvedUser } from "./load-registry";
+export interface ContentRepoFile {
+    path: string;
+    content: string;
+}
 export interface UserRunResult {
     brainYaml?: string;
     envFile?: string;
+    contentRepoFiles?: ContentRepoFile[];
 }
 export type UserRunner = (user: ResolvedUser) => Promise<UserRunResult | void>;

package/package.json

@@ -4,7 +4,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.2.0-alpha.7",
+  "version": "0.2.0-alpha.70",
   "type": "module",
   "exports": {
     ".": {
@@ -32,10 +32,14 @@
     "typecheck": "tsc --noEmit",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix",
-    "test": "bun test"
+    "test": "bun run build && bun test --timeout 20000",
+    "test:smoke": "bun run build && RUN_SMOKE_TESTS=1 bun test --timeout 60000"
+  },
+  "dependencies": {
+    "age-encryption": "^0.3.0"
   },
-  "dependencies": {},
   "devDependencies": {
+    "@brains/deploy-support": "workspace:*",
     "@brains/eslint-config": "workspace:*",
     "@brains/typescript-config": "workspace:*",
     "@brains/utils": "workspace:*",

package/templates/rover-pilot/.env.schema

@@ -4,18 +4,29 @@
 # ----------
 
 # AI provider
+# Shared GitHub secret by default; a per-user override may come from the decrypted
+# users/<handle>.secrets.yaml.age file at deploy time.
 # @required @sensitive
 AI_API_KEY=
 
 # Git sync
+# Comes from the decrypted users/<handle>.secrets.yaml.age file.
 # @required @sensitive
 GIT_SYNC_TOKEN=
 
+# Content repo administration
+# Local/operator secret only. Used by brains-ops to create missing GitHub repos;
+# do not deploy it into Rover runtime config.
+# @required @sensitive
+CONTENT_REPO_ADMIN_TOKEN=
+
 # MCP interface
+# Comes from the decrypted users/<handle>.secrets.yaml.age file.
 # @required @sensitive
 MCP_AUTH_TOKEN=
 
 # Discord (optional, per-user)
+# Comes from the decrypted users/<handle>.secrets.yaml.age file when enabled.
 # @sensitive
 DISCORD_BOT_TOKEN=
 

package/templates/rover-pilot/.github/workflows/build.yml

@@ -32,25 +32,25 @@ jobs:
           echo "IMAGE_REPOSITORY=ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}" >> "$GITHUB_ENV"
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Extract image metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ${{ env.IMAGE_REPOSITORY }}
           tags: |
             type=raw,value=brain-${{ env.BRAIN_VERSION }}
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: deploy/Dockerfile