@rizom/ops 0.2.0-alpha.8 → 0.2.0-alpha.80

package/templates/rover-pilot/.github/workflows/deploy.yml

@@ -12,8 +12,14 @@ on:
     paths:
       - users/*/.env
       - users/*/brain.yaml
+      - users/*/content/**
+      - users/*.secrets.yaml.age
       - deploy/**
       - .github/workflows/deploy.yml
+  workflow_run:
+    workflows: [Reconcile]
+    types: [completed]
+    branches: [main]
 
 permissions:
   contents: write
@@ -21,13 +27,16 @@ permissions:
 
 jobs:
   resolve_handles:
+    if: >
+      github.event_name != 'workflow_run' ||
+      github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     outputs:
       handles_json: ${{ steps.resolve.outputs.handles_json }}
     steps:
       - uses: actions/checkout@v5
         with:
-          ref: ${{ github.sha }}
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.sha }}
           fetch-depth: 0
 
       - uses: oven-sh/setup-bun@v2
@@ -39,7 +48,7 @@ jobs:
         id: resolve
         env:
           HANDLE_INPUT: ${{ inputs.handle || '' }}
-          BEFORE_SHA: ${{ github.event.before || '' }}
+          BEFORE_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.event.before || '' }}
         run: bun deploy/scripts/resolve-deploy-handles.ts
 
   no_changes:
@@ -66,15 +75,25 @@ jobs:
     steps:
       - uses: actions/checkout@v5
         with:
-          ref: ${{ github.sha }}
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.sha }}
 
       - uses: oven-sh/setup-bun@v2
 
       - name: Install operator tooling
         run: bun install
 
+      - name: Decrypt user secrets
+        id: user_secrets
+        env:
+          AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
+        run: bun deploy/scripts/decrypt-user-secrets.ts "$HANDLE"
+
       - name: Reconcile selected user config
-        run: bunx brains-ops onboard "$GITHUB_WORKSPACE" "$HANDLE"
+        env:
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+        run: |
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bunx brains-ops onboard "$GITHUB_WORKSPACE" "$HANDLE"
 
       - name: Resolve generated user config
         id: user_config
@@ -82,10 +101,10 @@ jobs:
 
       - name: Validate selected secrets
         env:
-          AI_API_KEY: ${{ secrets[steps.user_config.outputs.ai_api_key_secret_name] }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-          MCP_AUTH_TOKEN: ${{ secrets[steps.user_config.outputs.mcp_auth_token_secret_name] }}
-          DISCORD_BOT_TOKEN: ${{ steps.user_config.outputs.discord_bot_token_secret_name != '' && secrets[steps.user_config.outputs.discord_bot_token_secret_name] || '' }}
+          SHARED_AI_API_KEY: ${{ secrets[steps.user_secrets.outputs.shared_ai_api_key_secret_name] }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+          SETUP_EMAIL_API_KEY: ${{ secrets.SETUP_EMAIL_API_KEY }}
+          SETUP_EMAIL_FROM: ${{ secrets.SETUP_EMAIL_FROM }}
           HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
           HCLOUD_SSH_KEY_NAME: ${{ secrets.HCLOUD_SSH_KEY_NAME }}
           HCLOUD_SERVER_TYPE: ${{ secrets.HCLOUD_SERVER_TYPE }}
@@ -96,10 +115,21 @@ jobs:
           CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
           CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
           PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
-        run: bun deploy/scripts/validate-secrets.ts
+        run: |
+          export AI_API_KEY="${AI_API_KEY:-$SHARED_AI_API_KEY}"
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bun deploy/scripts/validate-secrets.ts
+
+      - name: Seed content repo
+        env:
+          CONTENT_REPO: ${{ steps.user_config.outputs.content_repo }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+        run: |
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bun deploy/scripts/sync-content-repo.ts
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -143,14 +173,17 @@ jobs:
 
       - name: Write .kamal/secrets
         env:
-          AI_API_KEY: ${{ secrets[steps.user_config.outputs.ai_api_key_secret_name] }}
-          GIT_SYNC_TOKEN: ${{ secrets[steps.user_config.outputs.git_sync_token_secret_name] }}
-          MCP_AUTH_TOKEN: ${{ secrets[steps.user_config.outputs.mcp_auth_token_secret_name] }}
-          DISCORD_BOT_TOKEN: ${{ steps.user_config.outputs.discord_bot_token_secret_name != '' && secrets[steps.user_config.outputs.discord_bot_token_secret_name] || '' }}
+          SHARED_AI_API_KEY: ${{ secrets[steps.user_secrets.outputs.shared_ai_api_key_secret_name] }}
+          SHARED_GIT_SYNC_TOKEN: ${{ secrets[steps.user_secrets.outputs.shared_git_sync_token_secret_name] }}
+          SETUP_EMAIL_API_KEY: ${{ secrets.SETUP_EMAIL_API_KEY }}
+          SETUP_EMAIL_FROM: ${{ secrets.SETUP_EMAIL_FROM }}
           KAMAL_REGISTRY_PASSWORD: ${{ secrets.KAMAL_REGISTRY_PASSWORD }}
           CERTIFICATE_PEM: ${{ secrets.CERTIFICATE_PEM }}
           PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
-        run: bun deploy/scripts/write-kamal-secrets.ts
+        run: |
+          export AI_API_KEY="${AI_API_KEY:-$SHARED_AI_API_KEY}"
+          export GIT_SYNC_TOKEN="${GIT_SYNC_TOKEN:-$SHARED_GIT_SYNC_TOKEN}"
+          bun deploy/scripts/write-kamal-secrets.ts
 
       - name: Provision server
         id: provision
@@ -167,10 +200,11 @@ jobs:
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
           CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
         run: |
           bun deploy/scripts/update-dns.ts
-          BRAIN_DOMAIN="preview.$BRAIN_DOMAIN" bun deploy/scripts/update-dns.ts
+          BRAIN_DOMAIN="$PREVIEW_DOMAIN" bun deploy/scripts/update-dns.ts
 
       - name: Validate SSH key
         run: ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null
@@ -197,6 +231,7 @@ jobs:
           IMAGE_REPOSITORY: ${{ steps.user_config.outputs.image_repository }}
           REGISTRY_USERNAME: ${{ steps.user_config.outputs.registry_username }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
           BRAIN_YAML_PATH: ${{ steps.user_config.outputs.brain_yaml_path }}
         run: kamal setup --skip-push -c deploy/kamal/deploy.yml
 
@@ -204,7 +239,10 @@ jobs:
         env:
           SERVER_IP: ${{ steps.provision.outputs.server_ip }}
           BRAIN_DOMAIN: ${{ steps.user_config.outputs.brain_domain }}
-        run: curl -I -k --max-time 20 --resolve "$BRAIN_DOMAIN:443:$SERVER_IP" "https://$BRAIN_DOMAIN/health"
+          PREVIEW_DOMAIN: ${{ steps.user_config.outputs.preview_domain }}
+        run: |
+          curl -I -k --max-time 20 --resolve "$BRAIN_DOMAIN:443:$SERVER_IP" "https://$BRAIN_DOMAIN/health"
+          curl -I -k --max-time 20 --resolve "$PREVIEW_DOMAIN:443:$SERVER_IP" "https://$PREVIEW_DOMAIN/"
 
       - name: Upload generated config
         uses: actions/upload-artifact@v4
@@ -213,6 +251,7 @@ jobs:
           path: |
             users/${{ matrix.handle }}/brain.yaml
             users/${{ matrix.handle }}/.env
+            users/${{ matrix.handle }}/content
 
       - name: Dump remote proxy diagnostics
         if: failure()
@@ -239,7 +278,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
         with:
-          ref: ${{ github.sha }}
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.sha }}
 
       - uses: oven-sh/setup-bun@v2
 
@@ -261,8 +300,22 @@ jobs:
           if git diff --quiet -- users views; then
             exit 0
           fi
+
+          git fetch origin "${{ github.ref_name }}"
+          if git diff --quiet "origin/${{ github.ref_name }}" -- users views; then
+            exit 0
+          fi
+
+          patch_file="$(mktemp)"
+          git diff --binary -- users views > "$patch_file"
+          git reset --hard "origin/${{ github.ref_name }}"
+          git apply --3way --index "$patch_file"
+
+          if git diff --cached --quiet -- users views; then
+            exit 0
+          fi
+
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add users views
           git commit -m "chore(ops): reconcile generated config"
-          git push
+          git push origin HEAD:${{ github.ref_name }}

package/templates/rover-pilot/.github/workflows/reconcile.yml

@@ -38,8 +38,22 @@ jobs:
           if git diff --quiet -- views users; then
             exit 0
           fi
+
+          git fetch origin "${{ github.ref_name }}"
+          if git diff --quiet "origin/${{ github.ref_name }}" -- views users; then
+            exit 0
+          fi
+
+          patch_file="$(mktemp)"
+          git diff --binary -- views users > "$patch_file"
+          git reset --hard "origin/${{ github.ref_name }}"
+          git apply --3way --index "$patch_file"
+
+          if git diff --cached --quiet -- views users; then
+            exit 0
+          fi
+
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add views users
           git commit -m "chore(ops): reconcile pilot outputs"
-          git push
+          git push origin HEAD:${{ github.ref_name }}

package/templates/rover-pilot/README.md

@@ -29,6 +29,7 @@ The repo also checks in its deploy contract:
 - `.github/workflows/*`
 
 `.env.schema` is the single source of truth for required and sensitive deploy vars.
+Use separate GitHub tokens: `CONTENT_REPO_ADMIN_TOKEN` for operator-side content repo creation/checks, and `GIT_SYNC_TOKEN` for runtime directory-sync git access.
 The shared pilot image tag is `brain-${brainVersion}` end to end.
 When `pilot.yaml.brainVersion` changes and you push, CI rebuilds the shared tag, refreshes generated user env files, and redeploys affected users.
 When a push changes only deploy contract files, CI prints `No affected user configs; skipping deploy.` and stops before Kamal.
@@ -37,9 +38,11 @@ When a push changes only deploy contract files, CI prints `No affected user conf
 
 - `brains-ops init <repo>`
 - `brains-ops render <repo>` — regenerates `views/users.md` with live DNS, `/health`, and unauthenticated `/mcp` status checks
-- `brains-ops onboard <repo> <handle>`
+- `brains-ops user:add <repo> <handle> --cohort <cohort>` — scaffolds a user file, per-user secrets template, and cohort membership
+- `brains-ops onboard <repo> <handle>` — creates/seeds the user's content repo with separate admin and sync tokens
+- `brains-ops age-key:bootstrap <repo>`
 - `brains-ops ssh-key:bootstrap <repo>`
-- `brains-ops cert:bootstrap <repo> <handle>`
-- `brains-ops secrets:push <repo> <handle>`
+- `brains-ops cert:bootstrap <repo>`
+- `brains-ops secrets:encrypt <repo> <handle>`
 - `brains-ops reconcile-cohort <repo> <cohort>`
 - `brains-ops reconcile-all <repo>`

package/templates/rover-pilot/deploy/scripts/decrypt-user-secrets.ts

@@ -0,0 +1,78 @@
+import { readFileSync } from "node:fs";
+
+import { Decrypter, armor } from "age-encryption";
+
+import { requireEnv, writeGitHubEnv, writeGitHubOutput } from "./helpers";
+
+const handle = process.argv[2] ?? requireEnv("HANDLE");
+const ageSecretKey = extractAgeIdentity(requireEnv("AGE_SECRET_KEY"));
+const encryptedPath = `users/${handle}.secrets.yaml.age`;
+
+const armored = readFileSync(encryptedPath, "utf8");
+const decoded = armor.decode(armored);
+
+const decrypter = new Decrypter();
+decrypter.addIdentity(ageSecretKey);
+
+const plaintext = await decrypter.decrypt(decoded, "text");
+const secrets = parseFlatYaml(plaintext);
+const pilot = parseFlatYaml(readFileSync("pilot.yaml", "utf8"));
+
+writeGitHubEnv("AI_API_KEY", secrets["aiApiKey"] ?? "");
+writeGitHubEnv("GIT_SYNC_TOKEN", secrets["gitSyncToken"] ?? "");
+writeGitHubEnv("DISCORD_BOT_TOKEN", secrets["discordBotToken"] ?? "");
+
+writeGitHubOutput(
+  "shared_ai_api_key_secret_name",
+  requireFlatValue(pilot, "aiApiKey", "pilot.yaml"),
+);
+writeGitHubOutput(
+  "shared_git_sync_token_secret_name",
+  requireFlatValue(pilot, "gitSyncToken", "pilot.yaml"),
+);
+
+function extractAgeIdentity(contents: string): string {
+  const line = contents
+    .split(/\r?\n/)
+    .map((entry) => entry.trim())
+    .find((entry) => entry.startsWith("AGE-SECRET-KEY-"));
+
+  if (!line) {
+    throw new Error("Missing AGE-SECRET-KEY in AGE_SECRET_KEY");
+  }
+
+  return line;
+}
+
+function parseFlatYaml(contents: string): Record<string, string> {
+  const result: Record<string, string> = {};
+
+  for (const rawLine of contents.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) {
+      continue;
+    }
+
+    const match = line.match(/^([A-Za-z0-9_]+):\s*(.*)$/);
+    if (!match) {
+      continue;
+    }
+
+    const [, key, rawValue] = match;
+    result[key] = rawValue.replace(/^['"]|['"]$/g, "");
+  }
+
+  return result;
+}
+
+function requireFlatValue(
+  values: Record<string, string>,
+  key: string,
+  label: string,
+): string {
+  const value = values[key];
+  if (!value) {
+    throw new Error(`Missing ${key} in ${label}`);
+  }
+  return value;
+}

package/templates/rover-pilot/deploy/scripts/provision-server.ts

@@ -101,7 +101,7 @@ while (server.status !== "running" || !server.public_net?.ipv4?.ip) {
   server = await getServer(server.id);
 }
 
-const serverIp = server.public_net?.ipv4?.ip;
+const serverIp = server.public_net.ipv4.ip;
 if (!serverIp) {
   throw new Error(`Server ${server.id} running but has no IPv4 address`);
 }

package/templates/rover-pilot/deploy/scripts/resolve-deploy-handles.ts

@@ -9,14 +9,23 @@ if (eventName === "workflow_dispatch") {
   process.exit(0);
 }
 
-if (eventName !== "push") {
+if (eventName !== "push" && eventName !== "workflow_run") {
   throw new Error(`Unsupported GITHUB_EVENT_NAME: ${eventName}`);
 }
 
 const beforeSha = requireEnv("BEFORE_SHA");
-const currentSha = requireEnv("GITHUB_SHA");
+const currentSha =
+  eventName === "workflow_run"
+    ? execFileSync("git", ["rev-parse", "HEAD"], {
+        encoding: "utf8",
+      }).trim()
+    : requireEnv("GITHUB_SHA");
 
-if (!isUsableGitRevision(beforeSha) || !isUsableGitRevision(currentSha)) {
+if (
+  !isUsableGitRevision(beforeSha) ||
+  !isUsableGitRevision(currentSha) ||
+  beforeSha === currentSha
+) {
   writeGitHubOutput("handles_json", JSON.stringify([]));
   process.exit(0);
 }
@@ -32,7 +41,9 @@ const handles = [
     diffOutput
       .split(/\r?\n/)
       .map((path) => {
-        const match = path.match(/^users\/([^/]+)\/(?:\.env|brain\.yaml)$/);
+        const match =
+          path.match(/^users\/([^/]+)\/(?:\.env|brain\.yaml|content\/.*)$/) ??
+          path.match(/^users\/([^/]+)\.secrets\.yaml\.age$/);
         return match?.[1] ?? null;
       })
       .filter((handle): handle is string => handle !== null)

package/templates/rover-pilot/deploy/scripts/resolve-user-config.ts

@@ -1,4 +1,5 @@
 import { readFileSync } from "node:fs";
+
 import { parseEnvFile, requireEnv, writeGitHubOutput } from "./helpers";
 
 const handle = requireEnv("HANDLE");
@@ -12,32 +13,31 @@ const repositoryOwner = repository.split("/")[0] ?? "";
 const brainYaml = readFileSync(brainYamlPath, "utf8");
 const domainMatch = brainYaml.match(/^domain:\s*(.+)$/m);
 const brainDomain = domainMatch?.[1]?.trim().replace(/^['"]|['"]$/g, "") ?? "";
-
 if (!brainDomain) {
   throw new Error(`Missing domain in ${brainYamlPath}`);
 }
 
+const zone =
+  brainDomain.startsWith(`${handle}.`) && brainDomain.length > handle.length + 1
+    ? brainDomain.slice(handle.length + 1)
+    : "";
+if (!zone) {
+  throw new Error(`Could not derive preview domain from ${brainDomain}`);
+}
+const previewDomain = `${handle}-preview.${zone}`;
+
 const outputs: Record<string, string> = {
   brain_version: envEntries["BRAIN_VERSION"] ?? "",
-  ai_api_key_secret_name: envEntries["AI_API_KEY_SECRET"] ?? "",
-  git_sync_token_secret_name: envEntries["GIT_SYNC_TOKEN_SECRET"] ?? "",
-  mcp_auth_token_secret_name: envEntries["MCP_AUTH_TOKEN_SECRET"] ?? "",
-  discord_bot_token_secret_name: envEntries["DISCORD_BOT_TOKEN_SECRET"] ?? "",
   content_repo: envEntries["CONTENT_REPO"] ?? "",
   brain_domain: brainDomain,
+  preview_domain: previewDomain,
   brain_yaml_path: brainYamlPath,
   instance_name: `rover-${handle}`,
   image_repository: `ghcr.io/${repository}`,
   registry_username: repositoryOwner,
 };
 
-const required = [
-  "brain_version",
-  "ai_api_key_secret_name",
-  "git_sync_token_secret_name",
-  "mcp_auth_token_secret_name",
-  "registry_username",
-];
+const required = ["brain_version", "registry_username"];
 for (const key of required) {
   if (!outputs[key]) {
     throw new Error(`Missing ${key} (derived from ${envPath})`);

package/templates/rover-pilot/deploy/scripts/sync-content-repo.ts

@@ -0,0 +1,179 @@
+import { cp, mkdtemp, mkdir, readFile, readdir } from "node:fs/promises";
+import { existsSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+import { execFileSync } from "node:child_process";
+import { readJsonResponse, requireEnv } from "./helpers";
+
+const handle = requireEnv("HANDLE");
+const contentRepo = requireEnv("CONTENT_REPO");
+const token = requireEnv("GIT_SYNC_TOKEN");
+const sourceDir = join("users", handle, "content");
+
+if (!existsSync(sourceDir)) {
+  process.exit(0);
+}
+
+const { owner, repo } = parseRepoSlug(contentRepo);
+await ensureGitHubRepo({ owner, repo, token });
+
+const tempRoot = await mkdtemp(join(tmpdir(), "brains-ops-content-"));
+const checkoutDir = join(tempRoot, "repo");
+const remoteUrl = buildAuthenticatedRemoteUrl(owner, repo, token);
+
+runGit(["clone", remoteUrl, checkoutDir]);
+runGit(["-C", checkoutDir, "checkout", "-B", "main"]);
+
+const copiedFiles = await copyMissingFiles(sourceDir, checkoutDir);
+if (copiedFiles === 0) {
+  process.exit(0);
+}
+
+runGit(["-C", checkoutDir, "config", "user.name", "brains-ops[bot]"]);
+runGit([
+  "-C",
+  checkoutDir,
+  "config",
+  "user.email",
+  "41898282+github-actions[bot]@users.noreply.github.com",
+]);
+runGit(["-C", checkoutDir, "add", "."]);
+
+if (hasNoStagedChanges(checkoutDir)) {
+  process.exit(0);
+}
+
+runGit([
+  "-C",
+  checkoutDir,
+  "commit",
+  "-m",
+  `chore(content): seed ${handle} anchor profile`,
+]);
+runGit(["-C", checkoutDir, "push", "origin", "HEAD:main"]);
+
+const STALE_ANCHOR_PROFILE_MARKERS = [
+  "name: Your Name Here",
+  "Delete this and write your own",
+];
+
+interface EnsureGitHubRepoOptions {
+  owner: string;
+  repo: string;
+  token: string;
+}
+
+interface GitHubRepoResponse {
+  clone_url?: string;
+  private?: boolean;
+}
+
+async function ensureGitHubRepo(
+  options: EnsureGitHubRepoOptions,
+): Promise<void> {
+  const headers = {
+    Authorization: `Bearer ${options.token}`,
+    Accept: "application/vnd.github+json",
+    "Content-Type": "application/json",
+  };
+  const repoUrl = `https://api.github.com/repos/${options.owner}/${options.repo}`;
+  const repoResponse = await fetch(repoUrl, { headers });
+
+  if (repoResponse.ok) {
+    await readJsonResponse(repoResponse, "GitHub repo lookup");
+    return;
+  }
+
+  if (repoResponse.status !== 404) {
+    const payload = await readJsonResponse(repoResponse, "GitHub repo lookup");
+    throw new Error(`GitHub repo lookup failed: ${JSON.stringify(payload)}`);
+  }
+
+  const createResponse = await fetch(
+    `https://api.github.com/orgs/${options.owner}/repos`,
+    {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        name: options.repo,
+        private: true,
+        auto_init: false,
+      }),
+    },
+  );
+  const payload = (await readJsonResponse(
+    createResponse,
+    "GitHub repo create",
+  )) as GitHubRepoResponse;
+
+  if (!createResponse.ok) {
+    throw new Error(`GitHub repo create failed: ${JSON.stringify(payload)}`);
+  }
+}
+
+function parseRepoSlug(contentRepo: string): { owner: string; repo: string } {
+  const [owner, repo] = contentRepo.split("/");
+  if (!owner || !repo) {
+    throw new Error(`Invalid CONTENT_REPO: ${contentRepo}`);
+  }
+  return { owner, repo };
+}
+
+function buildAuthenticatedRemoteUrl(
+  owner: string,
+  repo: string,
+  token: string,
+): string {
+  return `https://x-access-token:${encodeURIComponent(token)}@github.com/${owner}/${repo}.git`;
+}
+
+function runGit(args: string[]): void {
+  execFileSync("git", args, { stdio: "inherit" });
+}
+
+function hasNoStagedChanges(checkoutDir: string): boolean {
+  try {
+    execFileSync("git", ["-C", checkoutDir, "diff", "--cached", "--quiet"], {
+      stdio: "ignore",
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function copyMissingFiles(
+  sourceDir: string,
+  targetDir: string,
+): Promise<number> {
+  const entries = await readdir(sourceDir, { withFileTypes: true });
+  let copiedFiles = 0;
+
+  for (const entry of entries) {
+    const sourcePath = join(sourceDir, entry.name);
+    const targetPath = join(targetDir, entry.name);
+
+    if (entry.isDirectory()) {
+      await mkdir(targetPath, { recursive: true });
+      copiedFiles += await copyMissingFiles(sourcePath, targetPath);
+      continue;
+    }
+
+    const existing = await readFile(targetPath, "utf8").catch(() => undefined);
+    if (existing !== undefined && !isStaleAnchorProfile(existing)) {
+      continue;
+    }
+
+    await mkdir(dirname(targetPath), { recursive: true });
+    await cp(sourcePath, targetPath, { force: true });
+    copiedFiles += existing === (await readFile(sourcePath, "utf8")) ? 0 : 1;
+  }
+
+  return copiedFiles;
+}
+
+function isStaleAnchorProfile(content: string): boolean {
+  return STALE_ANCHOR_PROFILE_MARKERS.some((marker) =>
+    content.includes(marker),
+  );
+}

package/templates/rover-pilot/deploy/scripts/update-dns.ts

@@ -16,8 +16,11 @@ interface CloudflareResult {
   result?: Array<{ id: string }>;
 }
 
-async function upsertRecord(name: string): Promise<void> {
-  const lookupUrl = `${baseUrl}/zones/${zoneId}/dns_records?type=A&name=${encodeURIComponent(name)}`;
+async function findRecordId(
+  name: string,
+  type: "A" | "CNAME",
+): Promise<string | undefined> {
+  const lookupUrl = `${baseUrl}/zones/${zoneId}/dns_records?type=${type}&name=${encodeURIComponent(name)}`;
   const lookup = await fetch(lookupUrl, { headers });
   const payload = (await readJsonResponse(
     lookup,
@@ -27,9 +30,16 @@ async function upsertRecord(name: string): Promise<void> {
     throw new Error(`Cloudflare DNS lookup failed: ${JSON.stringify(payload)}`);
   }
 
-  const existing = payload.result?.[0];
+  return payload.result?.[0]?.id;
+}
+
+async function upsertRecord(name: string): Promise<void> {
+  // Prefer an existing A record. If the hostname currently has a CNAME,
+  // replace that CNAME in-place so deploys can claim legacy www aliases.
+  const existing =
+    (await findRecordId(name, "A")) ?? (await findRecordId(name, "CNAME"));
   const url = existing
-    ? `${baseUrl}/zones/${zoneId}/dns_records/${existing.id}`
+    ? `${baseUrl}/zones/${zoneId}/dns_records/${existing}`
     : `${baseUrl}/zones/${zoneId}/dns_records`;
 
   const response = await fetch(url, {