Cloud-gate v1: apps/api, hosted alchemy state, Polar subs, landing + demo studio

.beads/export-state.json

@@ -1 +1 @@
-{"last_dolt_commit":"gti423bd3bhcledmn7g16da4sho428d8","timestamp":"2026-04-23T20:46:24.660646-07:00","issues":51,"memories":0}
+{"last_dolt_commit":"seovg8a6i7ompl8m58c6ckvt5grfi0rl","timestamp":"2026-04-24T21:08:54.011323-07:00","issues":52,"memories":0}

.github/workflows/deploy-api.yaml

@@ -0,0 +1,123 @@
+name: deploy-api
+
+# Deploys apps/api to Fly.
+#
+# Linux runners because skopeo-nix2container doesn't build on darwin (upstream
+# bug in the vendored go.podman.io path). The whole container pipeline — build,
+# push, deploy — runs on ubuntu-latest where the standard nix2container
+# toolchain works without patches.
+#
+# Triggers:
+#   - push to main touching apps/api/** or packages/api/**
+#   - manual via workflow_dispatch
+
+on:
+  push:
+    # Include feature branches matching feat/cloud-gate-* so we can verify
+    # the deploy pipeline before merging to main. Production deploys still
+    # gate on main.
+    branches: [main, "feat/cloud-gate-**"]
+    paths:
+      - "apps/api/**"
+      - "packages/api/**"
+      - "packages/auth/**"
+      - "packages/db/**"
+      - "packages/gen/env/**"
+      - ".sops.yaml"
+      - ".stack/config.nix"
+      - ".stack/config.apps.nix"
+      - "nix/**"
+      - ".github/workflows/deploy-api.yaml"
+  workflow_dispatch:
+    inputs:
+      skip_build:
+        description: "Skip container build/push (deploy last-pushed image)"
+        type: boolean
+        default: false
+
+concurrency:
+  group: deploy-api-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+      SOPS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY_DEV }}
+      # mkAppDir reads .output via this absolute path so freshly-built
+      # untracked output (apps/api/.output/server/index.mjs) lands in the
+      # nix store. Must be visible to BOTH `nix build` and the push step
+      # (each re-evaluates the flake separately) — set at job scope so
+      # the derivation hash matches across steps.
+      STACKPANEL_ROOT_ABSOLUTE: ${{ github.workspace }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            accept-flake-config = true
+
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - uses: superfly/flyctl-actions/setup-flyctl@master
+
+      - name: Install sops
+        run: |
+          curl -LO https://github.com/getsops/sops/releases/download/v3.11.0/sops-v3.11.0.linux.amd64
+          chmod +x sops-v3.11.0.linux.amd64
+          sudo mv sops-v3.11.0.linux.amd64 /usr/local/bin/sops
+
+      - name: Stage Fly secrets from SOPS
+        run: bash apps/api/scripts/push-secrets.sh
+
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.3.11
+
+      - name: Build api bundle (produces apps/api/.output for the container)
+        if: inputs.skip_build != true
+        run: |
+          bun install --frozen-lockfile
+          cd apps/api && bun run build
+
+      - name: Build container image
+        if: inputs.skip_build != true
+        run: nix build --impure .#packages.x86_64-linux.container-api
+
+      - name: Push container image to Fly registry
+        if: inputs.skip_build != true
+        run: |
+          nix run --impure .#copy-container-api -- \
+            docker://registry.fly.io/ \
+            --dest-creds "x:${FLY_API_TOKEN}"
+
+      - name: Deploy
+        run: |
+          flyctl deploy \
+            --config apps/api/fly.toml \
+            --app stackpanel-api \
+            --image registry.fly.io/stackpanel-api:latest \
+            --wait-timeout 300
+
+      - name: Verify health
+        run: |
+          curl -fsS --retry 5 --retry-delay 5 \
+            https://stackpanel-api.fly.dev/health
+
+      # Idempotent ACME cert + Cloudflare A/AAAA records pointing at the
+      # Fly app's IPs. Skipped on dev (the .fly.dev hostname is enough)
+      # and only kicks in for production / staging / pr-N stages — see
+      # apps/api/alchemy.run.ts.
+      - name: Bind public hostname
+        if: github.ref_name == 'main' || github.ref_name == 'develop' || github.event_name == 'pull_request'
+        env:
+          FLY_IO_API_KEY: ${{ secrets.FLY_API_TOKEN }}
+          STAGE: ${{ github.ref_name == 'main' && 'production' || github.ref_name == 'develop' && 'staging' || format('pr-{0}', github.event.pull_request.number) }}
+        working-directory: apps/api
+        run: bunx alchemy-effect deploy --stage "$STAGE"
+

.github/workflows/deploy-docs.yaml

@@ -99,10 +99,14 @@ jobs:
           # SOPS AGE key used by `loadAppEnv` (sops-age) to decrypt the
           # generated per-app payloads. `production` uses the prod key;
           # everything else (staging, pr-*, dev) uses the dev key.
-          SOPS_AGE_KEY: ${{ needs.stage.outputs.stage == 'production' && secrets.SECRETS_AGE_KEY_PROD || secrets.SECRETS_AGE_KEY_DEV }}
+          # All stages encrypt with the github_actions age recipient
+          # (SECRETS_AGE_KEY_DEV's pubkey). The previous prod/dev split
+          # was stale — SECRETS_AGE_KEY_PROD's pubkey isn't on the prod
+          # payloads, so production deploys failed at decrypt time.
+          SOPS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY_DEV }}
         run: |
           set -euo pipefail
-          bunx alchemy-effect deploy --stage ${{ needs.stage.outputs.stage }}
+          bunx alchemy-effect deploy --stage ${{ needs.stage.outputs.stage }} --yes
       - name: Comment preview URL on PR
         if: github.event_name == 'pull_request'
         uses: marocchino/sticky-pull-request-comment@v2
@@ -139,7 +143,7 @@ jobs:
           SOPS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY_DEV }}
         run: |
           set -euo pipefail
-          bunx alchemy-effect destroy --stage ${{ needs.stage.outputs.stage }}
+          bunx alchemy-effect destroy --stage ${{ needs.stage.outputs.stage }} --yes
       - name: Delete cached alchemy state
         if: always()
         env:

.github/workflows/deploy-web.yaml

@@ -96,7 +96,11 @@ jobs:
           # SOPS AGE key used by `loadAppEnv` (sops-age) to decrypt the
           # generated per-app payloads. `production` uses the prod key;
           # everything else (staging, pr-*, dev) uses the dev key.
-          SOPS_AGE_KEY: ${{ needs.stage.outputs.stage == 'production' && secrets.SECRETS_AGE_KEY_PROD || secrets.SECRETS_AGE_KEY_DEV }}
+          # All stages encrypt with the github_actions age recipient
+          # (SECRETS_AGE_KEY_DEV's pubkey). The previous prod/dev split
+          # was stale — SECRETS_AGE_KEY_PROD's pubkey isn't on the prod
+          # payloads, so production deploys failed at decrypt time.
+          SOPS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY_DEV }}
         run: |
           set -euo pipefail
           bunx alchemy-effect deploy --stage ${{ needs.stage.outputs.stage }} --yes

.gitignore

@@ -1,8 +1,11 @@
 .artifacts
 release.tar.gz
-.stackpanel-root
+# `.stackpanel-root` holds a single "." so the stackpanel-root flake
+# input resolves to the flake source dir across machines. Must be
+# tracked so the flake input can read it during pure evaluation.
 *.local.json
 .worktrees/
+.patch-work/
 # Dependencies
 node_modules
 .pnp

.sops.yaml

@@ -13,7 +13,7 @@ keys:
   - &coopmoney_3 age1dwqnyurvm7vasf9n7alduzmg79nczkuafknr8x3l4jnzwnuzzydqj0y92p
   - &coopmoney_4 age1dx6u86w8d242tvjesz362caf4lcatw24ldd0hj9qn7xhqw0s0c5qus8wxt
   - &fkb032 age1h0nv9lwkkhd9y0rlf832g3lualvjafqpyvlkgf8d0cn6c4zg959qkrfzt3
-  - &github_actions age1eqcj2g0fdekj2wpqp4y0fg9c5myydjdt9zlr5scr0grk6fxszymqkpw5jf
+  - &github_actions age1d9h9mm3u5qalmpl2pf62pyzqj8t654n435emn93rutv0cg9sr32sg64fdj
   - &jjkoh95 age1fm7zr0ea3d589tkgcz2klqgnajduzkr25e8tnhh7qxzuleqxq3yq3c0s3t
   - &keyservice age16wuzuxnkcgfuxzvzgk5e5a5f6hhs386adjewyv54m9esr4yj6uuslpn6tp
   - &local age16rkvks3tljju3y6xu0l7luhjzx634et97g3xe58xf2dgfn2865rqkq6t8f

.stack/config.apps.nix

@@ -47,6 +47,43 @@ let
   };
 in
 {
+  # apps/api
+  api = {
+    name = "api";
+    description = "Cloud API (Better-Auth, Polar webhooks, hosted alchemy state).";
+    path = "apps/api";
+    type = "bun";
+
+    bun.generateFiles = false;
+
+    env = {
+      PORT = {
+        value = "3000";
+      };
+    }
+    // envs.shared;
+
+    container = {
+      enable = true;
+      type = "bun";
+      port = 3000;
+    };
+
+    deployment = {
+      enable = true;
+      host = "fly";
+      fly = {
+        appName = "stackpanel-api";
+        region = "iad";
+        memory = "512mb";
+        cpus = 1;
+        autoStop = "stop";
+        minMachines = 1;
+        forceHttps = true;
+      };
+    };
+  };
+
   # apps/docs
   docs = {
     name = "docs";

.stack/config.nix

@@ -144,7 +144,13 @@
       warnIfMissing = true;
     };
     settings = {
-      backend = "nix2container";
+      # dockerTools emits a standard docker-archive tarball that the
+      # system skopeo can push without patches. nix2container's
+      # skopeo-nix2container currently fails to build against skopeo 1.20
+      # (upstream patches `vendor/go.podman.io/image/v5` but that path no
+      # longer exists in the vendored tree). Switch back once the
+      # upstream bug is fixed.
+      backend = "dockerTools";
     };
   };
 
@@ -304,6 +310,31 @@
         secret = true;
         sops = "/dev/postgres-url";
       };
+
+      # Fly api deploy secrets — routed through the CI-accessible deploy
+      # scope so the deploy workflow can decrypt them. push-secrets.sh
+      # reads from the rendered deploy payload, not shared.sops.yaml
+      # directly (which is encrypted only for human users' AGE keys).
+      BETTER_AUTH_SECRET = {
+        secret = true;
+        sops = "/shared/better-auth-secret";
+      };
+      POLAR_ACCESS_TOKEN = {
+        secret = true;
+        sops = "/shared/polar-access-token";
+      };
+      POLAR_WEBHOOK_SECRET = {
+        secret = true;
+        sops = "/shared/polar-webhook-secret";
+      };
+      POLAR_PRO_PRODUCT_ID_PRODUCTION = {
+        secret = true;
+        sops = "/shared/polar-pro-product-id-production";
+      };
+      POLAR_FREE_PRODUCT_ID_PRODUCTION = {
+        secret = true;
+        sops = "/shared/polar-free-product-id-production";
+      };
     };
   };
 
@@ -749,10 +780,13 @@
         };
         local = {
           public-key = "age16rkvks3tljju3y6xu0l7luhjzx634et97g3xe58xf2dgfn2865rqkq6t8f";
-          tags = [ "dev" ];
+          tags = [
+            "dev"
+            "deploy"
+          ];
         };
         github-actions = {
-          public-key = "age1eqcj2g0fdekj2wpqp4y0fg9c5myydjdt9zlr5scr0grk6fxszymqkpw5jf";
+          public-key = "age1d9h9mm3u5qalmpl2pf62pyzqj8t654n435emn93rutv0cg9sr32sg64fdj";
           tags = [
             "dev"
             "staging"