ci: detect drift between source SOPS YAMLs and embedded @gen/env payloads

[cooper (czxtm)]

Summary

Closes stackpanel-04d. Adds a GitHub Actions check that fails the build if anyone edits a SOPS source file (.stack/secrets/vars/*.sops.yaml, etc.) without re-running codegen and committing the regenerated embedded payloads under packages/gen/env/.

This is the bug class that ate ~half a day on PRs #15/#17/#18:

• loaders.deploy() at runtime reads from packages/gen/env/src/runtime/generated-payloads/_envs/deploy.ts, not from .stack/secrets/vars/shared.sops.yaml directly.
• That embedded snapshot is generated by stackpanel codegen build env, which only runs on devshell entry.
• chore: rekey, sops set, himitsu set, etc. all silently drift the embedded payload from the source.
• After the Cloudflare token rotation in PR chore(secrets): rotate cloudflare_api_token to scoped Workers-Edit token #17, the embedded payload at main HEAD continued decrypting to the old cfat_KJ57… token and every CI deploy 401'd until the regen was committed (cf01361 on main, 7b62e2c on PR demo: drive Studio against MSW via endpoint swap (no /demo route) #15).

What this changes

A single new workflow (.github/workflows/secrets-codegen-check.yml):

1. Triggers on PR/push touching any source-of-truth path — SOPS YAMLs, Nix env declarations, codegen implementation, or the generated outputs themselves.

2. Enters the Nix devshell (which writes .stack/gen/codegen/env-manifest.json and runs codegen as part of the shell-hook).

3. Re-runs stackpanel codegen build explicitly with the same SOPS_AGE_KEY the deploy workflows use — belt-and-braces guarantee the build was run with the right decrypt key.

4. git diff --quiet against:

   • packages/gen/env/data/_envs/
   • packages/gen/env/src/runtime/generated-payloads/_envs/

   The diff is deliberately scoped to just the embedded runtime payloads. The typed env wrappers under src/<app>/ get cosmetic churn on every devshell entry and aren't on the deploy hot path.

5. On drift: surfaces the file list inline and tells the contributor exactly what to run (nix develop --impure --command stackpanel codegen build) and what to commit.

Test plan

Verified locally inside the devshell on this branch:

• Clean tree → check passes ("OK: embedded SOPS payloads are in sync").
• Simulated sops set edit on cloudflare_api_token → check fails with the expected file list (packages/gen/env/data/_envs/deploy.sops.json, packages/gen/env/src/runtime/generated-payloads/_envs/deploy.ts).
• Restoring source from HEAD → next codegen run produces no diff.

CI verification will happen automatically on this PR.

Notes

• The check runs in parallel with the deploy workflows; it adds zero latency to a successful deploy.
• Cachix (devenv + darkmatter) keeps the devshell entry fast; first-run cold cache is ~3-5 min, subsequent runs are seconds.
• Future improvement (filed as a separate beads issue if needed): also wire this into the existing pre-commit git-hooks pipeline so contributors get the same feedback locally before pushing.

[cursor]

PR Summary

Low Risk
Low risk: adds a new CI workflow and updates internal issue tracking, without changing runtime or secret-handling code paths. Main impact is potential CI noise/time if codegen is non-deterministic or Nix/caches are flaky.

Overview
Adds a new GitHub Actions workflow (secrets-codegen-check.yml) that re-enters the Nix devshell, re-runs stackpanel codegen build with the repo’s SOPS age key, and fails CI if the embedded runtime secret payloads under packages/gen/env/{data/_envs,src/runtime/generated-payloads/_envs} would change (preventing stale secrets from being deployed).

Updates .beads/issues.jsonl with new/updated tracking issues documenting the secret-drift class and related deploy blockers.

^{Reviewed by Cursor Bugbot for commit 9020ad6. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Drift check misses per-app encrypted runtime payloads
  • Updated the workflow drift-check target paths to diff the full packages/gen/env/data and packages/gen/env/src/runtime/generated-payloads trees so per-app encrypted payload drift is detected.

Or push these changes by commenting:

@cursor push 102850f4d5

Preview (102850f4d5)

diff --git a/.github/workflows/secrets-codegen-check.yml b/.github/workflows/secrets-codegen-check.yml
--- a/.github/workflows/secrets-codegen-check.yml
+++ b/.github/workflows/secrets-codegen-check.yml
@@ -115,8 +115,8 @@
           # stackpanel-04d for the rationale: the ONLY drift class that broke
           # production was the embedded encrypted payload + its TS wrapper.
           target_paths=(
-            packages/gen/env/data/_envs
-            packages/gen/env/src/runtime/generated-payloads/_envs
+            packages/gen/env/data
+            packages/gen/env/src/runtime/generated-payloads
           )
 
           if git diff --quiet -- "${target_paths[@]}"; then

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 9020ad6. Configure here.}

[cursor]

Drift check misses per-app encrypted runtime payloads

High Severity

The target_paths array only covers the _envs/ subdirectories, but the repository has per-app encrypted payloads under packages/gen/env/src/runtime/generated-payloads/api/, web/, docs/, stackpanel-go/ and companion data files under packages/gen/env/data/dev/, prod/, staging/. These are real encrypted runtime payloads loaded via loadGeneratedPayload() in registry.ts — not the "typed env wrappers under src/<app>/" that get cosmetic churn (those live at src/exports/). A SOPS source rotation affecting per-app secrets like POSTGRES_URL would leave per-app payloads stale while this check passes silently — the same bug class the workflow was built to prevent.

 

^{Reviewed by Cursor Bugbot for commit 9020ad6. Configure here.}