deploy-update

[lbedner]

No description provided.

[Copilot]

Pull request overview

Updates the docs deployment configuration and hardens several template surfaces (auth, org invites, payment redirects), while introducing a new “ops” adapter layer + DNS CLI for operator-driven provisioning tasks.

Changes:

• Migrate documentation hosting to docs.aegis-stack.io (MkDocs site_url, docs/CNAME, and local static-serve helper target).
• Tighten security defaults and operator surfaces in the project template (auth response models + resend-verification endpoint + rate limits, admin-gating for worker/scheduler/metrics/comms/task-history endpoints, invite TTL + role-capped invites, safer signup model).
• Add new ops subsystem for email-domain setup + registrar interactions, plus a dns CLI backed by Porkbun/Resend adapters.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
README.md	Adds loading="lazy" to integration logos to reduce initial render cost.
mkdocs.yml	Updates site_url to the new custom docs domain.
Makefile	Adds docs-static target to build once and serve static docs locally.
docs/CNAME	Configures GitHub Pages custom domain for docs.
aegis/templates/copier-aegis-project/{{ project_slug }}/tests/conftest.py.jinja	Adds authenticated_client and ensures auth_headers fixture exists even in DB-less stacks.
aegis/templates/copier-aegis-project/{{ project_slug }}/tests/api/test_worker_endpoints.py.jinja	Ensures worker endpoint tests send auth headers and override DB dep when needed.
aegis/templates/copier-aegis-project/{{ project_slug }}/tests/api/test_scheduler_endpoints.py.jinja	Ensures scheduler endpoint tests send auth headers and override DB dep when needed.
aegis/templates/copier-aegis-project/{{ project_slug }}/tests/api/test_payment_endpoints.py	Updates checkout URL precedence tests (now expecting relative URLs).
aegis/templates/copier-aegis-project/{{ project_slug }}/tests/api/test_comms_endpoints.py.jinja	Gates send endpoints in tests with auth headers and DB override in auth+DB stacks.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/payment/schemas.py	Adds redirect URL validation intended to prevent off-domain redirects.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/ops/types.py	Introduces ops wire dataclasses for DNS/mail provisioning flows.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/ops/protocols.py	Defines registrar/mail-provider adapter protocols.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/ops/email_setup.py	Adds end-to-end email domain setup orchestrator.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/ops/audit.py	Adds append-only audit writer for ops runs under .aegis/.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/ops/adapters/resend.py	Implements Resend mail-provider adapter (domain add + verification polling).
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/ops/adapters/porkbun.py	Implements Porkbun registrar adapter for DNS record management.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/ops/adapters/init.py	Documents the ops adapter package purpose.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/ops/init.py	Introduces the ops package and its intended extension pattern.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/auth/user_service.py.jinja	Hardcodes new-user is_active=True in line with narrowed UserCreate.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/auth/invite_service.py.jinja	Filters/blocks expired org invites on sweep + accept paths.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/models/user.py.jinja	Adds typed response models and narrows UserCreate fields to reduce privilege leakage.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/models/org.py.jinja	Adds invite expiry + removes invite token from list responses.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/integrations/main.py	Resolves Flet assets_dir to an absolute path to ensure overrides load.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/core/config.py.jinja	Adds SECRET_KEY placeholder guard, resend-verification rate-limit settings, and Porkbun/base-domain settings.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/frontend/main.py.jinja	Replaces dashboard logo image with shared BrandMark.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/frontend/dashboard/modals/payment_modal.py	Improves payment modal “mode” display when provider isn’t configured.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/frontend/controls/brand_mark.py.jinja	Adds shared brand mark control for auth shell + dashboard header.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/frontend/controls/auth/auth_shell.py.jinja	Switches auth shell branding to use BrandMark.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/security/rate_limit.py	Adds a separate resend-verification rate limiter + dependency.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/worker.py.jinja	Makes worker task endpoints admin-gated when auth is enabled.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/task_history.py.jinja	Makes task-history endpoints admin-gated when auth is enabled.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/scheduler.py.jinja	Makes scheduler endpoints admin-gated when auth is enabled.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/orgs/router.py.jinja	Caps invited role by caller role to prevent privilege escalation.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/metrics.py.jinja	Makes metrics endpoints admin-gated when auth is enabled.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/deps.py.jinja	Wires resend-verification rate limit dependency into deps exports.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/comms/router.py.jinja	Gates paid comms send endpoints behind admin/auth.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/auth/router.py.jinja	Adds typed responses, hides lockout enumeration, and adds resend-verification endpoint + rate limiting.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/cli/main.py.jinja	Registers new dns CLI subcommand.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/cli/dns.py	Adds DNS CLI commands backed by Porkbun adapter and deploy.yml IP discovery.
aegis/core/services.py	Registers resend_verification_rate_limit symbol wiring for auth service template wiring.
.gitignore	Ignores .docs-static/ build output.
.github/workflows/security.yml	Ignores a markdown advisory with no upstream fix version yet.