One config file, fully resumable
oap.env is the single source of truth and the state store: there is no state database. Every key is classified by provenance (user-supplied, generated, provider-produced, derived), and re-running any phase reconciles against oap.env plus live cloud / cluster state.
Wraps upstream setup.sh, never reimplements it
The cluster and platform phases shell out to the forked repo's own platform/infra/hetzner/setup.sh (Phase 1 and Phase 2), bridging oap.env into a 0600 cleartext .env and shredding it after. The delta versus a hand-run is exactly the named automation gaps plus fork-and-parameterize.
No-click GitHub App plus Rauthy OIDC
A single GitHub App is registered via the App Manifest flow, doubling as Rauthy's upstream login provider. The identity phase creates the four Rauthy OIDC clients (SPA, server, deployd M2M, knowledge-sweeper) via the admin API.
Secrets encrypted at rest with SOPS plus age
oap.env is SOPS-encrypted using the operator's existing age key, with encrypted_regex scoping encryption to secret-classed keys only so non-secret config stays diffable. It falls back to plaintext with a loud warning when sops / age are absent.