fulldeploy.sh

@@ -29,25 +29,27 @@ echo "  mcpctl Full Deploy"
 echo "========================================"
 
 # --- Pre-flight: Pulumi drift check ---
+# Uses the kubernetes-deployment/scripts/pulumi.sh wrapper which pulls
+# PULUMI_CONFIG_PASSPHRASE from OpenBao at runtime, so the passphrase
+# never needs to live in .env or shell history. Falls back to a warning
+# if the wrapper isn't present (older clone of kubernetes-deployment).
 echo ""
 echo ">>> Pre-flight: checking for Pulumi infra drift"
 echo ""
-if [ -d "$PULUMI_DIR" ]; then
-  if [ -z "$PULUMI_CONFIG_PASSPHRASE" ]; then
-    echo "  WARNING: PULUMI_CONFIG_PASSPHRASE not set — skipping drift check."
-    echo "           Set it in .env or export it to enable."
-  else
-  preview_output=$(cd "$PULUMI_DIR" && pulumi preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1) || true
+if [ -d "$PULUMI_DIR" ] && [ -x "$PULUMI_DIR/scripts/pulumi.sh" ]; then
+  preview_output=$("$PULUMI_DIR/scripts/pulumi.sh" preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1) || true
   if echo "$preview_output" | grep -qE '^\s+[-+~]'; then
     echo "$preview_output"
     echo ""
     echo "ERROR: Pulumi detected infra changes that have not been applied."
-    echo "       Run: cd $PULUMI_DIR && pulumi up -s $PULUMI_STACK"
+    echo "       Run: $PULUMI_DIR/scripts/pulumi.sh up -s $PULUMI_STACK"
     echo "       Then re-run this script."
     exit 1
   fi
   echo "  No drift — infra is in sync."
-  fi # passphrase check
+elif [ -d "$PULUMI_DIR" ]; then
+  echo "  WARNING: $PULUMI_DIR/scripts/pulumi.sh not found or not executable —"
+  echo "           skipping drift check. Pull latest kubernetes-deployment."
 else
   echo "  WARNING: Pulumi repo not found at $PULUMI_DIR — skipping drift check."
 fi