Skip to content
Rig Docs

Story: Rig teardown

Hook

Section titled “Hook”

What the rig builds, the rig removes. Teardown is not an afterthought — it’s the same GitOps loop, the same acceptance gates, the same agent workflow. The difference is the direction: instead of adding resources, you’re removing them.

In April 2026, the operator decided carrots.dashecorp.com had served its purpose as a bootstrap test. The teardown: three PRs, zero manual console actions, and a clean state that OpenTofu confirmed with 0 to add, 0 to change, 0 to destroy.

The teardown issue

Section titled “The teardown issue”

The operator filed dashecorp/infra#130: “Teardown carrots.dashecorp.com — remove Pages project, DNS record, and GitHub repo.”

The agent-ready label was set. Conductor dispatched it to Dev-E-node.

Dev-E’s first action: read BRAIN.md. The rig’s memory contained the full history of the bootstrap — the five PRs, the CF 1014 incident, the name rename from carrots to carrots-site. This context mattered: Dev-E knew to delete the carrots-site Pages project (not carrots), knew the DNS CNAME pointed to carrots-site.pages.dev, and knew the repo secrets would need to be revoked.

PR 1: Remove Terraform resources

Section titled “PR 1: Remove Terraform resources”

PR infra#131 removed the three for_each entries from the Terraform configs:

# cloudflare/pages.tf  — BEFORE
content_pages_projects = {
  carrots = {
    name        = "carrots-site"
    ...
  }
}


# cloudflare/pages.tf  — AFTER
content_pages_projects = {}

Same pattern for cloudflare/dns.tf (remove the CNAME) and github/repos.tf (remove the repo entry).

Review-E approved with one comment: “The repo entry removal will archive, not delete, the GitHub repo. Confirm that archive is the intended behavior (not hard delete).”

The operator replied in the PR: archive is correct — keep history, disable new pushes. Merged.

OpenTofu plan output:

Plan: 0 to add, 0 to change, 3 to destroy.
  - cloudflare_pages_project.carrots-site
  - cloudflare_record.carrots_cname
  - github_repository.carrots

Applied cleanly. DNS TTL: 300 seconds. The domain stopped resolving within 5 minutes.

PR 2: Revoke repo secrets

Section titled “PR 2: Revoke repo secrets”

PR infra#132 removed the secret provisioning block from github/repo_secrets.tf:

# Before
resource "github_actions_secret" "carrots_cf_token" {
  repository      = "carrots"
  secret_name     = "CLOUDFLARE_API_TOKEN"
  encrypted_value = var.cf_api_token_encrypted
}


# After — entire block removed

Secrets tied to an archived repo aren’t a live attack surface, but leaving them in Terraform state creates drift. Dev-E removed the block; OpenTofu applied with 1 to destroy.

PR 3: Update rig-docs memory

Section titled “PR 3: Update rig-docs memory”

PR rig-docs#191 added a research note documenting the teardown:

## Carrots teardown — 2026-04-23


**Resources destroyed:** Pages project (carrots-site), DNS CNAME, GitHub repo (archived)
**Secrets revoked:** CLOUDFLARE_API_TOKEN, CF_ACCOUNT_ID, RIG_BOT_PAT
**Total PRs:** 3 (infra#131, infra#132, rig-docs#191)
**Time from issue to zero resources:** 43 minutes

This wasn’t strictly necessary — the Terraform state log has the history. But the operator’s convention: any site that went through a notable lifecycle (the CF 1014 incident, the rename) gets a closing note. Future agents won’t waste time looking for carrots.dashecorp.com wondering if it still exists.

Closing

Section titled “Closing”

The teardown cost the operator three PR approvals. No console. No manual resource deletion. No DNS zone editor. The same pattern that built the site — GitOps, TF, agent-authored PRs, Review-E gate — removed it.

This is the rig’s core promise: if you built it through the rig, you can tear it down through the rig. The audit trail runs both directions.

OpenTofu apply complete. Resources: 0 added, 0 changed, 3 destroyed.

The rig built carrots. The rig removed carrots. The receipts exist for both.