generated from coulomb/repo-seed
Fixed and improved token tracking
@@ -4,12 +4,12 @@ type: workplan
|
||||
title: "Multi-User Onboarding and Environment Bootstrap"
|
||||
domain: custodian
|
||||
repo: state-hub
|
||||
status: active
|
||||
status: finished
|
||||
owner: custodian
|
||||
topic_slug: custodian
|
||||
state_hub_workstream_id: "a28d9e29-4119-4b73-9469-f921920253ef"
|
||||
created: "2026-03-11"
|
||||
updated: "2026-05-17"
|
||||
updated: "2026-05-23"
|
||||
---
|
||||
|
||||
# Multi-User Onboarding and Environment Bootstrap
|
||||
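Review bot: the commit subject "Fixed and improved token tracking" does not describe what the front matter in this hunk records, which is the workplan moving from `status: active` to `status: finished` with a new `updated` date. Either split the workplan close-out into its own commit or extend the message so the status change can be found in history. Also note the front matter uses `finished` while every task block below uses `done`; if both vocabularies are intentional, say so where the schema is defined.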
@@ -51,7 +51,7 @@ Two personas:
|
||||
```task
|
||||
id: CUST-WP-0012-T01
|
||||
state_hub_task_id: 71628269-9a75-4dae-a347-e64a86040322
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
```
|
||||
|
||||
@@ -79,6 +79,12 @@ git config --global credential.helper 'cache --timeout=3600'
|
||||
**Done when:** included in bootstrap script; push to Gitea works without
|
||||
re-entering credentials on second attempt.
|
||||
|
||||
**Implemented 2026-05-23:** `scripts/bootstrap-env.sh` configures a global
|
||||
credential helper when one is not already present. It prefers `libsecret`, uses
|
||||
`cache --timeout=3600` as the safe automatic fallback, and supports explicit
|
||||
headless plaintext storage via `--git-helper store --allow-plaintext-store`.
|
||||
`docs/onboarding.md` documents the tradeoffs.
|
||||
|
||||
---
|
||||
|
||||
### T02 — SSH key generation and authorization automation
|
||||
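Review bot: the Implemented paragraph names `--git-helper store --allow-plaintext-store` but does not say where the plaintext credentials are written or what file mode the script enforces. Git's `store` helper writes to `~/.git-credentials` by default, so the note (or the referenced section of `docs/onboarding.md`) should state the path, that the file is restricted to the owner, and that this mode is never selected automatically. It is also worth stating that the `cache --timeout=3600` fallback meets the "second attempt" criterion only within that hour.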
@@ -86,7 +92,7 @@ re-entering credentials on second attempt.
|
||||
```task
|
||||
id: CUST-WP-0012-T02
|
||||
state_hub_task_id: fea965e9-8a8f-439c-9096-8f7756eb71ed
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
```
|
||||
|
||||
@@ -110,6 +116,11 @@ ssh-copy-id -i ~/.ssh/id_ed25519.pub tegwick@92.205.130.254
|
||||
|
||||
**Done when:** included in bootstrap script; documented in onboarding guide.
|
||||
|
||||
**Implemented 2026-05-23:** `scripts/bootstrap-env.sh` generates
|
||||
`~/.ssh/id_ed25519` if missing, prints the public key, and can run
|
||||
`ssh-copy-id` for Railiance01 and CoulombCore with `--authorize-ssh`.
|
||||
`docs/onboarding.md` documents the operator and collaborator path.
|
||||
|
||||
---
|
||||
|
||||
### T03 — Claude Code MCP registration automation
|
||||
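Review bot: the Implemented paragraph says the script generates `~/.ssh/id_ed25519` if missing and can run `ssh-copy-id` with `--authorize-ssh`, but it is silent on two points that matter for an unattended run: whether the generated key gets a passphrase, and how the host keys of Railiance01 and CoulombCore are verified on first connection. Please document both, and prefer shipping pinned `known_hosts` entries over accepting whatever key the host presents the first time.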
@@ -117,7 +128,7 @@ ssh-copy-id -i ~/.ssh/id_ed25519.pub tegwick@92.205.130.254
|
||||
```task
|
||||
id: CUST-WP-0012-T03
|
||||
state_hub_task_id: 60318e9a-972e-45c8-afde-82ed0625f594
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
```
|
||||
|
||||
@@ -132,10 +143,10 @@ make register-mcp # idempotent; safe to re-run
|
||||
|
||||
The script should:
|
||||
1. Detect whether `state-hub` is already in `~/.claude.json`
|
||||
2. Extract the server config from `.mcp.json`
|
||||
2. Use the current SSE MCP config (`http://127.0.0.1:8001/sse` locally or
|
||||
`http://127.0.0.1:18001/sse` through ops-bridge)
|
||||
3. Run `claude mcp add-json -s user state-hub <config>`
|
||||
4. Run `patch_mcp_cwd.py` to restore the cwd field
|
||||
5. Print instructions to restart Claude Code
|
||||
4. Print instructions to restart Claude Code
|
||||
|
||||
Should also detect whether the state hub is reachable directly
|
||||
(`http://127.0.0.1:8000`) or needs a tunnel (via ops-bridge), and emit
|
||||
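Review bot: the step 2 line now points at `http://127.0.0.1:8001/sse` (or `18001` through ops-bridge), while the reachability paragraph at the end of this hunk still names `http://127.0.0.1:8000`. If 8000 is the State Hub API and 8001 the MCP SSE endpoint, say so in the text; otherwise a reader will assume one of the two ports is stale. Please also confirm the renumbered list reads 1 to 4 with no leftover reference to `patch_mcp_cwd.py`.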
@@ -144,6 +155,12 @@ a warning if neither is available.
|
||||
**Done when:** `make register-mcp` works on a clean machine; documented
|
||||
in onboarding guide.
|
||||
|
||||
**Implemented 2026-05-23:** `scripts/register-mcp.sh` and the
|
||||
`make register-mcp` target register the current SSE MCP transport
|
||||
idempotently. The script detects local/tunnel reachability, supports
|
||||
`MCP_URL`, `API_BASE`, and `DRY_RUN=1`, and documents the old `.mcp.json` cwd
|
||||
patch path as legacy.
|
||||
|
||||
---
|
||||
|
||||
### T04 — Environment bootstrap script
|
||||
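Review bot: the Implemented paragraph lists `MCP_URL` as a supported override without stating any constraint on it, and the documented endpoints are plain `http://` on `127.0.0.1`. The script should warn or refuse when `MCP_URL` is not a loopback address unless the operator opts in explicitly, since a user-scope registration pointed at a remote plaintext endpoint persists across sessions. State in the note what `DRY_RUN=1` prints so it can be used to review the resolved URL before registering.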
@@ -151,7 +168,7 @@ in onboarding guide.
|
||||
```task
|
||||
id: CUST-WP-0012-T04
|
||||
state_hub_task_id: 84a94761-e424-4470-a9a2-64d9cabadb7f
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
```
|
||||
|
||||
@@ -176,6 +193,11 @@ Design constraints:
|
||||
**Done when:** running the script on a clean Ubuntu 24.04 machine
|
||||
produces a working Custodian environment with no additional manual steps.
|
||||
|
||||
**Implemented 2026-05-23:** `scripts/bootstrap-env.sh` and
|
||||
`make bootstrap-env` provide the idempotent entrypoint. It supports dry-run,
|
||||
non-interactive mode, optional apt package installation, SSH authorization,
|
||||
Gitea token prompting, MCP registration, and State Hub health checks.
|
||||
|
||||
---
|
||||
|
||||
### T05 — Onboarding guide and user journey documentation
|
||||
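Review bot: "Gitea token prompting" in the Implemented paragraph does not say where the prompted token ends up or how it is protected, and this is the one secret the script handles directly. Please state the token file path and permissions, that the prompt does not echo, and that dry-run and non-interactive modes neither prompt for nor print the token. Given the commit subject mentions token tracking, this is the hunk where a reader will look for it.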
@@ -183,7 +205,7 @@ produces a working Custodian environment with no additional manual steps.
|
||||
```task
|
||||
id: CUST-WP-0012-T05
|
||||
state_hub_task_id: b0839802-659a-475b-8b84-ab7341ea3d15
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
```
|
||||
|
||||
@@ -208,6 +230,10 @@ for both personas:
|
||||
**Done when:** a new collaborator can follow the guide without
|
||||
clarification from the primary operator.
|
||||
|
||||
**Implemented 2026-05-23:** `docs/onboarding.md` covers primary operator and
|
||||
domain collaborator journeys, including SSH, Gitea token file, credential
|
||||
helper choices, MCP registration, tunnel setup, and verification checks.
|
||||
|
||||
---
|
||||
|
||||
### T06 — State Hub multi-user model (deferred)
|
||||
@@ -215,7 +241,7 @@ clarification from the primary operator.
|
||||
```task
|
||||
id: CUST-WP-0012-T06
|
||||
state_hub_task_id: d5df3302-67b9-4765-a8d8-ea2df53dff6e
|
||||
status: todo
|
||||
status: done
|
||||
priority: low
|
||||
```
|
||||
|
||||
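Review bot: this task is headed "(deferred)" yet its status moves from `todo` to `done`. The outcome recorded for T06 is a decision not to implement, so `done` will read as "multi-user access control exists" to anyone querying task state. Use a distinct status if the schema allows one, or rename the heading to make clear the deliverable was the decision record.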
@@ -235,6 +261,11 @@ domain) or rely on Gitea repo permissions as the authoritative boundary
|
||||
Implement T01–T05 first; multi-user access control is only needed when
|
||||
there is more than one user.
|
||||
|
||||
**Implemented 2026-05-23:** `docs/multi-user-access-model.md` records the
|
||||
current decision: repo permissions, SSH access, tunnels, and OpenBao remain the
|
||||
authoritative boundaries for this phase; State Hub API auth is deferred until a
|
||||
real second-user or exposed-deployment trigger exists.
|
||||
|
||||
---
|
||||
|
||||
## References
|
||||
|
||||
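Review bot: the paragraph is labelled "Implemented" but records that State Hub API auth is deferred, with repo permissions, SSH access, tunnels and OpenBao as the boundaries. That deferral holds only while the API is reachable solely through those boundaries, so the note should state the bind address the decision depends on and phrase the "exposed-deployment trigger" as a condition someone can check, for example any listener other than loopback.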