Files

T

Dotta 8da50dbcf8 [codex] Add private browser first-admin claim flow (#6755 )

## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies.
> - Fresh self-hosted deployments need an operator path before any
invite exists.
> - Umbrel installs are private LAN deployments, so a one-time browser
claim is appropriate only when the deployment is private and unclaimed.
> - Public deployments and installs with active invites must keep the
existing invite-only model so admin creation is not exposed broadly.
> - GitHub PR #2927 established the useful direction, but it needed to
be adapted onto current `master` rather than merged as-is.
> - This pull request adds that adapted private-only claim flow across
server, UI, docs, and regression coverage.
> - The benefit is that a fresh private Umbrel-style install can be
claimed from the browser without weakening public deployment access.

## What Changed

- Added a first-admin claim service and access route support for
one-time admin claim eligibility on private unclaimed deployments.
- Updated the bootstrap/access UI so eligible private installs show a
setup claim path, while public and invited deployments keep invite-first
behavior.
- Added a bootstrap-pending setup UX lab covering claim, invite, public,
and signed-in access states.
- Updated deployment and local development docs for authenticated
private/public behavior and the Umbrel-style claim path.
- Added server and UI regression tests for private claim, public
no-claim, active invite fallback, existing board/no-access flows, and
health exposure reporting.
- Stabilized PR handoff verification by serializing the aggregate server
Vitest workspace run, forcing `NODE_ENV=test`, and relaxing the
heartbeat batching test around legitimate recovery follow-up runs.

## Verification

- `pnpm -r typecheck`
- `pnpm build`
- `pnpm vitest --run
server/src/__tests__/heartbeat-comment-wake-batching.test.ts`
- `pnpm vitest --run
server/src/__tests__/health-dev-server-token.test.ts`
- `pnpm test:run`
- QA validation: PAP-10115 passed browser validation with screenshots
for private fresh install claim, active invite versus claim conflict,
public invite-only/claim-absent behavior, existing invite fallback, and
normal board/no-access flows.
- GitHub closeout: issue #2579 and PR #2927 were updated with the
accepted direction: adapt the implementation, do not direct-merge #2927
as-is.

## Risks

- The claim endpoint must remain private-only and one-time; a regression
here could expose admin creation on public deployments.
- Existing invite behavior must remain intact for public deployments and
installs that already have an active invite.
- The stable Vitest harness now serializes the aggregate server
workspace group; this is slower, but it avoids DB-backed suite
collisions under root workspace mode.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected - check the roadmap
first. See `CONTRIBUTING.md`.
>
> ROADMAP.md checked: this is a scoped deployment bootstrap/access fix
and does not duplicate a listed roadmap project.

## Model Used

- OpenAI GPT-5 Codex via Paperclip `codex_local` for product
engineering, implementation, and verification, with tool-enabled local
code execution. Paperclip QA browser validation was performed in
PAP-10115 by the assigned QA agent; exact adapter model metadata for
that QA run is not exposed in this PR context.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>

2026-05-27 21:15:01 -10:00

6.0 KiB

Raw Permalink Blame History

Deployment Modes

Status: Canonical deployment and auth mode model
Date: 2026-02-23

1. Purpose

Paperclip supports two runtime modes:

local_trusted
authenticated

authenticated supports two exposure policies:

private
public

This keeps one authenticated auth stack while still separating low-friction private-network defaults from internet-facing hardening requirements.

Paperclip now treats bind as a separate concern from auth:

auth model: local_trusted vs authenticated, plus private/public
reachability model: server.bind = loopback | lan | tailnet | custom

2. Canonical Model

Runtime Mode	Exposure	Human auth	Primary use
`local_trusted`	n/a	No login required	Single-operator local machine workflow
`authenticated`	`private`	Login required	Private-network access (for example Tailscale/VPN/LAN)
`authenticated`	`public`	Login required	Internet-facing/cloud deployment

Reachability Model

Bind	Meaning	Typical use
`loopback`	Listen on localhost only	default local usage, reverse-proxy deployments
`lan`	Listen on all interfaces (`0.0.0.0`)	LAN/VPN/private-network access
`tailnet`	Listen on a detected Tailscale IP	Tailscale-only access
`custom`	Listen on an explicit host/IP	advanced interface-specific setups

3. Security Policy

`local_trusted`

loopback-only host binding
no human login flow
optimized for fastest local startup

`authenticated + private`

login required
low-friction URL handling (auto base URL mode)
private-host trust policy required
bind can be loopback, lan, tailnet, or custom

`authenticated + public`

login required
explicit public URL required
stricter deployment checks and failures in doctor
recommended bind is loopback behind a reverse proxy; direct lan/custom is advanced

4. Onboarding UX Contract

Default onboarding remains interactive and flagless:

pnpm paperclipai onboard

Server prompt behavior:

quickstart --yes defaults to server.bind=loopback and therefore local_trusted/private
advanced server setup asks reachability first:

Trusted local → bind=loopback, local_trusted/private
Private network → bind=lan, authenticated/private
Tailnet → bind=tailnet, authenticated/private
Custom → manual mode/exposure/host entry

raw host entry is only required for the Custom path
explicit public URL is only required for authenticated + public

Examples:

pnpm paperclipai onboard --yes
pnpm paperclipai onboard --yes --bind lan
pnpm paperclipai run --bind tailnet

configure --section server follows the same interactive behavior.

5. Doctor UX Contract

Default doctor remains flagless:

pnpm paperclipai doctor

Doctor reads configured mode/exposure and applies mode-aware checks. Optional override flags are secondary.

6. Board/User Integration Contract

Board identity must be represented by a real DB user principal for user-based features to work consistently.

Required integration points:

real user row in authUsers for Board identity
instance_user_roles entry for Board admin authority
company_memberships integration for user-level task assignment and access

This is required because user assignment paths validate active membership for assigneeUserId.

7. Local Trusted -> Authenticated Claim Flow

When running authenticated mode, if the only instance admin is local-board, Paperclip emits a startup warning with a one-time high-entropy claim URL.

URL format: /board-claim/<token>?code=<code>
intended use: signed-in human claims board ownership
claim action:
- promotes current signed-in user to instance_admin
- demotes local-board admin role
- ensures active owner membership for the claiming user across existing companies

This prevents lockout when a user migrates from long-running local trusted usage to authenticated mode.

8. First Admin Setup For Fresh Authenticated Installs

Fresh authenticated installs start in bootstrap_pending until the first instance_admin exists.

For authenticated/private, Paperclip supports a browser-first setup path:

open the Paperclip URL from the private network or appliance UI
sign in or create a Paperclip account
choose Claim this instance on the setup screen

That browser claim promotes the signed-in session user to the first instance admin and then falls through to normal onboarding. The endpoint is available only to real browser session actors in authenticated/private; unauthenticated requests, agent keys, board API keys, and local implicit board actors are rejected.

The CLI fallback remains supported in all authenticated setup states:

pnpm paperclipai auth bootstrap-ceo

That command prints a one-time first-admin invite URL. Browser claim and bootstrap invite acceptance share the same first-admin transaction, so whichever path wins first makes later attempts return a conflict.

For authenticated/public, browser first-admin claim is intentionally disabled. Public deployments must use the high-entropy bootstrap invite path unless a future public-hosted setup design explicitly changes this policy.

9. Current Code Reality (As Of 2026-02-23)

runtime values are local_trusted | authenticated
authenticated uses Better Auth sessions and bootstrap invite flow
local_trusted ensures a real local Board user principal in authUsers with instance_user_roles admin access
company creation ensures creator membership in company_memberships so user assignment/access flows remain consistent

10. Naming and Compatibility Policy

canonical naming is local_trusted and authenticated with private/public exposure
no long-term compatibility alias layer for discarded naming variants

11. Relationship to Other Docs

implementation plan: doc/plans/deployment-auth-mode-consolidation.md
V1 contract: doc/SPEC-implementation.md
operator workflows: doc/DEVELOPING.md and doc/CLI.md
invite/join state map: doc/spec/invite-flow.md

6.0 KiB Raw Permalink Blame History