Skip to content

docs(onboarding): operator-path fixes across QUICK_START + /setup + /onboard-repo skills#432

Open
isadeks wants to merge 5 commits into
mainfrom
docs/onboarding-ux
Open

docs(onboarding): operator-path fixes across QUICK_START + /setup + /onboard-repo skills#432
isadeks wants to merge 5 commits into
mainfrom
docs/onboarding-ux

Conversation

@isadeks

@isadeks isadeks commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Onboarding-doc + plugin-skill fixes from a live first-contact deployment to a fresh, security-managed AWS Org account (clone → /setup → deploy → first task). The common thread: the docs and skills impose ceremony the platform doesn't require. Edits QUICK_START.mdx, the /setup skill, and the /onboard-repo skill (Starlight mirror regenerated).

Fixes #431.

QUICK_START.mdx + /setup skill

  • X-Ray → optional. Step 3 / Phase 3 told users aws xray update-trace-segment-destination was "required before first deployment." The stack ships with tracing disabled (tracingEnabled in agent.ts) and deploys fully without it; on a security-managed Org account that call is SCP-blocked and unclearable — a dead-end on a no-op step. Removed from the deploy path, demoted to an opt-in note.
  • arm64/binfmt pre-empted. x86 hosts hit exec /bin/sh: exec format error building the Graviton image. Added the binfmt step + native-arm64 fallback.
  • --require-approval never in the deploy command (avoids the non-TTY hang).
  • Failed-create teardown documented (ROLLBACK_COMPLETE → destroy+recreate; DELETE_FAILED is async Hyperplane-ENI reclaim ~20–40 min; don't force-delete → orphans the quota-capped VPC).
  • mise papercuts surfaced up front (Node/Yarn/CDK "all not found" before install, headless GPG-verify, dual trust, non-interactive PATH, noisy-but-benign build output).

/onboard-repo skill (new in this PR)

The skill drove operators to edit cdk/src/stacks/agent.ts + redeploy to add a repo, and invoked ADR-003 contribution governance. Both wrong for an operator configuring their own deployment:

  • bgagent repo onboard <owner/repo> (the CLI "operator path") writes the RepoTable record at runtime — no agent.ts edit, no cdk deploy. The skill never mentioned it.
  • ADR-003 governs contributing to aws-samples, not operating your own stack. Onboarding a repo is an operation, not a codebase contribution.

Rewrote so Path A (CLI bgagent repo onboard) is the default, Path B (CDK Blueprint) is the declarative alternative, and ADR-003 appears only where it genuinely applies — wiring a brand-new Bedrock model into the stack (e.g. Opus 4.8, which the runtime doesn't yet grantInvoke), the one real source change.

Validation

End-to-end on a fresh AWS account (never previously used): git clone/setup with the edited plugin → CREATE_COMPLETE first attempt, zero X-Ray setup, no rollback → PAT/Cognito/CLI configured → authenticated GET /tasks works. binfmt carried the arm64 build through on the x86 host. mise //docs:build passes; Starlight mirror in sync.

Related

Complements the four bootstrap least-privilege fixes (#403/#405/#408/#410, all merged) — together a fresh-account first deploy now succeeds without the prior gap-by-gap rollback cycle.

For reviewers

Docs/skills only — 4 files (QUICK_START.mdx, /setup SKILL.md, /onboard-repo SKILL.md, regenerated Starlight mirror). No code or infra changes.

docs(onboarding): mark X-Ray optional, pre-empt arm64/binfmt + teardo…
d534cd3 
…wn, fix toolchain papercuts

Setup-UX fixes from a live first-contact deploy to a fresh security-managed
AWS Org account. Edits QUICK_START.mdx + the /setup plugin SKILL.md (Starlight
mirror regenerated):

- X-Ray → CloudWatch Logs tracing reframed as OPTIONAL, not a prerequisite.
  The stack ships with tracing disabled (`tracingEnabled` in agent.ts), so it
  deploys fully without any X-Ray account setup. On Org accounts an SCP can
  make `update-trace-segment-destination` fail with AccessDenied regardless —
  a dead-end on a step the platform doesn't use. Removed the X-Ray commands
  from the deploy path; demoted to an opt-in note.
- arm64/binfmt pre-empted: x86 hosts hit `exec /bin/sh: exec format error`
  building the Graviton image. Added the binfmt step + native-arm64 fallback
  to Prerequisites and a Step 3 caution.
- Deploy command now uses `--require-approval never` (avoids the non-TTY
  approval hang).
- Failed-create teardown documented: ROLLBACK_COMPLETE needs destroy+recreate;
  DELETE_FAILED on SG/subnet is async Hyperplane-ENI reclaim (~20-40min);
  don't force-delete (orphans the quota-capped VPC).
- Toolchain papercuts: mise provisions Node/Yarn/CDK (the "all missing" scare),
  headless GPG verify, dual mise-config trust, non-interactive PATH, and noisy-
  but-benign build output (trust the exit code).
@isadeks isadeks requested review from a team as code owners June 23, 2026 14:40
isadeks and others added 2 commits June 23, 2026 12:13
@isadeks
Merge branch 'main' into docs/onboarding-ux
5a8a796
docs(onboard-repo skill): lead with bgagent repo onboard operator p…
18c031a 
…ath; drop misapplied ADR-003

The /onboard-repo skill drove operators to edit cdk/src/stacks/agent.ts and
redeploy to add a repo, and invoked ADR-003 contribution governance. Both are
wrong for an operator configuring their own deployment:

- `bgagent repo onboard <owner/repo>` (cli repo command, "operator path")
  writes the RepoTable record at runtime — no agent.ts edit, no cdk deploy.
  The skill never mentioned it.
- ADR-003 governs contributing to aws-samples, NOT operating your own stack.
  Onboarding a repo is an operation, not a codebase contribution.

Rewrite: Path A (CLI operator onboard) is the default; Path B (CDK Blueprint)
kept as the declarative/canonical alternative. ADR-003 now appears only where
it genuinely applies — wiring a brand-new Bedrock model into the stack, the one
case that is a real source change (e.g. Opus 4.8, which the runtime doesn't yet
grantInvoke). Preserves the model-ID / IAM / Bedrock-access reference.

Surfaced during the 2026-06-23 fresh-account live run, where the skill walked
through agent.ts surgery for what is a one-line runtime command.
@isadeks isadeks changed the title docs(onboarding): mark X-Ray optional, pre-empt arm64/binfmt + teardown, fix toolchain papercuts docs(onboarding): operator-path fixes across QUICK_START + /setup + /onboard-repo skills Jun 23, 2026
This was referenced Jun 23, 2026
Open
Merged
bgagent and others added 2 commits June 23, 2026 16:16
docs(onboard-repo skill): clarify when the CLI path suffices vs. need…
628dad1 
…s a Blueprint

Consistency with @krokoko's review on #435: the CLI `bgagent repo onboard` path
applies when the repo fits the platform/default-blueprint setup (default token,
already-granted model, default egress). A repo needing its own token, an
ungranted model, custom egress, Cedar policies, or system-prompt overrides
requires a dedicated Blueprint + redeploy. Reframed the two-path intro to set
that expectation up front (start with Path A; promote to a Blueprint if a task
later fails on a missing token / model grant / blocked egress).
@isadeks
Merge branch 'main' into docs/onboarding-ux
6b74b88
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

docs(onboarding): X-Ray gate, arm64/binfmt, failed-create teardown, and mise papercuts block first-time setup

1 participant

@isadeks