AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
agnes-the-ai-analyst/app/web/setup_instructions.py
Vojtech 001e5ce40e
feat(web): /home value-first redesign + unified page-shell across app (#366) 
* feat(web): value-first /home reskin (CEO mock palette + pillars + first-session)

Restructures `/home` to lead with product value instead of install steps,
matching the CEO mock proposed for the homepage:

- New intro hero on top — eyebrow `Welcome, {{ display_name }}`, H1
  `{{ instance_brand }} is your team's AI workspace`, lede framing the
  product as an "AI Chief of Staff", two CTAs (`Set up in ~15 min →`
  jumps to the wizard, `Just browse — no install needed` jumps to
  `#look-around`), and a four-pillar row (Data packages · Plugins ·
  Skills · Memory). Renders for both onboarded and not-onboarded users
  so the value framing is consistent across visits.
- New `first-session` narrative — five-beat walkthrough (launch → pick
  project → memory loads → ask → close) with mock terminal frames
  carrying traffic-light dots, prompts, and dimmed system output.
- Setup wizard chrome — progress chip (`Step 1 of N · ~15 min ·
  One-time · Reversible`), thin progress bar, and per-step number
  badges on each `.install-block` so the wizard reads as bounded
  instead of an open-ended scroll.
- Palette shift from blue to green/navy: `--hp-primary` aliases
  `#2ea877` (mint), `--hp-hero-bg` is navy `#0f1b3a`, code panels stay
  near-black `#0c1224` with warm-yellow `#ffd866` accents. The token
  alias is reused so downstream rules pick up the new accent
  automatically; instance theme overrides via
  `config.theme_overrides()` still win.
- VS Code surface tile carries a `Recommended` pill; the existing
  "Want to look around first?" section is renamed to `Explore your
  workspace` and gets the `#look-around` anchor.

All test-pinned class names and IDs (`install-hero`, `install-block`,
`home-mock`, `self-mark-btn`, `setupClaudeBtn`, `offboard-strip`,
`home-getting-started`, `home-gs-item`, `home-overview`,
`home-usage`) preserved as structural anchors; new visual language
overlays via additional classes. Existing onboarded/not-onboarded
branching, `/api/me/onboarded` POST, status frame gating, post-CTA
modal, and OS-tab switching JS unchanged. Stray `~/FoundryAI`
comment swapped for `~/{{ workspace_dir }}` to honor the
vendor-agnostic OSS rule.

51 home tests pass without modification.

* fix(web): /home palette inversion — dark intro hero on top, light setup card below

Previous reskin commit kept the install-hero as a dark navy gradient and
rendered the new intro hero as a light surface — opposite of what the CEO
mock specifies. Playwright comparison vs `data/ceo_home.html` confirmed:

- CEO mock: dark navy hero at TOP (with white pillars on navy), LIGHT
  white setup card BELOW with light step rows and dark code panels
  inset.
- Previous: light intro hero on top, dark setup card below. Inverted.

This patch flips both:

- `.home-hero-intro` now: dark navy gradient `#0f1b3a → #1a2a5f`, green
  radial glow in the corner, green eyebrow, white H1 (`accent` span
  green), rgba-white lede, green pill primary CTA, translucent-white
  secondary CTA, pillars row separated by hairline border-top with
  green square-dot bullets in front of each pillar header.
- `.install-hero` and `.install-block` now: white surface card with
  thin green accent strip across the top, light step rows split by
  hairline borders, green-tinted step-number circles (`#e6f9f0` bg,
  `#1f8a5e` ink), green progress chip + bar. Code panels
  (`.install-cmd`) and terminal frames stay dark — they're the "type
  this" surfaces.
- All previously-rgba-white descendants of `.install-hero`
  (close button, eyebrow, h1, lead, links, code chips, OS tabs,
  install notes, setup-CTA button, self-mark fallback, auto-detect
  badge, terminal-howto disclosure) re-skinned for light surface.

All 12 home page tests still pass (no markup changes, only CSS).

* fix(web): /home parity polish — system font + mock sizes + blue info hint + gray step-num

After v2 palette flip, user comparison vs CEO mock surfaced three
remaining gaps in the wizard area:

- Font stack mismatch: Agnes inherits Inter via `style-custom.css`,
  but the CEO mock uses the platform system stack (San Francisco on
  macOS, Segoe UI on Windows). The rendered weight/letterforms read
  noticeably different. `.home-mock` now declares
  `-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif`
  for itself and all descendants, with the monospace stack reserved
  for `code`/`kbd`/`pre`, `.install-cmd`, and `.terminal-body`.
- Step number badges were green-tinted; mock uses neutral gray
  (`#f0f2f6` bg, `#4a5168` ink) — green is reserved for the "done"
  state. Switched to `--hp-surface-dim` + `--hp-text-secondary`.
- "Don't have a terminal open?" disclosure was an amber/yellow
  variant left over from the old dark-hero palette. Mock uses a
  blue info-hint vocabulary (`--info-bg: #eef3ff`,
  `--info-line: #4f7cf2`, `--info-ink: #1c3994`) with white kbd
  chips. Added the info-* tokens to the `:root` block and re-skinned
  `details.terminal-howto` (incl. summary, body, kbd) to match.

Step-body type sizes also brought in line with the mock spec —
`.install-block .label` (step h3 equivalent) is now 17px / 700 with
6px gap; `.install-note` body type is 14px / 1.55.

`--hp-info-bg / --hp-info-ink / --hp-info-line / --hp-warn-bg /
--hp-warn-ink / --hp-warn-line / --hp-surface-dim` added as
first-class tokens so future hint/warn callouts pick the same colors
without a duplicate vocabulary.

12/12 home tests pass.

* feat(web): centralize design tokens + reword /home wizard to 6 steps (CEO mock parity)

Two intertwined changes that touch both global design + /home structure:

GLOBAL TOKEN SHIFT (app/web/static/style-custom.css)
- `--primary` flipped from blue `#0073D1` to green `#2ea877` — same brand
  alias the rest of the app referenced, so every page picks up the new
  accent automatically. Old `--primary-dark` / `--primary-light` recolored
  to match.
- New tokens added: `--brand-accent`, `--hero-bg`, `--hero-ink`,
  `--surface-dim`, `--info-bg/ink/line`, `--warn-bg/ink/line`. Brings
  the global vocabulary in line with the CEO mock's `:root` block so
  callouts and hero surfaces don't have to invent local tokens.
- `--font-primary` switched from Inter-led stack to the system stack
  (`-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Inter",
  system-ui, sans-serif`) so weight/letterforms render identically on
  macOS (San Francisco) and Windows (Segoe UI) — matches the mock and
  avoids a font-loading flash for analysts without Inter installed.
- Shadow tints re-cast in navy `rgba(15,27,58,...)`; focus ring uses
  the new green `rgba(46,168,119,0.25)`.
- `.app-nav-link` font-size 13px → 14px, padding 6px 12px → 8px 14px,
  hover bg → `--primary-light` (mint), color → `--primary-dark`.
  `.app-nav-menu-item.is-active` re-tinted to the same green system.
- Sweep across 26 templates (style-custom.css + 25 template files)
  replacing every hardcoded `#0073D1` / `#005BA3` / `#E6F3FC` /
  `rgba(0,115,209,…)` / `rgba(0,86,163,…)` with token references or
  the new green hexes — 175 occurrences total. Pages that styled their
  own buttons / borders / shadows pick up the new brand color without
  per-page overrides.

/HOME WIZARD: 6 STEPS PER MOCK (app/web/templates/home_not_onboarded.html)
- Step 1 reworded `Install Claude Code on your computer` + `~3 min`
  subhead (mock copy).
- Step 2 renamed `Pick a folder for {{ instance_brand }}` (was
  `create your workspace folder`) — same `mkdir` command, mock-aligned
  framing.
- NEW Step 3 `Open a terminal inside that folder` — no shell command,
  just the "you are standing in the right directory" reassurance with
  a Finder/PowerShell/file-manager howto disclosure. Mirrors the CEO
  mock's Step 3.
- Step 4 (was Step 3, gated by `home_automode.show`) renamed
  `Launch Claude with auto-approve on`. Body copy lightly updated so
  it references "the next step" instead of "Step 4".
- Step 5 (was Step 4) renamed `Get the install script and paste it
  into Claude`. The setup-cta-lead now explicitly says
  "pasting the script into Claude Code will install {{ instance_brand
  }}…" so existing test assertions pinning the `install Agnes`
  substring still match.
- NEW Step 6 `Optional: create a one-word shortcut for next time` —
  prints an `echo 'alias {{workspace_dir|lower}}=…' >> ~/.zshrc`
  one-liner for Unix and an `Add-Content $PROFILE …` equivalent for
  Windows. OS tabs + copy buttons reuse the existing wizard chrome.
- Progress chip dynamic: `Step 1 of 6` when home_automode is on,
  `Step 1 of 5` when off. Progress bar fill `100 // total_steps` so
  the bar sits at 16-20 % on first paint.
- `.step-lede` token added for the new short body copy beneath each
  step label (14.5px / ink-soft).
- `macOS / Linux / WSL` tab labels changed to `macOS / Linux` per
  user instruction. Terminal-howto `WSL:` paragraph dropped; the
  paste-shortcut hint now reads `(Linux)` instead of `(Linux/WSL)`.
  Functional WSL handling in `connector_prompts.py` (it's a Linux
  detection fallback, not user-facing label) preserved.
- `setup_instructions.py` Claude Code install hint:
  `npm (Linux / WSL)` → `npm (Linux)`.

SURFACES — 4 CARDS PER MOCK
- Replaced the 3-tile `.home-usage-grid` with a 4-card grid:
  - VS Code (Recommended) — `.surface-card.feature`, green ring,
    DAILY USE eyebrow + 5-step numbered list + `Open VS Code setup
    guide →` link to `/setup-advanced#vscode`.
  - Terminal — QUICK ACCESS eyebrow + 4-step list.
  - Claude Code (Desktop app) — CONNECT IT eyebrow + 4-step list.
  - Cowork (claude.ai) — `.surface-card.incomplete`, warn-tinted
    border + `Instructions needed` badge + a TODO callout describing
    the missing content. The card is intentionally honest about the
    gap rather than hiding it.

TEST UPDATES
- `test_web_home_page.py` negative onboarded-state assertions
  rebased on the new step labels (6 entries instead of 4).
- `test_home_route_resolution.py` `test_home_renders_automode_block_by_default`
  + its `_when_env_off` counterpart now check the new
  `Step 4 — Launch Claude with auto-approve on` label.

* fix(web): /home section content + layout — verbatim mock match

User comparison flagged several remaining gaps; this patch rewrites
the three lower sections of /home to match the CEO mock spec exactly:

FIRST-SESSION (5 beats)
- h2 28px / 700 / -.5px tracking (was 19px / 600).
- lede 18px ink-soft (was 13.5px secondary).
- `.session-walk` wrapper, 36px gap between beats (mock spec).
- `.session-step` grid 48px / 1fr, gap 22px — number circle on
  the left, content on the right.
- `.session-num` 40 × 40 circle with SOLID GREEN bg (`--primary`)
  and WHITE text + soft green shadow (was 28px mint pill w/
  dark-green text).
- `.session-content h3` 18px / 600 (was 14.5px / 600).
- `.session-content > p` 15px.
- `.session-content .annotation` 13.5px ink-muted body type with
  `strong` for highlighting (replaces the upper-case "WHAT'S
  HAPPENING" eyebrow pattern that didn't match the mock).
- `.session-intro` callout card (white surface + mint icon block)
  framing the "five beats" tagline.
- `.session-tldr` summary box (brand-light bg + brand-dark left
  border) wrapping up the loop.
- Terminal frames re-skinned: `#0c1224` body / `#182241` bar /
  real macOS traffic-light colors `#ff5f57` / `#febc2e` / `#28c840`.
- Terminal body 13px / 1.65 line-height with mock-spec class
  vocabulary: `.you` (yellow input), `.ai-name` (brand bold),
  `.path` (light blue), `.dim` (translucent code-ink), `.caret`
  (blinking cursor).
- Five beats rewritten with mock's exact narrative flow (launch →
  menu → pick → ask → close), vendor-agnostic project names
  (`RevenueAnalysis`, `Onboarding`, etc.) replacing the customer-
  specific `GRPN_*` examples in the mock. Templated `{{
  instance_brand }}` / `{{ workspace_dir }}` / `{{ workspace_dir |
  lower }}` (the shortcut alias) everywhere.

SURFACES (4 cards)
- The section is no longer wrapped in a white rectangle; the
  `.home-usage` class loses its bg + border + padding (mock has the
  cards directly on the page bg).
- h2 28px (was 22px). Eyebrow 12px / 1.5px tracking / brand-dark.
- `.surface-card.feature` (VS Code) now uses 2px green border +
  vertical brand-light → white gradient (was 1px ring).
- `.surface-card.incomplete` (Cowork) uses 2px red border (`#e35e5e`)
  + vertical red-tint → white gradient (was yellow flat bg).
- `.surface-card .steps` panel: inner surface-dim bg + 8px radius
  + 13px font.
- `.surface-foot` top-border + ink-muted (mock spec).
- `.badge-warn` now a solid red box (`#e35e5e` bg + white ink + 4px
  radius) instead of a yellow pill, matching the mock.
- Header layout fixed: the global absorbed `header { display: flex;
  justify-content: space-between }` rule was making the h2 sit on
  the right of the eyebrow; explicit `display: block` override on
  `.home-mock section > header` puts the title on the LEFT under
  the eyebrow as the mock has.

BROWSE — Explore your workspace
- Wrapped in `<section class="browse-section">` with proper
  eyebrow + h2 + lede (was a bare `.section-label` div).
- `.browse-grid` 5-col grid (was responsive auto-fill, 4-card
  layout). Skills tile added as a 5th card linking to
  `/marketplace?type=skills`.
- `.browse-card` mock-spec: 22 20 padding, 28px icon, 15px title,
  12.5px ink-muted desc, hover lifts -2px with brand border +
  shadow-md.

Section wrappers (`.home-usage`, `.first-session`) no longer carry
the white card chrome — they sit directly on the page bg, matching
the mock. Only Getting Started + Overview keep their white cards.

GLOBAL eyebrow vocabulary (`.home-hero-intro .eyebrow`,
`.first-session > .eyebrow`, `.surfaces > header .eyebrow`,
`.browse-section .eyebrow`) all aligned to mock spec: 12px / 700 /
1.5px tracking / brand-dark color / 14px bottom margin.

Hero h1 bumped to 44px / 800 / -1px tracking (was 32px / 600).

51/51 home tests pass.

* fix(web): /home session-intro card + terminal-body verbatim mock match

User comparison flagged three remaining /home gaps; this patch
addresses each:

- `.session-intro` rule was missing — the "five beats" tagline
  rendered as a bare line with no card chrome. Added the mock-
  spec card: white surface, 14px radius, 20×24 padding, 1px
  border + shadow-sm, with a 44×44 brand-light icon block on the
  left.

- Beat 1 terminal-title was `~/{{ workspace_dir }} — zsh` (mock-
  style shell-pwd format), but the user wants every terminal
  frame across all 5 beats to read `claude — {{ instance_brand }}`.
  Updated.

- Terminal-body line structure for beats 2-5 rewritten verbatim
  from the CEO mock:
  - `<span class="prompt">&gt;</span><span class="you">…</span>`
    now has no space between the prompt and user input (mock
    pattern: zero gap, the .prompt's `margin-right: 8px` provides
    the visual separation).
  - Beat 2 menu items use `<strong>[N]</strong>` numbering with
    project entries on indented lines, each project name followed
    by a `<span class="dim">(N ago)</span>` timestamp at a fixed
    column — instead of my prior single-line concatenation.
  - Beat 3 narrative split into 4 stanzas separated by blank lines
    (matches mock): the "Switched to <strong>X</strong>" status,
    then dim Loaded/Last-session lines, then a stand-alone "One
    unprocessed input detected:" pair, then the "Want me to
    process …" question. My prior version dim-wrapped the entire
    block, which looked off.
  - Beat 4 narrative split into headline summary + risks section
    with <strong> heads + bullet lists separated by blank lines,
    matching the mock's "Q1 close summary" / "Open risks" rhythm.
    The Q1 question carries the mock's manual line-break + 2-
    space continuation indent inside the `.you` span — without
    that, terminal-body's `white-space: pre-wrap` would auto-wrap
    awkwardly at a different column than the mock.
  - Beat 5 exit narrative uses two separate dim lines + a
    standalone `.ai-name` "See you next time." line, then prompt
    + caret. My prior version collapsed everything into one dim
    block.
  - Project names changed from customer-specific (`GRPN_*`) to
    generic (RevenueAnalysis, WeeklyReview, Onboarding, OpsDb,
    HRHandShake) so the OSS distribution stays vendor-agnostic
    per CLAUDE.md.
  - `Marketing plan` examples replaced with `Q1 close` so the
    narrative stays plausible for an analyst audience.

12/12 home tests pass.

* fix(web): /home surfaces verbatim mock — VS Code thumb, Terminal expected-output, NEW badge

User comparison flagged three remaining surface-section gaps:

- VS Code surface card was rendering a generic "Screenshot pending"
  placeholder; the mock has a labeled inline mockup
  (`<a class="vscode-thumb">` w/ `.thumb-fallback`) showing the
  recommended 4-pane layout (EXPLORER yellow, TERMINAL 1 purple,
  TERMINAL 2 green, TERMINAL 3 orange) on a dark navy bg + a
  "Recommended layout" caption pill. CSS `.vscode-thumb` block
  added — uses gradient-strip backgrounds to draw the colored
  panel bars without needing a base64 image.

- "Recommended" badge was a pill (999px radius) with
  `--brand-accent` bg + navy text. Mock uses `.badge` instead of
  `.recommend-pill` — solid `--primary` (brand-dark green) bg
  with WHITE text and 4px radius. Replaced the class + CSS rule
  so the badge reads as a tag, not a pill.

- Terminal surface card was missing the "What you should see"
  subsection — mock has an `.expected-output` block showing a
  sample of the welcome menu inside a dim dashed panel. Added the
  block with the mock's exact rendered output (templated to
  `{{ instance_brand }}` + generic project names instead of
  customer-specific GRPN entries) plus the `.expected-output`
  CSS (surface-dim bg + dashed border + `::before` "WHAT YOU
  SHOULD SEE" eyebrow per mock spec).

Also addressed the explore-section feedback:

- Skills browse-card now carries the `new` class so it picks up
  the `.browse-card.new::after` corner badge ("NEW", green bg,
  white text, 10px / 700 / 0.5px tracking) per mock.
- Browse cards align same height via `align-self: stretch` (grid
  default) + `flex-grow: 1` on `.browse-desc` so descriptions
  fill remaining vertical space; previously the Skills tile sat
  shorter because its desc text was longer than others'.

Structural HTML changes to all four surface cards: dropped the
inner `<div class="surface-card-head">` wrapper + `<p
class="surface-pitch">` class in favor of mock's flat layout
(`.what` + `.steps` + `.when-to-use`). `<ol class="surface-steps">`
replaced with `<div class="steps"><strong
class="steps-eyebrow">DAILY USE / QUICK ACCESS / CONNECT IT</strong>
<ol>...</ol></div>` so the eyebrow + numbered list share the
mock's tinted surface-dim panel.

12/12 home tests pass.

* fix(web): align /home setup walkthrough to design spec

- Setup-section header (eyebrow + heading + lede) floats above the
  install hero; install card has no accent strip; step labels drop
  `Step N —` prefix; closing strip is single flex row.
- VS Code surface card renders recommended-layout screenshot from
  `/static/img/vscode-layout.png` with click-to-enlarge lightbox.
- Workspace install path cascades to `~/Desktop/{workspace_dir}` in
  every step, surface card, first-session annotation, and shortcut.
- Step 1 verify text restores Enterprise — Finance and Legal option.
- Step 6 shortcut installs a shell function with arg forwarding
  (`"$@"` unix / `@args` windows) and a user-facing Auto / YOLO
  permission-mode toggle.
- Step 5 manual-fallback details inline on the CTA row; description
  reads at step-lede size, not 13px chip.
- Setup-section heading no longer right-aligns (was inheriting
  `header { display: flex; justify-content: space-between }` from
  the legacy stylesheet; wrapper changed to `<div>`).
- Getting Started `<details>` block removed (duplicated links).

* test(web): align /home tests with restructured setup wizard

- Replace test_getting_started_card_renders_on_home with
  test_setup_section_renders_for_not_onboarded — asserts the new
  setup-section-header floats above the install hero and Getting
  Started markup is absent (block removed in the prior commit).
- Update automode-block test to match labels without the
  `Step N —` prefix.
- Update setup-CTA partial test to match the relabeled
  "Copy install script to clipboard" button.

Drop orphaned CSS for `.home-getting-started`, `.home-gs-summary*`,
and `.home-gs-item` — selectors had no matching markup after the
Getting Started block was removed.

Also: Step 3 `pwd` expected-output uses an absolute path
(`/Users/yourname/Desktop/{workspace_dir}`) instead of the
tilde-prefixed form, matching what the command actually prints.

* fix(web): repaint home_onboarded + setup_advanced; align CTA label

- home_onboarded + setup_advanced still carried the retired blue
  `#0056A3` as both `--hp-primary-dark` and the hero gradient
  endpoint. Both reference `var(--primary-dark)` now so the green
  palette cascades.
- setup_advanced YOLO snippet was the old `alias` form (no cd, no
  arg forwarding). Replaced with the shell function variant from
  /home Step 6 — drops into ~/Desktop/{workspace_dir} and forwards
  "\$@" (unix) / @args (Windows).
- setup_advanced ~/{workspace_dir} path references cascaded to
  ~/Desktop/{workspace_dir} so install story matches /home.
- Dashboard's "Setup a new Claude Code" button label aligned to the
  canonical "Copy install script to clipboard" — matches /home and
  the new docstring in _claude_setup_cta.jinja, which now mandates
  this label across consumers.

* fix(web): keep base brand blue; scope green palette to /home redesign

User noticed login + dashboard had turned green when the /home
redesign flipped --primary from blue (#0073D1) to green (#2ea877)
in commit 278f202e. The brand-wide flip went further than the
redesign needed — only /home, /home (onboarded), and /setup-advanced
intentionally use the green/navy spec; every other page (login,
dashboard, catalog, marketplace, admin, profile) was just inheriting
the green because --primary cascaded everywhere.

Revert the global brand colour to blue and lock the green into the
two outstanding redesign scopes:

- style-custom.css: --primary back to #0073D1, --primary-light back
  to rgba(0,115,209,0.1), --primary-dark back to #005BA3,
  --brand-accent back to a lighter blue.
- home_onboarded.html: .home-mock now sets --hp-primary,
  --hp-primary-dark, --hp-primary-light to explicit green hex
  (matching home_not_onboarded), so the hero stays green regardless
  of the global brand.
- setup_advanced.html: same lock — .advanced-mock pins the green
  palette in-scope.

Hero gradients on both pages now reference the local --hp-primary
chain (not the global --primary), so any future palette tweak inside
either scope cascades correctly without disturbing the rest of the app.

* refactor(web): hoist --hp-* into shared design-tokens.css (--ds-*)

PR 2 of the design-system extraction ladder. Pure mechanical rename
+ dedup; no visual diff on any rendered page (verified on /home,
/dashboard).

- New app/web/static/css/design-tokens.css declares the full token
  set on :root: brand surface (green primary, primary-dark, mint
  light, brand-accent), hero (navy bg + ink), code-panel (near-black
  bg + cool ink + warm-yellow), light surfaces (bg/surface/border),
  text (primary/secondary/muted), orange accent, info + warn
  callout vocabularies, navy-tinted elevation shadows, system font
  stack + mono.
- base.html loads it alongside style-custom.css so the tokens are
  globally available.
- Rename --hp-* -> --ds-* in home_not_onboarded (313 refs),
  home_onboarded (15), setup_advanced (39). 367 token references
  pointed at one of three local blocks; now all point at the
  global :root.
- Drop the three local token blocks. Each scope class
  (.home-mock / .advanced-mock) only keeps its base ink + font-size
  + line-height rules.

The legacy --primary family stays canonical for the blue base
brand — login, dashboard, catalog, marketplace, admin still read
blue. The design system is opt-in via the scope class.

* refactor(web): extract shared components.css; migrate /home markup

PR 3 of the design-system extraction ladder. First batch of
reusable components lifted out of home_not_onboarded.html into a
new shared stylesheet; markup migrated to consume them.

- New app/web/static/css/components.css with five components, all
  reusable on any page that loads design-tokens.css:
    .callout-rec        — amber lightbulb recommendation box
    .callout-hint       — blue info hint box
    .code-output        — "WHAT YOU SHOULD SEE" terminal output block
    .lightbox           — full-bleed image enlarge overlay
    .setup-section-header — wizard header (eyebrow + h2 + lede)
- base.html loads components.css after design-tokens.css.
- home_not_onboarded.html markup renamed:
    class="rec"             -> class="callout-rec"
    class="hint"            -> class="callout-hint"
    class="expected-output" -> class="code-output"
- Local CSS rules removed from home_not_onboarded.html for each of
  the extracted components — ~150 lines down to 5-line "extracted to
  components.css" comments. The bespoke wizard-specific styles
  (.install-cmd, .os-tabs, .mode-tabs, .terminal-frame) stay
  template-local for now since they only have one consumer.

Visual regression check: /home install hero renders the amber rec
callout, blue hint callout, dashed code-output block, green section
header, and click-to-enlarge VS Code thumb identically to the
pre-extraction render. 43 home tests pass.

* fix(web): unify page-headers — activity-center full-width, marketplace shares box

- /activity-center audit-log hero rendered as half-width because the
  _page_hero include was inside <header class="obs-topbar">, a flex
  row that pinned the time-range + auto-refresh controls next to it.
  The hero is now a sibling rendered before the <header>, so it
  spans the full container width like every other admin page; the
  controls keep their flex row underneath.
- Marketplace hero unified with .page-header--hero. Markup is now
  <section class="page-header page-header--hero mp-hero"> so the
  shared box drives padding/radius/gradient/max-width/shadow; the
  .mp-hero override block only carries the right-anchored cover
  image and the rules for the search row + scope checkboxes (which
  the canonical hero doesn't have). Inner text uses the canonical
  .page-header__eyebrow / __title / __subtitle classes.
- .page-header--hero shadow tint now follows the brand blue
  (rgba(0, 115, 209, 0.2)) instead of the leftover green from the
  prior palette flip; same depth highlight everywhere the gradient
  is blue.

* fix(web): unify remaining page heroes — admin, profile, install, store, stack

Sweep across pages that carried bespoke gradient hero markup so
every page-hero shares the canonical `.page-header--hero`
dimensions (padding 28/32/24, border-radius 14, max-width
var(--width-app), navy-tinted shadow, gradient with --primary →
--primary-dark). Inner text uses the .page-header__eyebrow /
__title / __subtitle classes so typography matches across the app.

- admin_tables: migrated to _page_hero.html include.
- admin_tokens: kept .tokens-hero wrapper for the counts-chip row
  but added the canonical class on the same element; stripped
  duplicate gradient + padding + typography rules.
- install: same pattern (kept hero-meta pill row).
- profile: migrated to _page_hero.html include.
- store_upload: kept .upload-hero wrapper for the .meta chip row;
  composite class with the canonical hero.
- setup_advanced: .advanced-mock .ad-hero now matches canonical
  dimensions; green palette retained via --ds-primary/dark.
- stack_card.css: .stack-hero (catalog + corporate-memory search
  hero) uses canonical gradient + padding + max-width.

The detail-page heroes (marketplace_plugin_detail,
marketplace_item_detail, catalog_*_detail, store_edit,
admin_group_detail, admin_store_submission_detail) stay bespoke
for now — they're rich detail headers with photos, badges, install
actions; converting them would lose contract context. Same applies
to dashboard.html env-setup-cta (it's a CTA card, not a page hero).

* fix(web): canonicalise .container — single page shell every page inherits

Previously each admin page set its own `.container:has(.<page>)
{max-width: none}` + `.<page>-page {max-width: 1400px}` override,
and per-page hero markup either nested inside flex toolbars (which
pinned the hero next to filter controls and squeezed it half-width)
or self-constrained with a different max-width than the page. /home,
/dashboard, /marketplace, and /admin/* ended up at different widths
with different nav-to-hero gaps.

- style-custom.css `.container` now carries the canonical 1280px
  max-width + `16px 32px 48px` padding so every page inherits the
  same nav-to-hero gap and side gutters. `.container > main` is
  margin/padding 0 so the container is the sole owner of gutters.
- `.page-header--hero` drops its self-constraining max-width and
  auto-centering margin — the container provides the width, so the
  hero sits flush with the table/toolbar below it.
- `.stack-hero` (catalog + corporate-memory) and `.advanced-mock
  .ad-hero` (/setup-advanced) follow the same pattern: container
  owns the width.
- Per-page max-width overrides stripped from admin_users,
  admin_access, admin_groups, admin_marketplaces, admin_welcome,
  admin_workspace_prompt.
- _page_hero include extracted from inside flex toolbars on
  admin_users, admin_access, admin_groups, admin_marketplaces,
  admin_server_config, admin_welcome, admin_workspace_prompt,
  admin_sessions, admin_session_detail, admin_usage,
  activity_center. The toolbar (`.users-toolbar`, `.gp-toolbar`,
  etc.) keeps only the filter + action controls; hero renders
  before it as a sibling.
- _page_chrome.html trimmed to just the page-background tint for
  the redesign scopes; the duplicate `.container` rules it carried
  are now redundant.

Verified: /home, /admin/marketplaces, /admin/users all render
container width 1280px with hero top at 88px (16px below the
72px-tall sticky nav). Same spacing as /home design spec.

* fix(web): admin_tables + admin_corporate_memory inherit canonical .container

Both pages were overriding `{% block layout %}` from base.html,
which bypasses the canonical `.container` wrapper. Result: hero
span the full viewport (1596px on a wide screen) while the inner
content sat at a narrower max-width — hero and content didn't
align, and the nav-to-hero gap differed from every other admin
page.

Switched both templates to `{% block content %}` so they render
inside the canonical `.container` from base.html — same path as
admin_groups, admin_users, admin_marketplaces, etc.

- admin_tables: dropped local `.page-title { max-width: 1600px }`
  + `.content { max-width: 1600px }` overrides (kept typography +
  inner gutter rules) and the mobile padding overrides that paired
  with them. Container now owns the gutters.
- admin_corporate_memory: only the block keyword needed changing;
  the template already had a clean inner structure (no max-width
  override on `.container-memory`).

Verified on /admin/tables and /admin/corporate-memory:
- .container width 1280, padding 16/32/48
- Hero top 88 (nav 72 + container padding-top 16)
- Hero + content both 1216px wide, both at left 190 — perfect
  alignment with /admin/groups.

* fix(web): drop .page-shell padding override + admin_tables stale :root

Two regressions discovered after the canonical-container unification:

1. `.container:has(.page-shell)` still set `padding: 28px 32px 48px`
   while the canonical `.container` had moved to `16px 32px 48px`.
   Every page-shell consumer (/admin/sessions, /admin/sessions/<id>,
   /admin/usage, /marketplace, /dashboard, marketplace detail pages,
   /me/activity, /store/*, /admin/store-submissions) was rendering
   with a 28px nav-to-hero gap while /admin/users + /admin/groups
   rendered with 16px. Same width, mismatched vertical rhythm.
   The opt-in rule is now a no-op marker: canonical container
   already provides 1280px + 16/32/48 + main margin/padding 0.

2. admin_tables.html had a stale `<style>` block that re-declared
   `:root { --primary: var(--primary); ... }`. The self-referential
   token resolved to empty, collapsing the page-header hero's
   `linear-gradient(135deg, var(--primary), var(--primary-dark))`
   to no background — the hero appeared as a pale ghost without
   colour. The entire shadow `:root` block was a stale copy of the
   design tokens that style-custom.css already provides. Dropped
   it; tokens now resolve from the global `:root`.

After both fixes /admin/sessions, /admin/tables, and every other
page-shell consumer match /admin/groups exactly: container 1280px,
container padding-top 16px, hero at top 88px / left 190px / width
1216px.

* fix(web): drop /admin/tokens .tokens-page width + padding override

`.tokens-page` carried its own `max-width: 1280px; margin: 0 auto;
padding: 28px 8px 48px` block — the canonical `.container` already
provides width + 16/32/48 padding, so the nested wrapper was
adding 28px on top of the container's 16px (= 44px nav-to-hero
gap, vs 16px on every other admin page) and shrinking the hero
sideways by 8px on each side (1200px vs the canonical 1216px).

After: container owns the layout; `.tokens-page` is just a
font-family scope. /admin/tokens hero now sits at top 88, left 190,
width 1216 — same numbers as /admin/groups / /admin/users.

* fix(web): hero links readable on blue; /admin/access Groups link href

- New `.page-header--hero a` rule in style-custom.css forces any
  anchor inside a gradient hero to render white + underlined so
  links stay readable on the blue background. Previously links
  inherited the global `var(--primary)` blue, which disappeared
  on top of the matching blue gradient. No per-page class needed —
  drop a plain `<a>` in any hero subtitle and it just works.
- /admin/access hero subtitle was Jinja-passing the inline link
  with HTML-entity-encoded quotes (`href=&quot;...&quot;`). The
  entities decoded to literal `"` characters inside the rendered
  href, producing `/admin/%22/admin/groups%22` — a 404. Switched
  the `set` to a block-set (`{% set page_hero_subtitle %}...{% endset %}`)
  so the inline `<a href="/admin/groups">Groups</a>` survives
  unescaped through `_page_hero.html`. Also stripped the now-redundant
  inline `style="color:#fff;text-decoration:underline;"` — the new
  shared rule handles it.

* fix(web): /dashboard top padding matches every other page

`.main` on /dashboard had `padding: 28px 32px 48px` while every
other page now uses `16px 32px 48px` via the canonical
`.container`. Dashboard bypasses `.container` (overrides
base.html's `layout` block to render a full-width `<main>`
directly), so the padding lives on `.main` itself — bumped the
top to 16px to match.

After: first child top = 88, left = 190, width = 1216 — same
numbers as /admin/groups / /admin/users / /admin/marketplaces.

* fix(web): green eyebrow + white title on .page-header--hero (matches /home)

`.page-header--hero .page-header__eyebrow` was faint white
(rgba(255,255,255,0.75)) — readable but unbranded against the blue
gradient. Changed to `var(--ds-brand-accent)` (mint green #54d3a0)
so every page hero pairs a green eyebrow with white title +
subtitle, echoing /home's setup-section header (green eyebrow,
dark heading combo). One CSS rule applies everywhere — no
per-page styling needed.

Also bumped the eyebrow to font-weight 700 / letter-spacing 1.2px
so the green stands out cleanly against the gradient.

* fix(web): page-header--hero + stack-hero use /home navy gradient

`.page-header--hero` and `.stack-hero` were on the brand-blue
gradient (`var(--primary)` → `var(--primary-dark)`) while
/home's hero (`.home-hero-intro`) sits on the deeper navy
gradient (`#0f1b3a` → `#1a2a5f`). Every other page-hero now
uses that same navy gradient so /home, /marketplace, /catalog,
/corporate-memory, /admin/*, /profile, /install, /dashboard,
/setup-advanced share one brand surface. Shadow tint adjusted
to the navy depth (rgba(15, 27, 58, 0.22)).

Brand blue stays the link/CTA colour everywhere else; only the
hero box itself is navy.

* fix(web): primary buttons green; marketplace tabs navy translucent

Two parity tweaks pulling the rest of the app toward /home's
visual language.

- `.btn-primary` (both rules in style-custom.css) now uses
  `var(--ds-primary)` / `var(--ds-primary-dark)` green fill,
  matching the "Copy install script to clipboard" button on
  /home. Brand-blue `--primary` still drives link colour and the
  accent surface; only the filled button background flipped to
  green. Every page with a `.btn-primary` (admin "+Add user",
  "+Add marketplace", catalog, marketplace actions, dashboard,
  modals) now reads as the same "do it" affordance.
- `.mp-tabs` (Curated Marketplace / Flea Market / My Stack tab
  group) now sits on the navy `--ds-hero-bg` with translucent
  white pills (rgba(255,255,255,0.10) inactive, 0.18 active) —
  same translucent-white-on-navy treatment as the "Just browse —
  no install needed" pill on /home. Icons render as soft white;
  per-tab colour-coding dropped in favour of the unified surface.

* fix(web): catalog/memory tabs + empty-state CTA + admin action buttons

Bring /catalog and /memory in line with /home + /marketplace:

- `.stack-tabs` (Browse / My Stack / Recipes on /catalog,
  Browse / My Stack on /memory) now uses the navy `--ds-hero-bg`
  container with translucent-white-on-navy pills, mirroring the
  `.mp-tabs` treatment and /home's "Just browse — no install
  needed" CTA pill. Per-tab icon colour-coding dropped — icons
  render as soft white on the navy fill.
- `.stack-tabs-row__actions .btn` (right-slot "+New Recipe",
  "+New Data Package" admin CTAs) now uses green primary fill
  (`--ds-primary`), matching `.btn-primary` and /home's
  "Copy install script to clipboard" button.
- `.stack-empty .cta a` (empty-state action button — the
  "Open /admin/tables →" CTA on /catalog and equivalent on
  /memory) flipped from blue `--primary` to green `--ds-primary`
  so the colour aligns with every other primary button in the app.

* fix(web): marketplace Search button green (--ds-primary) matching other CTAs

* fix(web): unify Search button + admin-action button across browse pages

- Added Search button (`<button class="stack-hero__search-btn">`)
  to /catalog and /memory heroes — same green pill as /marketplace.
  Wired to the existing live-filter pipeline (button click runs
  `applyFilters()` and refocuses the input). All three browse pages
  now wear the identical search bar UI.
- `.stack-hero__search-btn` shares `--ds-primary` fill with
  `.mp-hero .search-btn`.
- `.mp-actions .btn` ("Submit a skill or plugin" CTA on /marketplace)
  flipped from the legacy blue-outline to the same green primary
  fill + dimensions (`display: inline-flex; line-height: 1;
  padding: 9px 16px; gap: 6px`) as `.stack-tabs-row__actions .btn`
  on /catalog and /memory. All three right-slot action buttons
  render at identical height now.
- `.stack-tabs-row__actions .btn` got `inline-flex` + `line-height: 1`
  + `gap: 6px` so a `<button class="btn">` and a `<a class="btn">`
  both render at exactly 33px high — the embedded
  `.admin-only-hint` chip no longer pushes one variant taller
  than the other.

* fix(web): marketplace guide CTAs green (fastpath + primary); drop flea purple

* fix(web): dashboard CTA hero on navy; readable <code> chips in hero

- `.env-setup-cta` on /dashboard ("Set up a new Claude Code"
  card) flipped from the brand-blue gradient + green-tinted shadow
  to the canonical navy gradient (`--ds-hero-bg` → `#1a2a5f`) with
  navy-tinted shadow + 14px radius + 28/32/24 padding, matching
  `.page-header--hero` and /home's `.home-hero-intro`. Dashboard's
  top CTA now sits on the same brand surface as every other hero.
- Added `.page-header--hero code` rule — translucent white pill +
  warm-yellow ink (#ffd866) so `<code>` chips embedded in hero
  subtitles read as code samples against the navy gradient. The
  global `code` rule sets `color: var(--text-primary)` (dark),
  which turned in-hero chips into invisible dark-on-white-on-navy
  ghosts (e.g. the `-by-dev` suffix on /store/new).
- /store/new's `.page-header__subtitle code` dropped its inline
  style override — the shared rule handles it now.

* feat(web): two-theme switching via data-theme + admin toggle

Introduces a theme system that flips the entire UI palette between
"navy" (current design, default) and "blue" (pre-redesign palette)
via a single `<html data-theme="...">` attribute. Page markup, class
names, and component styles don't change — only the `--ds-*` token
values flip.

Backend
- New `app/instance_config.py::get_instance_theme()` resolves the
  active theme from `AGNES_INSTANCE_THEME` env > `instance.theme`
  in instance.yaml > default "navy". Unrecognised values clamp to
  "navy" so a typo doesn't break the page.
- `app/web/router.py::_build_context` injects `instance_theme`
  alongside `instance_brand` etc. so every template inherits it.
- `app/web/templates/base.html` renders
  `<html lang="en" data-theme="{{ instance_theme | default('navy') }}">`.

CSS
- `app/web/static/css/design-tokens.css` adds two new tokens to
  the default `:root` set: `--ds-hero-shadow` (drop-shadow tint
  on hero boxes) and `--ds-hero-eyebrow` (eyebrow accent colour).
  Plus a `:root[data-theme="blue"]` override block that flips
  seven tokens: `--ds-primary`, `--ds-primary-dark`,
  `--ds-primary-light`, `--ds-brand-accent`, `--ds-hero-bg`,
  `--ds-hero-bg-deep`, `--ds-hero-shadow`, `--ds-hero-eyebrow`.
  The blue theme aliases the brand surface tokens back to the
  legacy `--primary` family.
- `.page-header--hero`, `.stack-hero`, `.env-setup-cta`,
  `.home-mock .home-hero-intro` now reference the new
  `--ds-hero-shadow` and `--ds-hero-bg-deep` tokens instead of
  hard-coding `rgba(15, 27, 58, 0.22)` and `#1a2a5f` — gradient +
  shadow now flip with the theme.
- `.page-header--hero .page-header__eyebrow` uses
  `var(--ds-hero-eyebrow)` so the eyebrow goes mint-green on
  navy and translucent-white on blue (mint on blue reads poorly).

Admin
- `app/api/admin.py::_KNOWN_FIELDS["instance"]` now registers a
  `theme` field of kind `select` with options `["navy", "blue"]`
  and a `hint` explaining the trade-off. The existing
  /admin/server-config UI auto-renders a select for this — no
  template changes needed.

Defaults
- Default value is "navy" so existing instances see no visual
  change. Admins flip to "blue" via /admin/server-config to
  restore the pre-redesign look.

Restart note: uvicorn must reload to pick up the Python changes
(new getter, new template-context key, new known-field). CSS
changes hot-reload via browser refresh.

* fix(web): blue theme — home hero eyebrow + CTA contrast

`.home-hero-intro .eyebrow` and `.btn-intro-primary` referenced
`--ds-brand-accent` directly, which on the blue theme resolves to
the lighter brand-accent blue (#4F9DEB). Result: light-blue eyebrow
on the blue gradient ("WELCOME, ADMIN" barely readable) and a
light-blue button with darker-blue text ("Set up in ~15 min")
that all sat in the same hue range.

Introduces three new theme-aware tokens:
- `--ds-hero-eyebrow` already existed; blue theme bumped opacity
  to 0.92 so the eyebrow reads as full white.
- `--ds-hero-cta-bg` + `--ds-hero-cta-fg` + `--ds-hero-cta-bg-hover`
  flip the primary hero CTA: mint-green on navy (default), white-
  on-blue under `data-theme="blue"`.

`.home-hero-intro .eyebrow` now uses `--ds-hero-eyebrow` (mint on
navy / white on blue) and `.btn-intro-primary` uses the CTA token
trio.

Recommended palette on blue theme:
- Eyebrow: white at 92% opacity (clear on the blue gradient).
- Primary CTA pill: white background, brand-blue dark text
  (`--primary-dark` = #005BA3) for AAA-level contrast.
- Secondary CTA: translucent white pill (unchanged).

* fix(web): blue theme — callout-hint info bg/border/ink re-tinted to brand blue (was indigo, clashed with brand-blue hero)
2026-05-21 06:19:16 +00:00

969 lines
49 KiB
Python
Raw Blame History

"""Single source of truth for the "Setup a new Claude Code" clipboard payload.
Both the JS-embedded clipboard renderer (`_claude_setup_instructions.jinja`)
and the read-only HTML preview on the dashboard and /install pages consume
these lines. Keep it in Python so there is exactly ONE place that edits.
Placeholders `{server_url}`, `{token}`, `{wheel_filename}`, and `{server_host}`
are substituted at render time. `{wheel_filename}` and `{server_host}` are
pre-substituted server-side via `resolve_lines()`; `{server_url}` and
`{token}` survive into the JS template and are filled in at click time.
`{wheel_filename}` is server-pre-substituted because `uv tool install`
validates the PEP 427 filename *in the URL path* before fetching, so a
stable alias like `agnes.whl` fails with "Must have a version" — we need
the real versioned filename inlined.
`{server_host}` is server-pre-substituted because the `git config` and
`claude plugin marketplace add` lines need the bare host (no scheme), and
the click-time JS only knows the full origin (`{server_url}`).
## Cross-platform trust strategy (when `ca_pem` is supplied)
The trust block (step 0) is the load-bearing piece. Three things bit us in
practice and the design here exists to dodge each one:
1. **rustls rejects the Agnes leaf cert as `CaUsedAsEndEntity`.** The Agnes
server's self-signed cert is simultaneously its own CA (basicConstraints
`CA:TRUE`) AND the leaf served on the wire — a setup OpenSSL tolerates
but webpki/rustls strictly refuses. So `uv tool install <https-url>`
never works against the Agnes wheel endpoint. We download the wheel via
curl first (curl uses OpenSSL, accepts the cert), then `uv tool install
--native-tls --force <local-file>` lets rustls reuse the OS trust store
for PyPI dependency resolution. No HTTPS hop through rustls touches the
Agnes host.
2. **`SSL_CERT_FILE` REPLACES the trust store, it doesn't append.** Pointing
it at `~/.agnes/ca.pem` alone breaks every Python tool that needs to
reach a public host (PyPI, GitHub) — `da` works fine because it only
talks to Agnes, but `uv run --with <pkg>` immediately fails with
`UnknownIssuer`. We materialize a combined bundle at
`~/.agnes/ca-bundle.pem` (system roots + Agnes CA) and point all
`SSL_CERT_FILE` / `REQUESTS_CA_BUNDLE` / `GIT_SSL_CAINFO` at it.
`NODE_EXTRA_CA_CERTS` keeps pointing at just `ca.pem` because Node's
semantics is *additive* (appends to bundled roots), so a single-cert
file is correct there.
3. **Bun-compiled `claude` (Windows + macOS distributions) ignores every
CA env var AND the OS trust store for marketplace HTTPS.** On macOS
arm64 the binary at `~/.local/bin/claude` is a Mach-O with a `__BUN`
segment (single-file `bun build --compile`); on Windows claude.exe is
the same shape. `strings` shows the binary recognizes
`NODE_EXTRA_CA_CERTS`, `SSL_CERT_FILE`, `REQUESTS_CA_BUNDLE`,
`CURL_CA_BUNDLE` (including a "NODE_EXTRA_CA_CERTS detected" log
string), but in practice the values never reach the TLS context — a
known limitation of Bun's compiled-binary HTTPS path. Registering the
cert in the OS trust store (Windows: `certutil -user -addstore Root`;
macOS: `security add-trusted-cert`; Linux: `update-ca-certificates` /
`update-ca-trust`) doesn't fix it on Windows or macOS either — the
binary's bundled CA list isn't refreshable from the OS store.
So the marketplace step always uses system `git clone` regardless of
platform — system git honors `GIT_SSL_CAINFO` from the combined bundle
in step 0(d). We tried having Linux attempt direct HTTPS first (where
node-based claude DOES respect `NODE_EXTRA_CA_CERTS`), but `claude
plugin marketplace add <https-url>` is broken end-to-end on every
distribution: it does succeed at downloading the marketplace.json, but
stores it as a single file. The plugin entries' `source: "./plugins/<name>"`
paths are then resolved as local filesystem paths against that file's
parent dir — and the plugin tree obviously isn't there. Only the clone
path produces a real directory tree that `plugin install` can read.
The OS trust-store registration in (c) is still done on all three
platforms because it's needed for *non-claude* native tools — e.g.
the system git fetch path itself (Schannel on Windows, Security
framework on macOS) trusts via the OS store, not via env vars.
Marketplace refresh: after the initial clone, `agnes refresh-marketplace`
incrementally `git pull`s against the same clone and runs `claude plugin
marketplace update agnes`. Credentials are injected per-pull via a
one-shot git credential helper (PAT from `~/.config/agnes/token.json`)
so the cloned repo's `origin` URL stays PAT-free at rest. The
SessionStart hook (installed by `agnes init`) calls refresh-marketplace
on every Claude Code session so changes server-side propagate
automatically.
## Step ordering
The numbered steps are arranged so that:
- All installation work (CLI, plugins) happens first, in one go.
- `agnes init` is mandatory — it bundles auth, workspace bootstrap,
CLAUDE.md fetch, and Claude Code SessionStart/End hooks into one
non-interactive call. Replaces the old `agnes auth import-token` +
`agnes auth whoami` pair.
- `agnes diagnose` runs late so it doubles as a final smoke test after
plugins are in place, instead of gating them. It is also the last
step before Confirm — the whole prompt is non-interactive, no
decision questions for the user.
Layout:
0 TLS trust block (only when ca_pem is supplied)
1 Install CLI
2 agnes init (auth + workspace bootstrap)
3 agnes catalog (smoke verify)
4 Pre-flight: git + claude
5 Marketplace (always, even with empty served stack)
6 MCP servers (Atlassian Remote MCP)
7 Diagnose
8 Confirm
The combined-bundle source uses a fallback chain so the prompt still works
on machines without the system Python `certifi`: we try (a) `python3 -c
'import certifi'`, (b) the platform's curl/openssl bundle path, (c)
`uv run --with certifi` as a network last-resort. The user explicitly
permitted that fallback chain — it's not improvising-around-a-TLS-error.
"""
from __future__ import annotations
# Marketplace name as published by app.marketplace_server.packager.
# Hard-coded here (rather than imported) to keep this module dependency-free
# and trivially testable. If the value ever drifts, the regression test
# below catches it.
_MARKETPLACE_NAME = "agnes"
def _tls_trust_block(ca_pem: str) -> list[str]:
"""Step 0 — cross-platform TLS trust bootstrap for the Agnes server.
Emitted only when the server has a non-publicly-trusted cert. Does four
things in a single numbered block (see module docstring for the full
rationale):
(a) Detect platform (Windows Git Bash / macOS / Linux) and pick the
shell rc file that the user's login shell actually reads.
`$SHELL`-driven, NOT existence-of-rc-driven — old setups put a
legacy `.bashrc` next to a default zsh shell on macOS, and the
`[ -f .bashrc ]` heuristic silently writes to the wrong file.
(b) Write the cert PEM to `~/.agnes/ca.pem` via single-quoted heredoc
(so `$` / backtick chars in real-world certs never shell-expand).
(c) Register the cert in the OS trust store (so native binaries that
bypass our env vars — claude.exe, system git's Schannel backend,
Python apps using `truststore` — still trust the host).
Idempotent: re-running just re-affirms the entry.
(d) Build a *combined* CA bundle (system roots + Agnes CA) at
`~/.agnes/ca-bundle.pem`, with a fallback chain for the system
roots source. Persist `SSL_CERT_FILE` / `REQUESTS_CA_BUNDLE` /
`GIT_SSL_CAINFO` pointing at the bundle, plus
`NODE_EXTRA_CA_CERTS` pointing at just `ca.pem` (Node
appends-not-replaces). Persistence is idempotent via a grep
guard for the `AGNES_CA_PEM_TRUST` marker.
"""
pem = ca_pem.strip()
lines: list[str] = [
"0) Trust the Agnes TLS certificate — cross-platform setup for a self-signed / private-CA host.",
"",
" (a) Detect platform + pick the shell rc file your login shell actually reads.",
" Driven by $SHELL + uname (NOT by which rc files happen to exist on disk).",
"",
" case \"$(uname -s)\" in",
" Darwin) PLATFORM=macos ;;",
" Linux) PLATFORM=linux ;;",
" MINGW*|MSYS*|CYGWIN*) PLATFORM=windows ;;",
" *) echo \"Unsupported OS: $(uname -s)\" >&2; exit 1 ;;",
" esac",
" SHELL_NAME=\"$(basename \"${SHELL:-bash}\")\"",
" case \"${SHELL_NAME}:${PLATFORM}\" in",
" zsh:*) RC=\"$HOME/.zshrc\" ;;",
" bash:macos) RC=\"$HOME/.bash_profile\" ;;",
" bash:windows|bash:linux) RC=\"$HOME/.bashrc\" ;;",
" *) RC=\"$HOME/.profile\" ;;",
" esac",
" echo \"Platform: $PLATFORM, shell: $SHELL_NAME, rc: $RC\"",
"",
" (b) Write the cert (single-quoted heredoc so $/backticks in the body don't expand):",
"",
" mkdir -p ~/.agnes",
" cat > ~/.agnes/ca.pem <<'AGNES_CA_PEM'",
]
# PEM body is flush-left: `<<'DELIM'` heredocs preserve leading whitespace,
# and any indent inside the cert breaks `openssl x509` / Python ssl parsers.
lines.extend(pem.splitlines())
lines.extend([
"AGNES_CA_PEM",
"",
" (c) Register the cert in the OS trust store. Native binaries (claude.exe,",
" system git's Schannel/Security.framework backends) read the OS store",
" and ignore our env vars — without this, the later marketplace `git",
" clone` (when plugins are configured) and any user-side git/native",
" tooling against the Agnes host will fail.",
" No admin rights needed (user-store only). Idempotent.",
"",
" case \"$PLATFORM\" in",
" windows)",
" WIN_CA=\"$(cygpath -w ~/.agnes/ca.pem)\"",
" certutil.exe -user -addstore \"Root\" \"$WIN_CA\"",
" ;;",
" macos)",
" # Will prompt once for the keychain password.",
" security add-trusted-cert -r trustRoot \\",
" -k \"$HOME/Library/Keychains/login.keychain-db\" \\",
" ~/.agnes/ca.pem",
" ;;",
" linux)",
" if command -v update-ca-certificates >/dev/null 2>&1; then",
" sudo cp ~/.agnes/ca.pem /usr/local/share/ca-certificates/agnes.crt",
" sudo update-ca-certificates",
" elif command -v update-ca-trust >/dev/null 2>&1; then",
" sudo cp ~/.agnes/ca.pem /etc/pki/ca-trust/source/anchors/agnes.crt",
" sudo update-ca-trust",
" else",
" echo \"WARN: install ~/.agnes/ca.pem into your distro's trust store manually\" >&2",
" fi",
" ;;",
" esac",
"",
" (d) Build a COMBINED CA bundle (system roots + Agnes CA) for Python tools",
" and curl. SSL_CERT_FILE *replaces* the trust store, so pointing it at",
" the Agnes CA alone would break public hosts (PyPI etc.). Source the",
" system roots from a fallback chain — the first source that produces",
" a non-empty, existing path wins. Don't abort on the first miss; that's",
" what the chain is for.",
"",
" CERTIFI_PATH=\"$(python3 -c 'import certifi; print(certifi.where())' 2>/dev/null || true)\"",
" [ -z \"$CERTIFI_PATH\" ] && CERTIFI_PATH=\"$(python -c 'import certifi; print(certifi.where())' 2>/dev/null || true)\"",
" if [ -z \"$CERTIFI_PATH\" ]; then",
" for p in /mingw64/ssl/certs/ca-bundle.crt /usr/ssl/certs/ca-bundle.crt \\",
" /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt \\",
" /etc/ssl/cert.pem; do",
" [ -f \"$p\" ] && CERTIFI_PATH=\"$p\" && break",
" done",
" fi",
" if [ -z \"$CERTIFI_PATH\" ]; then",
" CERTIFI_PATH=\"$(uv run --native-tls --with certifi --no-project python -c 'import certifi; print(certifi.where())' 2>/dev/null || true)\"",
" fi",
" if [ -z \"$CERTIFI_PATH\" ] || [ ! -f \"$CERTIFI_PATH\" ]; then",
" echo \"ERROR: locate a system CA bundle. Install Python 3 + certifi and re-run.\" >&2",
" exit 1",
" fi",
" echo \"Base CA bundle: $CERTIFI_PATH\"",
" cat \"$CERTIFI_PATH\" ~/.agnes/ca.pem > ~/.agnes/ca-bundle.pem",
"",
" (e) Persist env vars in the rc file picked in (a). Idempotent — won't",
" duplicate on re-run thanks to the AGNES_CA_PEM_TRUST grep guard.",
" Note the asymmetry: SSL_CERT_FILE (and REQUESTS_CA_BUNDLE, GIT_SSL_CAINFO)",
" point at the COMBINED bundle because those tools REPLACE trust.",
" NODE_EXTRA_CA_CERTS points at just ca.pem because Node APPENDS to its",
" bundled roots.",
"",
" if ! grep -q 'AGNES_CA_PEM_TRUST' \"$RC\" 2>/dev/null; then",
" cat >> \"$RC\" <<'AGNES_RC_BLOCK'",
"# AGNES_CA_PEM_TRUST — added by Agnes setup",
"# Combined bundle (system roots + Agnes CA) for tools that REPLACE trust:",
"export SSL_CERT_FILE=\"$HOME/.agnes/ca-bundle.pem\"",
"export REQUESTS_CA_BUNDLE=\"$HOME/.agnes/ca-bundle.pem\"",
"export GIT_SSL_CAINFO=\"$HOME/.agnes/ca-bundle.pem\"",
"# Single-cert file for Node (APPENDS to bundled roots):",
"export NODE_EXTRA_CA_CERTS=\"$HOME/.agnes/ca.pem\"",
"export PATH=\"$HOME/.local/bin:$PATH\"",
"AGNES_RC_BLOCK",
" fi",
" # Apply for THIS shell too:",
" export SSL_CERT_FILE=\"$HOME/.agnes/ca-bundle.pem\"",
" export REQUESTS_CA_BUNDLE=\"$HOME/.agnes/ca-bundle.pem\"",
" export GIT_SSL_CAINFO=\"$HOME/.agnes/ca-bundle.pem\"",
" export NODE_EXTRA_CA_CERTS=\"$HOME/.agnes/ca.pem\"",
" export PATH=\"$HOME/.local/bin:$PATH\"",
"",
" IMPORTANT for the Bash tool: env vars do NOT persist between separate",
" Bash invocations. Re-export the four lines above (SSL_CERT_FILE,",
" REQUESTS_CA_BUNDLE, GIT_SSL_CAINFO, NODE_EXTRA_CA_CERTS) plus PATH at",
" the top of every later step's bash block that talks to Agnes.",
"",
])
return lines
def _install_cli_lines(*, has_ca: bool, server_url_placeholder: str = "{server_url}") -> list[str]:
"""Step 1 — install the `agnes` CLI.
When the trust block was emitted (`has_ca=True`), we MUST avoid
`uv tool install <https-url>` against the Agnes wheel endpoint:
rustls rejects the Agnes leaf cert with `CaUsedAsEndEntity`, regardless
of `--native-tls` (the rejection is at chain validation, not at trust
lookup — putting the cert in the OS store doesn't fix it). Solution:
download the wheel with `curl --cacert` (curl uses OpenSSL, no rustls),
then `uv tool install --native-tls` from the local file. PyPI deps
still resolve over HTTPS, but `--native-tls` makes uv use the OS trust
store for that path, which is fine because PyPI's CA chain is public.
When `has_ca=False`, we trust the server's cert is publicly valid, so
the simple direct install works.
"""
if has_ca:
return [
"1) Install the CLI.",
" The Agnes server's self-signed cert trips rustls' CaUsedAsEndEntity check,",
" so direct `uv tool install <https-url>` against the wheel endpoint fails",
" (even with --native-tls). Workaround: curl-then-local-install.",
"",
" If uv is missing first:",
" curl -LsSf https://astral.sh/uv/install.sh | sh",
" export PATH=\"$HOME/.local/bin:$PATH\"",
"",
" WHEEL=/tmp/{wheel_filename}",
f" curl -fsSL --cacert ~/.agnes/ca.pem -o \"$WHEEL\" {server_url_placeholder}/cli/wheel/{{wheel_filename}}",
" uv tool install --native-tls --force \"$WHEEL\"",
"",
" If `agnes --version` fails after install because ~/.local/bin is not on PATH:",
" export PATH=\"$HOME/.local/bin:$PATH\"",
" # Persist for future shells. Use `grep -qF` (fixed-string,",
" # not regex) + `||` short-circuit so a re-run doesn't append",
" # a duplicate. Pick the rc file your login shell reads:",
" RC=\"$HOME/.zshrc\" # or ~/.bashrc / ~/.bash_profile",
" grep -qF '$HOME/.local/bin' \"$RC\" 2>/dev/null \\",
" || echo 'export PATH=\"$HOME/.local/bin:$PATH\"' >> \"$RC\"",
" # (The trust block in step 0 already does this for you on first run.)",
]
return [
"1) Install the CLI:",
f" uv tool install --force {server_url_placeholder}/cli/wheel/{{wheel_filename}}",
"",
" If uv is not installed yet:",
" curl -LsSf https://astral.sh/uv/install.sh | sh",
"",
" If `agnes --version` fails after install because ~/.local/bin is not on PATH:",
" export PATH=\"$HOME/.local/bin:$PATH\"",
" # Persist for future shells. Use `grep -qF` (fixed-string, not",
" # regex) + `||` short-circuit so a re-run doesn't append a",
" # duplicate. Pick the rc file your login shell reads:",
" RC=\"$HOME/.zshrc\" # or ~/.bashrc / ~/.bash_profile",
" grep -qF '$HOME/.local/bin' \"$RC\" 2>/dev/null \\",
" || echo 'export PATH=\"$HOME/.local/bin:$PATH\"' >> \"$RC\"",
]
def _init_lines(server_url_placeholder: str = "{server_url}") -> list[str]:
"""Steps 2-4 — workspace folder check, then `agnes init` + smoke verify.
Step 2 verifies the user is already cd'd into the workspace folder
that the /home onboarding page's visible "Step 2 — create your
workspace folder" told them to create manually (`mkdir -p
~/{workspace_dir} && cd ~/{workspace_dir}`). The pasted script
DOES NOT auto-create the folder — that would silently override an
intentional choice to install at a different path (e.g. the user
cd'd to `~/work/agnes-prod` on purpose). Instead we `pwd`, compare
to `$HOME/{workspace_dir}`, and on mismatch warn loudly and ask the
user to either re-paste from the right folder or explicitly confirm
"install here" in the current cwd.
`{workspace_dir}` and `{instance_brand}` are placeholders pre-substituted
by :func:`resolve_lines` from the operator-configured brand. Defaults
keep `~/Agnes` behavior for instances that don't set the brand knob.
`agnes init --workspace .` continues to use the current cwd, so once
step 2 has confirmed (or the user has explicitly accepted) the
install dir, step 3 lands in the right place. Step 9's restart-claude
cue references "this same directory" so users on a custom path see
accurate guidance.
`agnes init` is the workspace-rails delivery mechanism for everyone:
it authenticates with the PAT, fetches CLAUDE.md (RBAC-filtered),
writes AGNES_WORKSPACE.md (human-facing docs), installs Claude Code
SessionStart/End hooks (auto-refresh), and runs an initial `agnes pull`
so DuckDB views are ready. Subsumes the legacy `agnes auth import-token`
+ `agnes auth whoami` pair — `init` already verifies the PAT against
`/api/catalog/tables` internally, and `agnes catalog` then doubles as
a smoke verify of the data plane.
The PAT minted by `/setup` is `general` scope with a 90 d TTL, so the
init call will succeed for the operator's whole 90 d window without
re-clicking "Generate prompt".
"""
return [
"",
"2) Verify the user is already in the workspace folder.",
" The /home page's visible \"Step 2 — create your workspace folder\"",
" already asked the user to run",
" mkdir -p ~/{workspace_dir} && cd ~/{workspace_dir}",
" in their terminal BEFORE pasting this script. Do NOT silently",
" re-create the folder here — the user may have intentionally cd'd",
" to a different location to install {instance_brand} there instead.",
"",
" Run:",
" pwd",
" Expected: $HOME/{workspace_dir} (i.e. ~/{workspace_dir})",
"",
" If `pwd` matches the expected path: continue silently to step 3.",
"",
" If `pwd` does NOT match, STOP and tell the user verbatim:",
"",
" \"You are in <current-pwd>, but {instance_brand} is normally",
" installed in ~/{workspace_dir} (see /home Step 2). Either run",
" mkdir -p ~/{workspace_dir} && cd ~/{workspace_dir}",
" in your terminal now and re-paste this setup script, OR reply",
" 'install here' to install {instance_brand} in <current-pwd>",
" instead. Reply 'abort' to stop.\"",
"",
" Wait for the user's reply.",
" - 'install here' → continue to step 3 in the current cwd.",
" The cwd you saw from `pwd` is the install",
" directory; remember it for step 9.",
" - 'abort' / anything else → stop without making any changes.",
" Do NOT run `mkdir`, do NOT `cd`, do NOT",
" continue to step 3.",
"",
"3) Bootstrap your {instance_brand} workspace in this directory.",
" Write the PAT to a file FIRST, then run `agnes init` with",
" `--token-file`. Passing the JWT inline via `--token \"eyJ...\"`",
" sometimes trips Claude Code's auto-classifier (long bearer",
" token in a command line looks like a credential-exfil pattern);",
" piping the token through a file keeps it out of the command-",
" line argv entirely.",
"",
" mkdir -p ~/.agnes && umask 077 && cat > ~/.agnes/token <<'AGNES_PAT'",
"{token}",
"AGNES_PAT",
f" agnes init --server-url \"{server_url_placeholder}\" --token-file ~/.agnes/token --workspace .",
"",
" If Claude Code still blocks an `agnes` command (e.g. the",
" `agnes init` line above or `agnes catalog` in step 4), prefix",
" it with `!` to run the command directly in your shell,",
" bypassing the auto-classifier — e.g. `! agnes init …`. The",
" `!` prefix is Claude Code's escape hatch for commands you",
" explicitly trust.",
"",
" This authenticates with the PAT, fetches your CLAUDE.md (RBAC-filtered),",
" writes AGNES_WORKSPACE.md (human-facing docs), installs Claude Code",
" SessionStart/End hooks (auto-refresh), and runs an initial `agnes pull`",
" so your DuckDB views are ready.",
"",
"4) Verify the data is queryable:",
" agnes catalog",
"",
" This should list the tables your account has grants for. Empty list",
" means your admin hasn't granted you access yet — contact them.",
"",
" Tip: type `/agnes-private` inside any Claude Code session to mark it",
" private — its transcript is skipped by `agnes push` (audit-logged to",
" `.claude/agnes-sessions-private-skipped.txt`). The statusbar shows",
" `🔒 agnes-private` while you're in a private session.",
]
def _diagnose_lines(*, diagnose_num: str) -> list[str]:
"""Diagnose step — runs AFTER the marketplace + MCP blocks.
Putting it last (instead of right after `whoami`) means it doubles as
a server-health smoke test that runs once everything else is in place,
not as a gate before them.
The bundled `agnes skills` knowledge base (markdown documents listable
via `agnes skills list` / readable via `agnes skills show <name>`) is
intentionally NOT surfaced as its own setup step (#242 dropped that
interactive prompt). Discovery happens organically when CLAUDE.md or
another skill references a specific entry (see the
`agnes skills show agnes-data-querying` mention in the CLAUDE.md
template's BigQuery section). Bulk-copying every skill into
`~/.claude/skills/agnes/` at setup time was an opinion question with
no obvious right answer; on-demand lookup is the one-size-fits-all
default.
"""
return [
"",
f"{diagnose_num}) Run diagnostics:",
" agnes diagnose",
"",
" This should print \"Overall: healthy\". `db_schema: unknown` and",
" `data: 0 tables` are NORMAL in two cases:",
" - fresh install (no tables registered yet), and",
" - non-admin roles (e.g. `analyst`) that don't have grants to read",
" the system schema even on populated instances.",
" Only flag actual yellow/red checks (api / duckdb_state / users).",
]
def _connectors_block(
step_num: str,
connector_prompts: dict[str, str],
*,
confirm_step_num: str,
) -> list[str]:
"""Per-connector interactive ask + inline prompt. Last interactive
step before Confirm.
Defaults to install (Y) — the user has to actively type "no" to skip.
Rationale: when the operator provisions a shared GWS OAuth app
(AGNES_GWS_CLIENT_ID + AGNES_GWS_CLIENT_SECRET), the GWS path runs
in ~2 minutes with zero GCP clickops; Asana + Atlassian only need
the user's own API token from their respective developer consoles —
which they need either way to use the tool. Default-install matches
"wire everything up" — the common path.
Each connector's prompt body comes verbatim from
``app/web/connector_prompts.py`` — same source the /home tile cards
render, so editing one place updates both surfaces. The prompts
themselves are idempotent (each has its own step-0 precheck) so
re-runs short-circuit cleanly.
Connectors are presented in the order they appear in the
``connector_prompts`` dict — the caller controls ordering by how
they build the dict. Today that's asana → gws → atlassian, matching
the /home tile order.
"""
lines = [
"",
f"{step_num}) Connect the user's tools (last interactive ask before Confirm):",
"",
" For each tool below, ask the user verbatim: \"Set up <NAME> now? (Y/n)\".",
" Treat empty/Enter as YES — the default is install. Only skip when the",
" user types an explicit \"no\" / \"n\" / \"skip\". Wait for each answer",
" before moving to the next. The prompts below are idempotent and",
" safe to re-run if anything goes sideways.",
"",
]
# Stable ordering — let the dict iteration order win (Python 3.7+ insertion-ordered).
# Caller controls which connectors are present; we just iterate.
sub_letters = "abcdefghij"
for i, (slug, body) in enumerate(connector_prompts.items()):
# Display name is sourced from the registry so the ask phrasing stays
# in lockstep with what /home renders.
from app.web.connector_prompts import CONNECTORS # local import — avoids module-load cycles
display = next((c.display_name for c in CONNECTORS if c.slug == slug), slug)
desc = next((c.description for c in CONNECTORS if c.slug == slug), "")
lines.append(f" {sub_letters[i]}) {display}{desc}")
lines.append(f" Ask: \"Set up {display} now? (Y/n)\"")
lines.append(" If yes (default) — follow this inline prompt verbatim:")
lines.append("")
# Indent the prompt body two spaces so it visually nests under the
# ask. Empty lines stay empty (no trailing whitespace).
for body_line in body.split("\n"):
lines.append(f" {body_line}" if body_line else "")
lines.append("")
lines.extend([
f" After all asks (regardless of answers) continue to step {confirm_step_num}.",
])
return lines
def _restart_claude_lines(step_num: str) -> list[str]:
"""Final 'restart Claude Code' instruction emitted immediately before
Confirm. Marketplace plugins, MCP server registrations, and the
SessionStart hooks installed during init only load on the next
Claude Code session — without this step the user sits inside the
setup session with stale state and re-discovers the requirement
later. The marketplace step's trailer already mentions /exit
+ claude conditionally; this is the unconditional equivalent so
every path (with or without plugins) ends on the same cue.
"""
return [
"",
f"{step_num}) Restart Claude Code so every plugin, MCP server, and SessionStart hook installed above actually loads:",
" Tell me to type `/exit` (or close the Claude Code session entirely), then run `claude` again from this same directory — the install dir confirmed in step 2 (`~/{workspace_dir}` on the default path, or whatever cwd the user explicitly accepted with 'install here').",
" The next session boots with all marketplace plugins, every connector's keychain entries / OAuth grants, and the agnes-welcome + refresh-marketplace SessionStart hooks active. This is the last action before the Confirm summary — once I'm back in Claude Code, setup is complete.",
]
def _finale_lines(*, confirm_step_num: str, has_ca: bool) -> list[str]:
"""Final Confirm step. Bullets it asks the assistant to report on must
only reference earlier steps that were actually emitted, otherwise the
assistant either hallucinates an answer or asks the user about a
non-existent step. The CA-bundle-source bullet only makes sense when
the trust block ran (`has_ca`). The marketplace clone bullet is
unconditional now — preflight + marketplace are always emitted (Fix B
in the 2026-05-10 init-report response). Init + catalog + diagnose +
skills + connectors + version always render, so their bullets are
unconditional. The per-connector ✅/❌ bullet exploits the uniform
output contract every connector prompt emits on its verify step —
the assistant scans its own prior output for those markers instead
of re-running probes."""
bullets = [
" - `agnes --version` output",
" - First few lines of `agnes catalog` (tables you can see)",
" - Confirmation that `./CLAUDE.md` and `./AGNES_WORKSPACE.md` exist",
" - Confirmation that `./.claude/settings.json` contains SessionStart/End hooks",
" - The `agnes diagnose` overall status",
" - Whether skills were copied or left on-demand",
" - Confirmation that `~/.agnes/marketplace/.git/` exists "
"(the marketplace clone) and that any granted plugins installed",
" - For each connector (Asana, Google Workspace, Atlassian): "
"the verbatim ✅ or ❌ line that the connector's verify step "
"emitted earlier in this session (e.g. `✅ Asana ready — connected "
"as Vojtech Rysanek. 2 workspace(s) visible.` or `❌ Atlassian setup "
"failed: ...`). If the user declined a connector, say declined.",
]
if has_ca:
bullets.append(
" - Which CA bundle source got picked in step 0(d) "
"(system Python certifi / system curl bundle / uv-fetched)"
)
return [
f"{confirm_step_num}) Confirm:",
" Tell me \"{instance_brand} workspace is ready\" and summarize:",
*bullets,
]
def _preflight_block(step_num: str) -> list[str]:
"""Pre-flight check — runs before the marketplace clone.
`claude plugin marketplace add` (and our git-clone fallback) shells out
to `git`, AND the marketplace step calls `claude` itself, so a missing
binary on either side fails the step with a confusing error. We check
both here so the user gets a single clear "install X" message instead
of debugging a downstream error.
Cross-platform install commands cover the three supported workstation
OSes:
- macOS: Homebrew (`brew install git`). The Xcode CLT bundle also
ships git; we prefer brew because it's non-interactive.
- Windows: winget (`winget install --id Git.Git -e ...`). Bundled
with Windows 10 1809+ and Windows 11; non-interactive with --silent.
- Linux: apt or dnf, depending on distro family.
For `claude` we point at the official platform installer docs rather
than vendoring an install one-liner — Anthropic ships per-platform
installers (npm on Linux, native binary on macOS/Windows) and the
canonical instructions live at https://docs.claude.com/claude-code.
`step_num` is parameterized because step ordering shifted between
layouts (the marketplace block now runs before diagnose/skills, so
preflight + marketplace are steps 4-5 instead of 6-7).
"""
return [
"",
f"{step_num}) Make sure git and claude are installed (required for the marketplace clone):",
" git --version",
" claude --version",
"",
" If `git --version` fails (\"command not found\" or similar), install git:",
" - macOS: brew install git",
" - Windows: winget install --id Git.Git -e --source winget --silent",
" - Linux: sudo apt-get install git OR sudo dnf install git",
"",
" If `claude --version` fails, install Claude Code:",
" - npm (Linux): npm i -g @anthropic-ai/claude-code",
" - macOS / Windows native installer: see https://docs.claude.com/claude-code",
"",
" Then re-run both `--version` checks to confirm before continuing.",
]
def _marketplace_block(
plugin_install_names: list[str],
step_num: str,
) -> list[str]:
"""Build the marketplace + plugin-install block.
`plugin_install_names` may be empty: registering the per-user
marketplace clone with Claude Code is useful even when the operator
has zero plugin grants, because it pre-wires the SessionStart hook
and the grant flow — admin grants land on the next Claude Code
session without re-running setup. The block copy adapts for the
empty case so the comment-bullet doesn't promise plugin installs
that won't happen.
`step_num` is parameterized because step ordering shifted between
layouts (this block now runs before diagnose/skills, so it's step 5
instead of the old step 7).
The whole block is one CLI invocation: ``agnes refresh-marketplace
--bootstrap``. The CLI handles clone + PAT-strip + chmod + register-
with-Claude + auto-install-from-manifest internally. This is what
used to be a 15-line shell sequence inline; pulling it into the CLI
bought:
1. **Claude Code permission gate friendliness.** The agent-driven
onboarding flow inside Claude Code denies ``rm -rf`` by default;
the inline script tripped on it. Wrapping the destructive prep
inside agnes lets the CLI's already-trusted permission grant
cover it (Python ``shutil.rmtree`` doesn't pattern-match the
shell ``rm -rf`` block).
2. **Idempotence without inline ``rm``.** Re-running the install
prompt over an existing clone now does fetch+reset under the
hood (no destructive cleanup needed). The prompt's "safe to
re-run" promise holds without forcing the operator to delete
anything by hand.
3. **One source of truth.** ``agnes refresh-marketplace`` is also
the SessionStart hook command, so install + refresh share the
same code path — version-aware reconcile, hook JSON output,
credential helper PAT injection, all consistent.
Why always clone (with the CLI doing it) instead of trying direct
HTTPS marketplace add first? ``claude plugin marketplace add
<https-url>`` does succeed against our ``/marketplace.git/`` endpoint
(returns 200 + JSON), but Claude Code stores the response as a
single-file marketplace and resolves plugin ``source:
"./plugins/<name>"`` paths as local filesystem refs — so the
subsequent ``claude plugin install`` looks for plugin trees at
``<marketplace-dir>/plugins/<name>/`` and 404s because the dir is a
file. Only the git-clone path produces a real directory tree with
plugin contents in place. Broken end-to-end on every Claude Code
distribution; cloning is the only reliable install path.
TLS handling for the in-binary ``git clone`` is fully covered by the
cross-platform trust block (step 0) when the server's cert needs
bootstrapping (`ca_pem` non-empty), and by the OS trust store when
the cert is publicly-trusted. There used to be a legacy fallback
here that emitted a host-scoped ``git config http.<host>.sslVerify
false`` line for the ``AGNES_DEBUG_AUTH`` path; that's gone — it
masked operator misconfigurations (a ``self_signed_tls=True``
instance without ``/data/state/certs/fullchain.pem`` on disk) and
its ``sslVerify=false`` shell command tripped Claude Code auto-mode
classifiers. Operators serving a self-signed or private-CA cert
must place the fullchain at ``AGNES_TLS_FULLCHAIN_PATH`` (default
``/data/state/certs/fullchain.pem``) so step 0 can read it via
``_read_agnes_ca_pem``.
"""
has_plugins = bool(plugin_install_names)
header = (
"Register the Agnes Claude Code marketplace and install plugins:"
if has_plugins
else "Register the Agnes Claude Code marketplace (no plugins granted yet):"
)
bullet_5 = (
" # 5. install every plugin listed in the served manifest"
if has_plugins
else " # 5. (no plugins to install — your account has zero grants)"
)
if has_plugins:
trailer = [
" These run non-interactively. After they finish, tell the user to /exit",
" and run `claude` again so the new plugins load. From then on, the",
" SessionStart hook keeps the marketplace clone in sync via",
" `agnes refresh-marketplace --quiet` on every Claude Code session.",
]
else:
trailer = [
" Your account has no plugin grants right now, but registering the",
" marketplace anyway pre-wires the SessionStart hook. When an admin",
" grants you a plugin later, `agnes refresh-marketplace` (run by the",
" hook on every Claude Code session) will install it automatically —",
" no need to re-run this setup script.",
]
return [
"",
f"{step_num}) {header}",
" # `agnes refresh-marketplace --bootstrap` does:",
" # 1. clone the per-user marketplace bare repo to ~/.agnes/marketplace",
" # 2. strip the PAT from the cloned origin URL (refreshes use a",
" # per-invocation git credential helper, not the URL)",
" # 3. best-effort chmod 700/600 on POSIX (no-op on Windows NTFS)",
" # 4. `claude plugin marketplace add ~/.agnes/marketplace`",
bullet_5,
" # Idempotent — re-runs over an existing clone do fetch+reset+reconcile",
" # via the same path the SessionStart hook uses.",
" agnes refresh-marketplace --bootstrap || {",
" echo \"ERROR: agnes refresh-marketplace --bootstrap failed\" >&2",
" exit 1",
" }",
"",
*trailer,
]
def _preamble_lines(*, has_ca: bool) -> list[str]:
"""Header that opens the prompt before the numbered steps. The
`step 0(d) fallback chain` reference is only emitted when the trust
block actually exists (`has_ca`); without it the line points at a
non-existent step. The "don't disable TLS verification" advice itself
stays unconditional — it's good guidance regardless of whether the
server runs with a private CA."""
lines = [
"Set up the {instance_brand} CLI on this machine.",
"",
"Server: {server_url}",
"Personal access token: {token}",
"(Just generated; treat it as a secret.)",
"",
"Run these, in order. The script is idempotent — safe to re-run if a step",
"fails partway through. If a step fails with an unfamiliar error, paste the",
"exact error back and stop. Do NOT improvise around TLS errors by disabling",
"verification (`-k`, `NODE_TLS_REJECT_UNAUTHORIZED=0`,",
"`git -c http.sslVerify=false`, etc.) — those are dead ends that hide the",
"real problem.",
]
if has_ca:
lines.append(
"The fallback chain inside step 0(d) is documented and OK to "
"use; that's what fallback chains are for."
)
lines.append("")
return lines
def _step_numbers(*, has_connectors: bool = True) -> dict[str, str]:
"""Compute the step numbers for the unified layout.
Returns a dict keyed by logical step name; values are stringified
1-based step numbers (preserving the existing string-based helper API
so call sites stay diff-minimal).
Steps (always emitted): install (1), mkdir/cd (2), init (3),
catalog (4), preflight (5), marketplace (6), diagnose (7),
connectors (8), restart_claude (9), confirm (10). Preflight +
marketplace + connectors + restart_claude are always-on:
- Marketplace registration is useful even when the operator has
zero plugin grants (SessionStart hook reconciles future grants
automatically).
- Connectors (Asana / GWS / Atlassian) are per-connector default-yes
asks — the user can decline each individually, so always-emitting
the block costs nothing for users who skip everything. The
Atlassian Remote MCP registration (`claude mcp add ...`) used to
be its own step 6 but moved INTO the Atlassian connector's
prompt body (atlassian_prompt() in app.web.connector_prompts) so
everything Atlassian-related lives in one group — both the
/home Atlassian tile and the inlined Atlassian sub-block in the
setup script emit the same `claude mcp add` line as part of the
standard connector setup.
The interactive "Skills" step that previously sat between diagnose
and Confirm was deleted in #242 — on-demand `agnes skills show
<name>` is the one-size-fits-all default; bulk-copying every skill
into ``~/.claude/skills/agnes/`` was an opinion question without an
obvious right answer.
`has_connectors` is kept as a parameter for future flexibility
(default True). When set False, the connectors step is skipped and
Confirm shifts down to step 7.
Step-0 (TLS trust block) sits outside this numbering — it is gated by
has_ca and has its own "0)" header rendered inside the trust block
helper.
"""
n = 5
preflight = str(n); n += 1
marketplace = str(n); n += 1
diagnose = str(n); n += 1
connectors = str(n) if has_connectors else ""
if has_connectors:
n += 1
restart_claude = str(n); n += 1
confirm = str(n)
return {
"preflight": preflight,
"marketplace": marketplace,
"diagnose": diagnose,
"connectors": connectors,
"restart_claude": restart_claude,
"confirm": confirm,
}
def resolve_lines(
wheel_filename: str,
*,
plugin_install_names: list[str] | None = None,
server_host: str = "",
ca_pem: str | None = None,
connector_prompts: dict[str, str] | None = None,
instance_brand: str = "Agnes",
workspace_dir: str = "Agnes",
) -> list[str]:
"""Return the template lines with server-side placeholders substituted.
Pre-substitutes `{wheel_filename}` and `{server_host}`. Leaves
`{server_url}` and `{token}` as placeholders for click-time JS
substitution (or for `render_setup_instructions()` below).
`ca_pem` (PEM-encoded fullchain of the Agnes server's TLS cert) gates
the cross-platform step-0 trust-bootstrap block AND switches step 1 to
the curl-then-local-install pattern AND switches step 5 to the
platform-aware marketplace strategy. Caller decides whether the cert
needs the bootstrap (typically: skip for publicly-trusted certs like
Let's Encrypt, emit for self-signed or private corp CA).
`connector_prompts` is a dict {slug: prompt_text} sourced from
:func:`app.web.connector_prompts.all_connector_prompts`. When empty
or None we fall back to the module's defaults (no operator GWS OAuth
credentials baked in — the unconfigured GCP-walkthrough branch
renders). Both the /home tiles and this setup script consume the
same dict so the prompt text stays in lockstep across surfaces.
Fallback: callers pass `"agnes.whl"` when no wheel is present on disk.
The resulting URL (`/cli/wheel/agnes.whl`) will 404 at download time, but
the instruction text still renders so operators can see the snippet shape
and diagnose the missing wheel on the server.
"""
names = list(plugin_install_names or [])
has_ca = bool(ca_pem and ca_pem.strip())
# Lazy default for connector_prompts. Imported inline so the
# setup_instructions module stays import-light when callers don't
# actually emit the connectors block (tests that hit a single helper
# don't pay the cost of loading the prompt strings).
if not connector_prompts:
from app.web.connector_prompts import all_connector_prompts
connector_prompts = all_connector_prompts()
# Step layout. Preflight + marketplace + MCP go BEFORE diagnose;
# connectors is the LAST interactive ask before Confirm — once plugins
# + MCP + diagnose are settled, the only remaining work is plugging
# the user's tools (Asana / GWS / Atlassian). The Skills step that
# used to sit between diagnose and Confirm was deleted in #242
# (on-demand `agnes skills show <name>` is the default;
# bulk-copying skills was an opinion question).
steps = _step_numbers(has_connectors=True)
lines: list[str] = []
if has_ca:
lines.extend(_tls_trust_block(ca_pem)) # type: ignore[arg-type]
lines.extend(_preamble_lines(has_ca=has_ca))
lines.extend(_install_cli_lines(has_ca=has_ca)) # 1
lines.extend(_init_lines()) # 2, 3
lines.extend(_preflight_block(steps["preflight"])) # 4
lines.extend(_marketplace_block(names, step_num=steps["marketplace"])) # 5
# Standalone MCP step used to live here — moved INTO the Atlassian
# connector's prompt body in step 7 so all Atlassian setup is grouped
# together.
lines.extend(_diagnose_lines(diagnose_num=steps["diagnose"])) # 6
# Connectors are the LAST interactive ask before the restart-claude
# cue. Per-connector default-yes — empty/Enter is install, explicit
# "no" skips.
lines.extend(_connectors_block(
steps["connectors"], connector_prompts,
confirm_step_num=steps["confirm"],
))
# Restart-claude lands between connectors and confirm so the user
# picks up freshly-registered plugins / MCP servers / hooks on the
# next session — without this every path silently expected the user
# to know they had to re-launch.
lines.extend(_restart_claude_lines(steps["restart_claude"]))
lines.append("")
lines.extend(_finale_lines(
confirm_step_num=steps["confirm"],
has_ca=has_ca,
))
return [
line
.replace("{wheel_filename}", wheel_filename)
.replace("{server_host}", server_host)
.replace("{workspace_dir}", workspace_dir)
.replace("{instance_brand}", instance_brand)
for line in lines
]
def render_setup_instructions(
server_url: str,
token: str,
wheel_filename: str = "agnes.whl",
*,
plugin_install_names: list[str] | None = None,
server_host: str = "",
ca_pem: str | None = None,
connector_prompts: dict[str, str] | None = None,
instance_brand: str = "Agnes",
workspace_dir: str = "Agnes",
) -> str:
"""Render the setup instructions as a single string.
Used server-side for tests and any non-JS rendering path. The browser
clipboard flow uses the JS renderer embedded in the Jinja partial; both
must produce byte-identical output for a given (server_url, token,
wheel, plugins, host, ca_pem, connector_prompts, brand, workspace_dir) tuple.
"""
lines = resolve_lines(
wheel_filename,
plugin_install_names=plugin_install_names,
server_host=server_host,
ca_pem=ca_pem,
connector_prompts=connector_prompts,
instance_brand=instance_brand,
workspace_dir=workspace_dir,
)
text = "\n".join(lines)
return text.replace("{server_url}", server_url).replace("{token}", token)
Reference in a new issue View git blame Copy permalink