askshepherd 0.1.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +179 -0
- package/assets/shepherd_G_vector_136033.png +0 -0
- package/bin/shepherd-onboard.js +3405 -0
- package/package.json +26 -0
package/README.md
ADDED
|
@@ -0,0 +1,179 @@
|
|
|
1
|
+
# AskShepherd
|
|
2
|
+
|
|
3
|
+
Customer-facing raw sync onboarding for Shepherd.
|
|
4
|
+
|
|
5
|
+
## Coding Agent One-liner
|
|
6
|
+
|
|
7
|
+
Give this to a coding agent:
|
|
8
|
+
|
|
9
|
+
```sh
|
|
10
|
+
npx -y askshepherd@latest agent
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
The command defaults to the customer-facing production Shepherd cloud. It prints the exact prompt the agent should follow, then the exact follow-up commands to open Shepherd WorkOS login/signup, guide Google Workspace Admin Console delegation, open source auth for non-Google sources, open Granola's API key page, finalize, start cloud raw polling/backfills, request downstream production processing, and install local Messages sync.
|
|
14
|
+
The agent prompt tells coding agents to ask short selection questions first: existing/new org, sources to connect, and Messages skip/provide-handle. If Messages is selected, the agent runs `messages-chats`, opens a minimal searchable local webpage, and has the user select which contacts/groups to sync. Account creation/relinking always starts with Shepherd WorkOS auth.
|
|
15
|
+
Existing-organization joins are verified from Shepherd login and company email domain; the typed org name is not trusted by itself.
|
|
16
|
+
|
|
17
|
+
For experiments, pass a separate non-production API explicitly:
|
|
18
|
+
|
|
19
|
+
```sh
|
|
20
|
+
npx -y askshepherd@latest agent --api https://<non-prod-brain-api>
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
## Human Terminal One-liner
|
|
24
|
+
|
|
25
|
+
```sh
|
|
26
|
+
npx -y askshepherd@latest
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
The command:
|
|
30
|
+
|
|
31
|
+
- runs Shepherd WorkOS login/signup first
|
|
32
|
+
- asks for name, organization, and an optional local Messages handle
|
|
33
|
+
- creates or reuses the Shepherd customer account from the WorkOS-authenticated email
|
|
34
|
+
- creates or reuses the organization, including case-insensitive and close-name matches
|
|
35
|
+
- only reuses an existing organization when the authenticated account is allowed to join it
|
|
36
|
+
- prints Google Workspace domain-wide delegation setup for a Workspace super admin
|
|
37
|
+
- opens Slack authorization
|
|
38
|
+
- opens the Granola desktop app to Settings -> Connectors -> API keys
|
|
39
|
+
- collects the Granola API key after opening the Granola screen when Granola is enabled
|
|
40
|
+
- asks the user to grant or confirm macOS Full Disk Access before local Messages sync
|
|
41
|
+
- checks local Messages access and keeps prompting in interactive onboarding until Full Disk Access works
|
|
42
|
+
- opens a minimal searchable local webpage with contact/group names and only syncs the chats selected by the user
|
|
43
|
+
- sets up local macOS Messages raw sync with a background LaunchAgent scoped to the selected chats
|
|
44
|
+
- starts raw polling/backfill for connected sources
|
|
45
|
+
- asks the customer-facing production cloud to schedule downstream processing; wiki ingestion, memory artifacts, and document summaries run in separate brain services, not in the local CLI
|
|
46
|
+
|
|
47
|
+
The command does not expose Railway, database, Redis, or internal service details to the user.
|
|
48
|
+
|
|
49
|
+
## Customer MCP Login
|
|
50
|
+
|
|
51
|
+
After raw onboarding creates the Shepherd customer account, customers can
|
|
52
|
+
install the production MCP from the saved local onboarding session:
|
|
53
|
+
|
|
54
|
+
```sh
|
|
55
|
+
npx -y askshepherd@latest mcp-login
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
The command first verifies `~/.shepherd/raw-onboarding-agent.json` against the
|
|
59
|
+
production API and mints an MCP token for that exact customer account. If the
|
|
60
|
+
local onboarding session is unavailable, it falls back to Shepherd WorkOS auth
|
|
61
|
+
and still links only an existing onboarded customer account. It writes
|
|
62
|
+
`~/.shepherd/mcp.json` and asks where Shepherd MCP should be accessible. It can
|
|
63
|
+
install the MCP into:
|
|
64
|
+
|
|
65
|
+
- Codex CLI/app
|
|
66
|
+
- Claude Code
|
|
67
|
+
- Cursor IDE and Cursor Agent
|
|
68
|
+
|
|
69
|
+
The saved MCP state includes:
|
|
70
|
+
|
|
71
|
+
- `mcpUrl`: `https://brain-api-customer-facing.up.railway.app/mcp`
|
|
72
|
+
- `token`: bearer token for MCP clients
|
|
73
|
+
- `account`: linked customer account metadata
|
|
74
|
+
- `authSource`: `local_onboarding` or `workos`
|
|
75
|
+
- `localAuth`: raw onboarding state reference when local auth was used
|
|
76
|
+
|
|
77
|
+
Use `--json` when an agent or setup script needs machine-readable endpoint and
|
|
78
|
+
header details.
|
|
79
|
+
|
|
80
|
+
Install an existing MCP login later:
|
|
81
|
+
|
|
82
|
+
```sh
|
|
83
|
+
npx -y askshepherd@latest mcp-install
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
`mcp-install` refreshes missing or near-expired MCP auth from the saved local
|
|
87
|
+
onboarding session before configuring clients, so already-onboarded customers
|
|
88
|
+
do not need to sign in again. Local Messages continues syncing through its
|
|
89
|
+
LaunchAgent and cloud sources continue syncing through production pollers; MCP
|
|
90
|
+
auth only controls read access to that customer's production memory/wiki data.
|
|
91
|
+
|
|
92
|
+
Install targets can also be provided non-interactively:
|
|
93
|
+
|
|
94
|
+
```sh
|
|
95
|
+
npx -y askshepherd@latest mcp-login --install codex,claude,cursor
|
|
96
|
+
npx -y askshepherd@latest mcp-install --install all
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
After install, customers can immediately ask their coding agent questions like:
|
|
100
|
+
|
|
101
|
+
```text
|
|
102
|
+
Use Shepherd to catch me up on what the team discussed yesterday.
|
|
103
|
+
Use Shepherd to search Slack, Gmail, Messages, Granola, and the wiki for launch blockers.
|
|
104
|
+
Use Shepherd to find the last meeting where we discussed the enterprise pilot.
|
|
105
|
+
Use Shepherd to summarize open follow-ups from this week's memory.
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
The production MCP gives onboarded customers the same read/QA behavior that made
|
|
109
|
+
the internal Shepherd MCP useful: summary-first answers, wiki search/read, and
|
|
110
|
+
source drill-in. Internal local sync, admin, replay, write/delete, and cache
|
|
111
|
+
maintenance tools are not exposed to customers.
|
|
112
|
+
|
|
113
|
+
## Google Workspace Domain-wide Delegation
|
|
114
|
+
|
|
115
|
+
Business customers connect Google Workspace once as an admin. Employees do not create service accounts and do not each complete Google OAuth for Gmail, Calendar, Drive, Docs, Sheets, Slides, Tasks, or Contacts.
|
|
116
|
+
|
|
117
|
+
Customer-side setup in Google Admin Console:
|
|
118
|
+
|
|
119
|
+
```text
|
|
120
|
+
App name: Shepherd
|
|
121
|
+
Service account email: gigabrain-delegation@shepherd-gigabrain.iam.gserviceaccount.com
|
|
122
|
+
Domain-wide delegation OAuth Client ID: 118363960386741325727
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
The customer super admin authorizes that Client ID with the scopes printed by the CLI. The customer does not upload service account JSON; Shepherd stores its private service account JSON server-side in `GOOGLE_WORKSPACE_SERVICE_ACCOUNT_KEY_JSON` and requests delegated tokens with `sub=<allowed_employee_email>`.
|
|
126
|
+
|
|
127
|
+
Shepherd must still enforce selected users and groups internally before impersonating or polling employee emails.
|
|
128
|
+
|
|
129
|
+
## Options
|
|
130
|
+
|
|
131
|
+
```sh
|
|
132
|
+
--email <email> Advanced: must match the WorkOS-authenticated email
|
|
133
|
+
--name <name> Full name
|
|
134
|
+
--org <name> Organization name
|
|
135
|
+
--granola-api-key <key> Granola API key
|
|
136
|
+
--messages-handle <value> Messages phone number or Apple ID email
|
|
137
|
+
--messages-chat-ids <ids> Comma-separated chat IDs selected from messages-chats
|
|
138
|
+
--messages-backfill-days Local Messages backfill window, default all selected chat history
|
|
139
|
+
--api <url> Advanced: Shepherd API URL. Use only for non-production experiments or local/staging testing.
|
|
140
|
+
--no-google Skip Google Workspace (Gmail/Drive/Docs/Calendar/Sheets/Slides/Tasks/Contacts)
|
|
141
|
+
--no-slack Skip Slack
|
|
142
|
+
--no-granola Skip Granola
|
|
143
|
+
--no-open-granola Do not open the Granola API key screen
|
|
144
|
+
--no-messages Skip local Messages
|
|
145
|
+
--no-open Print auth URLs instead of opening the browser
|
|
146
|
+
```
|
|
147
|
+
|
|
148
|
+
## Messages Chat Selection
|
|
149
|
+
|
|
150
|
+
Local Messages sync on macOS needs Full Disk Access. During onboarding, Shepherd asks the user to grant or confirm Full Disk Access for:
|
|
151
|
+
|
|
152
|
+
- the app running onboarding, such as Terminal, iTerm, Claude Code, or Codex
|
|
153
|
+
- the Node.js binary used by the background LaunchAgent
|
|
154
|
+
|
|
155
|
+
The Messages selector validates access to `~/Library/Messages/chat.db`, opens System Settings -> Privacy & Security -> Full Disk Access if access is missing, and keeps checking in interactive onboarding until access works. Background sync install also checks that launchd can start the Messages agent. Contacts permission may also appear when Shepherd resolves local contact names for selected chats.
|
|
156
|
+
|
|
157
|
+
Open the local Messages chat selector:
|
|
158
|
+
|
|
159
|
+
```sh
|
|
160
|
+
npx -y askshepherd@latest messages-chats
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
Use `--json` for machine-readable chat metadata, or `--text` for a terminal list.
|
|
164
|
+
|
|
165
|
+
The browser selector displays the first page of recent chats and lets the user search contacts or groups loaded from local Messages.
|
|
166
|
+
|
|
167
|
+
Pass the selected chat IDs when finishing onboarding:
|
|
168
|
+
|
|
169
|
+
```sh
|
|
170
|
+
npx -y askshepherd@latest agent --continue --messages-handle "<phone_or_apple_id>" --messages-chat-ids "<id1>,<id2>"
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
## Granola API Keys
|
|
174
|
+
|
|
175
|
+
If Granola does not land on the API keys page, run:
|
|
176
|
+
|
|
177
|
+
```sh
|
|
178
|
+
npx -y askshepherd@latest granola-api-keys
|
|
179
|
+
```
|
|
Binary file
|