askshepherd 0.1.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md ADDED
@@ -0,0 +1,179 @@
1
+ # AskShepherd
2
+
3
+ Customer-facing raw sync onboarding for Shepherd.
4
+
5
+ ## Coding Agent One-liner
6
+
7
+ Give this to a coding agent:
8
+
9
+ ```sh
10
+ npx -y askshepherd@latest agent
11
+ ```
12
+
13
+ The command defaults to the customer-facing production Shepherd cloud. It prints the exact prompt the agent should follow, then the exact follow-up commands to open Shepherd WorkOS login/signup, guide Google Workspace Admin Console delegation, open source auth for non-Google sources, open Granola's API key page, finalize, start cloud raw polling/backfills, request downstream production processing, and install local Messages sync.
14
+ The agent prompt tells coding agents to ask short selection questions first: existing/new org, sources to connect, and Messages skip/provide-handle. If Messages is selected, the agent runs `messages-chats`, opens a minimal searchable local webpage, and has the user select which contacts/groups to sync. Account creation/relinking always starts with Shepherd WorkOS auth.
15
+ Existing-organization joins are verified from Shepherd login and company email domain; the typed org name is not trusted by itself.
16
+
17
+ For experiments, pass a separate non-production API explicitly:
18
+
19
+ ```sh
20
+ npx -y askshepherd@latest agent --api https://<non-prod-brain-api>
21
+ ```
22
+
23
+ ## Human Terminal One-liner
24
+
25
+ ```sh
26
+ npx -y askshepherd@latest
27
+ ```
28
+
29
+ The command:
30
+
31
+ - runs Shepherd WorkOS login/signup first
32
+ - asks for name, organization, and an optional local Messages handle
33
+ - creates or reuses the Shepherd customer account from the WorkOS-authenticated email
34
+ - creates or reuses the organization, including case-insensitive and close-name matches
35
+ - only reuses an existing organization when the authenticated account is allowed to join it
36
+ - prints Google Workspace domain-wide delegation setup for a Workspace super admin
37
+ - opens Slack authorization
38
+ - opens the Granola desktop app to Settings -> Connectors -> API keys
39
+ - collects the Granola API key after opening the Granola screen when Granola is enabled
40
+ - asks the user to grant or confirm macOS Full Disk Access before local Messages sync
41
+ - checks local Messages access and keeps prompting in interactive onboarding until Full Disk Access works
42
+ - opens a minimal searchable local webpage with contact/group names and only syncs the chats selected by the user
43
+ - sets up local macOS Messages raw sync with a background LaunchAgent scoped to the selected chats
44
+ - starts raw polling/backfill for connected sources
45
+ - asks the customer-facing production cloud to schedule downstream processing; wiki ingestion, memory artifacts, and document summaries run in separate brain services, not in the local CLI
46
+
47
+ The command does not expose Railway, database, Redis, or internal service details to the user.
48
+
49
+ ## Customer MCP Login
50
+
51
+ After raw onboarding creates the Shepherd customer account, customers can
52
+ install the production MCP from the saved local onboarding session:
53
+
54
+ ```sh
55
+ npx -y askshepherd@latest mcp-login
56
+ ```
57
+
58
+ The command first verifies `~/.shepherd/raw-onboarding-agent.json` against the
59
+ production API and mints an MCP token for that exact customer account. If the
60
+ local onboarding session is unavailable, it falls back to Shepherd WorkOS auth
61
+ and still links only an existing onboarded customer account. It writes
62
+ `~/.shepherd/mcp.json` and asks where Shepherd MCP should be accessible. It can
63
+ install the MCP into:
64
+
65
+ - Codex CLI/app
66
+ - Claude Code
67
+ - Cursor IDE and Cursor Agent
68
+
69
+ The saved MCP state includes:
70
+
71
+ - `mcpUrl`: `https://brain-api-customer-facing.up.railway.app/mcp`
72
+ - `token`: bearer token for MCP clients
73
+ - `account`: linked customer account metadata
74
+ - `authSource`: `local_onboarding` or `workos`
75
+ - `localAuth`: raw onboarding state reference when local auth was used
76
+
77
+ Use `--json` when an agent or setup script needs machine-readable endpoint and
78
+ header details.
79
+
80
+ Install an existing MCP login later:
81
+
82
+ ```sh
83
+ npx -y askshepherd@latest mcp-install
84
+ ```
85
+
86
+ `mcp-install` refreshes missing or near-expired MCP auth from the saved local
87
+ onboarding session before configuring clients, so already-onboarded customers
88
+ do not need to sign in again. Local Messages continues syncing through its
89
+ LaunchAgent and cloud sources continue syncing through production pollers; MCP
90
+ auth only controls read access to that customer's production memory/wiki data.
91
+
92
+ Install targets can also be provided non-interactively:
93
+
94
+ ```sh
95
+ npx -y askshepherd@latest mcp-login --install codex,claude,cursor
96
+ npx -y askshepherd@latest mcp-install --install all
97
+ ```
98
+
99
+ After install, customers can immediately ask their coding agent questions like:
100
+
101
+ ```text
102
+ Use Shepherd to catch me up on what the team discussed yesterday.
103
+ Use Shepherd to search Slack, Gmail, Messages, Granola, and the wiki for launch blockers.
104
+ Use Shepherd to find the last meeting where we discussed the enterprise pilot.
105
+ Use Shepherd to summarize open follow-ups from this week's memory.
106
+ ```
107
+
108
+ The production MCP gives onboarded customers the same read/QA behavior that made
109
+ the internal Shepherd MCP useful: summary-first answers, wiki search/read, and
110
+ source drill-in. Internal local sync, admin, replay, write/delete, and cache
111
+ maintenance tools are not exposed to customers.
112
+
113
+ ## Google Workspace Domain-wide Delegation
114
+
115
+ Business customers connect Google Workspace once as an admin. Employees do not create service accounts and do not each complete Google OAuth for Gmail, Calendar, Drive, Docs, Sheets, Slides, Tasks, or Contacts.
116
+
117
+ Customer-side setup in Google Admin Console:
118
+
119
+ ```text
120
+ App name: Shepherd
121
+ Service account email: gigabrain-delegation@shepherd-gigabrain.iam.gserviceaccount.com
122
+ Domain-wide delegation OAuth Client ID: 118363960386741325727
123
+ ```
124
+
125
+ The customer super admin authorizes that Client ID with the scopes printed by the CLI. The customer does not upload service account JSON; Shepherd stores its private service account JSON server-side in `GOOGLE_WORKSPACE_SERVICE_ACCOUNT_KEY_JSON` and requests delegated tokens with `sub=<allowed_employee_email>`.
126
+
127
+ Shepherd must still enforce selected users and groups internally before impersonating or polling employee emails.
128
+
129
+ ## Options
130
+
131
+ ```sh
132
+ --email <email> Advanced: must match the WorkOS-authenticated email
133
+ --name <name> Full name
134
+ --org <name> Organization name
135
+ --granola-api-key <key> Granola API key
136
+ --messages-handle <value> Messages phone number or Apple ID email
137
+ --messages-chat-ids <ids> Comma-separated chat IDs selected from messages-chats
138
+ --messages-backfill-days Local Messages backfill window, default all selected chat history
139
+ --api <url> Advanced: Shepherd API URL. Use only for non-production experiments or local/staging testing.
140
+ --no-google Skip Google Workspace (Gmail/Drive/Docs/Calendar/Sheets/Slides/Tasks/Contacts)
141
+ --no-slack Skip Slack
142
+ --no-granola Skip Granola
143
+ --no-open-granola Do not open the Granola API key screen
144
+ --no-messages Skip local Messages
145
+ --no-open Print auth URLs instead of opening the browser
146
+ ```
147
+
148
+ ## Messages Chat Selection
149
+
150
+ Local Messages sync on macOS needs Full Disk Access. During onboarding, Shepherd asks the user to grant or confirm Full Disk Access for:
151
+
152
+ - the app running onboarding, such as Terminal, iTerm, Claude Code, or Codex
153
+ - the Node.js binary used by the background LaunchAgent
154
+
155
+ The Messages selector validates access to `~/Library/Messages/chat.db`, opens System Settings -> Privacy & Security -> Full Disk Access if access is missing, and keeps checking in interactive onboarding until access works. Background sync install also checks that launchd can start the Messages agent. Contacts permission may also appear when Shepherd resolves local contact names for selected chats.
156
+
157
+ Open the local Messages chat selector:
158
+
159
+ ```sh
160
+ npx -y askshepherd@latest messages-chats
161
+ ```
162
+
163
+ Use `--json` for machine-readable chat metadata, or `--text` for a terminal list.
164
+
165
+ The browser selector displays the first page of recent chats and lets the user search contacts or groups loaded from local Messages.
166
+
167
+ Pass the selected chat IDs when finishing onboarding:
168
+
169
+ ```sh
170
+ npx -y askshepherd@latest agent --continue --messages-handle "<phone_or_apple_id>" --messages-chat-ids "<id1>,<id2>"
171
+ ```
172
+
173
+ ## Granola API Keys
174
+
175
+ If Granola does not land on the API keys page, run:
176
+
177
+ ```sh
178
+ npx -y askshepherd@latest granola-api-keys
179
+ ```