settld 0.2.4 → 0.2.5

package/docs/CONFIG.md

@@ -82,6 +82,18 @@ Delivery/worker tuning:
 - `PROXY_AUTH_KEY_TOUCH_MIN_SECONDS` (default: `60`)  
   Throttle how often `last_used_at` is updated for API keys (reduces DB write amplification).
 
+## Public onboarding routing
+
+- `PROXY_ONBOARDING_BASE_URL` (optional but required for public onboarding on `settld-api`)  
+  Absolute `http(s)` URL for the onboarding service (`services/magic-link`). When set, `settld-api` reverse-proxies public onboarding routes:
+  - `/v1/public/auth-mode`
+  - `/v1/public/signup`
+  - `/v1/tenants/:tenantId/buyer/login/otp`
+  - `/v1/tenants/:tenantId/buyer/login`
+  - `/v1/tenants/:tenantId/onboarding/*`
+
+  If missing, these routes fail closed with `503` and code `ONBOARDING_PROXY_NOT_CONFIGURED`.
+
 ## Ingest auth
 
 - `PROXY_INGEST_TOKEN` (optional)  

package/docs/README.md

@@ -32,3 +32,6 @@ Reference docs:
 
 - `docs/QUICKSTART_MCP_HOSTS.md`
 - `docs/QUICKSTART_MCP.md`
+- `planning/trust-os-v1/state-of-the-art-launch-readiness-scorecard.md`
+- `planning/sprints/state-of-the-art-v1-6-week-plan.md`
+- `planning/jira/state-of-the-art-v1-backlog.json`

package/docs/ops/HOSTED_BASELINE_R2.md

@@ -13,14 +13,16 @@ This is the minimum hosted setup for a real product surface.
 
 ## 2) Railway service split
 
-Create two Railway services from this repo per environment:
+Create three Railway services from this repo per environment:
 
 - `settld-api`:
   - start command: `npm run start:prod`
+- `settld-magic-link`:
+  - start command: `npm run start:magic-link`
 - `settld-worker`:
   - start command: `npm run start:maintenance`
 
-Both services must point at the same environment DB and secret set for that environment.
+All services must point at the same environment DB and secret set for that environment.
 
 ## 3) Required runtime controls
 

package/docs/ops/MINIMUM_PRODUCTION_TOPOLOGY.md

@@ -7,12 +7,13 @@ This is the smallest topology that supports real paid agent tool calls with audi
 | Component | Purpose | Start command |
 |---|---|---|
 | `settld-api` | control plane + kernel APIs + receipts + ops endpoints | `npm run start:prod` |
+| `settld-magic-link` | public onboarding/auth/wallet bootstrap service | `npm run start:magic-link` |
 | `settld-maintenance` | reconciliation/cleanup/maintenance ticks | `npm run start:maintenance` |
 | `postgres` | system of record for tenants, gates, receipts, ops state | managed Postgres |
 | `x402-gateway` | payment challenge/authorize/verify wrapper for paid tool calls | `npm run start:x402-gateway` |
 | paid upstream tool API(s) | actual provider tools (`/exa`, `/weather`, etc.) | provider-specific |
 
-Without all five, the end-to-end paid tool path is incomplete.
+Without all six, public onboarding + paid tool path is incomplete.
 
 ## 2) Recommended production shape
 
@@ -35,9 +36,19 @@ Reference baseline: `docs/ops/HOSTED_BASELINE_R2.md`.
 - `PROXY_OPS_TOKENS` (scoped ops tokens)
 - `PROXY_FINANCE_RECONCILE_ENABLED=1`
 - `PROXY_MONEY_RAIL_RECONCILE_ENABLED=1`
+- `PROXY_ONBOARDING_BASE_URL=https://<magic-link-host>`
 
 Primary config source: `docs/CONFIG.md`.
 
+### `settld-magic-link`
+
+- `NODE_ENV=production`
+- `MAGIC_LINK_API_KEY` (admin key)
+- `MAGIC_LINK_PUBLIC_SIGNUP_ENABLED=1` (for self-serve public onboarding)
+- `MAGIC_LINK_BUYER_OTP_DELIVERY_MODE=smtp` + SMTP env
+- `MAGIC_LINK_SETTLD_API_BASE_URL=https://<settld-api-host>`
+- `MAGIC_LINK_SETTLD_OPS_TOKEN=<scoped ops token>`
+
 ### `settld-maintenance`
 
 - Same DB/env set as `settld-api`
@@ -67,22 +78,23 @@ Reference flow: `docs/QUICKSTART_X402_GATEWAY.md`.
 Must host for real customer traffic:
 
 1. `settld-api`
-2. `settld-maintenance`
-3. Postgres
-4. `x402-gateway`
-5. At least one paid upstream provider API
+2. `settld-magic-link`
+3. `settld-maintenance`
+4. Postgres
+5. `x402-gateway`
+6. At least one paid upstream provider API
 
 Optional at first:
 
 1. Receiver service (`npm run start:receiver`)
 2. Finance sink (`npm run start:finance-sink`)
-3. Magic-link UI service
+3. Additional onboarding UI shells
 
 ## 6) Definition of "usable in production"
 
 A deployment is considered usable when all are true:
 
-1. `GET /healthz` is green on API and gateway.
+1. `GET /healthz` is green on API and gateway; `GET /v1/public/auth-mode` is reachable on API host.
 2. Hosted baseline evidence command passes for the environment.
 3. One paid MCP tool call succeeds end-to-end with artifact output.
 4. Receipt verification succeeds and is replay-auditable.

package/docs/ops/PRODUCTION_DEPLOYMENT_CHECKLIST.md

@@ -14,7 +14,7 @@ Use this checklist to launch and verify a real hosted Settld environment.
 2. Confirm release workflow is blocked unless NOO-50 and the kernel/cutover gates are green for the release commit.
 3. Confirm release workflow runs NOO-65 promotion guard and blocks publish lanes if `release-promotion-guard.json` verdict is not pass/override-pass.
 4. Confirm staging and production have separate domains, databases, secrets, and signer keys.
-5. Confirm required services are deployable: `npm run start:prod`, `npm run start:maintenance`, `npm run start:x402-gateway`.
+5. Confirm required services are deployable: `npm run start:prod`, `npm run start:magic-link`, `npm run start:maintenance`, `npm run start:x402-gateway`.
 6. Configure GitHub Environment `production_cutover_gate` with:
    - `PROD_BASE_URL`
    - `PROD_TENANT_ID`
@@ -29,17 +29,22 @@ Use this checklist to launch and verify a real hosted Settld environment.
 3. Set scoped `PROXY_OPS_TOKENS`.
 4. Configure rate limits and quotas from `docs/CONFIG.md`.
 5. Configure gateway secrets: `SETTLD_API_URL`, `SETTLD_API_KEY`, `UPSTREAM_URL`.
+6. Configure onboarding routing:
+   - `PROXY_ONBOARDING_BASE_URL=https://<magic-link-host>` on `settld-api`
+   - `MAGIC_LINK_PUBLIC_SIGNUP_ENABLED=1` and OTP delivery (`smtp`) on `settld-magic-link`
 
 ## Phase 2: Deploy services
 
 1. Deploy `settld-api`.
-2. Deploy `settld-maintenance`.
-3. Deploy `x402-gateway`.
+2. Deploy `settld-magic-link`.
+3. Deploy `settld-maintenance`.
+4. Deploy `x402-gateway`.
 4. Verify service health:
 
 ```bash
 curl -fsS https://api.settld.work/healthz
 curl -fsS https://gateway.settld.work/healthz
+npm run test:ops:public-onboarding-gate -- --base-url https://api.settld.work --tenant-id tenant_default
 ```
 
 ## Phase 3: Baseline ops verification

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "settld",
-  "version": "0.2.4",
+  "version": "0.2.5",
   "description": "Settld kernel CLI and local control-plane tooling",
   "private": false,
   "type": "module",
@@ -25,6 +25,7 @@
     "scripts",
     "docs",
     "src",
+    "services/magic-link",
     "services/finance-sink",
     "services/x402-gateway",
     "services/receiver"
@@ -110,6 +111,7 @@
     "test:ops:onboarding-host-success-gate": "node scripts/ci/run-onboarding-host-success-gate.mjs",
     "test:ops:self-serve-benchmark": "node scripts/ci/build-self-serve-benchmark-report.mjs",
     "test:ops:launch-cutover-packet": "node scripts/ci/build-launch-cutover-packet.mjs",
+    "test:ops:public-onboarding-gate": "node scripts/ci/run-public-onboarding-gate.mjs",
     "test:ops:production-cutover-gate": "node scripts/ci/run-production-cutover-gate.mjs",
     "test:ops:release-promotion-guard": "node scripts/ci/run-release-promotion-guard.mjs",
     "test:ci:mcp-host-smoke": "node scripts/ci/run-mcp-host-smoke.mjs",

package/scripts/ci/run-public-onboarding-gate.mjs

@@ -0,0 +1,136 @@
+#!/usr/bin/env node
+import fs from "node:fs/promises";
+import path from "node:path";
+
+function parseArgs(argv) {
+  const out = {
+    baseUrl: process.env.SETTLD_BASE_URL ?? "https://api.settld.work",
+    tenantId: process.env.SETTLD_TENANT_ID ?? "tenant_default",
+    email: process.env.SETTLD_ONBOARDING_PROBE_EMAIL ?? "probe@settld.work",
+    out: "artifacts/gates/public-onboarding-gate.json"
+  };
+  for (let i = 0; i < argv.length; i += 1) {
+    const arg = String(argv[i] ?? "");
+    const next = () => {
+      i += 1;
+      if (i >= argv.length) throw new Error(`missing value for ${arg}`);
+      return String(argv[i] ?? "");
+    };
+    if (arg === "--base-url") out.baseUrl = next();
+    else if (arg.startsWith("--base-url=")) out.baseUrl = arg.slice("--base-url=".length);
+    else if (arg === "--tenant-id") out.tenantId = next();
+    else if (arg.startsWith("--tenant-id=")) out.tenantId = arg.slice("--tenant-id=".length);
+    else if (arg === "--email") out.email = next();
+    else if (arg.startsWith("--email=")) out.email = arg.slice("--email=".length);
+    else if (arg === "--out") out.out = next();
+    else if (arg.startsWith("--out=")) out.out = arg.slice("--out=".length);
+  }
+  out.baseUrl = String(out.baseUrl ?? "").trim().replace(/\/+$/, "");
+  out.tenantId = String(out.tenantId ?? "").trim();
+  out.email = String(out.email ?? "").trim().toLowerCase();
+  out.out = String(out.out ?? "").trim();
+  if (!out.baseUrl) throw new Error("--base-url is required");
+  if (!out.tenantId) throw new Error("--tenant-id is required");
+  if (!out.email) throw new Error("--email is required");
+  if (!out.out) throw new Error("--out is required");
+  return out;
+}
+
+async function requestJson(url, { method = "GET", body = null, headers = {} } = {}) {
+  const res = await fetch(url, {
+    method,
+    headers: {
+      ...(body === null ? {} : { "content-type": "application/json" }),
+      ...headers
+    },
+    body: body === null ? undefined : JSON.stringify(body)
+  });
+  const text = await res.text();
+  let json = null;
+  try {
+    json = text ? JSON.parse(text) : null;
+  } catch {
+    json = null;
+  }
+  return {
+    ok: res.ok,
+    statusCode: res.status,
+    url,
+    text,
+    json
+  };
+}
+
+function summarizeBody(outcome) {
+  if (outcome?.json && typeof outcome.json === "object") {
+    return {
+      code: outcome.json.code ?? null,
+      error: outcome.json.error ?? null,
+      message: outcome.json.message ?? null,
+      authMode: outcome.json.authMode ?? null
+    };
+  }
+  return { raw: String(outcome?.text ?? "").slice(0, 500) };
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const startedAt = new Date().toISOString();
+  const steps = [];
+  const errors = [];
+
+  const authMode = await requestJson(`${args.baseUrl}/v1/public/auth-mode`);
+  steps.push({
+    step: "public_auth_mode",
+    statusCode: authMode.statusCode,
+    body: summarizeBody(authMode)
+  });
+  if (authMode.statusCode !== 200 || typeof authMode.json?.authMode !== "string") {
+    errors.push({
+      code: "PUBLIC_AUTH_MODE_UNAVAILABLE",
+      message: `expected GET /v1/public/auth-mode to return 200 with authMode; got ${authMode.statusCode}`
+    });
+  }
+
+  const otpProbe = await requestJson(
+    `${args.baseUrl}/v1/tenants/${encodeURIComponent(args.tenantId)}/buyer/login/otp`,
+    {
+      method: "POST",
+      body: { email: args.email }
+    }
+  );
+  steps.push({
+    step: "buyer_login_otp_probe",
+    statusCode: otpProbe.statusCode,
+    body: summarizeBody(otpProbe)
+  });
+  if ([403, 404, 405, 503].includes(otpProbe.statusCode)) {
+    errors.push({
+      code: "BUYER_LOGIN_OTP_UNAVAILABLE",
+      message: `expected buyer OTP endpoint to be reachable (non-403/404/405/503); got ${otpProbe.statusCode}`
+    });
+  }
+
+  const report = {
+    schemaVersion: "PublicOnboardingGate.v1",
+    ok: errors.length === 0,
+    startedAt,
+    completedAt: new Date().toISOString(),
+    baseUrl: args.baseUrl,
+    tenantId: args.tenantId,
+    steps,
+    errors
+  };
+
+  await fs.mkdir(path.dirname(args.out), { recursive: true });
+  await fs.writeFile(args.out, `${JSON.stringify(report, null, 2)}\n`, "utf8");
+  process.stdout.write(`wrote public onboarding gate report: ${path.resolve(args.out)}\n`);
+  process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
+  if (!report.ok) process.exit(1);
+}
+
+main().catch((err) => {
+  process.stderr.write(`${err?.stack ?? err?.message ?? String(err)}\n`);
+  process.exit(1);
+});
+

package/scripts/setup/login.mjs

@@ -8,6 +8,10 @@ import { fileURLToPath } from "node:url";
 import { cookieHeaderFromSetCookie, defaultSessionPath, writeSavedSession } from "./session-store.mjs";
 
 const FORMAT_OPTIONS = new Set(["text", "json"]);
+const AUTH_MODE_PUBLIC_SIGNUP = "public_signup";
+const AUTH_MODE_ENTERPRISE_PREPROVISIONED = "enterprise_preprovisioned";
+const AUTH_MODE_HYBRID = "hybrid";
+const KNOWN_AUTH_MODES = new Set([AUTH_MODE_PUBLIC_SIGNUP, AUTH_MODE_ENTERPRISE_PREPROVISIONED, AUTH_MODE_HYBRID]);
 
 function usage() {
   const text = [
@@ -151,6 +155,52 @@ async function requestJson(url, { method, body, headers = {}, fetchImpl = fetch
   return { res, text, json };
 }
 
+function normalizeAuthMode(value) {
+  const mode = String(value ?? "").trim().toLowerCase();
+  return KNOWN_AUTH_MODES.has(mode) ? mode : "unknown";
+}
+
+export async function detectDeploymentAuthMode({ baseUrl, fetchImpl = fetch } = {}) {
+  const normalizedBaseUrl = mustHttpUrl(baseUrl, "base URL");
+  let response;
+  try {
+    response = await requestJson(`${normalizedBaseUrl}/v1/public/auth-mode`, {
+      method: "GET",
+      fetchImpl
+    });
+  } catch {
+    return {
+      schemaVersion: "SettldAuthModeDiscovery.v1",
+      mode: "unknown",
+      source: "network_error",
+      enterpriseProvisionedTenantsOnly: null
+    };
+  }
+  if (!response.res.ok) {
+    return {
+      schemaVersion: "SettldAuthModeDiscovery.v1",
+      mode: "unknown",
+      source: `http_${response.res.status}`,
+      enterpriseProvisionedTenantsOnly: null
+    };
+  }
+  const mode = normalizeAuthMode(response.json?.authMode);
+  const enterpriseOnly =
+    typeof response.json?.enterpriseProvisionedTenantsOnly === "boolean"
+      ? response.json.enterpriseProvisionedTenantsOnly
+      : mode === AUTH_MODE_ENTERPRISE_PREPROVISIONED
+        ? true
+        : mode === "unknown"
+          ? null
+          : false;
+  return {
+    schemaVersion: "SettldAuthModeDiscovery.v1",
+    mode,
+    source: "endpoint",
+    enterpriseProvisionedTenantsOnly: enterpriseOnly
+  };
+}
+
 function responseCode({ json }) {
   const direct = typeof json?.code === "string" ? json.code : "";
   if (direct) return direct;
@@ -220,6 +270,15 @@ export async function runLogin({
     }
 
     const baseUrl = mustHttpUrl(state.baseUrl, "base URL");
+    const authMode = await detectDeploymentAuthMode({ baseUrl, fetchImpl });
+    if (interactive && authMode.mode !== "unknown") {
+      stdout.write(`Detected auth mode: ${authMode.mode}\n`);
+    }
+    if (!state.tenantId && authMode.mode === AUTH_MODE_ENTERPRISE_PREPROVISIONED) {
+      throw new Error(
+        "This deployment uses enterprise_preprovisioned mode. Pass --tenant-id <existing_tenant> and login via OTP, or use bootstrap/manual API key flow."
+      );
+    }
     if (!state.email) throw new Error("email is required");
     if (!state.tenantId && !state.company) throw new Error("company is required when tenant ID is omitted");
 
@@ -230,6 +289,12 @@ export async function runLogin({
         fetchImpl
       });
       if (!otpRequest.res.ok) {
+        const code = responseCode(otpRequest);
+        if (otpRequest.res.status === 403 && code === "FORBIDDEN") {
+          throw new Error(
+            "OTP login is unavailable on this base URL. Use `Generate during setup` with an onboarding bootstrap API key, or use an existing tenant API key."
+          );
+        }
         const message = responseMessage(otpRequest);
         throw new Error(`otp request failed (${otpRequest.res.status}): ${message}`);
       }
@@ -299,7 +364,8 @@ export async function runLogin({
       tenantId: session.tenantId,
       email: session.email,
       sessionFile: state.sessionFile,
-      expiresAt: session.expiresAt ?? null
+      expiresAt: session.expiresAt ?? null,
+      authMode: authMode.mode
     };
 
     if (state.format === "json") {