From 5542107b9e9496a189ffd0ce2530d3b615b7e27f Mon Sep 17 00:00:00 2001
From: Koshkoshinsk
Date: Sun, 19 Apr 2026 12:10:21 +0000
Subject: [PATCH] fix(new-setup): align onecli health path and rework auth flow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
onecli step:
- Poll /api/health (was /health) so the step's health check matches the probe's. On hosted OneCLI (app.onecli.sh) the old path returned non-ok, flagging the gateway as "degraded" even though install succeeded.
- Drop the "try `onecli start`" hint — no such subcommand exists and it sent the skill off chasing fabricated commands. A failed health poll is demoted to a soft warning; the auth step surfaces a real outage via `onecli secrets list`.
SKILL.md step 4: rewrite to match the /setup skill's pattern — the user generates the token themselves, picks dashboard or CLI to register it with OneCLI, and the skill verifies via `auth --check`. Tokens no longer travel through chat.
Co-Authored-By: Koshkoshinsk
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.claude/skills/new-setup/SKILL.md | 24 ++++++++++++++++++------
setup/onecli.ts | 14 +++++++++++---
2 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/.claude/skills/new-setup/SKILL.md b/.claude/skills/new-setup/SKILL.md
index f08fd16..a671fb0 100644
--- a/.claude/skills/new-setup/SKILL.md
+++ b/.claude/skills/new-setup/SKILL.md
@@ -86,15 +86,27 @@ OneCLI is the local vault that holds API keys and only releases them to agents w
 Check probe results and skip if `ANTHROPIC_SECRET=true`.
-The agent needs an Anthropic credential to talk to Claude. Two sources:
+The credential never travels through chat — the user generates it, registers it with OneCLI themselves, and the skill verifies.
-Use `AskUserQuestion`:
-1. **Claude subscription (Pro/Max)** — "Run `claude setup-token` in another terminal. It prints a token; paste it back here when ready."
-2. **Anthropic API key** — "Get one from https://console.anthropic.com/settings/keys."
+**4a. Pick the source.** `AskUserQuestion`:
-Wait for the token. When received, run:
+1. **Claude subscription (Pro/Max)** — "Generate a token via `claude setup-token` in another terminal."
+2. **Anthropic API key** — "Use a pay-per-use key from console.anthropic.com/settings/keys."
-`pnpm exec tsx setup/index.ts --step auth -- --create --value `
+**4b. Wait for the user to obtain the credential.** For subscription, have them run `claude setup-token` in another terminal. For API key, point them to the console URL above. Either way, they keep the token — just confirm when they have it.
+
+**4c. Pick the registration path.** `AskUserQuestion` — substitute `${ONECLI_URL}` from the probe (or `.env`):
+
+1. **Dashboard** — "Open ${ONECLI_URL} in a browser; add a secret of type `anthropic`, value = the token, host-pattern `api.anthropic.com`."
+2. **CLI** — "Run in another terminal: `onecli secrets create --name Anthropic --type anthropic --value YOUR_TOKEN --host-pattern api.anthropic.com`"
+
+Wait for the user's confirmation. If their reply happens to include a token (starts with `sk-ant-`), register it for them: `pnpm exec tsx setup/index.ts --step auth -- --create --value `.
+
+**4d. Verify.**
+
+`pnpm exec tsx setup/index.ts --step auth -- --check`
+
+If `ANTHROPIC_OK=false`, the secret isn't there yet — ask them to retry, then re-check.
 ### 5. Service
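Review bot: The fallback sentence at the end of 4c still has the skill lift a token out of the chat reply and register it, which contradicts this step's opening claim that the credential never travels through chat. A token pasted into the conversation is already in the transcript, and passing it to `--create --value` also puts it on a command line, where it may end up in shell history or process listings. I would replace that sentence with `If their reply includes a token (starts with sk-ant-), do not register it; ask them to revoke it, generate a new one, and register it themselves via the dashboard or CLI.` The CLI option in 4c has the same command-line exposure through `--value YOUR_TOKEN`, so a one-line caveat there, or listing the dashboard as the preferred path, would help.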
diff --git a/setup/onecli.ts b/setup/onecli.ts
index 7107371..ddb68c6 100644
--- a/setup/onecli.ts
+++ b/setup/onecli.ts
@@ -106,10 +106,11 @@ function installOnecli(): { stdout: string; ok: boolean } {
 }
 async function pollHealth(url: string, timeoutMs: number): Promise {
+ // `/api/health` matches the path probe.mjs uses — keep them aligned.
 const deadline = Date.now() + timeoutMs;
 while (Date.now() < deadline) {
 try {
- const res = await fetch(`${url}/health`);
+ const res = await fetch(`${url}/api/health`);
 if (res.ok) return true;
 } catch {
 // not ready yet
@@ -185,10 +186,17 @@ export async function run(_args: string[]): Promise {
 INSTALLED: true,
 ONECLI_URL: url,
 HEALTHY: healthy,
- STATUS: healthy ? 'success' : 'degraded',
+ // Install succeeded regardless — a failed health poll often just means
+ // the endpoint is auth-gated or the gateway hasn't finished warming up.
+ // The next step (auth) will surface a genuinely broken gateway via
+ // `onecli secrets list`, so don't trigger rescue attempts from here.
+ STATUS: 'success',
 ...(healthy
 ? {}
- : { HINT: 'Gateway did not respond to /health within 15s. Try `onecli start`.' }),
+ : {
+ HEALTH_HINT:
+ 'Health poll returned non-ok within 15s — likely auth-gated. Proceed to the auth step; it will surface a real outage.',
+ }),
 LOG: 'logs/setup.log',
 });
 }
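Review bot: In pollHealth, the `fetch` on the changed line is awaited with no abort signal, so a single stalled connection can run well past `timeoutMs`; the deadline is only re-checked at the top of the `while` loop. Bounding each attempt by the time remaining would keep the poll within its budget: pass `{ signal: AbortSignal.timeout(Math.max(1, deadline - Date.now())) }` as the second argument to `fetch`, assuming the Node version in use provides `AbortSignal.timeout`. The loop body continues past the end of the hunk, so any delay between attempts and the final return are not visible here.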
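Review bot: In run(), the new `HEALTH_HINT` says the poll "returned non-ok" and is "likely auth-gated", but as far as the pollHealth hunk shows, a `fetch` that throws is swallowed by the `catch` and treated the same as a non-ok response, so connection refused, a DNS failure or a TLS error would now be reported under `STATUS: 'success'` with that wording. The step that follows has the user register an Anthropic token against `ONECLI_URL`, so the message should not imply the endpoint was reached when it may not have been. A wording that matches what the code knows: `'Health poll did not succeed within 15s (non-ok response or no connection). Proceed to the auth step; it will surface a real outage.'`. Having pollHealth report the last HTTP status would let this branch say "auth-gated" only on a 401/403. The hard-coded `15s` should track whatever timeout the caller passes, which is outside this hunk.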