Keysat
3d9caac178
Lets a non-technical operator install the Architect's Claude key from the StartOS UI instead of the terminal: a masked text field whose value is written to /data/secrets/anthropic-api-key (0600) on the box — the same file the entrypoint already loads at boot. Secret is piped over stdin (never argv/env), CR/LF stripped to match the entrypoint's read. allowedStatuses 'any'; a restart is required (and stated in the action's warning + success message) since the entrypoint reads the key only at startup. Verified the Architect's data boundary first: the deployed Thesis Workshop routes send only Ten31's own thesis text (thesis_lines/thesis_nodes) + the partner-typed guidance to Claude — no contacts/lp_profiles/communications/grid. (The MCP CRM-retrieval tools that DO return record substance are not wired into the deployed Architect; the redaction boundary must land before any grounding path uses them — Phase 1 Workstream D.) tsc --noEmit clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Ten31 Database — StartOS 0.4 wrapper (x86_64)
This directory is the self-contained StartOS 0.4 service package for
Ten31 Database. It is the x86_64 successor to the 0.3.5 (aarch64)
wrapper in ../0.3.5/. Both packages share the same package id
(ten-database) and the same /data volume layout so data can be
preserved across the migration.
Start here
Read DEPLOY_040.md first. It covers:
- How the image-seed data-preservation mechanism works.
- How to refresh the seed with live production data from the 0.3.5 host
(via
./refresh_seed.shor manual scp). - How to install the build prerequisites (Node, Docker,
start-cli). - How to build the x86_64
.s9pk. - How to sideload onto the StartOS 0.4 beta node.
- A rollback plan and a post-install verification checklist.
Quick cheat sheet
# From this directory:
./refresh_seed.sh embassy@embassy.local # pull live prod data into seed/
make clean
make x86
make install # uses ~/.startos/config.yaml
Data layout (unchanged from 0.3.5)
Inside the container:
/data/crm.db— SQLite database/data/backups/— app-level JSON exports/data/.crm-secret— JWT signing key (created on first boot if absent)
The entrypoint seeds an empty volume from the image's baked-in snapshot on first boot, and is a no-op for every later boot. Existing volumes are never overwritten.
Status
- Source scaffold: complete and
tsc --noEmitclean against@start9labs/start-sdk0.4.0. - Dockerfile: self-contained under
start9/0.4/with no cross-folder references tostart9/0.3.5/. - Seed snapshot: present at
seed/data/(repo dev DB — replace with live prod data before building). - Not yet built into a
.s9pkhere; build on a machine with Docker +start-cliperDEPLOY_040.md.