fix(onboarding): six defects in self-host deploy path (#443) #833
Merged
Friction surfaced on a fresh clone → start.sh → login walkthrough. Each fix is small and independent; bundled here per the issue's "all are onboarding hygiene" framing.

1. scripts/deploy/start.sh — auto-generate SECRET_KEY and INTERNAL_API_SECRET if blank (same pattern as the existing CREDENTIAL_ENCRYPTION_KEY block, extracted to a helper). Fail fast with a clear message if ADMIN_PASSWORD is blank rather than booting into a state the operator can't log into.
2. .env.example — document FRONTEND_PORT=80 with an inline comment explaining "remap if your host's port 80 is taken." The var was already read by docker-compose.yml and start.sh but wasn't reachable from the quickstart.
3. scripts/deploy/start.sh — replace "login: admin/password" hint with "login: admin / ADMIN_PASSWORD from .env". New users took "password" as the literal default.
4. src/mcp-server/src/index.ts + README.md — drop hardcoded http://localhost:3000/api-keys hint. Port was wrong (frontend default is 80) and ignored FRONTEND_PORT overrides. Replaced with "your Trinity web UI → Settings → MCP Keys".
5. scripts/deploy/clean.sh — new script. Stops compose + removes leftover agent-* containers + trinity-agent-network. Without this, a fresh install inherits Exited zombie agents from previous tests and the first new agent collides on AGENT_SSH_PORT_START (2222). Preserves data volumes intentionally — operators can wipe those manually.
6. src/mcp-server/Dockerfile — point healthcheck at /health, not /mcp. The /mcp endpoint rejects HEAD requests with 400 (which `wget --spider` sends), so `docker compose ps` reported the container as unhealthy despite serving traffic. /health returns 200 to both HEAD and GET. Verified live: post-rebuild, trinity-mcp-server reports `healthy` within 30s.

No schema, API, or runtime-behavior changes. No migration needed.

Related to #443

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…form_default_model

The lint job on #443's PR went red on a file that is NOT in the PR's diff — `tests/test_platform_default_model.py` carries 6 bare `sys.modules` mutations that were merged to dev without an entry in `tests/lint_sys_modules_baseline.txt`. Same #802 rebase-race shape as the original #791 vs #783 incident: baseline-introducing PR (#791) and violation-introducing PR landed disjointly, both green pre-merge, dev went red post-merge, the next PR off dev (this one) inherits it.

Ratcheting the baseline here unblocks #443. Same precedent as #796 which baselined `test_cleanup_unreachable_orphan.py` for the same reason.

The proper fix is to convert the file's bare sys.modules writes to `monkeypatch.setitem` / `monkeypatch.delitem`; that's scope-creep relative to the onboarding work this PR is doing and should land separately. (That file's count is currently 0 against the lint, so a follow-up that converts it can drop the baseline line altogether.)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
vybe
approved these changes
May 13, 2026
Contributor
vybe
left a comment
Clean, focused fix — all six defects verified. Dockerfile healthcheck and ADMIN_PASSWORD guard are the highest-value changes. Second commit correctly resolves the pre-existing sys_modules baseline rebase-race from #831. ✅ Approved to merge.
Summary

Six small fixes on the fresh-clone → start.sh → login walkthrough. Each independent, no schema/API/runtime-behavior change.

- `SECRET_KEY` + `INTERNAL_API_SECRET` if blank; fail-fast on blank `ADMIN_PASSWORD` (`scripts/deploy/start.sh`)
- `FRONTEND_PORT=80` with remap comment (`.env.example`)
- `login: admin/password` hint with `admin / ADMIN_PASSWORD from .env` (`scripts/deploy/start.sh`)
- `localhost:3000/api-keys` URL — replace with "your Trinity web UI → Settings → MCP Keys" (`src/mcp-server/src/index.ts`, `README.md`)
- `clean.sh` — removes leftover `agent-*` containers + `trinity-agent-network`; preserves data volumes (`scripts/deploy/clean.sh`)
- `/mcp` → `/health` (the `/mcp` endpoint rejects HEAD with 400, which is what `wget --spider` sends) (`src/mcp-server/Dockerfile`)

Verification (live)

- `.env`, confirmed `CREDENTIAL_ENCRYPTION_KEY` left alone when set; `SECRET_KEY` / `INTERNAL_API_SECRET` generated when blank; `ADMIN_PASSWORD` guard tripped correctly when blank.
- `bash -n` on both `clean.sh` and `start.sh` clean.
- `mcp-server` against this PR's Dockerfile and watched `docker compose ps mcp-server` — was `unhealthy` before, reports `Up (healthy)` within 30s now. `docker inspect`'s `State.Health.Status` flipped to `healthy` with `FailingStreak=0`.

Out of scope (deferred / separate tracking)

- `agent-*` zombies from previous test runs. The new `clean.sh` would remove them, but I'm not running it on the dev box as part of this PR — operator's call.
- `docs.ability.ai/getting-started`) — issue notes these are tracked separately; in-repo `docs/user-docs/guides/*` was already corrected alongside the `generate-user-docs` playbook.
- `feature/443-onboarding-fixes` already exists on remote with @vybe's WIP (`refactor(skills): prevent duplicate validation issues`, 2026-04-21, same day issue was filed — likely abandoned start at this work). Didn't touch it. This PR ships under `feature/443-onboarding-six-defects` instead.

Related to #443
🤖 Generated with Claude Code
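
The secret bootstrap described in item 1 of the first commit message (generate `SECRET_KEY` and `INTERNAL_API_SECRET` only when blank, stop on a blank `ADMIN_PASSWORD`), sketched as an added example. This is not the PR's `start.sh`: the helper names `env_get`, `gen_secret`, `ensure_secret` and `require_set`, the sample `.env` contents, and the assumption of plain unquoted `KEY=value` lines are all illustrative.

```shell
#!/usr/bin/env bash
# Added illustration, not the project's start.sh; helper names are hypothetical.
# Assumes plain unquoted KEY=value lines in the env file.

env_get() {            # env_get KEY FILE -> prints value, empty if blank or absent
  sed -n "s/^$1=//p" "$2" | tail -n 1
}

gen_secret() {         # 32 bytes from the kernel CSPRNG as 64 hex characters
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

ensure_secret() {      # ensure_secret KEY FILE -> fill in KEY only when it is blank
  local key="$1" file="$2" tmp
  if [ -n "$(env_get "$key" "$file")" ]; then
    return 0           # operator-supplied value: never overwrite
  fi
  tmp=$(mktemp "$file.XXXXXX") || return 1   # mktemp creates the file mode 0600
  grep -v "^$key=" "$file" > "$tmp" || true  # drop the blank line, keep the rest
  printf '%s=%s\n' "$key" "$(gen_secret)" >> "$tmp"
  mv "$tmp" "$file"    # atomic replace; the env file ends up mode 0600
}

require_set() {        # require_set KEY FILE -> non-zero plus a message if blank
  if [ -z "$(env_get "$1" "$2")" ]; then
    echo "ERROR: $1 is blank in $2. Set it, then re-run." >&2
    return 1
  fi
}

# Constructed sample .env: one key already set, two blank secrets, blank password.
demo_dir=$(mktemp -d)
demo_env=$demo_dir/.env
printf '%s\n' 'CREDENTIAL_ENCRYPTION_KEY=already-set' 'SECRET_KEY=' \
  'INTERNAL_API_SECRET=' 'ADMIN_PASSWORD=' > "$demo_env"

for key in CREDENTIAL_ENCRYPTION_KEY SECRET_KEY INTERNAL_API_SECRET; do
  ensure_secret "$key" "$demo_env"
done
if ! require_set ADMIN_PASSWORD "$demo_env"; then
  echo "refusing to start: no admin login would be possible"
fi
```

Generated secrets are written to the file and never echoed, so they stay out of terminal scrollback and CI logs; the password is deliberately not auto-generated because the operator has to know it to log in.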