New Agent Deployment — Pre-Deploy Setup (Human Required)

Setup steps required before any new agent is provisioned. Follow in order: hardware, Tailscale, Cloudflare DNS, SimpleMDM enrollment, portal payload. Each step is human-gated.

1. Stage Mac mini with macOS, enroll in SimpleMDM
2. Generate Tailscale auth key (see below)
3. Provision Cloudflare tunnel record
4. Push portal payload + bootstrap script
5. Verify first sweep in Fleet Status

Create a Telegram Bot for a New Agent

Bot is the agent's human-facing relay. Created via @BotFather, then token is stored in Infisical under agents/<name>/telegram_bot_token.

# 1. Open Telegram, message @BotFather
# 2. /newbot
# 3. Name: JockiBox <Agent>
# 4. Username: jockibox_<agent>_bot
# 5. Copy token → Infisical agents/<name>/telegram_bot_token

SSH Into Any Agent Directly

Tailscale SSH only — never use plain ssh user@ip.

tailscale ssh jockibox-chc-arbor-atlas

tailscale ssh jockibox-chc-cob-beau

tailscale ssh jockibox-chc-shaw-monty

tailscale ssh jockibox-chc-northpark-parker

tailscale ssh jockibox-chc-boswell-wellington

tailscale ssh jockibox-titan

Emergency Fixes — Run on Any Agent

Erik — Tailscale ACL Update Required

When a new agent is provisioned, the Tailscale ACL must be updated to grant the agent's tag access to the right facilities.

// tailscale-acl.json
{
  "acls": [
    { "action": "accept", "src": ["tag:agent"], "dst": ["tag:facility:*"] }
  ]
}

New User Setup — Start the Bot

When a new user is added to a facility, they DM the agent's bot to register. The bot binds their Telegram user ID to the facility principal in Better-Auth.

# In Telegram, the user messages:
/start

# The bot replies with their facility binding + a one-time link.

Tailscale Auth Key

Generate a pre-authorized auth key for new-agent enrollment.

# Tailscale admin → Settings → Keys → Generate auth key
# - Reusable: no
# - Ephemeral: no
# - Pre-approved: yes
# - Tags: tag:agent