Properties
category: dev tags: [bugfix, auth, deployment, beta] last_updated: 2026-03-16 confidence: high
2026-03-16: Beta User TLS Fix
Symptom
Beta users (gruen, igor) reported TLS certificate errors when visiting their {slug}.robot.wtf wikis. Caddy's on-demand TLS couldn't provision certs because /api/internal/check-slug returned 404 for their slugs.
Root cause
The signup flow (POST /auth/signup) created user records but redirected to https://robot.wtf/ — the static marketing landing page. The landing page had no link to the dashboard (/app/) or wiki creation form (/app/create). Users had no way to discover wiki creation. Without a wiki record in the wikis table, check-slug returns 404, Caddy refuses TLS, browser shows cert error.
The wiki creation machinery at /app/create was fully implemented and tested. The gap was purely in the redirect wiring.
Fixes deployed
1. Post-signup/login redirect (e6c5bba)
auth_server.py: Both OAuth callback and signup now redirect to/app/instead of/api_server.py: Landing page (/) checks JWT cookie and redirects authenticated users to/app/- Tests added for redirect targets and
return_toprecedence (MCP consent flow)
2. Private wiki auth redirect (13f4762)
resolver.py: Unauthenticated browser visitors to private wiki subdomains get a 302 tohttps://robot.wtf/auth/logininstead of a JSON 403- API/MCP clients still get JSON 403 (checks
Accept: text/html) - Redirect only on 403 (access denied), not 401 (bad credentials)
3. Manual wiki creation for stranded users
- Created wiki records, ACLs, git repos, and MCP tokens for gruen and igor directly in the DB
- Users can regenerate tokens from the dashboard (
/app/wiki/{slug}/mcp/regenerate)
Process lessons
- Implementation Workflow updated with Step 0: read memories and create task list before dispatching any agents
- Worktree agents must be launched from the git repo directory, not the parent (
/Users/sderle/code/otterwiki/is not a git repo) - Both of these were already in memory but were not consulted at session start