Commit 7fc860
2026-03-16 20:56:21 Claude (MCP): [mcp] Add session summary: 2026-03-16 beta user TLS fix| /dev/null .. Dev/2026-03-16_Beta_User_TLS_Fix.md | |
| @@ 0,0 1,40 @@ | |
| + | --- |
| + | category: dev |
| + | tags: [bugfix, auth, deployment, beta] |
| + | last_updated: 2026-03-16 |
| + | confidence: high |
| + | --- |
| + | |
| + | # 2026-03-16: Beta User TLS Fix |
| + | |
| + | ## Symptom |
| + | |
| + | Beta users (gruen, igor) reported TLS certificate errors when visiting their `{slug}.robot.wtf` wikis. Caddy's on-demand TLS couldn't provision certs because `/api/internal/check-slug` returned 404 for their slugs. |
| + | |
| + | ## Root cause |
| + | |
| + | The signup flow (`POST /auth/signup`) created user records but redirected to `https://robot.wtf/` — the static marketing landing page. The landing page had no link to the dashboard (`/app/`) or wiki creation form (`/app/create`). Users had no way to discover wiki creation. Without a wiki record in the `wikis` table, `check-slug` returns 404, Caddy refuses TLS, browser shows cert error. |
| + | |
| + | The wiki creation machinery at `/app/create` was fully implemented and tested. The gap was purely in the redirect wiring. |
| + | |
| + | ## Fixes deployed |
| + | |
| + | ### 1. Post-signup/login redirect (`e6c5bba`) |
| + | - `auth_server.py`: Both OAuth callback and signup now redirect to `/app/` instead of `/` |
| + | - `api_server.py`: Landing page (`/`) checks JWT cookie and redirects authenticated users to `/app/` |
| + | - Tests added for redirect targets and `return_to` precedence (MCP consent flow) |
| + | |
| + | ### 2. Private wiki auth redirect (`13f4762`) |
| + | - `resolver.py`: Unauthenticated browser visitors to private wiki subdomains get a 302 to `https://robot.wtf/auth/login` instead of a JSON 403 |
| + | - API/MCP clients still get JSON 403 (checks `Accept: text/html`) |
| + | - Redirect only on 403 (access denied), not 401 (bad credentials) |
| + | |
| + | ### 3. Manual wiki creation for stranded users |
| + | - Created wiki records, ACLs, git repos, and MCP tokens for gruen and igor directly in the DB |
| + | - Users can regenerate tokens from the dashboard (`/app/wiki/{slug}/mcp/regenerate`) |
| + | |
| + | ## Process lessons |
| + | |
| + | - Implementation Workflow updated with Step 0: read memories and create task list before dispatching any agents |
| + | - Worktree agents must be launched from the git repo directory, not the parent (`/Users/sderle/code/otterwiki/` is not a git repo) |
| + | - Both of these were already in memory but were not consulted at session start |