category: dev

tags: [bugfix, auth, deployment, beta]

last_updated: 2026-03-16

Beta users (gruen, igor) reported TLS certificate errors when visiting their `{slug}.robot.wtf` wikis. Caddy's on-demand TLS couldn't provision certs because `/api/internal/check-slug` returned 404 for their slugs.

The signup flow (`POST /auth/signup`) created user records but redirected to `https://robot.wtf/` — the static marketing landing page. The landing page had no link to the dashboard (`/app/`) or wiki creation form (`/app/create`). Users had no way to discover wiki creation. Without a wiki record in the `wikis` table, `check-slug` returns 404, Caddy refuses TLS, browser shows cert error.

The wiki creation machinery at `/app/create` was fully implemented and tested. The gap was purely in the redirect wiring.

- `auth_server.py`: Both OAuth callback and signup now redirect to `/app/` instead of `/`

- `api_server.py`: Landing page (`/`) checks JWT cookie and redirects authenticated users to `/app/`

- Tests added for redirect targets and `return_to` precedence (MCP consent flow)

- `resolver.py`: Unauthenticated browser visitors to private wiki subdomains get a 302 to `https://robot.wtf/auth/login` instead of a JSON 403

- API/MCP clients still get JSON 403 (checks `Accept: text/html`)

- Redirect only on 403 (access denied), not 401 (bad credentials)

- Created wiki records, ACLs, git repos, and MCP tokens for gruen and igor directly in the DB

- Users can regenerate tokens from the dashboard (`/app/wiki/{slug}/mcp/regenerate`)

- Implementation Workflow updated with Step 0: read memories and create task list before dispatching any agents

- Worktree agents must be launched from the git repo directory, not the parent (`/Users/sderle/code/otterwiki/` is not a git repo)

- Both of these were already in memory but were not consulted at session start