Prerequisites — Human Setup Before Phase 0

These are things that require human action (account creation, credentials, billing decisions) before agent work can begin. Check each off as completed.

AWS

• IAM user wikibot-admin with AdministratorAccess + WikibotPermissionsBoundary
• Permissions boundary denies: EC2/RDS/Redshift/SageMaker/EKS/ECS/ElastiCache instances, IAM user/key creation, organizations access, non-us-east-1 regional services
• API keys in ~/.aws/credentials under [wikibot] profile
• Region: us-east-1
• Budget alarm: $50/mo
• Pulumi state bucket: s3://wikibot-pulumi-state (versioning enabled)

Pulumi

• pulumi CLI installed (brew install pulumi)
• State backend: pulumi login s3://wikibot-pulumi-state

WorkOS

• WorkOS account created
• Google OAuth provider configured
• GitHub OAuth provider configured
• Apple OAuth provider configured
• API keys available as environment variables

DNS

• wikibot.io domain registered
• Route 53 hosted zone: Z00731461A60YEWXMD1ZE
• Spaceship nameservers delegated to Route 53

Repositories

• wikibot-io private repo created (GitHub)
• Agent has push access (SSH key or token)

Local Dev Environment

• Docker + docker-compose running (for dev wiki)
• Dev wiki running at localhost:8180
• MCP server running at localhost:8190

Agent Container (packnplay)

Agents run inside packnplay containers with --dangerously-skip-permissions. packnplay mounts ~/.claude, handles credentials, creates worktrees, and preserves host paths.

• packnplay installed (brew install obra/tap/packnplay)
• packnplay configured (packnplay configure — enable git, ssh, gh, aws credentials)
• Dev wiki MCP accessible from container — configure MCP endpoint as http://host.docker.internal:8190/mcp (not localhost) since container localhost is the container itself
• Verify: packnplay run --aws-creds claude launches and can reach the wiki MCP
• Agent launch command documented: packnplay run --aws-creds --worktree=<phase> claude --dangerously-skip-permissions