Prerequisites — Human Setup Before Phase 0
These are things that require human action (account creation, credentials, billing decisions) before agent work can begin. Check each off as completed.
AWS
- IAM user wikibot-admin created with AdministratorAccess + WikibotPermissionsBoundary
- Permissions boundary denies: EC2/RDS/Redshift/SageMaker/EKS/ECS/ElastiCache instances, IAM user/key creation, organizations access, non-us-east-1 regional services
- API keys provisioned
- Credentials available as environment variables or AWS profile
- Budget alarm: $50/mo (create via AWS Budgets console)
- Region: us-east-1
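
The permissions boundary listed under AWS, sketched as an added example that is not the project's actual WikibotPermissionsBoundary: a constructed policy matching the deny list, plus a simplified evaluator to check it offline. The specific IAM actions, the global-service exemptions and the function names are assumptions.

```python
import fnmatch

# Constructed policy: the statements are assumptions derived from the deny list
# on this page, not the actual WikibotPermissionsBoundary document.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    # A boundary is a ceiling: without an Allow it would permit nothing.
    {"Sid": "Ceiling", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyInstanceServices", "Effect": "Deny", "Resource": "*", "Action": [
        "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster",
        "redshift:CreateCluster", "sagemaker:Create*", "eks:CreateCluster",
        "eks:CreateNodegroup", "ecs:CreateCluster", "ecs:CreateService",
        "ecs:RunTask", "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"]},
    {"Sid": "DenyIamUserAndKeyCreation", "Effect": "Deny", "Resource": "*",
     "Action": ["iam:CreateUser", "iam:CreateAccessKey"]},
    {"Sid": "DenyOrganizations", "Effect": "Deny", "Resource": "*",
     "Action": "organizations:*"},
    # Global services are exempted, as region-restriction policies usually do.
    {"Sid": "DenyOtherRegions", "Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "sts:*", "route53:*", "budgets:*", "cloudfront:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
]}


def _matches(patterns, action):
    """IAM action patterns are case-insensitive and use * and ? wildcards."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def boundary_allows(policy, action, region):
    """Simplified evaluation: explicit Deny wins, otherwise an Allow is required.
    Only the aws:RequestedRegion StringNotEquals condition is understood."""
    allowed = False
    for st in policy["Statement"]:
        if "Action" in st:
            hit = _matches(st["Action"], action)
        else:
            hit = not _matches(st["NotAction"], action)
        regions = st.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if regions is not None and region in ([regions] if isinstance(regions, str) else regions):
            hit = False  # condition not met: the request is in a permitted region
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or hit  # only Allow statements reach this line with hit=True
    return allowed
```

Because the Allow statement covers iam:*, a boundary of this shape would also need to deny iam:DeleteUserPermissionsBoundary and iam:PutUserPermissionsBoundary, or the user it constrains could detach it. The page does not say whether WikibotPermissionsBoundary does this.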
Pulumi
- Pulumi account created (or self-managed state backend chosen)
- pulumi CLI installed
- State backend configured (Pulumi Cloud free tier, or S3 bucket)
WorkOS
- WorkOS account created
- Google OAuth provider configured
- GitHub OAuth provider configured
- Apple OAuth provider configured
- API keys available as environment variables
DNS
- wikibot.io domain registered (or dev subdomain chosen)
- DNS hosted in Route 53 (or delegation configured)
Repositories
- wikibot-io private repo created (GitHub)
- Agent has push access (SSH key or token)
Local Dev Environment
- Docker + docker-compose running (for dev wiki)
- Dev wiki running at localhost:8180
- MCP server running at localhost:8190
Agent Container (packnplay)
Agents run inside packnplay containers with --dangerously-skip-permissions. packnplay mounts ~/.claude, handles credentials, creates worktrees, and preserves host paths.
- packnplay installed (brew install obra/tap/packnplay)
- packnplay configured (packnplay configure — enable git, ssh, gh, aws credentials)
- Dev wiki MCP accessible from container — configure MCP endpoint as http://host.docker.internal:8190/mcp (not localhost) since container localhost is the container itself
- Verify: packnplay run --aws-creds claude launches and can reach the wiki MCP
- Agent launch command documented: packnplay run --aws-creds --worktree=<phase> claude --dangerously-skip-permissions