From b59e2098824eb5fe0c1391a5c5285bf194a505f5 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Fri, 15 May 2026 18:21:44 +0000
Subject: [PATCH 1/4] feat: add commit authorship guidance, scheduled PII
 scrub, and improve CI check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Expand pr-pii-check.yml to trigger on PR edited events and issue_comment
  events (covers regular PR thread comments, not just review comments)
- Add scripts/create-pii-scrub-schedule.sh for setting up a recurring Devin
  session to run sanitize-pr-pii.sh weekly via the Devin v3 API
- Document commit authorship configuration via Knowledge notes (§1.6)
- Document scheduled PII scrubbing setup (§1.7)
- Add PII Protection Summary section tying all layers together
---
 .github/workflows/pr-pii-check.yml   |  24 +++++--
 README.md                            | 100 ++++++++++++++++++++++++++-
 scripts/create-pii-scrub-schedule.sh |  93 +++++++++++++++++++++++++
 3 files changed, 212 insertions(+), 5 deletions(-)
 create mode 100755 scripts/create-pii-scrub-schedule.sh

diff --git a/.github/workflows/pr-pii-check.yml b/.github/workflows/pr-pii-check.yml
index f038b65..cd3a546 100644
--- a/.github/workflows/pr-pii-check.yml
+++ b/.github/workflows/pr-pii-check.yml
@@ -2,12 +2,15 @@ name: PR PII Check
 
 on:
   pull_request:
-    types: [opened, synchronize]
+    types: [opened, edited, synchronize]
+  issue_comment:
+    types: [created, edited]
   pull_request_review_comment:
     types: [created, edited]
 
 permissions:
   pull-requests: read
+  issues: read
 
 jobs:
   check-pii:
@@ -15,6 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     if: >-
       github.event_name == 'pull_request' ||
+      (github.event_name == 'issue_comment' && github.event.issue.pull_request) ||
       github.event_name == 'pull_request_review_comment'
     steps:
       - name: Check PR description for PII
@@ -35,14 +39,26 @@ jobs:
           fi
           echo "No PII found in PR description."
 
-      - name: Check comment for PII
-        if: github.event_name == 'pull_request_review_comment'
+      - name: Check issue comment for PII
+        if: github.event_name == 'issue_comment'
         env:
           COMMENT_BODY: ${{ github.event.comment.body }}
         run: |
-          echo "Checking comment for PII patterns..."
+          echo "Checking PR comment for PII patterns..."
           if printf '%s\n' "$COMMENT_BODY" | grep -qPi '^\s*requested\s+by\s*:\s*\S'; then
             echo "::error::Comment contains 'Requested by' PII. Edit the comment to remove it."
             exit 1
           fi
           echo "No PII found in comment."
+
+      - name: Check review comment for PII
+        if: github.event_name == 'pull_request_review_comment'
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
+        run: |
+          echo "Checking review comment for PII patterns..."
+          if printf '%s\n' "$COMMENT_BODY" | grep -qPi '^\s*requested\s+by\s*:\s*\S'; then
+            echo "::error::Comment contains 'Requested by' PII. Edit the comment to remove it."
+            exit 1
+          fi
+          echo "No PII found in review comment."
diff --git a/README.md b/README.md
index 150cff9..5eb815b 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ operator/
 │   ├── close-old-prs.sh              # Close open PRs older than N weeks
 │   ├── delete-stale-branches.sh       # Delete branches with no recent commits
 │   ├── deploy-pr-pii-check.sh        # Deploy PII check CI workflow to all repos
+│   ├── create-pii-scrub-schedule.sh   # Create a scheduled Devin session for weekly PII scrubbing
 │   └── lib/
 │       ├── common.sh                  # Shared functions (API calls, logging, config)
 │       ├── manage-org.sh             # Create/update/delete/list organizations
@@ -205,7 +206,82 @@ To prevent participant PII from leaking into PR descriptions across workshop rep
 ./scripts/deploy-pr-pii-check.sh Cognition-Partner-Workshops-mirror --dry-run
 ```
 
-This creates a PR in each repo adding a GitHub Actions workflow that fails if PR descriptions or review comments contain `Requested by:` PII patterns.
+This creates a PR in each repo adding a GitHub Actions workflow that fails if PR descriptions, issue comments, or review comments contain `Requested by:` PII patterns. The workflow triggers on:
+- PR opened, edited, or synchronized
+- Issue/PR comments created or edited
+- Review comments created or edited
+
+#### 1.6 Configure Commit Authorship (Devin Only)
+
+To prevent participant emails from leaking into git history, configure Devin to always commit as itself rather than the requesting user. This is done via a **Knowledge note** that applies to all sessions in the workshop org:
+
+**Knowledge Note Setup** (Settings → Knowledge in the Devin webapp, or via API):
+
+| Field | Value |
+|---|---|
+| **Name** | `Commit authorship — Devin only` |
+| **Trigger** | `When making git commits in any repository` |
+| **Body** | See below |
+
+```
+Always use the default Devin git identity for commits. Do NOT configure
+git user.name or user.email to match the requesting user. The default
+commit author should remain as "Devin AI <devin-ai-integration[bot]@users.noreply.github.com>".
+
+Never include the requesting user's name or email in commit messages,
+PR descriptions, or branch names.
+```
+
+You can create this via the API:
+
+```bash
+curl -X POST "https://api.devin.ai/v3/organizations/${DEVIN_ORG_ID}/knowledge" \
+  -H "Authorization: Bearer ${DEVIN_API_KEY}" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "Commit authorship — Devin only",
+    "trigger": "When making git commits in any repository",
+    "body": "Always use the default Devin git identity for commits. Do NOT configure git user.name or user.email to match the requesting user. The default commit author should remain as \"Devin AI <devin-ai-integration[bot]@users.noreply.github.com>\".\n\nNever include the requesting user'\''s name or email in commit messages, PR descriptions, or branch names."
+  }'
+```
+
+> **Note:** Devin's default behavior already commits as `devin-ai-integration[bot]`. This Knowledge note acts as a guardrail to prevent sessions from overriding the author (e.g., if a user's prompt asks to set `git config user.email`).
+
+#### 1.7 Set Up Scheduled PII Scrubbing
+
+Even with the CI check in place, PII can slip into PR comments (which aren't blocked by status checks). Set up a recurring Devin session to run `sanitize-pr-pii.sh` weekly:
+
+```bash
+# Create a weekly schedule (Monday 9am UTC)
+./scripts/create-pii-scrub-schedule.sh Cognition-Partner-Workshops-mirror \
+  --org-id=org-xxxxx
+
+# Custom cron (e.g., every Sunday at midnight UTC)
+./scripts/create-pii-scrub-schedule.sh Cognition-Partner-Workshops-mirror \
+  --org-id=org-xxxxx \
+  --cron="0 0 * * 0"
+
+# Preview without creating
+./scripts/create-pii-scrub-schedule.sh Cognition-Partner-Workshops-mirror \
+  --org-id=org-xxxxx \
+  --dry-run
+```
+
+Alternatively, create the schedule directly via the Devin webapp:
+1. Go to **Settings → Schedules** in the target org
+2. Click **New Schedule**
+3. Set frequency to weekly (e.g., `0 9 * * 1`)
+4. Use this prompt:
+   ```
+   Run the PII sanitization script against the Cognition-Partner-Workshops-mirror
+   GitHub organization.
+
+   Steps:
+   1. Clone the operator repo: git clone https://github.com/Cognition-Partner-Workshops/operator.git
+   2. Run: ./scripts/sanitize-pr-pii.sh Cognition-Partner-Workshops-mirror
+   3. Report the results (repos scanned, edits made)
+   ```
+5. Set **Notify on** to "failure" so you're alerted if scrubbing fails
 
 ### Phase 2: Workshop Day
 
@@ -254,6 +330,28 @@ This:
 1. **Clears all git permissions** from the org
 2. **Optionally deletes the org** (with `--delete-org` flag and a 5-second confirmation delay)
 
+## PII Protection Summary
+
+This repo provides a layered approach to preventing participant PII from leaking in workshop environments:
+
+| Layer | Mechanism | Coverage | When |
+|---|---|---|---|
+| **Commit authorship** | Knowledge note (§1.6) | Git history | Every commit (preventive) |
+| **CI check** | `pr-pii-check.yml` (§1.5) | PR descriptions + comments | On PR activity (detective) |
+| **Bulk scrub** | `sanitize-pr-pii.sh` (§3.1) | All PRs in an org | On-demand / post-workshop |
+| **Scheduled scrub** | `create-pii-scrub-schedule.sh` (§1.7) | All PRs in an org | Weekly recurring (automated) |
+
+**What gets detected/removed:**
+- `Requested by: @username` or `Requested by: email@...` lines
+- `Link to Devin session:` footer blocks (which may contain user identifiers)
+- `<!-- devin-review-badge` metadata blocks
+
+**Recommended setup order:**
+1. Deploy the CI workflow to all repos (`deploy-pr-pii-check.sh`)
+2. Configure commit authorship knowledge note
+3. Create the weekly scrub schedule
+4. Run an initial bulk scrub to clean existing PRs
+
 ## API Reference Cheatsheet
 
 See [docs/api-reference-cheatsheet.md](docs/api-reference-cheatsheet.md) for a complete reference of all Devin v3 API endpoints used by these scripts.
diff --git a/scripts/create-pii-scrub-schedule.sh b/scripts/create-pii-scrub-schedule.sh
new file mode 100755
index 0000000..f9bce43
--- /dev/null
+++ b/scripts/create-pii-scrub-schedule.sh
@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+# create-pii-scrub-schedule.sh — Create a scheduled Devin session for weekly PII scrubbing
+#
+# Sets up a recurring Devin session that runs sanitize-pr-pii.sh against a
+# target GitHub org on a weekly schedule.
+#
+# Usage:
+#   ./scripts/create-pii-scrub-schedule.sh <GITHUB_ORG> [OPTIONS]
+#
+# Options:
+#   --org-id=<id>       Devin org ID to create the schedule in (required)
+#   --cron=<expr>       Cron expression (default: "0 9 * * 1" = Monday 9am UTC)
+#   --dry-run           Print the API payload without creating the schedule
+#   --name=<name>       Custom schedule name (default: "Weekly PII Scrub - <GITHUB_ORG>")
+#
+# Prerequisites:
+#   - DEVIN_API_KEY set to a cog_ enterprise service user key
+#   - The operator repo must be accessible to the target Devin org
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/common.sh"
+
+GITHUB_ORG="${1:?Usage: $0 <GITHUB_ORG> --org-id=<devin_org_id> [OPTIONS]}"
+shift
+
+DEVIN_ORG_ID=""
+CRON_EXPR="0 9 * * 1"
+DRY_RUN=false
+SCHEDULE_NAME=""
+
+for arg in "$@"; do
+  case "$arg" in
+    --org-id=*)   DEVIN_ORG_ID="${arg#*=}" ;;
+    --cron=*)     CRON_EXPR="${arg#*=}" ;;
+    --dry-run)    DRY_RUN=true ;;
+    --name=*)     SCHEDULE_NAME="${arg#*=}" ;;
+    -h|--help)
+      sed -n '2,/^[^#]/{ /^#/s/^# \?//p }' "$0"
+      exit 0
+      ;;
+    *) echo "Unknown option: $arg" >&2; exit 1 ;;
+  esac
+done
+
+[[ -z "$DEVIN_ORG_ID" ]] && die "--org-id is required"
+
+if [[ -z "$SCHEDULE_NAME" ]]; then
+  SCHEDULE_NAME="Weekly PII Scrub - ${GITHUB_ORG}"
+fi
+
+PROMPT="Run the PII sanitization script against the ${GITHUB_ORG} GitHub organization.
+
+Steps:
+1. Clone the operator repo: git clone https://github.com/Cognition-Partner-Workshops/operator.git
+2. Run: ./scripts/sanitize-pr-pii.sh ${GITHUB_ORG}
+3. Report the results (repos scanned, edits made)
+
+This removes 'Requested by' PII from all PR descriptions and comments across the org.
+The gh CLI must be authenticated with repo + pull-request scopes."
+
+PAYLOAD=$(jq -n \
+  --arg name "$SCHEDULE_NAME" \
+  --arg prompt "$PROMPT" \
+  --arg frequency "$CRON_EXPR" \
+  '{
+    name: $name,
+    prompt: $prompt,
+    frequency: $frequency,
+    schedule_type: "recurring",
+    notify_on: "failure"
+  }')
+
+info "Schedule config:"
+info "  Name:      ${SCHEDULE_NAME}"
+info "  Org:       ${DEVIN_ORG_ID}"
+info "  Cron:      ${CRON_EXPR}"
+info "  GitHub Org: ${GITHUB_ORG}"
+
+if [[ "$DRY_RUN" == true ]]; then
+  info "[DRY-RUN] Would create schedule with payload:"
+  echo "$PAYLOAD" | jq .
+  exit 0
+fi
+
+info "Creating scheduled session..."
+RESPONSE=$(api_post "/v3/organizations/${DEVIN_ORG_ID}/schedules" "$PAYLOAD")
+
+SCHEDULE_ID=$(echo "$RESPONSE" | jq -r '.schedule_id // .id // "unknown"')
+info "Schedule created: ${SCHEDULE_ID}"
+info "The session will run at cron: ${CRON_EXPR}"
+echo
+echo "$RESPONSE" | jq .

From 8faf70dd36299d1d20180150d36db1ddd6d28dae Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Fri, 15 May 2026 19:08:46 +0000
Subject: [PATCH 2/4] refactor: rework PII/ops docs per feedback

- Frame pr-pii-check.yml as a reference implementation, optionally deployed
  during mirroring via --deploy-pii-check flag on mirror-github-org.sh
- Remove create-pii-scrub-schedule.sh wrapper; document using the v3
  Schedules API and MCP directly instead
- Add Workshop Operations Devin Org section documenting the long-lived
  ops org pattern with enterprise service user secret, recurring schedules,
  and one-time event lifecycle automation (ACU zeroing via MCP)
- Update architecture diagram to include Workshop Operations org
- Rework PII Protection Summary to reference the new approach
---
 README.md                            | 197 ++++++++++++++++++---------
 scripts/create-pii-scrub-schedule.sh |  93 -------------
 scripts/mirror-github-org.sh         |  42 +++++-
 3 files changed, 171 insertions(+), 161 deletions(-)
 delete mode 100755 scripts/create-pii-scrub-schedule.sh

diff --git a/README.md b/README.md
index 5eb815b..b5c6aaf 100644
--- a/README.md
+++ b/README.md
@@ -5,24 +5,31 @@ Automate the provisioning and teardown of Devin Enterprise workshops using the D
 ## Architecture Overview
 
 ```
-┌─────────────────────────────────────────────────────────────┐
-│                   Devin Enterprise                          │
-│                                                             │
-│  ┌──────────────┐   ┌──────────────┐   ┌──────────────┐   │
-│  │  Source Org   │   │  Mirror Org  │   │  Workshop Org│   │
-│  │  (Demo)       │   │  (template)  │   │  (per-event) │   │
-│  └──────┬───────┘   └──────┬───────┘   └──────┬───────┘   │
-│         │                  │                   │            │
-│         ▼                  ▼                   ▼            │
-│  Cognition-Partner-  Cognition-Partner-   Created per      │
-│  Workshops (GH org)  Workshops-mirror     workshop via API │
-│                      (GH org)                              │
-└─────────────────────────────────────────────────────────────┘
+┌──────────────────────────────────────────────────────────────────────┐
+│                       Devin Enterprise                               │
+│                                                                      │
+│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐               │
+│  │  Source Org   │  │  Mirror Org  │  │  Workshop Org│  (per-event)  │
+│  │  (GH org)     │  │  (GH org)    │  │  (Devin org) │               │
+│  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘               │
+│         │                 │                  │                        │
+│         ▼                 ▼                  ▼                        │
+│  Cognition-Partner-  Cognition-Partner-  Created per workshop        │
+│  Workshops           Workshops-mirror    via API; ephemeral          │
+│                                                                      │
+│  ┌────────────────────────────────────┐                              │
+│  │  Workshop Operations Org           │  (long-lived Devin org)      │
+│  │  - Scheduled PII scrubs            │                              │
+│  │  - Event lifecycle automation      │                              │
+│  │  - Enterprise service user secret  │                              │
+│  └────────────────────────────────────┘                              │
+└──────────────────────────────────────────────────────────────────────┘
 ```
 
 **Source org** (`Cognition-Partner-Workshops`) — canonical repos with workshop content.
 **Mirror org** (`Cognition-Partner-Workshops-mirror`) — GitHub org with mirrored repos that the Devin Enterprise GitHub App is installed on. Repos here are copied from the source org before each event.
 **Workshop org** — a Devin org created per workshop event via API. Participants use this org. It gets git permissions scoped to the mirror GitHub org repos, ACU limits, and environment configs set up by Devin sessions.
+**Workshop Operations org** — a long-lived Devin org hosting recurring and one-time scheduled sessions for maintenance and event lifecycle automation. See [Workshop Operations Devin Org](#workshop-operations-devin-org).
 
 ## Prerequisites
 
@@ -73,8 +80,7 @@ operator/
 │   ├── sanitize-pr-pii.sh            # Remove "Requested by" PII from PRs
 │   ├── close-old-prs.sh              # Close open PRs older than N weeks
 │   ├── delete-stale-branches.sh       # Delete branches with no recent commits
-│   ├── deploy-pr-pii-check.sh        # Deploy PII check CI workflow to all repos
-│   ├── create-pii-scrub-schedule.sh   # Create a scheduled Devin session for weekly PII scrubbing
+│   ├── deploy-pr-pii-check.sh        # Deploy PII check CI workflow to repos (standalone)
 │   └── lib/
 │       ├── common.sh                  # Shared functions (API calls, logging, config)
 │       ├── manage-org.sh             # Create/update/delete/list organizations
@@ -112,7 +118,7 @@ Repos from `Cognition-Partner-Workshops` must exist in `Cognition-Partner-Worksh
   --dry-run
 ```
 
-Options: `--include=<glob>`, `--exclude=<glob>`, `--visibility=private`, `--strip-workflows` (default), `--no-skip-existing`, `--config=<file>`.
+Options: `--include=<glob>`, `--exclude=<glob>`, `--visibility=private`, `--strip-workflows` (default), `--no-skip-existing`, `--deploy-pii-check`, `--config=<file>`.
 
 #### 1.2 Create a Workshop Config
 
@@ -191,12 +197,26 @@ If you skipped invitations during provisioning or need to add participants later
 
 The emails file format is one email per line; blank lines and `#` comments are ignored.
 
-#### 1.5 Deploy PII Check Workflow
+#### 1.5 Deploy PII Check Workflow (Optional)
 
-To prevent participant PII from leaking into PR descriptions across workshop repos:
+A reference GitHub Actions workflow (`.github/workflows/pr-pii-check.yml`) is included in this repo. It blocks PRs that contain `Requested by:` PII patterns in descriptions, issue comments, or review comments.
+
+**Option A — Deploy during mirroring:**
+
+```bash
+# Mirror repos AND deploy the PII check workflow in one step
+./scripts/mirror-github-org.sh Cognition-Partner-Workshops Cognition-Partner-Workshops-mirror \
+  --deploy-pii-check
+
+# Mirror without the PII check (default behavior)
+./scripts/mirror-github-org.sh Cognition-Partner-Workshops Cognition-Partner-Workshops-mirror \
+  --no-deploy-pii-check
+```
+
+**Option B — Deploy to existing repos separately:**
 
 ```bash
-# Deploy to all repos in the mirror org
+# Deploy to all repos in the org
 ./scripts/deploy-pr-pii-check.sh Cognition-Partner-Workshops-mirror
 
 # Deploy to specific repos only
@@ -206,16 +226,16 @@ To prevent participant PII from leaking into PR descriptions across workshop rep
 ./scripts/deploy-pr-pii-check.sh Cognition-Partner-Workshops-mirror --dry-run
 ```
 
-This creates a PR in each repo adding a GitHub Actions workflow that fails if PR descriptions, issue comments, or review comments contain `Requested by:` PII patterns. The workflow triggers on:
+The workflow triggers on:
 - PR opened, edited, or synchronized
 - Issue/PR comments created or edited
 - Review comments created or edited
 
-#### 1.6 Configure Commit Authorship (Devin Only)
+This configuration changes infrequently; it can be applied via a manual Devin session when needed.
 
-To prevent participant emails from leaking into git history, configure Devin to always commit as itself rather than the requesting user. This is done via a **Knowledge note** that applies to all sessions in the workshop org:
+#### 1.6 Configure Commit Authorship (Devin Only)
 
-**Knowledge Note Setup** (Settings → Knowledge in the Devin webapp, or via API):
+Devin's default behavior already commits as `devin-ai-integration[bot]`. To add a guardrail preventing sessions from overriding the author (e.g., if a user's prompt asks to set `git config user.email`), create a **Knowledge note** in the workshop org:
 
 | Field | Value |
 |---|---|
@@ -232,7 +252,7 @@ Never include the requesting user's name or email in commit messages,
 PR descriptions, or branch names.
 ```
 
-You can create this via the API:
+Create this via the Devin webapp (**Settings → Knowledge → New Note**) or via the [v3 Knowledge API](https://docs.devin.ai/api-reference/v3/knowledge):
 
 ```bash
 curl -X POST "https://api.devin.ai/v3/organizations/${DEVIN_ORG_ID}/knowledge" \
@@ -245,44 +265,6 @@ curl -X POST "https://api.devin.ai/v3/organizations/${DEVIN_ORG_ID}/knowledge" \
   }'
 ```
 
-> **Note:** Devin's default behavior already commits as `devin-ai-integration[bot]`. This Knowledge note acts as a guardrail to prevent sessions from overriding the author (e.g., if a user's prompt asks to set `git config user.email`).
-
-#### 1.7 Set Up Scheduled PII Scrubbing
-
-Even with the CI check in place, PII can slip into PR comments (which aren't blocked by status checks). Set up a recurring Devin session to run `sanitize-pr-pii.sh` weekly:
-
-```bash
-# Create a weekly schedule (Monday 9am UTC)
-./scripts/create-pii-scrub-schedule.sh Cognition-Partner-Workshops-mirror \
-  --org-id=org-xxxxx
-
-# Custom cron (e.g., every Sunday at midnight UTC)
-./scripts/create-pii-scrub-schedule.sh Cognition-Partner-Workshops-mirror \
-  --org-id=org-xxxxx \
-  --cron="0 0 * * 0"
-
-# Preview without creating
-./scripts/create-pii-scrub-schedule.sh Cognition-Partner-Workshops-mirror \
-  --org-id=org-xxxxx \
-  --dry-run
-```
-
-Alternatively, create the schedule directly via the Devin webapp:
-1. Go to **Settings → Schedules** in the target org
-2. Click **New Schedule**
-3. Set frequency to weekly (e.g., `0 9 * * 1`)
-4. Use this prompt:
-   ```
-   Run the PII sanitization script against the Cognition-Partner-Workshops-mirror
-   GitHub organization.
-
-   Steps:
-   1. Clone the operator repo: git clone https://github.com/Cognition-Partner-Workshops/operator.git
-   2. Run: ./scripts/sanitize-pr-pii.sh Cognition-Partner-Workshops-mirror
-   3. Report the results (repos scanned, edits made)
-   ```
-5. Set **Notify on** to "failure" so you're alerted if scrubbing fails
-
 ### Phase 2: Workshop Day
 
 Participants log into the Devin Enterprise webapp for the workshop org and start sessions using prompts from the event README. The environment configs created in Phase 1 ensure their sessions start with working build environments.
@@ -330,6 +312,86 @@ This:
 1. **Clears all git permissions** from the org
 2. **Optionally deletes the org** (with `--delete-org` flag and a 5-second confirmation delay)
 
+## Workshop Operations Devin Org
+
+Every customer enterprise hosting workshops should create a dedicated **Workshop Operations** Devin org. This org serves as the control plane for all workshop lifecycle automation.
+
+### Purpose
+
+The Workshop Operations org hosts:
+- **Recurring scheduled Devin sessions** for ongoing maintenance (e.g., weekly PII scrubbing)
+- **One-time scheduled Devin sessions** for event lifecycle events (e.g., zeroing ACU limits at event conclusion)
+- **Manual Devin sessions** for ad-hoc operations (e.g., deploying CI workflows, mirroring repos)
+
+All sessions in this org have access to the reference scripts in this repository.
+
+### Setup
+
+1. **Create the org** via the Devin Enterprise webapp or API:
+   ```bash
+   curl -X POST "https://api.devin.ai/v3/enterprise/organizations" \
+     -H "Authorization: Bearer ${DEVIN_API_KEY}" \
+     -H "Content-Type: application/json" \
+     -d '{"name": "Workshop Operations", "max_session_acu_limit": 50, "max_cycle_acu_limit": 500}'
+   ```
+
+2. **Add an org secret** with the enterprise service user API key:
+   - Go to **Settings → Secrets** in the Workshop Operations org
+   - Create a secret named `DEVIN_API_KEY` with the `cog_`-prefixed enterprise service user key
+   - This key needs: `ManageOrganizations`, `ManageGitIntegrations`, `ManageOrgSessions`, `ImpersonateOrgSessions`, `ManageAccountMembership`
+
+3. **Grant git permissions** for this operator repo so Devin sessions can clone it
+
+4. **Create a Knowledge note** (optional) so sessions know the org context:
+   | Field | Value |
+   |---|---|
+   | **Name** | `Workshop Operations context` |
+   | **Trigger** | `When running workshop operations or maintenance tasks` |
+   | **Body** | `This is the Workshop Operations org. Use the operator repo (Cognition-Partner-Workshops/operator) for reference scripts. The DEVIN_API_KEY org secret contains the enterprise service user key for API operations.` |
+
+### Recurring Schedules
+
+Create schedules using the [Devin v3 Schedules API](https://docs.devin.ai/api-reference/v3/schedules/organizations-schedules.md) or from within a Devin session via MCP (`devin_schedule_manage`).
+
+**Weekly PII Scrub** — scrubs `Requested by` PII from all PRs across the mirror org:
+
+```bash
+curl -X POST "https://api.devin.ai/v3/organizations/${OPS_ORG_ID}/schedules" \
+  -H "Authorization: Bearer ${DEVIN_API_KEY}" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "Weekly PII Scrub",
+    "prompt": "Clone the operator repo (Cognition-Partner-Workshops/operator) and run: ./scripts/sanitize-pr-pii.sh Cognition-Partner-Workshops-mirror\n\nReport the number of repos scanned and edits made.",
+    "frequency": "0 9 * * 1",
+    "schedule_type": "recurring",
+    "notify_on": "failure"
+  }'
+```
+
+Or via the Devin webapp: **Settings → Schedules → New Schedule** with cron `0 9 * * 1`.
+
+A Devin session running in the Workshop Operations org can also create this schedule via MCP:
+```
+Use the devin_schedule_manage MCP tool to create a recurring schedule named
+"Weekly PII Scrub" with cron "0 9 * * 1" that runs sanitize-pr-pii.sh
+against the Cognition-Partner-Workshops-mirror org.
+```
+
+### One-Time Event Schedules
+
+**End-of-event ACU zeroing** — schedule a one-time session to set the workshop org's ACU limit to 0 at event conclusion:
+
+From within a Devin session in the Workshop Operations org, use MCP to create a one-time scheduled session:
+
+```
+Use the devin_schedule_manage MCP tool to create a one-time schedule named
+"Zero ACU - <Event Name>" scheduled for <end_datetime_iso8601> that updates
+the workshop org <org_id> to set max_cycle_acu_limit to 0, preventing any
+further sessions from running.
+```
+
+This is preferred over calling the API directly because the Devin session handles auth via the org's `DEVIN_API_KEY` secret and can use the MCP tool natively.
+
 ## PII Protection Summary
 
 This repo provides a layered approach to preventing participant PII from leaking in workshop environments:
@@ -339,7 +401,7 @@ This repo provides a layered approach to preventing participant PII from leaking
 | **Commit authorship** | Knowledge note (§1.6) | Git history | Every commit (preventive) |
 | **CI check** | `pr-pii-check.yml` (§1.5) | PR descriptions + comments | On PR activity (detective) |
 | **Bulk scrub** | `sanitize-pr-pii.sh` (§3.1) | All PRs in an org | On-demand / post-workshop |
-| **Scheduled scrub** | `create-pii-scrub-schedule.sh` (§1.7) | All PRs in an org | Weekly recurring (automated) |
+| **Scheduled scrub** | v3 Schedules API | All PRs in an org | Weekly recurring (automated) |
 
 **What gets detected/removed:**
 - `Requested by: @username` or `Requested by: email@...` lines
@@ -347,10 +409,11 @@ This repo provides a layered approach to preventing participant PII from leaking
 - `<!-- devin-review-badge` metadata blocks
 
 **Recommended setup order:**
-1. Deploy the CI workflow to all repos (`deploy-pr-pii-check.sh`)
-2. Configure commit authorship knowledge note
-3. Create the weekly scrub schedule
-4. Run an initial bulk scrub to clean existing PRs
+1. Create the Workshop Operations Devin org with the enterprise service user secret
+2. Deploy the CI workflow to repos (during mirroring with `--deploy-pii-check` or standalone)
+3. Configure commit authorship knowledge note in each workshop org
+4. Create the weekly PII scrub schedule in the Workshop Operations org
+5. Run an initial bulk scrub to clean existing PRs
 
 ## API Reference Cheatsheet
 
diff --git a/scripts/create-pii-scrub-schedule.sh b/scripts/create-pii-scrub-schedule.sh
deleted file mode 100755
index f9bce43..0000000
--- a/scripts/create-pii-scrub-schedule.sh
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/env bash
-# create-pii-scrub-schedule.sh — Create a scheduled Devin session for weekly PII scrubbing
-#
-# Sets up a recurring Devin session that runs sanitize-pr-pii.sh against a
-# target GitHub org on a weekly schedule.
-#
-# Usage:
-#   ./scripts/create-pii-scrub-schedule.sh <GITHUB_ORG> [OPTIONS]
-#
-# Options:
-#   --org-id=<id>       Devin org ID to create the schedule in (required)
-#   --cron=<expr>       Cron expression (default: "0 9 * * 1" = Monday 9am UTC)
-#   --dry-run           Print the API payload without creating the schedule
-#   --name=<name>       Custom schedule name (default: "Weekly PII Scrub - <GITHUB_ORG>")
-#
-# Prerequisites:
-#   - DEVIN_API_KEY set to a cog_ enterprise service user key
-#   - The operator repo must be accessible to the target Devin org
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-source "${SCRIPT_DIR}/lib/common.sh"
-
-GITHUB_ORG="${1:?Usage: $0 <GITHUB_ORG> --org-id=<devin_org_id> [OPTIONS]}"
-shift
-
-DEVIN_ORG_ID=""
-CRON_EXPR="0 9 * * 1"
-DRY_RUN=false
-SCHEDULE_NAME=""
-
-for arg in "$@"; do
-  case "$arg" in
-    --org-id=*)   DEVIN_ORG_ID="${arg#*=}" ;;
-    --cron=*)     CRON_EXPR="${arg#*=}" ;;
-    --dry-run)    DRY_RUN=true ;;
-    --name=*)     SCHEDULE_NAME="${arg#*=}" ;;
-    -h|--help)
-      sed -n '2,/^[^#]/{ /^#/s/^# \?//p }' "$0"
-      exit 0
-      ;;
-    *) echo "Unknown option: $arg" >&2; exit 1 ;;
-  esac
-done
-
-[[ -z "$DEVIN_ORG_ID" ]] && die "--org-id is required"
-
-if [[ -z "$SCHEDULE_NAME" ]]; then
-  SCHEDULE_NAME="Weekly PII Scrub - ${GITHUB_ORG}"
-fi
-
-PROMPT="Run the PII sanitization script against the ${GITHUB_ORG} GitHub organization.
-
-Steps:
-1. Clone the operator repo: git clone https://github.com/Cognition-Partner-Workshops/operator.git
-2. Run: ./scripts/sanitize-pr-pii.sh ${GITHUB_ORG}
-3. Report the results (repos scanned, edits made)
-
-This removes 'Requested by' PII from all PR descriptions and comments across the org.
-The gh CLI must be authenticated with repo + pull-request scopes."
-
-PAYLOAD=$(jq -n \
-  --arg name "$SCHEDULE_NAME" \
-  --arg prompt "$PROMPT" \
-  --arg frequency "$CRON_EXPR" \
-  '{
-    name: $name,
-    prompt: $prompt,
-    frequency: $frequency,
-    schedule_type: "recurring",
-    notify_on: "failure"
-  }')
-
-info "Schedule config:"
-info "  Name:      ${SCHEDULE_NAME}"
-info "  Org:       ${DEVIN_ORG_ID}"
-info "  Cron:      ${CRON_EXPR}"
-info "  GitHub Org: ${GITHUB_ORG}"
-
-if [[ "$DRY_RUN" == true ]]; then
-  info "[DRY-RUN] Would create schedule with payload:"
-  echo "$PAYLOAD" | jq .
-  exit 0
-fi
-
-info "Creating scheduled session..."
-RESPONSE=$(api_post "/v3/organizations/${DEVIN_ORG_ID}/schedules" "$PAYLOAD")
-
-SCHEDULE_ID=$(echo "$RESPONSE" | jq -r '.schedule_id // .id // "unknown"')
-info "Schedule created: ${SCHEDULE_ID}"
-info "The session will run at cron: ${CRON_EXPR}"
-echo
-echo "$RESPONSE" | jq .
diff --git a/scripts/mirror-github-org.sh b/scripts/mirror-github-org.sh
index eb0c7ad..28d64a1 100755
--- a/scripts/mirror-github-org.sh
+++ b/scripts/mirror-github-org.sh
@@ -17,6 +17,8 @@
 #   --visibility=<v>       Target repo visibility: public, private (default: private)
 #   --strip-workflows      Remove .github/workflows/ from all branches (default)
 #   --no-strip-workflows   Keep workflows as-is
+#   --deploy-pii-check     Add the reference pr-pii-check.yml workflow to mirrored repos
+#   --no-deploy-pii-check  Skip PII check deployment (default)
 #   --config=<file>        Read repo list from a workshop config JSON instead of listing the source org
 #
 # Prerequisites:
@@ -37,6 +39,7 @@ EXCLUDE_PATTERN=""
 SKIP_EXISTING=true
 VISIBILITY="private"
 STRIP_WORKFLOWS=true
+DEPLOY_PII_CHECK=false
 CONFIG_FILE=""
 
 for arg in "$@"; do
@@ -49,6 +52,8 @@ for arg in "$@"; do
     --visibility=*)        VISIBILITY="${arg#*=}" ;;
     --strip-workflows)     STRIP_WORKFLOWS=true ;;
     --no-strip-workflows)  STRIP_WORKFLOWS=false ;;
+    --deploy-pii-check)    DEPLOY_PII_CHECK=true ;;
+    --no-deploy-pii-check) DEPLOY_PII_CHECK=false ;;
     --config=*)            CONFIG_FILE="${arg#*=}" ;;
     -h|--help)
       sed -n '2,/^[^#]/{ /^#/s/^# \?//p }' "$0"
@@ -66,9 +71,17 @@ trap 'rm -rf "$WORK_DIR"' EXIT
 
 log() { echo "[$(date -u +%H:%M:%S)] $*" | tee -a "$LOGFILE"; }
 
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PII_CHECK_SRC="${SCRIPT_DIR}/../.github/workflows/pr-pii-check.yml"
+
+if [[ "$DEPLOY_PII_CHECK" == "true" && ! -f "$PII_CHECK_SRC" ]]; then
+  echo "ERROR: --deploy-pii-check requested but workflow not found at ${PII_CHECK_SRC}" >&2
+  exit 1
+fi
+
 log "=== GitHub Org Mirror ==="
 log "Source: ${SOURCE_ORG} -> Target: ${TARGET_ORG}"
-log "Visibility: ${VISIBILITY} | Strip workflows: ${STRIP_WORKFLOWS} | Dry run: ${DRY_RUN}"
+log "Visibility: ${VISIBILITY} | Strip workflows: ${STRIP_WORKFLOWS} | Deploy PII check: ${DEPLOY_PII_CHECK} | Dry run: ${DRY_RUN}"
 
 # ---------------------------------------------------------------------------
 # Collect repo names
@@ -184,6 +197,16 @@ for repo_name in "${REPO_NAMES[@]}"; do
       fi
     done
 
+    # Optionally add the PII check workflow to the default branch
+    if [[ "$DEPLOY_PII_CHECK" == "true" ]]; then
+      git checkout "$default_branch" 2>>"$LOGFILE"
+      mkdir -p .github/workflows
+      cp "$PII_CHECK_SRC" .github/workflows/pr-pii-check.yml
+      git add .github/workflows/pr-pii-check.yml
+      git commit -m "Add PR PII check workflow (reference implementation)" 2>>"$LOGFILE" || true
+      log "  Added PII check workflow to ${repo_name}"
+    fi
+
     git checkout "$default_branch" 2>>"$LOGFILE"
     cd - >/dev/null
 
@@ -192,6 +215,23 @@ for repo_name in "${REPO_NAMES[@]}"; do
     rm -rf "$local_dir"
   fi
 
+  # Deploy PII check even when not stripping workflows (standalone)
+  if [[ "$DEPLOY_PII_CHECK" == "true" && "$STRIP_WORKFLOWS" != "true" ]]; then
+    local_dir="${WORK_DIR}/${repo_name}-pii"
+    git clone "$clone_dir" "$local_dir" 2>>"$LOGFILE"
+    cd "$local_dir"
+    git checkout "$default_branch" 2>>"$LOGFILE"
+    mkdir -p .github/workflows
+    cp "$PII_CHECK_SRC" .github/workflows/pr-pii-check.yml
+    git add .github/workflows/pr-pii-check.yml
+    git commit -m "Add PR PII check workflow (reference implementation)" 2>>"$LOGFILE" || true
+    log "  Added PII check workflow to ${repo_name}"
+    cd - >/dev/null
+    rm -rf "$clone_dir"
+    git clone --bare "$local_dir" "$clone_dir" 2>>"$LOGFILE"
+    rm -rf "$local_dir"
+  fi
+
   # Create target repo
   if ! gh api "orgs/${TARGET_ORG}/repos" \
     -X POST \

From f35789b0daa6e1d70aba24f00ff889aed7677a37 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 06:03:23 +0000
Subject: [PATCH 3/4] feat: dispatch env blueprint auto-creation session during
 provisioning

Adds Step 4 to provision-workshop.sh that dispatches a single Devin session
in the newly created org to auto-create environment YAML config blueprints
for all repos. This indexes the repos so Devin sessions boot faster.

- New --skip-env-setup flag to skip this step if repos are already indexed
- Session prompt instructs Devin to read setup docs and create blueprints
  with initialize/maintenance/knowledge sections for each repo
- Updated README to document the new step and flag
---
 README.md                     | 14 +++---
 scripts/provision-workshop.sh | 85 ++++++++++++++++++++++++++++-------
 2 files changed, 79 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index b5c6aaf..8cb6884 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ operator/
 │   └── dc-april-2026.json            # Example: DC April 2026 workshop
 ├── scripts/
 │   ├── verify-auth.sh                 # Verify API key and list enterprise state
-│   ├── provision-workshop.sh          # End-to-end: create org → permissions → invites → sessions
+│   ├── provision-workshop.sh          # End-to-end: create org → permissions → env blueprints → sessions
 │   ├── teardown-workshop.sh           # Remove org and clean up permissions
 │   ├── invite-participants.sh         # Invite users by email to an org
 │   ├── mirror-github-org.sh           # Mirror repos between GitHub orgs
@@ -160,15 +160,18 @@ Copy `configs/_template.json` and fill in the event details:
 #### 1.3 Provision the Workshop
 
 ```bash
-# Full provisioning (creates org, sets permissions, invites participants, runs setup sessions)
+# Full provisioning (creates org, sets permissions, invites, env blueprints, setup sessions)
 ./scripts/provision-workshop.sh --config configs/dc-april-2026.json
 
 # Use an existing org (updates ACU limits, re-sets permissions)
 ./scripts/provision-workshop.sh --config configs/dc-april-2026.json --org-id org-existing-id
 
-# Skip sessions if env configs are already set up
+# Skip per-repo setup sessions if env configs are already set up
 ./scripts/provision-workshop.sh --config configs/dc-april-2026.json --skip-sessions
 
+# Skip env blueprint auto-creation (repos already indexed)
+./scripts/provision-workshop.sh --config configs/dc-april-2026.json --skip-env-setup
+
 # Skip invitations (do them separately later)
 ./scripts/provision-workshop.sh --config configs/dc-april-2026.json --skip-invites
 
@@ -180,8 +183,9 @@ This script:
 1. **Creates a new Devin org** with the configured name and ACU limits
 2. **Adds git permissions** for each repo in the config, scoped to the new org
 3. **Invites participants** from the emails file (enterprise invite + org assignment)
-4. **Invokes Devin sessions** (one per repo) to set up the environment config YAML
-5. **Outputs** the org ID, session URLs, and a summary
+4. **Dispatches an env blueprint session** — a single Devin session that auto-creates environment YAML config blueprints for all repos (indexes the repos)
+5. **Invokes per-repo setup sessions** to do any repo-specific setup defined by the prompt template
+6. **Outputs** the org ID, session URLs, and a summary
 
 #### 1.4 Invite Participants Separately
 
diff --git a/scripts/provision-workshop.sh b/scripts/provision-workshop.sh
index 37738f9..afe1730 100755
--- a/scripts/provision-workshop.sh
+++ b/scripts/provision-workshop.sh
@@ -1,8 +1,9 @@
 #!/usr/bin/env bash
 # provision-workshop.sh — End-to-end workshop provisioning
 #
-# Creates a Devin org, sets git permissions for workshop repos, and invokes
-# Devin sessions to set up environment config YAMLs for each repo.
+# Creates a Devin org, sets git permissions for workshop repos, dispatches an
+# environment blueprint auto-creation session to index all repos, and invokes
+# per-repo Devin setup sessions.
 #
 # Usage:
 #   ./provision-workshop.sh --config configs/dc-april-2026.json
@@ -22,23 +23,26 @@ source "${SCRIPT_DIR}/lib/invoke-setup.sh"
 CONFIG_FILE=""
 SKIP_SESSIONS=false
 SKIP_INVITES=false
+SKIP_ENV_SETUP=false
 EXISTING_ORG_ID=""
 EMAILS_FILE=""
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
-    --config)        CONFIG_FILE="$2"; shift 2 ;;
-    --skip-sessions) SKIP_SESSIONS=true; shift ;;
-    --skip-invites)  SKIP_INVITES=true; shift ;;
-    --org-id)        EXISTING_ORG_ID="$2"; shift 2 ;;
-    --emails-file)   EMAILS_FILE="$2"; shift 2 ;;
+    --config)         CONFIG_FILE="$2"; shift 2 ;;
+    --skip-sessions)  SKIP_SESSIONS=true; shift ;;
+    --skip-invites)   SKIP_INVITES=true; shift ;;
+    --skip-env-setup) SKIP_ENV_SETUP=true; shift ;;
+    --org-id)         EXISTING_ORG_ID="$2"; shift 2 ;;
+    --emails-file)    EMAILS_FILE="$2"; shift 2 ;;
     -h|--help)
-      echo "Usage: $0 --config <config.json> [--skip-sessions] [--skip-invites] [--org-id <org-id>] [--emails-file <file>]"
+      echo "Usage: $0 --config <config.json> [--skip-sessions] [--skip-invites] [--skip-env-setup] [--org-id <org-id>] [--emails-file <file>]"
       echo
       echo "Options:"
       echo "  --config <file>     Path to workshop config JSON (required)"
       echo "  --skip-sessions     Skip invoking Devin setup sessions"
       echo "  --skip-invites      Skip participant invitations"
+      echo "  --skip-env-setup    Skip dispatching env blueprint auto-creation session"
       echo "  --org-id <id>       Use an existing org instead of creating one"
       echo "  --emails-file <f>   File with participant emails (one per line)"
       exit 0
@@ -82,6 +86,7 @@ echo "  ACU limits     : session=${MAX_SESSION_ACU}, cycle=${MAX_CYCLE_ACU}"
 echo "  Setup user     : ${SETUP_USER_ID:-none (service user)}"
 echo "  Emails file    : ${EMAILS_FILE:-none}"
 echo "  Skip sessions  : ${SKIP_SESSIONS}"
+echo "  Skip env setup : ${SKIP_ENV_SETUP}"
 echo "  Skip invites   : ${SKIP_INVITES}"
 echo "============================================"
 echo
@@ -144,7 +149,53 @@ fi
 echo
 
 # ---------------------------------------------------------------------------
-# Step 4: Invoke Devin setup sessions (one per repo)
+# Step 4: Dispatch env blueprint auto-creation session
+# ---------------------------------------------------------------------------
+ENV_SESSION_ID=""
+if [[ "$SKIP_ENV_SETUP" == "true" ]]; then
+  info "Skipping env blueprint session (--skip-env-setup)"
+else
+  info "Dispatching environment blueprint auto-creation session..."
+
+  # Build a repo list for the prompt
+  REPO_LIST=""
+  for repo in "${REPOS[@]}"; do
+    REPO_LIST="${REPO_LIST}\n- ${repo}"
+  done
+
+  ENV_PROMPT="Create Devin environment YAML config blueprints for all repositories in this organization. \
+The repos to configure are:
+${REPO_LIST}
+
+For each repo:
+1. Read the README and any setup docs (package.json, pyproject.toml, Makefile, etc.)
+2. Create an environment blueprint with appropriate initialize and maintenance sections
+3. Add knowledge entries for lint, test, and startup commands where discoverable
+
+Do NOT start services in the initialize section — only install tools and dependencies. \
+Use incremental dependency commands in maintenance (e.g. npm install, not npm ci)."
+
+  env_session_json=$(create_session "$ORG_ID" "$ENV_PROMPT" "$SETUP_USER_ID") || {
+    warn "Failed to create env blueprint session — continuing with remaining steps"
+  }
+
+  if [[ -n "$env_session_json" ]]; then
+    ENV_SESSION_ID=$(echo "$env_session_json" | jq -r '.session_id')
+    ENV_SESSION_URL=$(echo "$env_session_json" | jq -r '.url')
+    echo
+    echo "============================================"
+    echo "  Env Blueprint Session"
+    echo "============================================"
+    echo "  Session: ${ENV_SESSION_ID}"
+    echo "  URL:     ${ENV_SESSION_URL}"
+    echo "  Task:    Auto-create environment config blueprints for all repos"
+    echo "============================================"
+  fi
+fi
+echo
+
+# ---------------------------------------------------------------------------
+# Step 5: Invoke Devin setup sessions (one per repo)
 # ---------------------------------------------------------------------------
 if [[ "$SKIP_SESSIONS" == "true" ]]; then
   info "Skipping session creation (--skip-sessions)"
@@ -171,14 +222,18 @@ echo "============================================"
 echo "  Org ID         : ${ORG_ID}"
 echo "  Org name       : ${ORG_NAME}"
 echo "  Repos          : ${#REPOS[@]}"
+if [[ -n "$ENV_SESSION_ID" ]]; then
+  echo "  Env blueprint  : ${ENV_SESSION_ID}"
+fi
 if [[ "$SKIP_SESSIONS" != "true" ]]; then
-  echo "  Sessions       : $(echo "$sessions_json" | jq length)"
+  echo "  Setup sessions : $(echo "$sessions_json" | jq length)"
 fi
 echo
 echo "  Next steps:"
-echo "    1. Monitor setup sessions in the Devin webapp or poll via API"
-echo "    2. Once sessions complete, env config YAMLs are ready for participants"
-echo "    3. Share the workshop org URL with participants"
-echo "    4. After the workshop: ./scripts/cleanup-all.sh <GITHUB_ORG>
-    5. Tear down the org:    ./scripts/teardown-workshop.sh --org-id ${ORG_ID}"
+echo "    1. Monitor the env blueprint session — it will create environment configs for all repos"
+echo "    2. Monitor setup sessions in the Devin webapp or poll via API"
+echo "    3. Once sessions complete, repos are indexed and ready for participants"
+echo "    4. Share the workshop org URL with participants"
+echo "    5. After the workshop: ./scripts/cleanup-all.sh <GITHUB_ORG>"
+echo "    6. Tear down the org: ./scripts/teardown-workshop.sh --org-id ${ORG_ID}"
 echo

From a6f6ab9d97015dcf089532a309e8df7cd75b50a3 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 06:07:35 +0000
Subject: [PATCH 4/4] fix: use actual newlines for repo list in env blueprint
 prompt

---
 scripts/provision-workshop.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/provision-workshop.sh b/scripts/provision-workshop.sh
index afe1730..7b146f1 100755
--- a/scripts/provision-workshop.sh
+++ b/scripts/provision-workshop.sh
@@ -160,7 +160,8 @@ else
   # Build a repo list for the prompt
   REPO_LIST=""
   for repo in "${REPOS[@]}"; do
-    REPO_LIST="${REPO_LIST}\n- ${repo}"
+    REPO_LIST="${REPO_LIST}
+- ${repo}"
   done
 
   ENV_PROMPT="Create Devin environment YAML config blueprints for all repositories in this organization. \