## What to build

Implement `jotsmith setup` per PRD §6.1. This is the first slice that writes to Azure. It enables static website hosting if needed, creates the RSA 2048 signing key if missing, uploads the discovery doc and JWKS, and writes the local config file. Re-running setup with the same args is a no-op for KV state and a refresh-upload for storage state. `--force` rotates the signing key (same effect as `key rotate` from a later slice).

The only control-plane mutation this tool is ever allowed to make (per ADR-0002) is enabling static website hosting on an existing SA. No other resource provisioning is added.

## Acceptance criteria

- `jotsmith setup --subscription <id> --storage-account <name> --key-vault <name> [--key-name signing-key] [--force] [--force-issuer-rewrite]`
- `DefaultAzureCredential` failure prints which chain step failed and the resolved tenant (if any); exits non-zero
- `GetPrimaryEndpoints.Web` after enable; freezes it (trailing `/` stripped) as config `issuer`
- If KV is in legacy access-policy mode, refuses with the same error as `doctor`
- If KV key with `--key-name` exists and is enabled: kept as-is unless `--force`, in which case a new version is created
- If KV key does not exist: created as RSA 2048 with `keyOps: [sign, verify]`
- JWK computed from current public key; `kid` = RFC 7638 thumbprint
- Discovery doc + JWKS uploaded (overwriting) to `$web/<discovery_path>` and `$web/<jwks_path>` with `Content-Type: application/json` and `Cache-Control: no-cache`
- Config file written to the resolved path after the upload succeeds (no half-written config)
- Re-running setup with the same args is idempotent: no-op for KV, refresh-upload for storage
- `--force` documented in `--help` as "rotates the key (same effect as `key rotate`)"
- `--force-issuer-rewrite` lets the user opt into rewriting config `issuer` when the SA endpoint legitimately changed (used by `doctor`'s repair flow in a later slice)
- Confirmation prompt before destructive operations (`--force` rotation, `--force-issuer-rewrite`) unless `--yes`
- Integration test behind `//go:build integration` documents required RBAC

## Blocked by

- `jwk` + `discovery show` + `jwks show`

Originally created in OpenCode session ID: ses_17ca8efd8ffexLcFSysAMDVNBQ
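The "JWK computed from current public key; kid = RFC 7638 thumbprint" and JWKS-upload criteria above, as an added example that is not jotsmith's own code: it computes the RFC 7638 thumbprint over the canonical `{"e","kty","n"}` serialisation and renders the JWKS document. The `use`/`alg` members and the locally generated key in `main` are assumptions; the criteria fix only `kty`, `kid`, `n`, `e` and RSA 2048.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// rsaMembers: JWK members of an RSA public key, base64url without padding (RFC 7518 §6.3.1).
func rsaMembers(pub *rsa.PublicKey) map[string]string {
	enc := base64.RawURLEncoding.EncodeToString
	return map[string]string{"e": enc(big.NewInt(int64(pub.E)).Bytes()), "kty": "RSA", "n": enc(pub.N.Bytes())}
}

// Thumbprint is the RFC 7638 kid: SHA-256 over the required members serialised with
// lexicographically sorted keys and no whitespace. json.Marshal of a map does exactly that.
func Thumbprint(pub *rsa.PublicKey) (string, error) {
	canon, err := json.Marshal(rsaMembers(pub)) // {"e":"...","kty":"RSA","n":"..."}
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// BuildJWKS renders the document that setup uploads to $web/<jwks_path>.
// "use" and "alg" are assumed values; the criteria fix only kty, kid, n and e.
func BuildJWKS(pub *rsa.PublicKey) ([]byte, error) {
	kid, err := Thumbprint(pub)
	if err != nil {
		return nil, err
	}
	m := rsaMembers(pub)
	key := map[string]string{"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256", "n": m["n"], "e": m["e"]}
	return json.Marshal(map[string]interface{}{"keys": []map[string]string{key}})
}

func main() {
	// Stand-in for the Key Vault key: a locally generated RSA 2048 key (constructed input).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	jwks, _ := BuildJWKS(&priv.PublicKey)
	fmt.Println(string(jwks))
}
```

Because the kid is derived from the public key alone, a re-run against an unchanged Key Vault key reproduces the same JWKS byte-for-byte, which is what makes the refresh-upload safe.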