Skip to content

Commit f16fece

Browse files
docs(skill): update setup.md — headless flow, install instructions, remove outdated steps [skip release]
1 parent 1b36d8c commit f16fece

1 file changed

Lines changed: 87 additions & 71 deletions

File tree

skills/workit/setup.md

Lines changed: 87 additions & 71 deletions
Original file line numberDiff line numberDiff line change
@@ -2,90 +2,106 @@
22

33
## Quick Start (no GCP setup needed)
44

5-
The `wk` binary includes a shared OAuth client via `auth.automagik.dev`.
6-
No GCP console, no credentials.json, no client secrets required.
5+
The `wk` binary ships with a shared OAuth client via `auth.automagik.dev`.
6+
**No GCP console, no credentials.json, no client secrets required.**
77

8-
**Desktop/laptop:**
8+
Install:
9+
```bash
10+
# Linux amd64
11+
curl -sSL https://github.com/automagik-dev/workit/releases/latest/download/workit_linux_amd64.tar.gz | tar xz -C ~/.local/bin
12+
# macOS arm64
13+
curl -sSL https://github.com/automagik-dev/workit/releases/latest/download/workit_darwin_arm64.tar.gz | tar xz -C ~/.local/bin
14+
```
15+
16+
Check: `wk version` and `wk auth status`
17+
18+
---
19+
20+
## Auth flows by environment
21+
22+
### Desktop / laptop
923
```bash
1024
wk auth manage # opens browser, auto-closes after login
11-
wk gmail search 'newer_than:1d'
1225
```
1326

14-
**Remote server / VPS (SSH):**
27+
### Remote server / VPS (SSH headless)
1528
```bash
16-
wk auth manage # prints URL with server IP — open in your browser
17-
# After login, server auto-closes
18-
wk gmail search 'newer_than:1d'
29+
wk auth manage # detects no TTY, prints URL with server outbound IP
30+
# Open printed URL in your browser — auth completes automatically
1931
```
2032

21-
**Agent / headless automation:**
33+
### Agent / automation (fully unattended)
2234
```bash
23-
wk auth manage --print-url # prints {"url":"http://IP:PORT","port":8085}
24-
# User opens URL, logs in; your code polls:
25-
wk auth poll <state> # returns token when ready
35+
wk auth add user@example.com --headless --no-input
36+
# Prints a Google login URL. User (or automation) opens it.
37+
# CLI polls auth.automagik.dev until token arrives, then stores it.
2638
```
2739

28-
**Linux headless (no D-Bus):**
29-
Keyring is auto-configured. After `wk auth manage`, source the generated file:
40+
### Get just the URL (for scripting)
3041
```bash
31-
source ~/.config/workit/credentials.env
42+
wk auth manage --print-url # prints JSON: {"url":"https://...","state":"..."}
3243
```
3344

34-
Use this file for account setup, token lifecycle, and Workspace service-account flows.
45+
**Linux headless keyring:** auto-configured. No manual setup or `source` needed after v2.260227.4+.
46+
47+
---
3548

3649
## 1) Inspect auth state
37-
- `wk auth status`
38-
- `wk auth list`
39-
- `wk auth services`
40-
41-
## 2) Login (interactive OAuth)
42-
- **Recommended entry point:** `wk auth manage` — opens account manager UI, works on desktop and headless/remote servers (binds to 0.0.0.0, shows outbound IP, auto-closes after auth)
43-
- Add account directly: `wk auth add <email>`
44-
- Remove account: `wk auth remove <email>`
45-
46-
## 3) Multi-account workflows
47-
- List accounts: `wk auth list`
48-
- Per-command account selection: `wk -a user@company.com drive ls`
49-
- Use aliases:
50-
- `wk auth alias set work user@company.com`
51-
- `wk auth alias list`
52-
- `wk auth alias unset work`
53-
54-
## 4) Headless OAuth flow
55-
- **Recommended:** `wk auth manage` — binds to 0.0.0.0, shows outbound IP for remote access, auto-closes after auth
56-
- For agents/automation (prints JSON with URL): `wk auth manage --print-url`
57-
- Legacy: `wk auth add user@company.com --headless --no-input`
58-
- Poll completion manually: `wk auth poll <state>`
59-
- No manual keyring setup needed on Linux headless — auto-configured automatically
60-
61-
## 5) Token management
62-
- List token keys: `wk auth tokens list`
63-
- Export token (sensitive): `wk auth tokens export <key> --out token.json`
64-
- Import token (sensitive): `wk auth tokens import <inPath>`
65-
- Delete token: `wk auth tokens delete <key>`
66-
67-
## 6) OAuth client credentials
68-
- List clients: `wk auth credentials list`
69-
- Set client from credentials.json: `wk auth credentials set <credentials-json-path> [--domain example.com]`
70-
- Select client on commands: `wk --client <name> gmail search 'in:inbox'`
71-
72-
## 7) Keyring backend
73-
- Show/set backend: `wk auth keyring [backend]`
74-
- Verify with: `wk auth status`
75-
76-
## 8) Service account (Workspace only)
77-
- Store key for domain-wide delegation:
78-
- `wk auth service-account set --key /path/key.json <impersonate@company.com>`
79-
- Check status:
80-
- `wk auth service-account status`
81-
- Remove key:
82-
- `wk auth service-account unset`
83-
84-
## 9) Keep-specific service account (Workspace only)
85-
- `wk auth keep --key /path/key.json admin@company.com`
86-
87-
## 10) Recommended auth pattern in agents
88-
1. `wk auth status`
89-
2. choose account (`-a`) and optional `--client`
90-
3. run read checks with `--read-only`
91-
4. run writes with `--dry-run`, then execute after confirmation
50+
```bash
51+
wk auth status # overall state + keyring backend
52+
wk auth list # all stored accounts
53+
wk auth services # services enabled per account
54+
```
55+
56+
## 2) Add / remove accounts
57+
```bash
58+
wk auth manage # recommended: interactive account manager
59+
wk auth add user@example.com # direct add (browser opens)
60+
wk auth add user@example.com --headless # headless: prints URL, polls until done
61+
wk auth remove user@example.com
62+
```
63+
64+
## 3) Multi-account
65+
```bash
66+
wk auth list
67+
wk -a user@company.com drive ls # per-command account
68+
wk auth alias set work user@company.com
69+
wk auth alias list
70+
wk auth alias unset work
71+
```
72+
73+
## 4) Token management
74+
```bash
75+
wk auth tokens list
76+
wk auth tokens export <key> --out token.json # sensitive
77+
wk auth tokens import <path> # sensitive
78+
wk auth tokens delete <key>
79+
```
80+
81+
## 5) OAuth client credentials (BYO GCP)
82+
```bash
83+
wk auth credentials list
84+
wk auth credentials set credentials.json [--domain example.com]
85+
wk --client <name> gmail search 'in:inbox'
86+
```
87+
88+
## 6) Keyring backend
89+
```bash
90+
wk auth keyring # show current backend
91+
wk auth keyring <backend> # set backend (secret-service, keychain, file, etc.)
92+
wk auth status # verify
93+
```
94+
95+
## 7) Service account (Workspace domain-wide delegation)
96+
```bash
97+
wk auth service-account set --key /path/key.json impersonate@company.com
98+
wk auth service-account status
99+
wk auth service-account unset
100+
```
101+
102+
## 8) Recommended pattern in agents
103+
1. `wk auth status` — check if account already exists
104+
2. If not: `wk auth add user@example.com --headless --no-input` and surface the URL
105+
3. `wk auth services` — verify services are authorized
106+
4. Read operations: add `--read-only`
107+
5. Write operations: `--dry-run` first, then without after confirmation

0 commit comments

Comments
 (0)