This repository has been consolidated into OpenSIN-AI/Infra-SIN-Dev-Setup and is scheduled for archival.
https://github.com/OpenSIN-AI/Infra-SIN-Dev-Setup/tree/main/user-onboarding
All content is preserved exactly as it was here — same scripts/, docs/, config/, .well-known/ layout.
This repo covered "end-user first-run setup for OpenSIN." Infra-SIN-Dev-Setup already covered "developer environment setup for working on OpenSIN." Two repos in the same domain made it unclear where new setup automation should go. Merged under Infra-SIN-Dev-Setup so there is a single "everything that gets OpenSIN running on your machine" destination.
Full report: OpenSIN-overview/docs/CONSOLIDATION-2026-04.md
- Cloning for user onboarding? `git clone OpenSIN-AI/Infra-SIN-Dev-Setup` and `cd user-onboarding/`.
- Had a PR here? Reopen against `Infra-SIN-Dev-Setup` targeting `user-onboarding/`.
- Running `onboard.sh`? Path is now `Infra-SIN-Dev-Setup/user-onboarding/scripts/onboard.sh`.
This repo stays on GitHub in archived (read-only) state. All commits remain searchable.
Original README (preserved)
[!IMPORTANT] SSOT: The canonical OpenCode configuration lives at Delqhi/upgraded-opencode-stack. After every change, `sin-sync` MUST be run.
Autonomous first-run setup for OpenSIN — zero manual intervention.
When a new user runs OpenSIN for the first time, this onboarding system automatically:
- Installs & configures the A2A-SIN-Passwordmanager with Google Cloud Secrets backend
- Installs OpenSIN Bridge Chrome Extension via CLI sideload
- Registers API accounts on free-tier platforms (NVIDIA NIM, Groq, Hugging Face, etc.)
- Provisions gcloud service account for secrets management
- Seeds initial credentials into the Passwordmanager vault
```
User runs: opensin init
           │
           ▼
┌─────────────────────────────┐
│ Phase 0: Bun Install ⚡ │
│ ─ brew install oven-sh/bun/bun │
│ ─ NEVER npm or npx! │
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│ Phase 1: System Bootstrap │
│ ─ gcloud CLI install │
│ ─ Bun verify (NOT npm!) │
│ ─ Chrome verify │
│ ─ opencode CLI verify │
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│ Phase 2: GCP Project Setup │
│ ─ gcloud auth login (CDP) │
│ ─ Create GCP project │
│ ─ Enable Secret Manager API│
│ ─ Create service account │
│ ─ Generate & store SA key │
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│ Phase 3: Passwordmanager │
│ ─ Build from source │
│ ─ Configure gcloud backend │
│ ─ Verify health check │
│ ─ Symlink CLI (spm) │
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│ Phase 4: Chrome Extension │
│ ─ Build extension │
│ ─ Sideload via chrome CLI │
│ ─ Verify extension active │
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│ Phase 5: Platform Accounts │
│ ─ Groq (free vision API) │
│ ─ NVIDIA NIM (free tier) │
│ ─ Hugging Face (spaces) │
│ ─ Store all keys in PM │
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│ Phase 5.5: Cloud Storage │
│ ─ Box.com account creation │
│ ─ Create Public/Cache folders │
│ ─ Enable sharing (public links)│
│ ─ Optional: Developer Token │
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│ Phase 6: Verification │
│ ─ PM health check │
│ ─ gcloud secrets list │
│ ─ Extension ping │
│ ─ API key validation │
│ ─ Print onboarding report │
└─────────────────────────────┘
```
OpenSIN uses Box.com (10 GB free) as primary cloud storage, replacing GitLab Storage (account banned).
| Folder | Purpose | Sharing |
|---|---|---|
| `/OpenSIN-Public` | Logos, images, docs (publicly accessible) | "People with link" → Can view |
| `/OpenSIN-Cache` | Logs, cache, temporary files | "People with link" → Can view |
During `opensin init`, users are guided through:
- Create Box.com account (free 10 GB)
- Create folders `/OpenSIN-Public` and `/OpenSIN-Cache`
- Enable sharing (public links must work, otherwise 404!)
- Optional: Create Box Developer Token for API access
- GitLab Storage is DEAD — all previous GitLab-based log/cache uploads are migrated to Box.com
- Public links must be enabled — without "People with the link" sharing, URLs return 404
- Developer Token (optional) allows programmatic uploads via Box API
- Alternative: Google Drive (15 GB free) can be used instead for user data
After onboarding, users should:
- Get folder IDs from Box.com (`box folders:children 0`)
- Add to `.env`:
  ```
  BOX_PUBLIC_FOLDER_ID=<id>
  BOX_CACHE_FOLDER_ID=<id>
  BOX_DEVELOPER_TOKEN=<token>
  ```
- Share the public links with the OpenSIN team
- Public: https://app.box.com/s/1st624o9eb5xdistusew5w0erb8offc7
- Cache: https://app.box.com/s/9s5htoefw1ux9ajaqj656v9a02h7z7x1
```bash
git clone https://github.com/OpenSIN-AI/OpenSIN-onboarding.git
cd OpenSIN-onboarding
./scripts/onboard.sh
```

Or via OpenSIN CLI:

```bash
opensin init
```

```
OpenSIN-onboarding/
├── scripts/
│   ├── onboard.sh                    # Main entry point
│   ├── phase1_system_bootstrap.sh    # System prerequisites
│   ├── phase2_gcp_setup.sh           # GCP project + service account
│   ├── phase3_passwordmanager.sh     # PM build + configure
│   ├── phase4_chrome_extension.sh    # Extension sideload
│   ├── phase5_platform_accounts.py   # Autonomous account registration
│   └── phase6_verification.sh        # End-to-end health checks
├── docs/
│   ├── 01-prerequisites.md           # What users need before starting
│   ├── 02-passwordmanager-setup.md   # Deep dive: PM + GCS architecture
│   ├── 03-chrome-extension.md        # Extension installation details
│   ├── 04-platform-accounts.md       # Platform registration reference
│   ├── 05-troubleshooting.md         # Common issues + fixes
│   └── 06-security-model.md          # How secrets are protected
├── config/
│   └── templates/
│       ├── catalog.template.json     # PM catalog seed template
│       └── env.template              # Environment variable template
├── .well-known/
│   └── agent-card.json               # A2A discovery card
└── README.md
```
| Platform | Free Tier | What OpenSIN Uses It For |
|---|---|---|
| Google Cloud | $300 credit + always-free Secret Manager (6 active versions) | Passwordmanager backend (Google Cloud Secrets) |
| Groq | 14,400 req/day (vision models) | OpenSIN Bridge vision analysis |
| NVIDIA NIM | 1,000 free API calls/month | Specialized AI models (Qwen, Cosmos) |
| Hugging Face | Unlimited free CPU Spaces | A2A agent hosting |
| GitHub | Unlimited public repos | Code hosting, Issues, A2A coordination |
OpenSIN uses the Two-Layer Browser Stack (nodriver + CDP) to:
- Navigate to platform signup page
- Fill registration forms with user-provided email
- Handle email verification via user's mail client
- Extract API keys from dashboard
- Store keys in Passwordmanager (Google Cloud Secrets)
The user only needs to provide:
- Email address (for account registration)
- Google account (for GCP + Chrome profile)
Everything else is fully autonomous.
- All secrets stored in Google Cloud Secret Manager (encrypted at rest with Google-managed keys)
- Service account key stored locally at `~/.config/opencode/auth/google/` with `600` permissions
- No secrets ever committed to git (enforced by `.gitignore` + pre-commit hooks)
- Secret names follow pattern: `spm-{name}` in GCP
- Passwordmanager catalog (metadata only, no values) at `~/.config/sin/sin-passwordmanager/catalog.json`
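
The permission and naming rules in this list can be checked mechanically after onboarding. The script below is an added example, not code from the OpenSIN repositories: `audit_key_perms` and `audit_secret_names` are hypothetical helper names, and the character set allowed after `spm-` is assumed to be the one Secret Manager accepts for secret IDs.

```bash
#!/usr/bin/env bash
# Added example (not from the OpenSIN repos): audit two security-model rules.

# Print every regular file under DIR whose mode is not exactly 600.
# Returns 0 if all files pass, 1 if any were printed, 2 if DIR is missing.
audit_key_perms() {
  local dir=$1 bad
  [ -d "$dir" ] || { echo "missing key directory: $dir" >&2; return 2; }
  # '! -perm 600' is an exact-mode test that GNU and BSD find both accept.
  bad=$(find "$dir" -type f ! -perm 600 -print)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Read secret names from stdin, one per line, and print those that break the
# spm-{name} pattern. Full resource names (projects/N/secrets/NAME) are
# reduced to NAME first. Returns 1 if any name was printed.
audit_secret_names() {
  local name short rc=0
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    short=${name##*/}
    # Assumption: {name} uses Secret Manager's charset (letters, digits, - _).
    if ! printf '%s\n' "$short" | grep -Eq '^spm-[A-Za-z0-9_-]+$'; then
      printf '%s\n' "$name"
      rc=1
    fi
  done
  return "$rc"
}

# Typical use on an onboarded machine:
#   audit_key_perms "$HOME/.config/opencode/auth/google"
#   gcloud secrets list --format='value(name)' | audit_secret_names
```

A non-zero exit from either function is the signal to fail a verification step; the printed lines name the files or secrets to fix.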
| Repository | Purpose |
|---|---|
| OpenSIN-backend | A2A-SIN-Passwordmanager source code |
| OpenSIN-documentation | Full platform docs (docs.opensin.ai) |
| OpenSIN-overview | Organization SSOT registry |
| OpenSIN | Core platform |
| OpenSIN-Code | CLI tool |
Apache 2.0 — see LICENSE