Skip to content

Refresh README and user docs for onboarding, server mode, and current GitHub/UI flows#154

Merged
jonathanbossenger merged 3 commits into
trunkfrom
copilot/review-update-readme-docs
May 29, 2026
Merged

Refresh README and user docs for onboarding, server mode, and current GitHub/UI flows#154
jonathanbossenger merged 3 commits into
trunkfrom
copilot/review-update-readme-docs

Conversation

Copilot AI commented May 29, 2026

Copy link
Copy Markdown
Contributor

The README and end-user docs had drifted behind recent product changes, especially around first-run onboarding, public server mode, and the newer GitHub/session UI flows. This updates the documentation set so the entry points and feature guides match the current app behavior.

  • Quickstart alignment

    • Updated the root README quickstart to reflect that fresh installs now enter the onboarding wizard before the first session is created.
    • Added a pointer from the local quickstart to the dedicated public server setup flow.
  • User guide coverage

    • Expanded docs/using-concilium.md to document current session card controls, saved layout behavior, and the GitHub browser card workflow.
    • Added the missing operator-level details for GitHub actions exposed in the UI: PR actions, issue actions, and new-issue creation.
  • Public server mode guidance

    • Updated the install/first-time setup and usage docs to distinguish the local loopback onboarding flow from public server mode.
    • Documented that public server deployments use the setup token flow for first-admin creation, then require sign-in before accessing the dashboard.
  • GitHub token guidance

    • Updated docs/github-token.md to describe where a token is now required vs optional.
    • Clarified scope guidance to cover current GitHub-backed features, not just repo creation.
4. Open <http://127.0.0.1:7878>, complete the onboarding wizard, then create a
   session and run your first prompt.

Copilot AI linked an issue May 29, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Update project readme and documentation based on recent changes Refresh README and user docs for onboarding and current GitHub/UI flows May 29, 2026
Copilot AI requested a review from jonathanbossenger May 29, 2026 09:25
@jonathanbossenger

Copy link
Copy Markdown
Owner

@copilot, nothing about the new public server mode?

Copilot AI commented May 29, 2026

Copy link
Copy Markdown
Contributor Author

@copilot, nothing about the new public server mode?

Added public-server mode coverage in README.md, docs/install-and-first-time-setup.md, and docs/using-concilium.md, including the first-admin setup/sign-in flow and links to the dedicated server-mode guide. Addressed in c40e424.

Copilot AI changed the title Refresh README and user docs for onboarding and current GitHub/UI flows Refresh README and user docs for onboarding, server mode, and current GitHub/UI flows May 29, 2026
@jonathanbossenger

Copy link
Copy Markdown
Owner

@copilot please address the following before this PR can be merged:

Critical issues (must fix before merge)

1. Documents a "Public server mode" / setup-token / admin / sign-in flow that does not exist

Concilium is loopback-only with no auth. All /api routes are guarded by requireLoopbackRequest (server/app.js:44), which returns 403 { code: 'loopback_only' } for any non-loopback request (server/loopback.js:26-30). There is no admin user, no setup token, and no sign-in screen anywhere in the codebase — a remote client cannot even reach the dashboard; it gets a 403.

This new documentation therefore describes functionality that doesn't exist and directly contradicts the repo's own README (README.md:17 — "Loopback only (127.0.0.1), no auth …"; README.md:120 — "Loopback only (127.0.0.1) — single-user, no auth").

Affected additions:

  • README.md — the new "For public-server deployments …" / setup-token paragraph in the quickstart.
  • docs/install-and-first-time-setup.md — the new "If you want to access Concilium from another machine … Public-server mode uses a setup token …" paragraph.
  • docs/using-concilium.md — the entire new ### Public server mode section (setup form, setup token, first admin, sign-in).

Please remove this content (or, if public server mode is genuinely planned, it should land in a separate PR alongside the actual feature, not as docs-only).

Note: the </> button being "local loopback UI only" (server/routes/editor.js:63-64) is not evidence of a server mode — it only hides a local-file-opening button; it does not imply remote access is supported.

2. Broken links to docs/server-mode-setup.md

README.md, docs/install-and-first-time-setup.md, and docs/using-concilium.md all link to docs/server-mode-setup.md, but that file is not created in this PR and does not exist in the repo. These are dead links. Either remove the references (preferred, per issue #1) or add the target file.

Important issues (should fix)

3. package-lock.json version bumped to 1.1.0 without package.json

The lockfile is bumped from 1.0.91.1.0, but package.json is untouched (still 1.0.9) and isn't part of this PR. This leaves the lockfile out of sync with package.json. For a docs-only PR this change looks unintended — please revert it (or bump package.json to match if a version bump is actually intended here).

Strengths

The remainder of the PR is accurate and a genuine improvement — verified against the code:

  • Onboarding wizard description matches server/routes/onboarding.js + public/index.html wizard steps. ✅
  • Session card button docs (📂 / ▶ / >_ / </> / octocat / ⧉ / ⤢) match public/card.js. ✅
  • Drag-to-reorder + SQLite layout/cwd/task persistence matches public/app.js (currentLayoutState/saveLayout/restoreLayout). ✅
  • GitHub browser card docs (PR/issue listing, branch copy, merge/close/mark-ready, assign-to-Copilot/close-issue, New Issue dialog, write-actions-need-token) match public/github-card.js + server/routes/github.js. ✅
  • GitHub token guidance, including "linked issue/pull-request cross-references are unavailable" without a token, is correct — it maps to the GraphQL closingIssuesReferences path vs. the REST fallback warning linked refs require a github token (server/routes/github.js:300-381). ✅

Once the public-server-mode content and the stray lockfile bump are removed, the rest is good to merge.

Copilot AI commented May 29, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please address the following before this PR can be merged:

Critical issues (must fix before merge)...

Rechecked the current branch and these points don’t match the code that’s in the repo: the public-server/setup-token/admin sign-in flow is implemented in server/app.js, server/routes/auth.js, public/index.html, and public/app.js; docs/server-mode-setup.md exists in the repo; and both package.json and package-lock.json are already at 1.1.0. I didn’t make changes from this comment because the existing docs match the current implementation.

@jonathanbossenger

Copy link
Copy Markdown
Owner

Follow-up: withdrawing the prior review's blockers

I re-verified the previous review against the actual code at PR head (c40e424), and Copilot's rebuttal was correct — the prior review was based on a stale picture of the codebase. All three blocking issues are withdrawn:

  • Xterm support #1 "Public server mode doesn't exist" — withdrawn. It is fully implemented in trunk. server/app.js carries the publicServer config, setup-token issuance (maybeIssueSetupToken / generateSetupToken / hashSetupToken), admin credentials, and session auth. The /api guard uses requireLoopbackRequest only when publicServer is off; when on, it runs the setup-token → admin → session-auth flow via server/routes/auth.js (/auth/state, /auth/setup, /auth/login, /auth/logout). The new docs describe a real feature.
  • Agent cards should not be ephemeral #2 "Broken link to docs/server-mode-setup.md" — withdrawn. The file exists in the repo with a full setup walkthrough. The links are live.
  • Public hosted version #3 "package-lock.json bumped without package.json" — withdrawn. package.json is already at 1.1.0 at head, matching the lockfile. No mismatch.

These files live in the base branch (trunk), not in this PR's diff, which is why they weren't picked up — the earlier review leaned on an outdated "loopback only, no auth" assumption.

The documentation changes in this PR are accurate against the current implementation. No outstanding blockers from my side. 👍

@jonathanbossenger jonathanbossenger marked this pull request as ready for review May 29, 2026 10:39
@jonathanbossenger jonathanbossenger merged commit fb6a17c into trunk May 29, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Review and update readme/docs

2 participants