// Deploy your own Open-Inspect instance. Use when the user wants to set up, deploy, or onboard to Open-Inspect. Guides through repository setup, credential collection, Terraform deployment, and verification with user handoffs.
Record and upload a short browser interaction video artifact
Verify application UI changes with uploaded screenshot or video artifacts
Upload an existing screenshot file to the Open-Inspect session
| name | onboarding |
| description | Deploy your own Open-Inspect instance. Use when the user wants to set up, deploy, or onboard to Open-Inspect. Guides through repository setup, credential collection, Terraform deployment, and verification with user handoffs. |
| user-invocable | true |
| allowed-tools | Bash, Read, Write, Edit, Glob, Grep, AskUserQuestion, TodoWrite |
You are guiding the user through deploying their own instance of Open-Inspect. This is a multi-phase process requiring user interaction for credential collection and external service configuration.
Use TodoWrite to create a checklist tracking these phases:
First, generate a random suffix suggestion for the user:
echo "Suggested deployment name: $(openssl rand -hex 3)"
Use AskUserQuestion to gather:
open-inspect-{deployment_name}.vercel.app and must be unique across all Vercel users.Execute these commands (substitute values from Phase 1):
mkdir -p {directory_path}
gh repo create {github_account}/open-inspect-{name} --private --description "Open-Inspect deployment"
cd {directory_path}
git clone git@github.com:ColeMurray/open-inspect.git .
git remote rename origin upstream
git remote add origin git@github.com:{github_account}/open-inspect-{name}.git
git push -u origin main
npm install
npm run build -w @open-inspect/shared
Hand off to user for each service. Use AskUserQuestion to collect credentials.
Tell the user:
*.YOUR-SUBDOMAIN.workers.devCheck wrangler login status, then create bucket:
wrangler whoami
wrangler r2 bucket create open-inspect-{name}-tf-state
Tell user to create R2 API Token at R2 → Overview → Manage R2 API Tokens with "Object Read & Write" permission.
team_)modal token newThen set the token:
modal token set --token-id {token_id} --token-secret {token_secret}
modal profile current
sk-ant-)Guide user through creating a GitHub App (handles both OAuth and repo access):
Open-Inspect-{YourName} (globally unique)https://open-inspect-{deployment_name}.vercel.apphttps://open-inspect-{deployment_name}.vercel.app/api/auth/callback/github
After receiving the .pem path, convert to PKCS#8:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in {pem_path} -out /tmp/github-app-key-pkcs8.pem
cat /tmp/github-app-key-pkcs8.pem
Guide user:
app_mentions:read, chat:write, channels:history,
channels:read, groups:history, groups:read, im:history, im:read, reactions:writexoxb-...)echo "token_encryption_key: $(openssl rand -base64 32)"
echo "repo_secrets_encryption_key: $(openssl rand -base64 32)"
echo "internal_callback_secret: $(openssl rand -base64 32)"
echo "nextauth_secret: $(openssl rand -base64 32)"
echo "modal_api_secret: $(openssl rand -hex 32)"
echo "github_webhook_secret: $(openssl rand -hex 32)" # Only if GitHub bot enabled
Create terraform/environments/production/backend.tfvars:
access_key = "{r2_access_key}"
secret_key = "{r2_secret_key}"
bucket = "open-inspect-{name}-tf-state"
endpoints = {
s3 = "https://{cloudflare_account_id}.r2.cloudflarestorage.com"
}
Create terraform/environments/production/terraform.tfvars with all collected values. Set:
enable_durable_object_bindings = false
enable_service_bindings = false
If GitHub bot is enabled, also set:
enable_github_bot = true
github_webhook_secret = "{generated_value}"
github_bot_username = "{app-slug}[bot]"
Important: Build the workers before running Terraform (Terraform references the built bundles):
npm run build -w @open-inspect/control-plane -w @open-inspect/slack-bot -w @open-inspect/github-bot
Phase 1 (bindings disabled):
cd terraform/environments/production
terraform init -backend-config=backend.tfvars
terraform apply
Phase 2 (after Phase 1 succeeds): Update tfvars to set both bindings to true, then:
terraform apply
After Terraform deployment, guide user:
The App Home provides a settings interface where users can configure their preferred Claude model.
https://open-inspect-slack-bot-{deployment_name}.{subdomain}.workers.dev/eventsapp_home_opened, app_mention, message.imhttps://open-inspect-slack-bot-{deployment_name}.{subdomain}.workers.dev/interactions/invite @BotNameAfter Terraform deployment, guide user:
https://open-inspect-github-bot-{deployment_name}.{subdomain}.workers.dev/webhooks/githubgithub_webhook_secret valueThe bot username is the App's slug with [bot] appended. E.g., if the app is My-Inspect-App, the
bot username is my-inspect-app[bot]. Confirm this matches github_bot_username in
terraform.tfvars.
npx vercel link --project open-inspect-{deployment_name}
npx vercel --prod
curl https://open-inspect-control-plane-{deployment_name}.{subdomain}.workers.dev/health
curl https://{workspace}--open-inspect-api-health.modal.run
curl -I https://open-inspect-{deployment_name}.vercel.app
Present deployment summary table. Instruct user to test: visit web app, sign in with GitHub, create session, send prompt.
Ask if user wants GitHub Actions CI/CD. If yes, use gh secret set for all required secrets.
enable_github_bot = true, and
github_bot_username matches the App's bot loginnpm run build -w @open-inspect/control-plane -w @open-inspect/slack-bot -w @open-inspect/github-botnpm run build -w @open-inspect/shared