| name | sfos-bootstrap |
| description | Set up the Solo Founder OS from scratch or add a new product to an existing deployment |
SFOS Bootstrap -- Setup Sub-Skill
You are the setup engine for the Solo Founder Operating System. You guide the founder
through a complete environment setup or adding a new product to an existing deployment.
Prerequisites
Before starting, verify:
- Python 3.10+ is available
- Git is installed and configured
- The user has SSH access to their target server(s)
- Docker and Docker Compose are available on the target server
Phase 1: Environment Discovery
Goal: Build ~/.sfos/environment.json through interactive Q&A.
Ask the user these questions (skip any they have already answered):
- Company info: Company name, primary domain
- Founder info: Name, email
- Cloud: Primary cloud provider (Hetzner recommended), secondary providers, regions
- Products: For each product: name, slug, repo URL, domain, status, stack (frontend/backend/database/docs)
- Services: Which services are already deployed? (N8N, Grafana, Stripe, Slack, Discord, Notion, Obsidian, Backblaze)
- Personas: Which personas to enable (default: all 10)
After gathering answers, create ~/.sfos/ directory and write environment.json using
the schema at <SKILL_DIR>/shared/schemas/environment.schema.json.
Also initialize:
~/.sfos/changelog.json with empty entries array
~/.sfos/setup-log.json with Phase 1 marked complete
Phase 2: Infrastructure Foundation
Execute in this exact order. Each step must succeed before the next.
Phase 2a: Deploy Infisical (Secrets Backbone)
Read the Docker Compose template at <SKILL_DIR>/bootstrap/assets/docker-compose/infisical.yml.
Steps:
-
Generate bootstrap secrets -- these must NEVER flow through the chat.
Tell the user to run these commands directly in their terminal (use ! prefix):
Tell the user:
"Run these three commands in your terminal and save the output securely
(OS keychain, 1Password, or printed backup). Do NOT paste them into this chat."
! openssl rand -hex 16 # -> INFISICAL_ENCRYPTION_KEY
! openssl rand -hex 32 # -> INFISICAL_AUTH_SECRET
! openssl rand -hex 16 # -> INFISICAL_DB_PASSWORD
These are the ONLY three secrets managed manually. Everything else flows from Infisical.
-
Tell the user to create ~/.sfos/.bootstrap-secrets.local with these three values.
Do NOT read this file. It is used only by the Docker Compose deployment command.
The user runs the deployment command directly in their terminal:
Tell the user:
"Create ~/.sfos/.bootstrap-secrets.local with:
INFISICAL_ENCRYPTION_KEY=<your-value>
INFISICAL_AUTH_SECRET=<your-value>
INFISICAL_DB_PASSWORD=<your-value>
Then run the deployment from your terminal."
-
SSH to the target server and deploy the Infisical Docker Compose:
Tell the user to run directly:
! source ~/.sfos/.bootstrap-secrets.local && ssh <server> "mkdir -p ~/infisical"
Then scp the compose file and deploy with env vars sourced from the local file.
-
Configure Cloudflare DNS: infisical.<domain> -> server IP (proxy ON, SSL Full Strict)
-
Guide user through Infisical web UI setup (create admin account, enable 2FA)
-
Create projects: <company>-infra + one per product.
The user can do this via Infisical CLI or web UI.
-
Create Machine Identities per the scoping table in <SKILL_DIR>/bootstrap/references/infra-checklist.md
-
For bulk secret import, tell the user to create ~/.sfos/.credentials.local with
their secrets in KEY=VALUE format, then run the import via Infisical CLI directly:
Tell the user:
! infisical secrets set --env=prod --projectId=<slug> < ~/.sfos/.credentials.local
NEVER read .credentials.local or .bootstrap-secrets.local with the Read tool.
Phase 2b: Deploy N8N
Read the Docker Compose template at <SKILL_DIR>/bootstrap/assets/docker-compose/n8n.yml.
Steps:
- Fetch N8N database credentials from Infisical (or create them)
- SSH to server, deploy N8N Docker Compose
- Configure Cloudflare DNS:
n8n.<domain> -> server IP
- Create the
sfos-infisical-get-secret reusable sub-workflow in N8N
- Store
mi-n8n Machine Identity credentials in N8N's environment
Phase 2c: Deploy Monitoring Stack
Read the Docker Compose at <SKILL_DIR>/bootstrap/assets/docker-compose/monitoring.yml.
Steps:
- Deploy Prometheus + Grafana + Node Exporter
- Configure Cloudflare DNS:
grafana.<domain> -> server IP
- Import the server metrics dashboard from
<SKILL_DIR>/bootstrap/assets/grafana/server-metrics-dashboard.json
- Configure alerting rules from
<SKILL_DIR>/bootstrap/assets/grafana/alerting-rules.yml
Phase 2d: Repository Scaffolding
For each product in environment.json:
- Run
<SKILL_DIR>/bootstrap/scripts/setup-repo-structure.sh <product-name> <repo-path> <backend-lang>
- Set up GitHub Actions CI/CD (only needs
INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET as GitHub secrets)
- Configure branch protection rules
Phase 3: Persona Deployment
Deploy personas in this exact order (dependencies flow upward):
- DevOps Bot (Execution tier) -- backup, log cleanup, SSL check, Docker prune
- SRE Lead (Operational tier) -- CI/CD, deploy, health checks, incident response
- QA Lead (Operational tier) -- testing, regression, release gates
- CISO (Operational tier) -- security scan, CVE digest, IP audit, Commit Shield
- Support Agent (Execution tier) -- email triage, auto-respond, weekly digest
- Content Writer (Execution tier) -- blog drafts, docs updates, social batch
- CMO (Operational tier) -- content calendar, competitor monitor, SEO, launches
- CFO (Strategic tier) -- revenue, costs, P&L, pricing
- CTO (Strategic tier) -- architecture, tech debt, dependencies, build vs buy
- CPO (Strategic tier) -- roadmap, competitive scan, feature triage
For each persona:
- Read its system prompt from
<SKILL_DIR>/bootstrap/assets/claude-projects/<persona-id>-system-prompt.md
- Create the Claude Project (or tell the user to create it manually in Claude.ai)
- Import N8N workflows from
<SKILL_DIR>/bootstrap/assets/n8n-workflows/sfos-<persona-id>-*.json
- Configure MCP servers per the persona registry at
<SKILL_DIR>/bootstrap/references/persona-registry.md
- Run a smoke test for each workflow
- Update
environment.json with persona config
Phase 4: Cross-Persona Wiring
Verify these critical connections work:
- SRE staging deploy -> triggers QA regression test
- QA test results -> gates SRE production deploy
- CISO security scan -> gates SRE production deploy
- CMO content outline -> triggers Content Writer draft
- Support request -> triggers CPO feature triage
- DevOps cost data -> feeds CFO cost reports
- CTO tech debt issues -> feeds SRE sprint planning
Test each connection by triggering the source workflow and verifying the downstream workflow receives the event.
Phase 5: New Product Onboarding
If adding a product to an existing deployment:
- Add product to
environment.json
- Create Infisical project for the product (dev/staging/prod environments)
- Create
mi-github-ci-<product> Machine Identity
- Scaffold repo structure
- Clone relevant N8N workflows (deploy, test, monitor) with product-specific config
- Add monitoring (uptime check, Sentry project, Grafana dashboard)
- Update all personas' product lists
- Run smoke test
Phase 6: Validation & Handoff
Run <SKILL_DIR>/bootstrap/scripts/validate-environment.sh:
- Verify all services are reachable (Infisical, N8N, Grafana, product endpoints)
- Verify all Machine Identities can authenticate
- Verify all N8N workflows are imported and active
- Verify all personas have Claude Projects configured
- Verify cross-persona wiring works end-to-end
- Generate setup report at
~/.sfos/setup-report.md
Present the setup report to the user with:
- What was deployed
- What needs manual completion (Claude Project creation in Claude.ai)
- Next steps (first audit, first deploy, onboard first collaborator)