Menu
Use when bootstrapping or managing VPS agent environments: fresh install, add project, hex-relay redeploy, diagnostics, or fleet plan/apply.
Use when installing, verifying, or updating the shared VPS host runtime for Claude Code, Codex, MCP, and marketplace plugins.
Use when creating or verifying one project runtime on a prepared VPS, including god-session, provider credentials, and local dispatcher setup.
Use when deploying, redeploying, verifying, migrating, or syncing users for the hex-relay Telegram/API control plane on a VPS.
Use when inspecting health, drift, logs, auth, ports, systemd, tmux, or safe repair needs for one VPS project environment.
Reviews skills (D1-D11 + M1-M6 criteria) or .claude/commands for quality. Use when validating skill correctness before release.
Use when validating Stories, plans, or tasks through the evaluation platform with mandatory research, parallel evidence lanes, sequential merge, and bounded refinement. Modes: story | plan_review.
| name | ln-030-vps-bootstrap |
| description | Use when bootstrapping or managing VPS agent environments: fresh install, add project, hex-relay redeploy, diagnostics, or fleet plan/apply. |
| license | MIT |
| allowed-tools | Bash, Read, mcp__hex-ssh__remote-ssh, mcp__hex-ssh__ssh-read-lines |
Paths: File paths (
shared/,references/,../ln-*,agents/hex-relay/,ops/) are relative to the skills repo root. If not found at CWD, locate thisSKILL.mddirectory and go up two levels for repo root.
Type: L2 Domain Coordinator Category: 0XX Shared / Infrastructure Tested on: Ubuntu 24.04 (apt + systemd base: Contabo, Hetzner, DigitalOcean)
Public entrypoint for VPS agent environments. This skill routes between fresh install, adding a project to an existing VPS, hex-relay lifecycle work, diagnostics, and fleet plan/apply. It does not inline detailed install work; it delegates to focused runtime workers and consumes their machine-readable summaries.
MANDATORY READ: Load shared/references/skill_contract.md, shared/references/worker_runtime_contract.md, shared/references/coordinator_summary_contract.md, shared/references/vps_runtime_contract.md, and shared/references/meta_analysis_protocol.md
MANDATORY READ: Load references/scope_layers.md, references/shared_user_pattern.md, references/troubleshooting.md, and references/verification_recipes.md
Reference inventory owned by this coordinator family but loaded by the worker that needs it:
README.md, vps_base_install.md, agent_runtime_install.md, god_session_install.md, project_repo_bootstrap.md, hex_relay_deploy.md, operator_dispatcher_install.md, provider_credentials.md, fleet_registry.md, fleet_plan_apply.md, substitution_rules.md, agent-sandbox.sh, agent-update.sh, agent-update.service, agent-update.timer, claude-usage-report.sh, codex-config.toml.template, codex-notify.sh, dispatch.md, dispatch.service, dispatch.timer, dispatcher.md.template, god-session.service, god-session.sh, hex-relay.service, mint-gh-token.sh, operator.CLAUDE.md, register-telegram-commands.sh, secrets.env.template, settings.agent-config.fragment.json, settings.hooks.fragment.json, settings.statusline.fragment.json, statusline.sh.
| Parameter | Required | Default | Description |
|---|---|---|---|
mode | No | auto | auto, fresh_install, add_project, relay_redeploy, diagnose, fleet_plan, or fleet_apply |
dry_run | No | false | Produce planned actions without mutation where supported |
registry_path | No | /etc/agent-fleet/environments | VPS-local fleet registry directory for fleet_plan / fleet_apply; repo ops/environments is templates/docs only |
environment_id | No | unset | Limit fleet operations to one registry environment |
plan_artifact_path | No | generated | Existing plan for fleet_apply, or output path for fleet_plan |
repair_scope | No | safe | none, safe, or explicit bounded repair action for diagnostics |
Single-project modes also require the project/VPS variables documented in references/scope_layers.md and worker inputs:
PROJECT_NAME, SERVICE_PREFIX, PROJECT_DIR, REPO_URL, REPO_REF, BOT_USER, VPS_HOST, VPS_SSH_KEY, TARGET_REPO_PATH, GIT_PROVIDER, REPO_SLUG, plus optional Telegram/provider variables.
Classify the requested operation:
| Condition | Operation |
|---|---|
mode=fleet_plan | Validate registry and compute drift plan for selected environments |
mode=fleet_apply | Revalidate registry, re-check live state, and apply approved plan targets |
mode=relay_redeploy | Redeploy agents/hex-relay/ for one existing project environment |
mode=diagnose | Inspect one environment and run only bounded safe repairs |
mode=fresh_install | Force host reconcile, project runtime, optional relay, verification |
mode=add_project | Reuse host through verify/update, then project runtime and optional relay |
mode=auto | Discover host state before selecting fresh vs add-project path |
Evidence:
dry_run / apply gate statusAlways perform a lightweight host discovery before project mutation unless the operation is registry validation only.
Discovery checks:
${VPS_HOST}id ${BOT_USER}claude, codex~${BOT_USER}/.claude/, ~${BOT_USER}/.codex/${AGENT_SKILLS_DIR} and marketplace manifestsagent-update.timer${SERVICE_PREFIX} units and port collisionsDecision:
ln-031-vps-host-runtime with mode=install_or_reconcileln-031-vps-host-runtime with mode=verify_or_updateln-034-vps-environment-diagnosticsCall ln-032-vps-project-runtime for one selected project unless the operation is only relay_redeploy, diagnose, or registry plan.
The worker owns project clone, project config/state dirs, god-session, scheduler, provider credentials, and local dispatcher setup. It must not rebuild shared host runtime or deploy hex-relay.
hex-relay LifecycleCall ln-033-hex-relay-lifecycle when:
mode=relay_redeployhex-relay source/service/user driftSkip with explicit N/A: reason when TELEGRAM_BOT_TOKEN is empty and no relay redeploy was requested.
Call ln-034-vps-environment-diagnostics after install/redeploy when final health evidence is needed, or directly for mode=diagnose.
Fleet rules:
fleet_plan loads and validates the live VPS registry from /etc/agent-fleet/environments/*.yaml by default, checks live state, and writes a plan artifact under .hex-skills/runtime-artifacts/runs/{run_id}/vps-fleet-plan/.fleet_apply must re-check the live VPS registry and live state before mutation. A stale, missing, or registry-mismatched plan is a blocker.ops/environments/ directory is template-only. Do not treat it as the source of truth for real fleet membership.Aggregate child summaries into one coordinator summary:
| Phase | Worker | Use |
|---|---|---|
| 2 | ln-031-vps-host-runtime | Shared VPS host/runtime install, verify, update |
| 3 | ln-032-vps-project-runtime | Per-project VPS runtime and local operator setup |
| 4 | ln-033-hex-relay-lifecycle | hex-relay deploy, redeploy, migration, Telegram users |
| 5 | ln-034-vps-environment-diagnostics | Health, drift, logs, bounded safe repair |
Managed worker pattern:
childRunId="run-ln-030-${operation}-${worker}-${environment_id}"
childSummaryArtifactPath=".hex-skills/runtime-artifacts/runs/${run_id}/vps-runtime-worker/${worker}--${environment_id}.json"
Skill(skill: "ln-031-vps-host-runtime", args: "mode={install_or_reconcile|verify_or_update|verify_only} environment_id={environment_id} runId=${childRunId} summaryArtifactPath=${childSummaryArtifactPath}")
Skill(skill: "ln-032-vps-project-runtime", args: "mode={bootstrap|verify_only} environment_id={environment_id} runId=${childRunId} summaryArtifactPath=${childSummaryArtifactPath}")
Skill(skill: "ln-033-hex-relay-lifecycle", args: "mode={initial_deploy|redeploy|verify_only|sync_users} environment_id={environment_id} runId=${childRunId} summaryArtifactPath=${childSummaryArtifactPath}")
Skill(skill: "ln-034-vps-environment-diagnostics", args: "mode={inspect|verify|repair_safe} environment_id={environment_id} repair_scope={repair_scope} runId=${childRunId} summaryArtifactPath=${childSummaryArtifactPath}")
Read ${childSummaryArtifactPath}
Risk Checklist:
N/A:- Phase 1: Resolve operation and required variables (pending)
- Phase 2: Discover host state and call host runtime worker when needed (pending)
- Phase 3: Call project runtime worker when project bootstrap is in scope (pending)
- Phase 4: Call hex-relay lifecycle worker when Telegram/relay is in scope (pending)
- Phase 5: Call diagnostics worker and/or write fleet plan/apply evidence (pending)
- Phase 6: Aggregate child summaries and run self-check (pending)
ln-030 owns routing decisions and ordering.verify_or_update.fleet_apply is not a continuous reconciler. It applies an approved plan after a fresh live-state check./etc/agent-fleet/environments; repo ops/environments is a template contract only.hex-relay source is owned by agents/hex-relay/; deployment logic lives in ln-033.N/A: items.runId and summaryArtifactPath.verify_or_update, not a blind skip.hex-relay work was delegated only when Telegram/relay scope required it.shared/references/meta_analysis_protocol.md.MANDATORY READ: Load shared/references/meta_analysis_protocol.md
Skill type: domain-coordinator. Run after Phase 6 and include whether the split reduced inline execution, preserved worker independence, and kept fleet apply guarded by a plan artifact.
Version: 1.0.0 Last Updated: 2026-05-05