66. Interactive admin install as guided installation orchestrator
Date: 2026-07-05
Status
Accepted
Context
Fullsend installation spans mint trust, inference WIF, GitHub Apps, scaffold delivery, and per-repo vs per-org scope. Standalone commands (mint, github, inference, repos) already exist (ADR 0029, ADR 0033, ADR 0057), and user-facing docs recently deprecated the all-in-one admin install as a monolithic path in favor of those phases.
That split reduced coupling but increased cognitive load: adopters must understand which role runs which phase, whether to use the hosted mint or a private one, how many GCP projects are involved, and whether ADR 0047 vendoring applies — from a single repo on hosted services through a multi-org footprint with private mints and several inference accounts. Agents assisting onboarding face the same matrix without a single machine-readable decision model.
Options
Option A: Standalone commands only (status quo docs)
Users and agents read guides and invoke mint / github / inference directly. Low CLI complexity; high expertise burden.
Option B: Interactive admin install orchestrator (chosen)
admin install becomes a guided entry point that walks the decision tree, then delegates execution to existing subcommands. Same tree drives agent skills.
Option C: New top-level fullsend install
Same behavior as B but a new command. Rejected — admin install is already the familiar entry point and matches org-admin mental models.
Decision
Revive
admin installas a guide, not a monolith. The command orchestrates installation; it does not re-inline GCP provisioning, mint deploy, or GitHub layer logic. Each step invokes the existing standalone commands (or their library equivalents) with composed flags.Interactive by default on a TTY. When stdin is a terminal and required flags are absent,
admin installruns a guided flow. Non-interactive use keeps today's explicit flags (--mint-url,--inference-project, etc.). Add--guided(force interactive) and--plan(print the composed command sequence without executing).Published decision tree. Maintain a versioned install decision tree (YAML) in-repo describing questions, branches, prerequisites, and the subcommand(s) each leaf executes. The CLI loads it; changes to install matrix update the tree, not scattered help text.
Coverage. The tree must reach at least:
- single-repo + hosted mint + shared inference (zero-GCP GitHub path);
- self-hosted or private mint (ADR 0059 tight vs public);
- multiple GCP projects / inference accounts;
- bulk per-repo rollout via
repos(ADR 0057); - optional
--vendor(ADR 0047). Per-org mode remains a deprecated branch per ADR 0044, shown only when explicitly chosen, with migration guidance.
Agent skills on the same tree. Provide an install-guidance skill that loads the decision tree and accepts optional context (org size, existing mint URL, compliance constraints, repos in scope). Agents traverse the tree, explain trade-offs, and emit the same
--planoutput humans would get — without bypassing authorization or inventing flags outside the tree.Normative spec deferred. The tree schema and leaf command templates are documented alongside the artifact; a
docs/normative/contract is out of scope until a second consumer (e.g. web installer) needs byte-level interoperability (ADR 0015).
Consequences
- User-facing docs that deprecated all-in-one
admin installshould be annotated: deprecated as an opaque monolith, not as the guided entry point. - The CLI must keep standalone commands as the execution layer so automation and skills do not depend on TTY prompts.
- The decision tree becomes a maintained product artifact; install changes require tree updates and tests.
- Agents gain a bounded, testable install guide instead of improvising from prose docs.
- Implementation scope (wizard UI, tree loader, skill packaging) is follow-on work; this ADR records the architectural choice only.
