You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Connecting Claude (web/mobile) to a hosted flair today takes ~10 steps end to end. Phases: get flair on a host (3 steps, normal self-host), enable the OAuth /mcp surface (5 steps of raw operator work: OAuth-app creation, four secrets, config block + flag + restart, identity mapping, client pre-registration), then the actual claude.ai connector add (2 steps, genuinely easy). The middle five steps are documented (docs/notes/mcp-oauth-model2.md) but are exactly the kind of operator friction that kills adoption at the consumer moment.
Proposal: flair mcp enable
One command that walks the operator checklist:
Generates the RS256 signing keypair and the DCR gate token.
Writes the @harperfast/oauth config block (issuer from --issuer or FLAIR_PUBLIC_URL, TTL 900, redirect-host allowlist for claude.ai/claude.com).
Prompts for (or accepts flags for) the IdP OAuth app credentials — with a docs pointer for creating the GitHub OAuth app, callback URL printed exactly.
Provisions secrets appropriately per deploy shape (env file locally; encrypted env secrets on managed deploys).
Pre-registers Claude as an OAuth client through the gated DCR endpoint.
Sets the flag, restarts (reusing the existing restart machinery), self-verifies the OAuth metadata endpoint answers on the public origin.
Prints: the /mcp URL + client id to paste into claude.ai → Settings → Connectors, and the three-tap instructions.
Companion: flair mcp disable (flag off + restart = byte-identical boot, per the Model-2 contract) and flair mcp status.
Constraints
No security-posture change: DCR stays token-gated, JIT stays default-off, Sherlock's four Model-2 requirements hold as shipped. The command automates the checklist; it must not loosen it.
Live enablement still gets the documented Sherlock sign-off for OUR instances; for external operators the command IS the hardened path.
Problem
Connecting Claude (web/mobile) to a hosted flair today takes ~10 steps end to end. Phases: get flair on a host (3 steps, normal self-host), enable the OAuth /mcp surface (5 steps of raw operator work: OAuth-app creation, four secrets, config block + flag + restart, identity mapping, client pre-registration), then the actual claude.ai connector add (2 steps, genuinely easy). The middle five steps are documented (docs/notes/mcp-oauth-model2.md) but are exactly the kind of operator friction that kills adoption at the consumer moment.
Proposal:
flair mcp enableOne command that walks the operator checklist:
Companion:
flair mcp disable(flag off + restart = byte-identical boot, per the Model-2 contract) andflair mcp status.Constraints