For users who want to hand the install to a coding assistant (Claude Code, Cursor, Aider), docs/AI-INSTALL.md is a runbook designed to be executed by one. The guardrails are baked in.
The hard rule
Secure by default. LAN-only. Generated (never invented) secrets. Never expose to the public internet unless the user explicitly asks and TLS + a strong admin password are in place.
The flow
- Host prep (Docker, ports, disk)
- Secrets:
scripts/setup-env.shwrites a strong.env, the agent never
invents passwords
docker compose up -d- First-run configuration via the API, or the new
- A Verify check after every step so the agent can catch its own mistakes
Why this matters
The non-AI install path is unchanged: docker compose up -d, then open http://<host>:8080/admin. But power users running an agent can now get an identical, audited install in a fraction of the time, with no hand-edited secrets and no copy-pasted commands from a blog post.
Committed in 634388e. Root CLAUDE.md points new agents at the runbook on first contact.