GroupMe bot registration + secrets + go-live validation

forgejo_admin commented

2026-03-28 19:15:51 +00:00

Owner

Type

Feature

Lineage

Depends on forgejo_admin/westside-ai-assistant #1, #2, #3 (infra), #4 (scaffold), #5 (basketball client), #6 (AI engine core), and #8 (confirmation flow). All must be merged before this ticket starts.

Repo

forgejo_admin/westside-ai-assistant + cluster ops

User Story

As Marcus (admin)
I want the bot registered in GroupMe and the service deployed
So that I can start using the AI assistant in the test group

Context

This is the go-live ticket. All code and infra must be in place. This ticket registers the GroupMe bot (which gives us the bot_id), deploys k8s secrets, and validates end-to-end. GroupMe bots only have a bot_id — there is no separate token. The bot_id acts as the posting credential. GROUPME_BOT_ID is stored as a secret (not env var) because knowing it allows posting as the bot.

File Targets

Files the agent should create:

None — this is an ops/validation ticket

Files the agent should NOT touch:

Application code (should be complete from prior tickets)

Acceptance Criteria

Phase 1 — Agent-executable (automated ops):

GroupMe bot registered via API: name "Westside Assistant", callback URL = https://westside-ai-assistant.tail5b443a.ts.net/groupme/callback, group_id = 114069292
k8s secret westside-ai-assistant-secrets created in westside-ai-assistant namespace with ANTHROPIC_API_KEY, GROUPME_BOT_ID, KEYCLOAK_CLIENT_SECRET
Pod starts and passes readiness probe (kubectl get pods -n westside-ai-assistant)

Phase 2 — Human validation (manual, agent hands off here):

Read test: send "How many players are registered?" in test GroupMe group, verify bot responds with accurate count
Write test: send "Update a test player's height", verify confirmation prompt, reply "yes", verify execution
Safety test: verify bot ignores messages from non-allowlisted group

Test Expectations

Phase 1: agent verifies pod running via kubectl
Phase 2: manual validation in GroupMe test group — agent reports "ready for human validation" and stops
Run command: kubectl get pods -n westside-ai-assistant (Phase 1), manual GroupMe messages (Phase 2)

Constraints

GroupMe Bot API: POST https://api.groupme.com/v3/bots with access token to register
Bot registration returns bot_id only (no separate token)
Secrets created via kubectl, NOT committed to git
Do NOT deploy to any group other than the test group (114069292)
Lucas must approve tofu apply before this ticket starts

Checklist

Bot registered
Secrets deployed
Pod running
Agent hands off for human validation
End-to-end validation passed (human)

project-westside-ai-assistant — parent project
service-onboarding-sop — steps 7-10

### Type Feature ### Lineage Depends on forgejo_admin/westside-ai-assistant #1, #2, #3 (infra), #4 (scaffold), #5 (basketball client), #6 (AI engine core), and #8 (confirmation flow). All must be merged before this ticket starts. ### Repo `forgejo_admin/westside-ai-assistant` + cluster ops ### User Story As Marcus (admin) I want the bot registered in GroupMe and the service deployed So that I can start using the AI assistant in the test group ### Context This is the go-live ticket. All code and infra must be in place. This ticket registers the GroupMe bot (which gives us the bot_id), deploys k8s secrets, and validates end-to-end. GroupMe bots only have a `bot_id` — there is no separate token. The `bot_id` acts as the posting credential. `GROUPME_BOT_ID` is stored as a secret (not env var) because knowing it allows posting as the bot. ### File Targets Files the agent should create: - None — this is an ops/validation ticket Files the agent should NOT touch: - Application code (should be complete from prior tickets) ### Acceptance Criteria **Phase 1 — Agent-executable (automated ops):** - [ ] GroupMe bot registered via API: name "Westside Assistant", callback URL = https://westside-ai-assistant.tail5b443a.ts.net/groupme/callback, group_id = 114069292 - [ ] k8s secret `westside-ai-assistant-secrets` created in `westside-ai-assistant` namespace with ANTHROPIC_API_KEY, GROUPME_BOT_ID, KEYCLOAK_CLIENT_SECRET - [ ] Pod starts and passes readiness probe (`kubectl get pods -n westside-ai-assistant`) **Phase 2 — Human validation (manual, agent hands off here):** - [ ] Read test: send "How many players are registered?" in test GroupMe group, verify bot responds with accurate count - [ ] Write test: send "Update a test player's height", verify confirmation prompt, reply "yes", verify execution - [ ] Safety test: verify bot ignores messages from non-allowlisted group ### Test Expectations - [ ] Phase 1: agent verifies pod running via kubectl - [ ] Phase 2: manual validation in GroupMe test group — agent reports "ready for human validation" and stops - Run command: `kubectl get pods -n westside-ai-assistant` (Phase 1), manual GroupMe messages (Phase 2) ### Constraints - GroupMe Bot API: POST https://api.groupme.com/v3/bots with access token to register - Bot registration returns `bot_id` only (no separate token) - Secrets created via kubectl, NOT committed to git - Do NOT deploy to any group other than the test group (114069292) - Lucas must approve tofu apply before this ticket starts ### Checklist - [ ] Bot registered - [ ] Secrets deployed - [ ] Pod running - [ ] Agent hands off for human validation - [ ] End-to-end validation passed (human) ### Related - `project-westside-ai-assistant` — parent project - `service-onboarding-sop` — steps 7-10

forgejo_admin commented

2026-03-28 19:19:54 +00:00

Author

Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-599-2026-03-28

Go-live ops ticket with solid template coverage and complete traceability. Three refinement items before this can move to next_up:

Incomplete Lineage: Missing dependencies on #4 (FastAPI scaffold) and #5 (basketball-api client). Pod readiness (AC 3) requires code from both tickets, not just infra (#1-#3) and AI engine (#6).
Agent/Human handoff unclear: 6 ACs split into agent-executable ops (bot registration, secrets, pod check) and human-only validation (3 GroupMe tests). Issue body should separate these two phases with a clear handoff marker.
Secret name mismatch with architecture: AC 2 lists GROUPME_BOT_ID and GROUPME_BOT_TOKEN but the deployment diagram (arch-deployment-westside-ai-assistant) only shows GROUPME_BOT_TOKEN. Reconcile whether BOT_ID is a secret or config value.

## Scope Review: NEEDS_REFINEMENT Review note: `review-599-2026-03-28` Go-live ops ticket with solid template coverage and complete traceability. Three refinement items before this can move to next_up: - **Incomplete Lineage**: Missing dependencies on #4 (FastAPI scaffold) and #5 (basketball-api client). Pod readiness (AC 3) requires code from both tickets, not just infra (#1-#3) and AI engine (#6). - **Agent/Human handoff unclear**: 6 ACs split into agent-executable ops (bot registration, secrets, pod check) and human-only validation (3 GroupMe tests). Issue body should separate these two phases with a clear handoff marker. - **Secret name mismatch with architecture**: AC 2 lists `GROUPME_BOT_ID` and `GROUPME_BOT_TOKEN` but the deployment diagram (`arch-deployment-westside-ai-assistant`) only shows `GROUPME_BOT_TOKEN`. Reconcile whether BOT_ID is a secret or config value.

forgejo_admin commented

2026-03-28 19:22:03 +00:00

Author

Owner

Scope refinement (review-599-2026-03-28):

Fixed Lineage — added #4 (scaffold) and #5 (basketball client) to dependency list. All 6 prior tickets must merge before this starts.
Added agent/human handoff — ACs now split into Phase 1 (agent-executable: bot registration, secrets, pod check) and Phase 2 (human validation: GroupMe message tests). Agent stops after Phase 1.
Fixed secret key mismatch — removed GROUPME_BOT_TOKEN (doesn't exist in GroupMe API). GroupMe bots only return bot_id. GROUPME_BOT_ID is the posting credential, stored as secret.

**Scope refinement (review-599-2026-03-28):** 1. **Fixed Lineage** — added #4 (scaffold) and #5 (basketball client) to dependency list. All 6 prior tickets must merge before this starts. 2. **Added agent/human handoff** — ACs now split into Phase 1 (agent-executable: bot registration, secrets, pod check) and Phase 2 (human validation: GroupMe message tests). Agent stops after Phase 1. 3. **Fixed secret key mismatch** — removed `GROUPME_BOT_TOKEN` (doesn't exist in GroupMe API). GroupMe bots only return `bot_id`. `GROUPME_BOT_ID` is the posting credential, stored as secret.

forgejo_admin commented

2026-03-28 19:30:40 +00:00

Author

Owner

Scope Review: READY

Review note: review-599-2026-03-28-v2

Re-review after refinement. All 3 findings from review-599-2026-03-28 resolved:

Lineage fixed -- #4 (scaffold), #5 (basketball client), and #8 (confirmation flow) added. All 7 dependencies documented.
Agent/human handoff added -- ACs now split into Phase 1 (agent-executable: 1-3) and Phase 2 (human validation: 4-6) with explicit handoff marker.
Secret key mismatch resolved -- GROUPME_BOT_TOKEN corrected to GROUPME_BOT_ID. AC 2 now matches arch-deployment diagram (3 keys). Context explains rationale.

Ticket is ready for dispatch when all 7 dependencies are merged.

## Scope Review: READY Review note: `review-599-2026-03-28-v2` Re-review after refinement. All 3 findings from `review-599-2026-03-28` resolved: - **Lineage fixed** -- #4 (scaffold), #5 (basketball client), and #8 (confirmation flow) added. All 7 dependencies documented. - **Agent/human handoff added** -- ACs now split into Phase 1 (agent-executable: 1-3) and Phase 2 (human validation: 4-6) with explicit handoff marker. - **Secret key mismatch resolved** -- GROUPME_BOT_TOKEN corrected to GROUPME_BOT_ID. AC 2 now matches arch-deployment diagram (3 keys). Context explains rationale. Ticket is ready for dispatch when all 7 dependencies are merged.