Document cpflow app bootstrap

[justin808]

Summary

• document first-time staging bootstrap with setup-app --skip-post-creation-hook
• clarify why setup-app is preferred for new persistent apps before later apply-template updates
• add Shakacode team notes for staging and production bootstrap

Verification

• bin/conductor-exec bin/test-cpflow-github-flow ruby /private/tmp/control-plane-flow-release-check.lWpUu0/repo/bin/cpflow
• bin/conductor-exec git diff --check
• post-merge staging deploy 26392435821 passed
• https://rails-3k23yt62491bp.cpln.app returned HTTP 200

---

Note

Low Risk
Documentation-only changes with no application, workflow, or infrastructure code modifications.

Overview
Adds first-time bootstrap guidance for persistent Control Plane staging and production apps across .controlplane/readme.md, .controlplane/shakacode-team.md, and .github/cpflow-help.md.

Operators should run cpflow setup-app with --skip-post-creation-hook once before the initial merge-to-master staging deploy or production promotion, so provisioning (identity, secret dictionary, policies, templates from setup_app_templates) happens without running DB setup before an image exists. Docs distinguish first bootstrap (setup-app) from later template changes (cpflow apply-template plus reveal on the app secret policy). Production is called out to use the production org and production-only secrets.

^{Reviewed by Cursor Bugbot for commit 3eb2fb8. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Documentation
  • Updated deployment documentation with explicit bootstrap steps required before first staging and production app deployments.
  • Enhanced setup guides with clearer app initialization instructions for persistent environments.

[coderabbitai]

Walkthrough

This PR updates three deployment documentation files to document the required one-time bootstrap procedure using cpflow setup-app that must run before initial staging and production deployments for persistent apps, including the exact commands and guidance on secret/org values and the post-creation hook flag.

Changes

Bootstrap procedure documentation

Layer / File(s)	Summary
Staging bootstrap documentation .controlplane/readme.md, .github/cpflow-help.md	Adds explicit staging bootstrap instructions documenting the cpflow setup-app command with org and app flags, setup_app_templates behavior, and --skip-post-creation-hook rationale before first merge-to-master deploy.
Production bootstrap documentation .controlplane/readme.md, .github/cpflow-help.md	Adds corresponding production bootstrap instructions referencing production org, production-only secrets, and values before first promotion.
Team bootstrap guidance .controlplane/shakacode-team.md	Adds team-specific section with concrete cpflow setup-app commands for staging and production, clarifying when to use setup-app for initial setup versus cpflow apply-template for subsequent template updates.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• shakacode/react-webpack-rails-tutorial#735: This PR extends the same review-app documentation pages that were regenerated in the related PR, adding bootstrap procedure guidance alongside existing review-app workflow documentation.

Poem

🐰 Bootstrap those apps before they go live,
Setup the staging, let production thrive,
Just one cpflow command, skip that hook with care,
Templates update later—docs say everywhere!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'Document cpflow app bootstrap' accurately summarizes the main change: adding documentation for bootstrapping cpflow apps across three markdown files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/document-cpflow-bootstrap

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

[greptile-apps]

Greptile Summary

This PR adds first-time bootstrap documentation for the persistent staging and production Control Plane apps across three documentation files, clarifying that cpflow setup-app --skip-post-creation-hook must be run once before the first deploy or promotion, and that subsequent template changes should use cpflow apply-template.

• .controlplane/readme.md: Inserts a bootstrap code block and explanation after the staging resource table, and a symmetric one-liner before the production secrets section.
• .controlplane/shakacode-team.md: Adds explicit cpflow setup-app commands for both staging and production orgs, with guidance on when to prefer apply-template for later updates.
• .github/cpflow-help.md: Documents the same bootstrap step under "Staging And Production," using env-var placeholders ($STAGING_APP_NAME, $CPLN_ORG_STAGING) suited for the audience of that file.

Confidence Score: 4/5

Documentation-only change; no executable code is modified. Safe to merge after the minor formatting fix in cpflow-help.md.

All three files contain accurate, consistent bootstrap instructions. The only issue is a missing blank line in cpflow-help.md that causes two sentences to merge into one paragraph in the rendered output, which could make the bootstrap step harder to notice at a glance.

.github/cpflow-help.md — missing blank line between the existing 'Staging deploys use…' sentence and the new bootstrap paragraph.

Important Files Changed

Filename	Overview
.controlplane/readme.md	Adds a bootstrap section for the persistent staging app before the Production Promotion heading, and a symmetric note for production before the secrets table; both are accurate and well-placed.
.controlplane/shakacode-team.md	Adds concrete cpflow setup-app commands for both staging and production persistent apps, with a clear note distinguishing first-time bootstrap from subsequent apply-template updates.
.github/cpflow-help.md	Adds bootstrap instructions under 'Staging And Production'; a missing blank line between the existing sentence and the new paragraph causes them to render as a single merged paragraph in Markdown.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[First deploy / promotion?] -->|Yes| B["cpflow setup-app -a APP\n--org ORG\n--skip-post-creation-hook"]
    B --> C[Creates app identity\napp secret dictionary\napp secret policy\npolicy binding\ntemplate resources]
    C --> D[Deploy or promote normally]
    A -->|No — existing persistent app| E["cpflow apply-template\n(template updates only)"]
    E --> F[Verify app identity\nhas 'reveal' permission\non app secret policy]
    F --> D

Loading

_{Reviews (1): Last reviewed commit: "Document cpflow app bootstrap" | Re-trigger Greptile}

[claude]

Code Review – PR #748: Document cpflow app bootstrap

Overall: This is a clean, low-risk documentation PR. The content is accurate and fills a real gap (missing first-time bootstrap guidance). A few minor observations below.

What's Good

• Consistent use of --skip-post-creation-hook with a clear explanation of why it's needed (no image exists yet).
• Correct distinction between setup-app (first bootstrap) and apply-template (incremental updates).
• .github/cpflow-help.md correctly uses env-var placeholders ($STAGING_APP_NAME, $CPLN_ORG_STAGING) rather than hardcoded names, making the guidance portable for forks and clones.

Suggestions

1. Production bootstrap note in readme.md is underspecified

The staging section in readme.md provides the full explicit command with org and app name. The production section only says "Bootstrap production the same way before the first promotion, using the production org and production-only secret values." A reader focused on the production section won't see the explicit command form. Consider mirroring the staging example with the production names (or at minimum the flag), as shakacode-team.md already does.

2. Missing blank line in cpflow-help.md

The sentence "Staging deploys use the same CPLN_TOKEN_STAGING secret plus STAGING_APP_NAME." runs directly into the new "Before the first staging deploy..." paragraph with no blank line. A blank line between them improves readability and makes the paragraph boundary clear in rendered Markdown.

3. Minor: idempotency of setup-app not mentioned

Operators new to cpflow may wonder if accidentally running setup-app on an already-bootstrapped app will cause harm. A single parenthetical ("running it again on an already-bootstrapped app is safe" or the opposite if it isn't) would remove that uncertainty.

Verdict

Ready to merge with the existing content as-is; the above are suggestions, not blockers.

[greptile-apps]

The new paragraph starts immediately after the previous sentence with no blank line separating them, so Markdown renders both sentences as one flowing paragraph rather than two distinct ones. Adding a blank line preserves the intended paragraph break.

Suggested change

	Staging deploys use the same `CPLN_TOKEN_STAGING` secret plus `STAGING_APP_NAME`.
	Before the first staging deploy, bootstrap the persistent staging app once:
	Staging deploys use the same `CPLN_TOKEN_STAGING` secret plus `STAGING_APP_NAME`.
	Before the first staging deploy, bootstrap the persistent staging app once:

[claude]

There's no blank line between the existing "Staging deploys use the same..." sentence and this new paragraph. Without one, the two sentences render as a single paragraph in Markdown. Adding a blank line makes the boundary between the context sentence and the action step clear.

Suggested change

	Staging deploys use the same `CPLN_TOKEN_STAGING` secret plus `STAGING_APP_NAME`.
	Before the first staging deploy, bootstrap the persistent staging app once:

[claude]

The staging section above gives the full explicit command; this production note only says "the same way" without showing it. A reader who lands on the Production section directly (or who uses different org/app names) has to scroll up and mentally substitute values. Consider showing the production-specific command here, as shakacode-team.md already does:

Suggested change

	Bootstrap production the same way before the first promotion, using the
	Bootstrap production once before the first promotion:
	```sh
	cpflow setup-app -a react-webpack-rails-tutorial-production --org shakacode-open-source-examples-production --skip-post-creation-hook

Use the production org and production-only secret values.

[coderabbitai]

🧹 Nitpick comments (1)

.controlplane/readme.md (1)

99-100: ⚡ Quick win

Add the explicit production bootstrap command inline.

This note is correct, but adding the exact cpflow setup-app command here (like staging) will make first-time setup less error-prone and easier to execute quickly.

Suggested doc tweak

 Bootstrap production the same way before the first promotion, using the
 production org and production-only secret values.
+
+```sh
+cpflow setup-app -a react-webpack-rails-tutorial-production --org shakacode-open-source-examples-production --skip-post-creation-hook
+```

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.controlplane/readme.md around lines 99 - 100, Add the explicit production
bootstrap command inline after the sentence "Bootstrap production the same way
before the first promotion, using the production org and production-only secret
values." by inserting the exact cpflow setup-app invocation suggested in the
review (use the cpflow setup-app command for
react-webpack-rails-tutorial-production with the
shakacode-open-source-examples-production org and the --skip-post-creation-hook
flag) so readers have a copy-pasteable production bootstrap example.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.controlplane/readme.md:
- Around line 99-100: Add the explicit production bootstrap command inline after
the sentence "Bootstrap production the same way before the first promotion,
using the production org and production-only secret values." by inserting the
exact cpflow setup-app invocation suggested in the review (use the cpflow
setup-app command for react-webpack-rails-tutorial-production with the
shakacode-open-source-examples-production org and the --skip-post-creation-hook
flag) so readers have a copy-pasteable production bootstrap example.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eb6bfa91-d10e-40d1-88b0-eb7dec990f1f

📥 Commits

Reviewing files that changed from the base of the PR and between 77eae2b and 3eb2fb8.

📒 Files selected for processing (3)

• .controlplane/readme.md
• .controlplane/shakacode-team.md
• .github/cpflow-help.md

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3eb2fb8711

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use apply-template for persistent app bootstrap

This new guidance tells operators to run cpflow setup-app for the persistent staging app, but the upstream command docs explicitly scope setup-app to temporary apps and direct persistent staging/production flows to cpflow apply-template. If someone follows this during first-time staging/production setup, they can run an unsupported path that creates/recreates full app resources instead of the documented persistent update flow, which risks unexpected infra changes in long-lived environments.

Useful? React with 👍 / 👎.

[github-actions]

✅ Review App Deleted

Review app for PR #748 is deleted

🎮 Control Plane Console
📋 View Workflow Logs