CLI Onboarding Reference

This page is the full reference for opensoul onboard. For the short guide, see Onboarding Wizard (CLI).

What the wizard does

Local mode (default) walks you through:

• Model and auth setup (OpenAI Code subscription OAuth, Anthropic API key or setup token, plus MiniMax, GLM, Moonshot, and AI Gateway options)
• Workspace location and bootstrap files
• Gateway settings (port, bind, auth, tailscale)
• Channels and providers (Telegram, WhatsApp, Discord, Google Chat, Mattermost plugin, Signal)
• Daemon install (LaunchAgent or systemd user unit)
• Health check
• Skills setup

Remote mode configures this machine to connect to a gateway elsewhere. It does not install or modify anything on the remote host.

Local flow details

Existing config detection

• If ~/.opensoul/opensoul.json exists, choose Keep, Modify, or Reset.
• Re-running the wizard does not wipe anything unless you explicitly choose Reset (or pass --reset).
• If config is invalid or contains legacy keys, the wizard stops and asks you to run opensoul doctor before continuing.
• Reset uses trash and offers scopes:
  • Config only
  • Config + credentials + sessions
  • Full reset (also removes workspace)

Model and auth

• Full option matrix is in Auth and model options.

Workspace

• Default ~/.opensoul/workspace (configurable).
• Seeds workspace files needed for first-run bootstrap ritual.
• Workspace layout: Agent workspace.

Gateway

• Prompts for port, bind, auth mode, and tailscale exposure.
• Recommended: keep token auth enabled even for loopback so local WS clients must authenticate.
• Disable auth only if you fully trust every local process.
• Non-loopback binds still require auth.

Channels

• WhatsApp: optional QR login
• Telegram: bot token
• Discord: bot token
• Google Chat: service account JSON + webhook audience
• Mattermost plugin: bot token + base URL
• Signal: optional signal-cli install + account config
• BlueBubbles: recommended for iMessage; server URL + password + webhook
• iMessage: legacy imsg CLI path + DB access
• DM security: default is pairing. First DM sends a code; approve via opensoul pairing approve <channel> <code> or use allowlists.

Daemon install

• macOS: LaunchAgent
  • Requires logged-in user session; for headless, use a custom LaunchDaemon (not shipped).
• Linux and Windows via WSL2: systemd user unit
  • Wizard attempts loginctl enable-linger <user> so gateway stays up after logout.
  • May prompt for sudo (writes /var/lib/systemd/linger); it tries without sudo first.
• Runtime selection: Node (recommended; required for WhatsApp and Telegram). Bun is not recommended.

Health check

• Starts gateway (if needed) and runs opensoul health.
• opensoul status --deep adds gateway health probes to status output.

Skills

• Reads available skills and checks requirements.
• Lets you choose node manager: npm or pnpm (bun not recommended).
• Installs optional dependencies (some use Homebrew on macOS).

Finish

• Summary and next steps, including iOS, Android, and macOS app options.

Note: If no GUI is detected, the wizard prints SSH port-forward instructions for the Control UI instead of opening a browser. If Control UI assets are missing, the wizard attempts to build them; fallback is pnpm ui:build (auto-installs UI deps).

Remote mode details

Remote mode configures this machine to connect to a gateway elsewhere.

Info: Remote mode does not install or modify anything on the remote host.

What you set:

• Remote gateway URL (ws://...)
• Token if remote gateway auth is required (recommended)

Note:

• If gateway is loopback-only, use SSH tunneling or a tailnet.
• Discovery hints:
  • macOS: Bonjour (dns-sd)
  • Linux: Avahi (avahi-browse)

Auth and model options

Anthropic API key (recommended)

Uses ANTHROPIC_API_KEY if present or prompts for a key, then saves it for daemon use.

Anthropic OAuth (Claude Code CLI)

• macOS: checks Keychain item "Claude Code-credentials"
• Linux and Windows: reuses ~/.claude/.credentials.json if present

On macOS, choose "Always Allow" so launchd starts do not block.

Anthropic token (setup-token paste)

Run claude setup-token on any machine, then paste the token. You can name it; blank uses default.

OpenAI Code subscription (Codex CLI reuse)

If ~/.codex/auth.json exists, the wizard can reuse it.

OpenAI Code subscription (OAuth)

Browser flow; paste code#state.

Sets agents.defaults.model to openai-codex/gpt-5.3-codex when model is unset or openai/*.

OpenAI API key

Uses OPENAI_API_KEY if present or prompts for a key, then saves it to ~/.opensoul/.env so launchd can read it.

Sets agents.defaults.model to openai/gpt-5.1-codex when model is unset, openai/*, or openai-codex/*.

xAI (Grok) API key

Prompts for XAI_API_KEY and configures xAI as a model provider.

OpenCode Zen

Prompts for OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY). Setup URL: opencode.ai/auth.

API key (generic)

Stores the key for you.

Vercel AI Gateway

Prompts for AI_GATEWAY_API_KEY. More detail: Vercel AI Gateway.

Cloudflare AI Gateway

Prompts for account ID, gateway ID, and CLOUDFLARE_AI_GATEWAY_API_KEY. More detail: Cloudflare AI Gateway.

MiniMax M2.1

Config is auto-written. More detail: MiniMax.

Synthetic (Anthropic-compatible)

Prompts for SYNTHETIC_API_KEY. More detail: Synthetic.

Moonshot and Kimi Coding

Moonshot (Kimi K2) and Kimi Coding configs are auto-written. More detail: Moonshot AI (Kimi + Kimi Coding).

Skip

Leaves auth unconfigured.

Model behavior:

• Pick default model from detected options, or enter provider and model manually.
• Wizard runs a model check and warns if the configured model is unknown or missing auth.

Credential and profile paths:

• OAuth credentials: ~/.opensoul/credentials/oauth.json
• Auth profiles (API keys + OAuth): ~/.opensoul/agents/<agentId>/agent/auth-profiles.json

Note: Headless and server tip: complete OAuth on a machine with a browser, then copy ~/.opensoul/credentials/oauth.json (or $OPENSOUL_STATE_DIR/credentials/oauth.json) to the gateway host.

Outputs and internals

Typical fields in ~/.opensoul/opensoul.json:

• agents.defaults.workspace
• agents.defaults.model / models.providers (if Minimax chosen)
• gateway.* (mode, bind, auth, tailscale)
• channels.telegram.botToken, channels.discord.token, channels.signal.*, channels.imessage.*
• Channel allowlists (Slack, Discord, Matrix, Microsoft Teams) when you opt in during prompts (names resolve to IDs when possible)
• skills.install.nodeManager
• wizard.lastRunAt
• wizard.lastRunVersion
• wizard.lastRunCommit
• wizard.lastRunCommand
• wizard.lastRunMode

opensoul agents add writes agents.list[] and optional bindings.

WhatsApp credentials go under ~/.opensoul/credentials/whatsapp/<accountId>/. Sessions are stored under ~/.opensoul/agents/<agentId>/sessions/.

Note: Some channels are delivered as plugins. When selected during onboarding, the wizard prompts to install the plugin (npm or local path) before channel configuration.

Gateway wizard RPC:

• wizard.start
• wizard.next
• wizard.cancel
• wizard.status

Clients (macOS app and Control UI) can render steps without re-implementing onboarding logic.

Signal setup behavior:

• Downloads the appropriate release asset
• Stores it under ~/.opensoul/tools/signal-cli/<version>/
• Writes channels.signal.cliPath in config
• JVM builds require Java 21
• Native builds are used when available
• Windows uses WSL2 and follows Linux signal-cli flow inside WSL

Related docs

• Onboarding hub: Onboarding Wizard (CLI)
• Automation and scripts: CLI Automation
• Command reference: opensoul onboard