Bring the Studios online — MachineSync guide for Adib
Goal: the Studio machines run The Cloud's agents on their own — hands-off and scale-ready. We do it by installing MachineSync — a small background helper that quietly syncs the machine to The Cloud and runs agent work. Adib already has full remote UI access and can install anytime — nothing on-site needed. The only gate is our readiness. No passwords or keys ever live on the machine. Safe to share this page with Adib.
⚡ Live session — bring both Studios online together (today)
✅ The installer is ready — `MachineSync-Installer.zip` (no terminal for Adib):
Send the zip to each Studio (Jump Desktop file transfer / Drive / AirDrop) → unzip.
Double-click "Install MachineSync.command." First time only: it says "unidentified developer" → right-click → Open → Open (the inner runner is signed; the wrapper isn't notarized yet).
A popup asks for the pairing code → paste that box's code → Set up.
It installs, pairs, sets auto-start, and starts — shows "MachineSync — Done." Repeat on the second Studio with its code.
Double-click, paste code, done. (Auth: Studio 29 ran before so it likely already has Claude + GitHub login; only a brand-new box might need it — and we can bake that into the installer to keep it no-terminal.)
Adib offered a ~1-hour live screen-share. We can do it now with what we have — the polished signed installer isn't published yet, but doing it live with Teka on the call keeps it fully secure: Teka enters anything sensitive on the call; Adib only provides machine access — no key or password is ever handed to him or left on the box.
Confirm before we start (the only prep):
Each Studio — Apple Silicon or Intel, + macOS version (so we bring the right build)
Any MDM / managed-device or security software that could block an install or a startup item?
Roles on the call:
Adib — shares screen / grants control; sets the box to never sleep; confirms it's reachable.
Teka (Daniel + Ora) — generates the pairing code, enters anything sensitive, verifies the box goes Active.
Quick pre-check Adib can run on each box first — tells us if the logins are already there, so we may skip entering anything (likely on Studio 29, which ran before):
`gh auth status` · `claude` (shows the signed-in user) · `echo $ANTHROPIC_API_KEY`
If those come back logged-in / non-empty → skip auth, just start MachineSync. If empty → Teka enters them live (only the new box should need this).
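The same pre-check as a read-only script, added here as an example (it is not part of the installer or the MachineSync project). It assumes only the `gh` and `claude` commands named above. One deliberate change: it tests whether `ANTHROPIC_API_KEY` is non-empty instead of echoing it, so the key never appears on a screen that is being shared or recorded during the live session.

```shell
#!/bin/sh
# Added example (not part of the page's installer or the MachineSync project):
# a read-only pre-check for one Studio box. It reports whether the GitHub CLI is
# logged in, whether the claude CLI is present, and whether ANTHROPIC_API_KEY is
# set, without ever printing a secret to a screen that is being shared or recorded.
# Assumed names: the `gh` and `claude` commands as used on the page; nothing else.

# env_is_set NAME -> 0 if the exported variable NAME is non-empty, 1 if empty or
# unset, 2 if NAME is not a valid variable name. The value itself is never printed.
env_is_set() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 2 ;;
  esac
  val=$(printenv "$1" 2>/dev/null || true)
  [ -n "$val" ]
}

# tool_present TOOL -> 0 if TOOL is on PATH, 2 if not installed.
tool_present() {
  command -v "$1" >/dev/null 2>&1 || return 2
}

# tool_auth_status TOOL [ARGS...] -> 0 logged in, 1 not logged in (TOOL reported
# a failure), 2 TOOL not installed. Output is discarded so nothing sensitive leaks.
tool_auth_status() {
  tool="$1"; shift
  tool_present "$tool" || return 2
  if "$tool" "$@" >/dev/null 2>&1; then return 0; else return 1; fi
}

# rc_label RC -> human-readable label for a check result.
rc_label() {
  case "$1" in
    0) printf 'ok' ;;
    1) printf 'missing' ;;
    2) printf 'not-installed' ;;
    *) printf 'error' ;;
  esac
}

# precheck_report -> prints one line per check; returns 0 when every check passed
# (skip auth, just start MachineSync) and 1 when Teka needs to enter something live.
precheck_report() {
  overall=0

  rc=0; tool_auth_status gh auth status || rc=$?
  printf 'GitHub CLI  (gh auth status)   : %s\n' "$(rc_label "$rc")"
  [ "$rc" -eq 0 ] || overall=1

  rc=0; tool_present claude || rc=$?
  printf 'Claude CLI  (claude on PATH)   : %s\n' "$(rc_label "$rc")"
  [ "$rc" -eq 0 ] || overall=1

  rc=0; env_is_set ANTHROPIC_API_KEY || rc=$?
  printf 'ANTHROPIC_API_KEY (non-empty?) : %s\n' "$(rc_label "$rc")"
  [ "$rc" -eq 0 ] || overall=1

  if [ "$overall" -eq 0 ]; then
    echo 'All present -> skip auth, just start MachineSync.'
  else
    echo 'Something missing -> Teka enters it live on the call.'
  fi
  return "$overall"
}

# Run the report only when invoked as: sh studio-precheck.sh --run
if [ "${1:-}" = "--run" ]; then precheck_report; fi
```

Run it as `sh studio-precheck.sh --run` on each Studio. The script only confirms that `claude` is installed; the signed-in user is still read by running `claude` as the page says. Because the helper later runs as a background process, `printenv` checks the exported environment, which is the one such a process actually inherits.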
Steps, per Studio (~15 min each):
Get MachineSync onto the box — Teka provides a download link/file; Adib downloads it (no repo access needed).
Pair it with a one-time code from the Machines dashboard (Teka generates on the call).
Teka enters anything sensitive live — Adib never sees or keeps a key.
Set it to start automatically + never sleep.
Confirm it shows Active and picks up the waiting test job — a Search-icon job is already queued on Studio 29, so we watch it run live as proof.
Repeat on Studio 2.
Outcome: both boxes Active and self-restarting → we immediately send the agent queue to them, off the laptop. The one-click signed installer still ships after, so future machines need no live session at all.
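What "start automatically + never sleep + survives reboots" amounts to on macOS, as an added example (this is not the installer's own code, which does this for Adib). It assumes placeholder values for the launchd label (`com.example.machinesync`) and the runner binary path; both are invented for illustration. It is also the kind of per-user startup item an MDM profile could block, which is why the managed-device question above matters.

```shell
#!/bin/sh
# Added example (not the MachineSync installer's own code): what "start
# automatically, never sleep, survive reboots/crashes" looks like on macOS as a
# per-user launchd LaunchAgent. Assumed placeholders: label com.example.machinesync
# and runner binary /Applications/MachineSync.app/Contents/MacOS/machinesync.
# A LaunchAgent runs as the logged-in user (no root), which is the least-privilege
# fit for a helper that only does assigned agent work.

LABEL="${MACHINESYNC_LABEL:-com.example.machinesync}"
BINARY="${MACHINESYNC_BINARY:-/Applications/MachineSync.app/Contents/MacOS/machinesync}"

# plist_path LABEL -> where the per-user agent definition lives.
plist_path() {
  printf '%s/Library/LaunchAgents/%s.plist' "$HOME" "$1"
}

# launch_agent_plist LABEL BINARY -> prints the plist. RunAtLoad starts it at
# login (i.e. after every reboot); KeepAlive restarts it whenever it exits/crashes.
launch_agent_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$1</string>
  <key>ProgramArguments</key>
  <array><string>$2</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>ProcessType</key><string>Background</string>
  <key>StandardOutPath</key><string>$HOME/Library/Logs/$1.log</string>
  <key>StandardErrorPath</key><string>$HOME/Library/Logs/$1.log</string>
</dict>
</plist>
EOF
}

# install_launch_agent LABEL BINARY -> writes the plist, validates it, loads it
# into the current user's launchd domain, and prints the resulting agent state.
install_launch_agent() {
  [ -x "$2" ] || { echo "runner binary not found/executable: $2" >&2; return 1; }
  target=$(plist_path "$1")
  mkdir -p "$(dirname "$target")"
  launch_agent_plist "$1" "$2" > "$target"
  plutil -lint "$target" >/dev/null || return 1            # syntax check before loading
  launchctl bootout "gui/$(id -u)/$1" 2>/dev/null || true  # unload a previous copy, if any
  launchctl bootstrap "gui/$(id -u)" "$target"
  launchctl print "gui/$(id -u)/$1" | grep -E 'state|pid' || true
}

# keep_awake -> the system never sleeps (needs admin); the display may still sleep.
keep_awake() {
  sudo pmset -a sleep 0
}

# Only act when invoked as: sh machinesync-agent.sh --install
if [ "${1:-}" = "--install" ]; then
  install_launch_agent "$LABEL" "$BINARY" && keep_awake
fi
```

Pausing or cutting off a box from the dashboard is the server-side kill switch; on the box itself the equivalent is `launchctl bootout gui/$(id -u)/<label>`, which stops the agent and, because the plist is removed from the domain, stops KeepAlive from restarting it.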
✅ What we'll ask Adib to do (one step — when we ping that it's ready)
Because Adib can drive the machines remotely, this is genuinely small, and timed to our readiness — not his:
We send one thing: either a single install command, or the MachineSync app + a pairing code from the dashboard.
Adib runs/installs it once per Studio (via his screen access).
Confirm each box shows "Active" on the Machines screen.
That's it — it starts automatically, stays awake, and survives reboots. Same step for any future Studio.
Right now there's nothing for Adib to install — we're finishing the signed installer (below). When it's ready we ping him with the exact one step. The two quick questions below are the only thing that helps in the meantime.
❓ Quick questions for Adib (so there's zero friction later)
On each Studio — Apple Silicon or Intel, and which macOS version? (Apple menu → About This Mac.) So we ship the right build.
Is there any MDM / managed-device profile or security software on the boxes? So a signed app + start-at-login aren't silently blocked.
(If both are "standard Mac, nothing managed," even better — no friction at all.)
🔒 Are we secure? How Adib's setup and ours converge safely
Security comes from a clean split: Adib operates the machine; The Cloud operates the trust. They don't overlap, so neither side holds the other's secrets.
No secret to expose — even with full machine access. MachineSync stores only a per-machine, Cloud-issued credential in the Mac's secure keychain. The access it needs to do work (the AI model + GitHub) is handled by The Cloud's servers — there's no key or password sitting on the box for anyone (Adib included) to see or leak.
Verifiably genuine install. The installer is signed + notarized by Apple, so Adib installs a tamper-evident, authentic app — and macOS enforces it. (This is exactly why we wait until it's signed before handing it over.)
We verify from our side. We watch each box pair and pick up a known test job; an unexpected machine or a misbehaving one is obvious, and we can switch off its access instantly from the dashboard — a kill switch that doesn't depend on Adib.
Least privilege. MachineSync only does the agent work assigned to it. It is not a remote login or a backdoor into The Cloud.
Net: Adib never receives our secrets; we never need standing access to his machines beyond what MachineSync uses. Even if either side were compromised, the blast radius is one switch-off-able machine credential — not our keys.
What Teka handles, so no secrets leave us
The signed installer — one step, nothing to build, no repo access on the box.
All sensitive access handled server-side — never placed on a Studio.
Pairing codes — issued and switch-off-able from the Machines dashboard, one per box, short-lived.
Monitoring + kill switch — each Studio's health is visible to us; we can pause/restart/cut off a box remotely.
What we're still finishing (our side — the timing gate)
Publish the signed, notarized installer so the one step above is real. (Main blocker — and the reason there's nothing to hand Adib yet.)
Move all sensitive access server-side so a Studio never needs a key on it.
Bundle start-at-login + auto-restart + auto-update so reboots/crashes recover with no manual setup.
Machines dashboard at scale — every Studio shows Active / last-seen, with remote pause/restart/cut-off.
When these land, onboarding any Studio is: one step → confirm Active. Fully hands-off, fully repeatable.