Nora self-hosted MVP sprint (security-first) #4
Open
Labels
- architecture: Architecture and system design
- blocked: Blocked or waiting on dependency
- product: Product scope and roadmap
- security: Security and auth hardening
- testing-qa: Testing and QA
Description
Goal
Ship Nora as a trustworthy self-hosted MVP, with security-first execution and bounded recurring worker cycles.
Approved direction
- Self-hosted MVP first
- Security-first sprint approved
- Recurring bounded lane jobs approved
- Merge to main requires approval
- Live deploy requires approval
P0 blockers
- Lock down OAuth login flow
- Add centralized ownership/authorization checks on agent/workspace/channel/integration/log routes
- Replace insecure token/query-string auth patterns
- Enforce encryption key usage and redact secrets from API responses
- Remove insecure default admin/bootstrap credential paths
- Fix backend test suite so tests run green
- Add coverage for deploy/chat/control-plane path
- Resolve runtime contract mismatch (9090 vs 18789)
P1 follow-ups
- Stabilize provisioning and port allocation
- Improve activation UX (signup → deploy → key sync → chat)
- Add structured logging + real readiness checks
- Tighten README/landing proof and positioning
Visibility gaps
- Grant Discord bot access to server/category
- Create and wire #executive-briefs
Notes
- Operating model doc branch: ops/nora-operating-model
- Repo: https://github.com/solomon2773/nora