Manual setup checklist

This MVP keeps secrets out of product state. Configure these values manually in `.env.local`.

1. Create a Neon development database

   Use a development-only database with no production data. This is classified as low risk when cost blast radius and data sensitivity are limited.

2. Set DATABASE_URL

   Paste the Neon connection string into `.env.local`. Do not commit it.

3. Generate AUTH_SECRET

   Use a long random value for signed owner sessions.

4. Generate OWNER_PASSWORD_HASH

   Run `npm run auth:hash -- "your password"` and copy the generated scrypt hash.

5. Connect OpenCode to ChatGPT Plus/Pro

   Run OpenCode `/connect`, choose OpenAI, and select `ChatGPT Plus/Pro`. Local runs use the resulting auth file without storing it in Wondermade state.

6. Configure deployed OpenCode auth

   For Vercel or sandbox execution, set `OPENCODE_AUTH_CONTENT` to the full OpenCode auth JSON as an encrypted environment secret. Leave it empty for normal local development.

7. Configure the runtime worker

   OpenCode questioning is queued in Postgres. Run `npm run runtime:worker` locally after queuing a job, and set `RUNTIME_WORKER_SECRET` for trusted production worker calls.

8. Run migrations

   Run `npm run db:migrate` after DATABASE_URL is configured.

9. Validate safely

   Run `npm run build`. The app should build without printing any secret values.