# Yumi — Pending Approvals, Credentials & Decisions

**Context:** Ben OOO 2026-06-22. All outward Yumi actions front-loaded for one-time approval.
The Claude Code auto-classifier blocks each of these until explicitly authorized, so they are
listed here in full. Safe, no-permission work continues independently (§D).

---

## A. Outward actions needing your explicit approval

| # | Action | Why it's sensitive | Depends on |
|---|---|---|---|
| A1 | **Email Shad** from `ben@flow-master.ai` with the Yumi brief + links | Outbound submission to a specific recipient | C1 (Shad's email), C6 (mailbox authed) |
| A2 | **Create Gitea org** (proposed: `yumi`) + repos under `gitea.mmd01.flow-master.ai` | Creates org/repos on shared Gitea | C3 (token), D1 (org name) |
| A3 | **Add Shad as Gitea collaborator/admin** on the org/repos | Grants access | C2 (Shad's Gitea username) |
| A4 | **Push all Yumi docs + code** to those repos | Publishes content | follows A2 |
| A5 | **Create the `yumi` Hindsight bank** on mmd01 (`PUT /v1/default/banks/yumi` + PAT in `auth-router-config` Secret) | Live multi-user infra mutation | C4 (kube context) |
| A6 | **Deploy the Yumi admin console** to the cluster behind FlowMaster-tenant SSO | Live deploy + identity wiring | C5 (FM tenant SSO), D2 (domain) |
| A7 | **Register a Yumi Entra app** in the FlowMaster tenant (SSO) | Identity provider config — needs your console or an FM-tenant admin principal | C5 |

## B. Credentials / parameters I need from you

- **C1** — Shad's **email address**.
- **C2** — Shad's **Gitea username**.
- **C3** — **Gitea token**: a token is present (len 32, host `gitea.mmd01.flow-master.ai`) in the
  source repo remotes. Confirm I may use it and that it has **org-create + repo-write +
  collaborator** scopes — or give me a dedicated Yumi deploy token.
- **C4** — **kubectl context name** for mmd01: `~/.kube/mmd01` exists but `--context mmd01` is
  "not found" — what's the correct context name? And confirm I may mutate namespace
  `hindsight-mmd` (the `yumi` bank lives there).
- **C5** — **FlowMaster-tenant SSO details**: tenant ID, the oauth2-proxy endpoint, the existing
  Entra app reg for `flow-master.ai`, and the redirect URIs to use for Yumi. (This is the FM
  tenant — *not* the MMD tenant `28621512…`.)
- **C6** — **ms365-flowmaster connector auth**: it must be authenticated as `ben@flow-master.ai`
  to send the email. If not signed in, run `/mcp` → Authenticate (interactive — can't be done
  headless).
- **C7** — **Yumi domain** for SSO redirect URIs (e.g. `yumi.flow-master.ai`?).

## C. Decisions

- **D1** — Gitea org name (suggest `yumi`).
- **D2** — Yumi SSO domain (= C7).
- **D3** — Email form: attach the logo + `YUMI_MASTER.md`, or link to Gitea after A2–A4?
  (Suggest: link to Gitea so there's one canonical source.)

## D. What I will do with NO approvals (progress while you're away)

- Design the **Yumi logo** (SVG) + a **unified frontend** mockup (letterbox DS).
- Build the **admin console UI scaffold** locally (users / accounts / banks / subscriptions screens).
- Write the **Gitea org layout plan** (repo map, README per repo, access model).
- Use the **ZAI/GLM vision** MCP to review the logo + frontend.

## E. Already in hand (no action needed)

- Gitea token (present), Hindsight tokens (`HINDSIGHT_*` in env), ZAI/Anthropic base + token
  (for vision). Design tokens + master doc already written.