Issues / #121
Build /setup/stripe paste-token flow
open
feature
Project: nimsforestgrove
Reporter:
11 May 2026 09:51
Description
Grove's Connect Stripe tile currently links to `/setup/stripe`, which 404s. Build the flow that takes an org admin from the tile to a working Stripe integration.
**Approach:** simplest path is paste-token. Admin pastes their Stripe **secret key** (sk_live_… or sk_test_…) into a form. Backend stores it via mycelium (per-org credential vending — the same mechanism that holds the org bearer token), and landconfigregistry's stripe Configs template renders the value into `/opt/nimsforeststripe/config.yaml` at the next reconcile. Land then replants the container, which picks up the new secret and `configured` flips to true. The grove tile disappears.
**Pieces:**
- Form route in grove (or iamnim) at `/setup/stripe` with a single secret_key input.
- Backend endpoint that POSTs to mycelium: `POST /api/credentials/stripe?org_slug=<slug>` storing the key.
- landconfigregistry stripe template (`internal/store/seed.go`) updated to interpolate the mycelium-vended value at render time.
- Optional: webhook_secret field on the same form.
**Considerations:**
- Use HTTPS POST; never log the key.
- Allow re-paste to rotate.
- Validate format (sk_live/sk_test prefix) before accepting.
**Verification:** paste a test key, watch the org land reconcile, hit stripe `/api/v1/health` → `configured:true`, `/api/v1/customers` → 200.
**Approach:** simplest path is paste-token. Admin pastes their Stripe **secret key** (sk_live_… or sk_test_…) into a form. Backend stores it via mycelium (per-org credential vending — the same mechanism that holds the org bearer token), and landconfigregistry's stripe Configs template renders the value into `/opt/nimsforeststripe/config.yaml` at the next reconcile. Land then replants the container, which picks up the new secret and `configured` flips to true. The grove tile disappears.
**Pieces:**
- Form route in grove (or iamnim) at `/setup/stripe` with a single secret_key input.
- Backend endpoint that POSTs to mycelium: `POST /api/credentials/stripe?org_slug=<slug>` storing the key.
- landconfigregistry stripe template (`internal/store/seed.go`) updated to interpolate the mycelium-vended value at render time.
- Optional: webhook_secret field on the same form.
**Considerations:**
- Use HTTPS POST; never log the key.
- Allow re-paste to rotate.
- Validate format (sk_live/sk_test prefix) before accepting.
**Verification:** paste a test key, watch the org land reconcile, hit stripe `/api/v1/health` → `configured:true`, `/api/v1/customers` → 200.