1. Welcome
One-screen intro. Click Begin setup.
2. LLM
Paste an API key from any OpenAI-compatible provider — Mistral (recommended), OpenAI, Groq, Together AI, or a self-hosted runtime. Click Test connection; you should see a green ✓.
- Mistral: console.mistral.ai — free tier covers personal use comfortably.
- OpenAI: platform.openai.com/api-keys — set base URL to https://api.openai.com/v1.
- Groq: console.groq.com/keys — base URL https://api.groq.com/openai/v1.
3. Auth
Google OAuth client ID + secret + an allowed email (only this address can sign in).
- Go to console.cloud.google.com → APIs & Services → Credentials.
- Create an OAuth 2.0 client ID (Web application).
- Set redirect URI to http://localhost:3000/api/auth/callback/google. (For production, also add https://kerno.yourdomain.com/api/auth/callback/google.)
- Add scopes for the connectors you'll use: Calendar, Gmail, Tasks, Drive, Docs.
- Copy the client ID and secret into the wizard.
- Allowed emails accepts a comma-separated list — jeremy@x.com,sam@y.com — leave empty to allow any Google-authenticated user (only safe on a closed network).
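The allowlist semantics described above, as an added example that is not the project's own code: it parses the comma-separated value, applies it to a Google profile, and audits the setting for the open (empty) case before you save it. The function names are hypothetical, and case-insensitive matching and the `email_verified` requirement are assumptions of this sketch, not documented behaviour.

```javascript
// Added example: not the project's code. Function names are hypothetical.

// Parse the comma-separated "Allowed emails" value into a normalized set.
function parseAllowedEmails(setting) {
  return new Set(
    String(setting ?? "")
      .split(",")
      .map((e) => e.trim().toLowerCase())
      .filter((e) => e.length > 0)
  );
}

// Decide whether a Google profile may sign in.
// `profile` carries the Google OIDC claims `email` and `email_verified`.
function checkSignIn(setting, profile) {
  const email = String(profile?.email ?? "").trim().toLowerCase();
  // Assumption: an unverified or missing email is never accepted.
  if (!email || profile?.email_verified !== true) {
    return { allowed: false, reason: "unverified-or-missing-email" };
  }
  const allowed = parseAllowedEmails(setting);
  if (allowed.size === 0) {
    // Documented behaviour: an empty list admits any Google-authenticated user.
    return { allowed: true, reason: "open-allowlist" };
  }
  return allowed.has(email)
    ? { allowed: true, reason: "listed" }
    : { allowed: false, reason: "not-listed" };
}

// Audit a value before saving: flag an open list and entries that can never match.
function auditSetting(setting) {
  const findings = [];
  if (parseAllowedEmails(setting).size === 0) {
    findings.push("open: any Google account can sign in");
  }
  for (const entry of String(setting ?? "").split(",").map((e) => e.trim())) {
    if (entry && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(entry)) {
      findings.push(`malformed entry: ${entry}`);
    }
  }
  return findings;
}

// Constructed sample values, taken from the list format shown above.
console.log(auditSetting("jeremy@x.com,sam@y.com"), auditSetting(" , "));
```

A value made only of separators and whitespace parses to an empty list, so the audit reports it as open rather than as a restriction.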
4. API keys
Three fields:
- Internal API key — auto-generated on first boot, no action required.
- Serper — for web search. Free tier at serper.dev covers personal use.
- Licence key — paste the key from your trial email. Click Test connection — green means the licence server validated it. See License keys & trial for the state machine.
5. Connectors
Slack, Linear, Notion, GitHub. Each one is independent — skip what you don't need. Each has a Test button. Where to grab credentials: Connecting services.
Google Workspace is auto-configured. Calendar, Gmail, Tasks, Drive, and Docs tokens are captured during the Google sign-in step after you save the wizard — no separate field here, no CLI command. Approve the consent screen once and the connectors light up.
6. Dev Mode
Optional. Activates the engineering overlay — Claude Sonnet 4.6 + GitHub branches/PRs + REVIEW/BUILD gating. Needs an Anthropic API key from console.anthropic.com. Off by default.
7. Review
Final summary of every value you've entered. Jump back to any step from the row buttons. Click Save to commit everything to the encrypted DB store.
After save
Once you save, /setup stops being publicly reachable. The route redirects to sign-in (Google OAuth) and from there to /admin, the same panel without the stepped wrapper.
Reconfigure anything later from /admin. Each connector has the same Test button.
Hot reload vs restart
Most config changes from /admin take effect on the very next request — no restart required. Connector tokens (Slack, Linear, Notion, GitHub, Anthropic), the LLM API key, the licence key, embeddings settings, and Dev Mode toggles all hot-reload.
Four values are the exception. They feed NextAuth, which only reads them when the Next.js subprocess starts:
- GOOGLE_CLIENT_ID
- GOOGLE_CLIENT_SECRET
- ALLOWED_EMAIL
- AUTH_SECRET (auto-generated, you shouldn't need to change it)
After changing any of these from /admin, restart the container so NextAuth picks them up:
docker compose restart app
You'll know it's needed if sign-in fails with MissingSecret or invalid_client after a recent change.