UCCO Foundation — Project Setup Brief v1.1¶

Date: 14 March 2026 From: Tim (via Claude) For: Alex

CRITICAL — READ THIS FIRST¶

This is a completely separate project from ucca-project. It has its own: - Directory: ~/projects/ucco-project/ - GitHub org: ucco-foundation (not uccaonline) - Cloudflare account: foundation account (not the UCCA account) - Domain registrar: Spaceship (not Porkbun/VentraIP) - Purpose: Open standards body — not commercial product

These two projects must never be mixed. Ever.

When working on ucco-project — you are working on a separate legal entity's infrastructure. Different account. Different credentials. Different deployment targets. If you are ever unsure which project a task belongs to — stop and ask Tim.

SURFACE: ucco-project (NEW — completely separate ecosystem)¶

DO NOT TOUCH: ucca-engine, ucca-docs, ucca-authenticator, or ANY surface under ucca-project or uccaonline GitHub org¶

→ ALEX¶

Phase 1 — Create the project directory¶

On the Mac Mini:

mkdir -p ~/projects/ucco-project
cd ~/projects/ucco-project
mkdir -p .credentials
mkdir -p ucco-site
mkdir -p ucco-api
mkdir -p ucco-standard
touch .credentials/README.md
touch .gitignore

Add to .gitignore:

.credentials/
.env
*.env
.DS_Store
node_modules/

Add to .credentials/README.md:

# UCCO Foundation Credentials

All credential files live here. Never committed to git.
Never shared. Never copied to ucca-project.

Files:
- cloudflare-foundation.env  — Cloudflare foundation account API token
- spaceship.env              — Spaceship domain registrar API credentials
- github.env                 — GitHub PAT for ucco-foundation org

Phase 2 — Create credential file stubs¶

Create these three files with placeholder structure only. Do not fill in values. Ask Tim for each key as you need it — he will provide them one at a time.

Create .credentials/cloudflare-foundation.env:

# UCCO Foundation — Cloudflare API Token
# Account: foundation Cloudflare account (NOT the UCCA account)
# Permissions: Workers, KV, D1, R2, DNS, Pages
# Created: 2026-03-14

CLOUDFLARE_API_TOKEN_FOUNDATION=
CLOUDFLARE_ACCOUNT_ID_FOUNDATION=

Create .credentials/spaceship.env:

# Spaceship Domain Registrar API
# Account: Tim Rignold personal (interim foundation steward)
# Domains: ucco.foundation, ucca.foundation, ucco.online
# API docs: https://docs.spaceship.dev
# Created: 2026-03-14

SPACESHIP_API_KEY=
SPACESHIP_API_SECRET=

Create .credentials/github.env:

# GitHub PAT — ucco-foundation org
# Token name: ucco-foundation-push
# Org: ucco-foundation (NOT uccaonline)
# Expires: 2027-03-14 — RENEW BEFORE THIS DATE
# Created: 2026-03-14

GITHUB_PAT_FOUNDATION=

When you need a value — ask Tim. He will paste it directly.

Phase 3 — Store GitHub PAT in macOS Keychain¶

Ask Tim for the ucco-foundation-push PAT value first.

Once you have it, store it in keychain as a separate entry from the UCCA one:

git credential-osxkeychain store <<EOF
protocol=https
host=github.com
username=ucco-foundation-push
password=PASTE_TOKEN_HERE
EOF

Test it works:

cd ~/projects/ucco-project
git clone https://github.com/ucco-foundation/ucco-standard.git

If it prompts for credentials — keychain didn't store correctly. Retry.

Phase 4 — Clone foundation GitHub repos¶

cd ~/projects/ucco-project
git clone https://github.com/ucco-foundation/ucco-standard.git
git clone https://github.com/ucco-foundation/ucco-site.git

Empty repos are fine — content comes in subsequent briefs.

Phase 5 — Add Cloudflare zones¶

Ask Tim for the Cloudflare foundation API token and account ID.

Add three zones to the foundation Cloudflare account: - ucco.foundation - ucca.foundation - ucco.online

For each zone, Cloudflare will assign two nameservers. Note them — format is xxx.ns.cloudflare.com. You need these for Phase 6.

Set SSL/TLS to Full (Strict) on all three zones immediately after adding.

Phase 6 — Set DNS records in Cloudflare¶

Important: Email is already working via Google Workspace on ucco.foundation. Tim set minimal DNS at Spaceship to get it running. You are NOT copying those records — you are creating the full correct DNS set fresh in Cloudflare. Once nameservers propagate, Cloudflare becomes authoritative and Spaceship DNS is irrelevant.

For ucco.foundation — create these records:

MX records (Gmail):

MX  @  aspmx.l.google.com        Priority 1   TTL Auto
MX  @  alt1.aspmx.l.google.com   Priority 5   TTL Auto
MX  @  alt2.aspmx.l.google.com   Priority 5   TTL Auto
MX  @  alt3.aspmx.l.google.com   Priority 10  TTL Auto
MX  @  alt4.aspmx.l.google.com   Priority 10  TTL Auto

SPF record:

TXT  @  "v=spf1 include:_spf.google.com ~all"

DKIM record:

TXT  google._domainkey  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApW01LuhSfVqAgx+uuqCe1CU4uG7cv1YcU5lOuQKFOir5N8/Cs4B7lw0oiVTpbCPgHJd+a0JHZK6kXrBtCGOq/scllnxoEfi1U86WEC4vJwy29+j8oCBDcW3LsNpX81AqNcEWfcoDciqHpVE4LtlnPJkXmfI4NPt90YcQ2lI90zv6TvIkJM2fGTUL+9/jvYvbhjaNTYdmfEcJMPswrDWWOKCCm57oC7hP+gLRJZmEmsVWc2QSQkEv04bYKCqBE+O/NBbQbj0dNo8BAh4GSX0jH4b0Cgk6nON623O68Nd+OsJo8PKAdexr9uvf1CC1ixAhys4XUMrPLS760knHU+LJcQIDAQAB"

DMARC record:

TXT  _dmarc  "v=DMARC1; p=none; rua=mailto:admin@ucco.foundation"

Ask Tim if there is a Google site verification TXT record — it will look like google-site-verification=xxxxxxxxx. If yes, add it as:

TXT  @  "google-site-verification=xxxxxxxxx"

For ucca.foundation and ucco.online: These don't have Google Workspace yet. Add minimal DNS for now:

TXT  @  "v=spf1 ~all"

We'll add full DNS when those domains are configured properly in subsequent briefs.

Phase 7 — Update nameservers at Spaceship¶

Ask Tim for the Spaceship API key and secret.

Load credentials:

source ~/projects/ucco-project/.credentials/spaceship.env

Update nameservers for each domain — use the nameservers Cloudflare assigned to each zone in Phase 5:

# ucco.foundation
curl -X PUT "https://spaceship.dev/api/v1/domains/ucco.foundation/nameservers" \
  -H "X-Api-Key: $SPACESHIP_API_KEY" \
  -H "X-Api-Secret: $SPACESHIP_API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "custom",
    "hosts": [
      "NS1_FROM_CLOUDFLARE_FOR_UCCO_FOUNDATION",
      "NS2_FROM_CLOUDFLARE_FOR_UCCO_FOUNDATION"
    ]
  }'

# ucca.foundation
curl -X PUT "https://spaceship.dev/api/v1/domains/ucca.foundation/nameservers" \
  -H "X-Api-Key: $SPACESHIP_API_KEY" \
  -H "X-Api-Secret: $SPACESHIP_API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "custom",
    "hosts": [
      "NS1_FROM_CLOUDFLARE_FOR_UCCA_FOUNDATION",
      "NS2_FROM_CLOUDFLARE_FOR_UCCA_FOUNDATION"
    ]
  }'

# ucco.online
curl -X PUT "https://spaceship.dev/api/v1/domains/ucco.online/nameservers" \
  -H "X-Api-Key: $SPACESHIP_API_KEY" \
  -H "X-Api-Secret: $SPACESHIP_API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "custom",
    "hosts": [
      "NS1_FROM_CLOUDFLARE_FOR_UCCO_ONLINE",
      "NS2_FROM_CLOUDFLARE_FOR_UCCO_ONLINE"
    ]
  }'

Verify each update:

curl -X GET "https://spaceship.dev/api/v1/domains/ucco.foundation" \
  -H "X-Api-Key: $SPACESHIP_API_KEY" \
  -H "X-Api-Secret: $SPACESHIP_API_SECRET"

Nameserver propagation takes up to 24 hours. Email will keep working throughout — the Gmail MX records you set in Cloudflare will be live once propagation completes.

Phase 8 — Confirm and report back¶

When complete, confirm: - [ ] ~/projects/ucco-project/ directory created with correct structure - [ ] All three credential stub files created - [ ] GitHub PAT stored in macOS Keychain - [ ] Foundation repos cloned - [ ] Three Cloudflare zones added - [ ] All DNS records set for ucco.foundation (MX, SPF, DKIM, DMARC) - [ ] Minimal DNS set for ucca.foundation and ucco.online - [ ] Nameservers updated at Spaceship for all three domains - [ ] Cloudflare account ID reported back to Tim

Report: - Foundation Cloudflare account ID - Nameservers assigned to each zone - Any DNS records Tim needs to verify in Google Admin

What comes next (not this brief)¶

Separate briefs will follow for: - ucco-api Worker — pioneer key endpoint and knowledge model - ucco-site Worker — MkDocs foundation website - D1 database pioneer-db setup - KV namespace ucco-knowledge setup

Do not proceed to those until this brief is fully confirmed complete.

→ TIM¶

What this does¶

Sets up ucco-project as a clean separate project on the Mac. Alex creates the structure and stub credential files, then asks you for each key as he needs it. You pass them one at a time — no risk of accidentally exposing them all at once.

Keys Alex will ask for (in order)¶

ucco-foundation-push GitHub PAT — for Phase 3
Cloudflare foundation API token — for Phase 5
Cloudflare foundation account ID — for Phase 5
Spaceship API key — for Phase 7
Spaceship API secret — for Phase 7

Have them ready in 1Password. Pass each one when Alex asks.

One question Alex will ask you¶

"Is there a Google site verification TXT record for ucco.foundation?"

Check your Google Admin console for ucco.foundation. If there's a verification record, paste it to Alex. If you're not sure — log into admin.google.com, go to Domains, find ucco.foundation, and look for a DNS verification record.

After propagation¶

Once nameservers propagate (up to 24 hours, usually faster), send a test email to admin@ucco.foundation from an external address. Confirm it arrives in Google Workspace. If it doesn't — DNS records need checking.

Urgents still on the board¶

GitHub PAT ucca-engine-push expires March 26 — renew this week
ucca.com.au + ucca.asia expire March 24 — renew this week