UCCO Foundation — Project Setup Brief v1¶
Date: 14 March 2026 From: Tim (via Claude) For: Alex
CRITICAL — READ THIS FIRST¶
This is a completely separate project from ucca-project. It has its own:
- Directory: ~/projects/ucco-project/
- GitHub org: ucco-foundation (not uccaonline)
- Cloudflare account: foundation account (not the UCCA account)
- Domain registrar: Spaceship (not Porkbun/VentraIP)
- Purpose: Open standards body — not commercial product
These two projects must never be mixed. Ever.
When working on ucco-project — you are working on a separate legal entity's infrastructure. Different account. Different credentials. Different deployment targets. If you are ever unsure which project a task belongs to — stop and ask.
SURFACE: ucco-project (NEW — completely separate ecosystem)¶
DO NOT TOUCH: ucca-engine, ucca-docs, ucca-authenticator, or ANY surface under the ucca-project directory or uccaonline GitHub org¶
→ ALEX¶
Phase 1 — Create the project directory¶
On the Mac Mini, run exactly:
mkdir -p ~/projects/ucco-project
cd ~/projects/ucco-project
mkdir -p .credentials
mkdir -p ucco-site
mkdir -p ucco-api
mkdir -p ucco-standard
touch .credentials/README.md
touch .gitignore
Add to .gitignore:
Add to .credentials/README.md:
# UCCO Foundation Credentials
All credential files live here. Never committed to git.
Never shared. Never copied to ucca-project.
Files:
- cloudflare-foundation.env — Cloudflare foundation account API token
- spaceship.env — Spaceship domain registrar API credentials
- github.env — GitHub PAT for ucco-foundation org
Phase 2 — Store credentials¶
Create .credentials/cloudflare-foundation.env:
# UCCO Foundation — Cloudflare API Token
# Account: foundation Cloudflare account (NOT the UCCA account)
# Permissions: Workers, KV, D1, R2, DNS, Pages
# Created: 2026-03-14
# Never expires (no expiry set)
CLOUDFLARE_API_TOKEN_FOUNDATION=<Tim provides token>
CLOUDFLARE_ACCOUNT_ID_FOUNDATION=<Tim provides account ID>
Create .credentials/spaceship.env:
# Spaceship Domain Registrar API
# Account: Tim Rignold personal (interim foundation steward)
# Domains: ucco.foundation, ucca.foundation, ucco.online
# API docs: https://docs.spaceship.dev
# Created: 2026-03-14
SPACESHIP_API_KEY=<Tim provides>
SPACESHIP_API_SECRET=<Tim provides>
Create .credentials/github.env:
# GitHub PAT — ucco-foundation org
# Token name: ucco-foundation-push
# Org: ucco-foundation (NOT uccaonline)
# Expires: 2027-03-14 — RENEW BEFORE THIS DATE
# Created: 2026-03-14
GITHUB_PAT_FOUNDATION=<Tim provides>
Tim will paste the actual values into each file directly on the Mac. Do not ask for them over chat.
Phase 3 — Store GitHub PAT in macOS Keychain¶
Run this to store the foundation PAT in keychain — separate entry from the UCCA one:
git credential-osxkeychain store <<EOF
protocol=https
host=github.com
username=ucco-foundation-push
password=PASTE_TOKEN_HERE
EOF
Test it works:
cd ~/projects/ucco-project/ucco-standard
git init
git remote add origin https://github.com/ucco-foundation/ucco-standard.git
git fetch
If it prompts for credentials — keychain didn't store correctly. Retry Phase 3.
Phase 4 — Clone foundation GitHub repos¶
cd ~/projects/ucco-project
# Clone standard repo
git clone https://github.com/ucco-foundation/ucco-standard.git
# Clone site repo
git clone https://github.com/ucco-foundation/ucco-site.git
If repos are empty that's fine — we'll add content in subsequent briefs.
Phase 5 — Point domains to Cloudflare nameservers¶
First — get the Cloudflare nameservers for the foundation account. In the foundation Cloudflare dashboard, add these three zones:
- ucco.foundation
- ucca.foundation
- ucco.online
Cloudflare will assign two nameservers per zone. Note them down — they'll look like xxx.ns.cloudflare.com and yyy.ns.cloudflare.com.
Then use the Spaceship API to update nameservers for each domain.
Load Spaceship credentials:
Update nameservers for each domain (run three times, once per domain):
curl -X PUT "https://spaceship.dev/api/v1/domains/ucco.foundation/nameservers" \
-H "X-Api-Key: $SPACESHIP_API_KEY" \
-H "X-Api-Secret: $SPACESHIP_API_SECRET" \
-H "Content-Type: application/json" \
-d '{
"provider": "custom",
"hosts": [
"NAMESERVER_1_FROM_CLOUDFLARE",
"NAMESERVER_2_FROM_CLOUDFLARE"
]
}'
Repeat for ucca.foundation and ucco.online — each zone may have different nameservers so check each one in Cloudflare.
Verify the update worked:
curl -X GET "https://spaceship.dev/api/v1/domains/ucco.foundation" \
-H "X-Api-Key: $SPACESHIP_API_KEY" \
-H "X-Api-Secret: $SPACESHIP_API_SECRET"
Nameserver propagation takes up to 24 hours but usually much faster.
Phase 6 — Set up Cloudflare Email Routing¶
In the foundation Cloudflare dashboard, for the ucco.foundation zone:
- Go to Email → Email Routing
- Enable Email Routing
- Add forwarding rule:
- From:
admin@ucco.foundation - To:
admin@ucca.online(Tim's working email — interim forwarding) - Cloudflare adds MX records automatically
- Confirm via the verification email Cloudflare sends
Repeat for ucca.foundation:
- From: admin@ucca.foundation
- To: admin@ucca.online
Phase 7 — Confirm and report back¶
When complete, confirm:
- [ ] ~/projects/ucco-project/ directory created with correct structure
- [ ] All three credential files created (values to be filled by Tim)
- [ ] GitHub PAT stored in macOS Keychain
- [ ] Foundation repos cloned
- [ ] Cloudflare zones added for all three domains
- [ ] Nameservers updated at Spaceship for all three domains
- [ ] Email routing active for admin@ucco.foundation
- [ ] Email routing active for admin@ucca.foundation
Report the Cloudflare account ID (find it in the foundation CF dashboard — it's a 32-char hex string in the right sidebar or account overview page). Tim needs this for the credentials file.
What comes next (not this brief)¶
Once this setup is confirmed complete, separate briefs will follow for:
- ucco-api Worker — the pioneer key endpoint and knowledge model
- ucco-site Worker — the MkDocs foundation website
- D1 database pioneer-db setup
- KV namespace ucco-knowledge setup
Do not proceed to those until this brief is fully confirmed.
→ TIM¶
What this does¶
Sets up the ucco-project directory on the Mac Mini as a completely clean, separate project from ucca-project. Different credentials. Different GitHub org. Different Cloudflare account. Alex treats these as two separate clients — because effectively they are.
The directory structure Alex creates¶
~/projects/ucco-project/
├── .credentials/ — never committed, your job to fill in values
│ ├── cloudflare-foundation.env
│ ├── spaceship.env
│ ├── github.env
│ └── README.md
├── .gitignore
├── ucco-standard/ — cloned from github.com/ucco-foundation/ucco-standard
├── ucco-site/ — cloned from github.com/ucco-foundation/ucco-site
└── ucco-api/ — cloned from github.com/ucco-foundation/ucco-api (future)
What you need to do after Alex creates the structure¶
Fill in the credential files directly on the Mac:
- Open
~/projects/ucco-project/.credentials/cloudflare-foundation.env - Paste the Cloudflare foundation API token you just created
-
Paste the foundation Cloudflare account ID (from CF dashboard)
-
Open
~/projects/ucco-project/.credentials/spaceship.env -
Paste your Spaceship API key and secret from spaceship.com/application/api-manager
-
Open
~/projects/ucco-project/.credentials/github.env - Paste the
ucco-foundation-pushPAT you just created
Do this before telling Alex to proceed past Phase 2.
The separation rule — say it to Alex directly¶
"This is a separate project. Separate credentials. Separate Cloudflare account. Separate GitHub org. Never mix with ucca-project. If you're ever unsure which project a task belongs to — ask me."
Urgents still on the board¶
- GitHub PAT
ucca-engine-pushexpires March 26 — renew this week - ucca.com.au + ucca.asia expire March 24 — renew this week
- Spaceship API key still needs generating at spaceship.com/application/api-manager