---
template_version: 1
title: "Onboard a deploy bot"
applicable_modes: [pubkey]
default_flow: auto-on-token
---

# Add a deploy bot to {{cluster_name}}

This onboards a low-privilege automated agent that only does deploys
(no general code edits). The daemon runs on a CI runner or a small
VM, takes deploy tasks from the cluster, executes, reports.

The admission token here is auto-approving (no manual step) because
deploy bots are usually scoped narrow enough that the operator has
pre-decided "if you have this token, you can join as a deployer".

## Steps

1. SSH into the deploy machine / CI runner.
2. Install the daemon:
       npm install -g meshkore
3. Create the bot identity:
       meshcore agent create \
         --client {{client}} \
         --identity {{proposed_identity}} \
         --role participant \
         --agent-role deployer
4. Join with the auto-token:
       meshcore agent join \
         --cluster {{cluster_url}} \
         --identity {{proposed_identity}} \
         --token {{admission_token}}
   The daemon auto-approves immediately because the cluster's
   `admission.approval` is `auto-on-token` for this token.
5. Start in detached mode (CI runners don't have an interactive
   terminal):
       meshcore start --detach

## What this bot will do

- Listen on the cluster channel for `task.assigned` events tagged
  `agent_role: deployer`.
- For each task: read the deploy runbook in
  `.meshkore/docs/deploy/<module>.md`, execute the command listed
  there, capture stdout/stderr, push commit if any, publish
  `task.completed` event.

It NEVER edits code. It NEVER pushes to a different branch than the
cluster's configured deploy branch. It NEVER decides to retry on its
own — failed deploys publish `task.failed` and stop.

## Token (auto-approve, single-use, expires in 1h)

{{admission_token}}

## See also

- https://meshkore.com/reference/prompts/deploy-by-agent.md — full
  deploy prompt spec.
- https://meshkore.com/cluster/operate — operator manual.