anaclumos/configs/AGENTS.md

Backlinks (1)

Handling Agents with Love

I prefer CLI

Why? Multi-tenant environments. First, we need to understand a few differences between environments:

End-user UI
Agent Runtime Environment
LLM Server

When you run Claude Code on your local MacBook, the first two are always local. The third is usually the Claude.ai server.
When you ssh to a virtual private server (VPS) and install Claude Code there, the first two are your remote server. The third is still the Claude.ai server.
When you run Claude RC on your virtual private server and code from your iPad using the Claude app, the end-user UI is on your iPad, the agent runtime environment is on your VPS, and the server is still Claude.ai.

Most people physically separate their tenancy, such as Claude Code, from their personal vs. work laptops. So in most cases, it's not a big deal.

But when you need multi-tenancy, it becomes super stressful. For example, say you have two different toolkits:

personal toolkits (personal Notion, personal Sentry, personal Linear)
workplace toolkits (company Notion, company Sentry, company Linear)

Most MCP auth states or code harnesses don't support profiles, so you can only log in to one.

So therefore... a natural evolution was to have both:

a personal VPS with all personal toolkits set up
a workplace VPS with all workspace toolkits set up

to physically isolate tenancies.

Now we've solved the multiple-profile issue, but the client's problems persist. Now let's get back to the environments:

End-user UI
Agent Runtime Environment
LLM Server

All MCP auth or toolkit auth info should always be saved in the Agent Runtime Environment IMHO. However, a surprising number of harnesses tie them to the LLM server (such as Codex Apps or Claude.ai Plugins) or put them in the end-user UI (Claude Desktop or Codex Desktop).

Now the problem is:

If the auth data is put on the LLM server, you cannot reuse LLM accounts across tenants
If the auth data is put on the end-user UI, you cannot use the same app to access multi-tenants.

The only way to reliably isolate different auth information is thus:

You ssh to a virtual private server (VPS) and run Claude Code there. Never use LLM server plugins.

Then

End-user UI
Agent Runtime Environment

are both isolated VPS, and

LLM Server holds no information on the tenancy

This way, you can provide different toolkits, creating multiple dev environments.

Backlinks (1)

260619

Clerk Passkey Nudge

You can create a custom UI component that prompts users to add a passkey. Use the user.createPasskey() method from Clerk's SDK:

tsx

import { useUser } from '@clerk/clerk-react'
export function PasskeyNudge() {  const { isSignedIn, user } = useUser()
  const createClerkPasskey = async () => {    if (!isSignedIn) return
    try {      await user?.createPasskey()      // Show success message    } catch (err) {      console.error('Error:', JSON.stringify(err, null, 2))    }  }
  // Check if user already has passkeys  const hasPasskey = user?.passkeys && user.passkeys.length > 0
  if (hasPasskey) return null
  return (    <div className="passkey-nudge">      <p>🔐 Set up a passkey for faster, more secure sign-ins!</p>      <button onClick={createClerkPasskey}>Add Passkey</button>    </div>  )}

Implementation Strategies

Here are some ways to nudge users:

Post-login prompt — Show a modal or banner after sign-in if the user doesn't have a passkey set up
Settings page highlight — Add a prominent section in user settings encouraging passkey setup
Conditional prompts — Show the nudge after a certain number of SMS-based logins
Incentive messaging — Highlight benefits like "Sign in faster with Face ID/Touch ID"

Using an Onboarding Flow

For a more structured approach, you can integrate passkey setup into a custom onboarding flow. Clerk has a guide that shows how to use session tokens, public metadata, and Middleware to require users to complete certain steps before accessing your app:

Add custom onboarding to your authentication flow

You could adapt this pattern to prompt users to set up a passkey as part of onboarding, tracking their passkey status in publicMetadata and redirecting them to a passkey setup page until they've added one.

Prerequisites

Ensure passkeys are enabled in your Clerk Dashboard under User & Authentication → Passkeys
Note: Passkeys require a paid plan for production use (free in development)

You can check user.passkeys to determine if a user already has passkeys configured and conditionally show your nudge UI accordingly.

Backlinks (1)

260120

anaclumos/configs/AGENTS.md

Backlinks (1)

Handling Agents with Love

I prefer CLI

Why? Multi-tenant environments. First, we need to understand a few differences between environments:

End-user UI
Agent Runtime Environment
LLM Server

When you run Claude Code on your local MacBook, the first two are always local. The third is usually the Claude.ai server.
When you ssh to a virtual private server (VPS) and install Claude Code there, the first two are your remote server. The third is still the Claude.ai server.
When you run Claude RC on your virtual private server and code from your iPad using the Claude app, the end-user UI is on your iPad, the agent runtime environment is on your VPS, and the server is still Claude.ai.

Most people physically separate their tenancy, such as Claude Code, from their personal vs. work laptops. So in most cases, it's not a big deal.

But when you need multi-tenancy, it becomes super stressful. For example, say you have two different toolkits:

personal toolkits (personal Notion, personal Sentry, personal Linear)
workplace toolkits (company Notion, company Sentry, company Linear)

Most MCP auth states or code harnesses don't support profiles, so you can only log in to one.

So therefore... a natural evolution was to have both:

a personal VPS with all personal toolkits set up
a workplace VPS with all workspace toolkits set up

to physically isolate tenancies.

Now we've solved the multiple-profile issue, but the client's problems persist. Now let's get back to the environments:

End-user UI
Agent Runtime Environment
LLM Server

Now the problem is:

If the auth data is put on the LLM server, you cannot reuse LLM accounts across tenants
If the auth data is put on the end-user UI, you cannot use the same app to access multi-tenants.

The only way to reliably isolate different auth information is thus:

You ssh to a virtual private server (VPS) and run Claude Code there. Never use LLM server plugins.

Then

End-user UI
Agent Runtime Environment

are both isolated VPS, and

LLM Server holds no information on the tenancy

This way, you can provide different toolkits, creating multiple dev environments.

Backlinks (1)

260619

Clerk Passkey Nudge

You can create a custom UI component that prompts users to add a passkey. Use the user.createPasskey() method from Clerk's SDK:

tsx

import { useUser } from '@clerk/clerk-react'
export function PasskeyNudge() {  const { isSignedIn, user } = useUser()
  const createClerkPasskey = async () => {    if (!isSignedIn) return
    try {      await user?.createPasskey()      // Show success message    } catch (err) {      console.error('Error:', JSON.stringify(err, null, 2))    }  }
  // Check if user already has passkeys  const hasPasskey = user?.passkeys && user.passkeys.length > 0
  if (hasPasskey) return null
  return (    <div className="passkey-nudge">      <p>🔐 Set up a passkey for faster, more secure sign-ins!</p>      <button onClick={createClerkPasskey}>Add Passkey</button>    </div>  )}

import { useUser } from '@clerk/clerk-react'
export function PasskeyNudge() {  const { isSignedIn, user } = useUser()
  const createClerkPasskey = async () => {    if (!isSignedIn) return
    try {      await user?.createPasskey()      // Show success message    } catch (err) {      console.error('Error:', JSON.stringify(err, null, 2))    }  }
  // Check if user already has passkeys  const hasPasskey = user?.passkeys && user.passkeys.length > 0
  if (hasPasskey) return null
  return (    <div className="passkey-nudge">      <p>🔐 Set up a passkey for faster, more secure sign-ins!</p>      <button onClick={createClerkPasskey}>Add Passkey</button>    </div>  )}

Implementation Strategies

Here are some ways to nudge users:

Post-login prompt — Show a modal or banner after sign-in if the user doesn't have a passkey set up
Settings page highlight — Add a prominent section in user settings encouraging passkey setup
Conditional prompts — Show the nudge after a certain number of SMS-based logins
Incentive messaging — Highlight benefits like "Sign in faster with Face ID/Touch ID"

Using an Onboarding Flow

Add custom onboarding to your authentication flow

Prerequisites

Ensure passkeys are enabled in your Clerk Dashboard under User & Authentication → Passkeys
Note: Passkeys require a paid plan for production use (free in development)

You can check user.passkeys to determine if a user already has passkeys configured and conditionally show your nudge UI accordingly.

Backlinks (1)

260120