White Glove Onboarding CLI

Feature row 54 — Sprint WGO

The wgo CLI is a super-admin tool bundled with the Behavry backend container.

What this is

wgo (White Glove Onboarder) turns the 20-step manual customer onboarding checklist into a single YAML file and one command. It's designed for the Behavry SaaS team and for Enterprise customers who want to automate tenant provisioning in their own control plane.

The goal is: git-committable customer config → fully provisioned tenant, with no clicking, no credential sharing, and no missed steps.

The command

wgo provision --config customer.yaml

This reads customer.yaml, runs the provisioning workflow transactionally, and prints a summary of what was created. Re-running with the same config is idempotent: objects that already exist are left alone.

Workflow

In order, wgo provision:

  1. Creates the tenant — slug, name, plan tier, region, contact
  2. Activates the license — writes the license key to TenantConfig
  3. Creates the first admin user — or sends the admin an invite if Clerk / OIDC is configured
  4. Seeds policies — imports a pack of baseline policies matched to the customer's vertical
  5. Seeds DLP patterns — imports a custom DLP pattern set (optional)
  6. Provisions enrollment tokens — one per declared agent, so the customer can start enrolling immediately
  7. Creates SIEM destinations — destinations declared in YAML, credentials pulled from env or secret manager
  8. Creates discovery connectors — IdP / SaaS / citizen-coder connectors, same credential pattern
  9. Applies plan-level feature overrides — per contractual agreement
  10. Writes an onboarding audit row — for the whole workflow, tagged with the operator's super-admin identity

If any step fails, the whole workflow rolls back unless --continue-on-error is passed (useful for partial re-provisioning).

Config schema

tenant:
  slug: acme
  name: Acme Corp
  plan: enterprise
  region: us-east-1
  contact: it@acme.example

license:
  key: env://ACME_LICENSE_KEY
  expires: 2027-01-01

admin:
  username: alice@acme.example
  # If Clerk: the admin will receive a Clerk invite email
  # If password: prompt for a password, or read from env://ACME_ADMIN_PASSWORD

policy_packs:
  - baseline-fsi
  - acme-internal # a pack pushed to Acme's private community subscription

dlp_packs:
  - fsi-pii

agents:
  - name: analyst-bot
    type: claude-code
  - name: ci-reviewer
    type: claude-desktop

siem:
  - kind: splunk
    url: https://splunk.acme.example:8088
    token: env://ACME_SPLUNK_HEC_TOKEN

discovery:
  - kind: okta
    domain: acme.okta.com
    api_key: env://ACME_OKTA_KEY

features:
  enable:
    - policy_writer_ai # enabled early per contract

env:// references are resolved from the shell environment at run time; they never land in the config file itself.

Dry run

wgo provision --config customer.yaml --dry-run

Prints the workflow without executing it and reports any schema or credential issues upfront.
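
Because the config is meant to be committed to git, a repository-side check can enforce the env:// rule before a file ever reaches wgo. The following is an added example, not wgo's own code: it walks an already-parsed config and reports credential fields that hold a literal instead of an env:// reference, plus references whose variable is unset. The function name, the SECRET_FIELDS list (taken from the field names in the sample config) and the sample dict are assumptions.

```python
import os

# Assumption: credential field names, taken from the sample config on this page.
SECRET_FIELDS = {"key", "token", "api_key", "password"}
ENV_PREFIX = "env://"

def audit_secret_refs(config, environ=None):
    """Return (paths holding literal credentials, [(path, VAR)] with unset VAR)."""
    environ = os.environ if environ is None else environ
    inline, missing = [], []  # only paths and variable names, never secret values

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk_field(k, v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    def walk_field(key, value, path):
        if isinstance(value, (dict, list)):
            walk(value, path)
        elif key in SECRET_FIELDS:
            if not (isinstance(value, str) and value.startswith(ENV_PREFIX)):
                inline.append(path)  # literal secret would be committed to git
            elif not environ.get(value[len(ENV_PREFIX):]):
                missing.append((path, value[len(ENV_PREFIX):]))

    walk(config, "")
    return inline, missing

# Constructed sample: part of the config above as a parsed dict, one token pasted inline.
SAMPLE = {
    "tenant": {"slug": "acme", "plan": "enterprise"},
    "license": {"key": "env://ACME_LICENSE_KEY", "expires": "2027-01-01"},
    "siem": [{"kind": "splunk", "url": "https://splunk.acme.example:8088",
              "token": "constructed-literal-token"}],
    "discovery": [{"kind": "okta", "domain": "acme.okta.com",
                   "api_key": "env://ACME_OKTA_KEY"}],
}

if __name__ == "__main__":
    inline, missing = audit_secret_refs(SAMPLE, {"ACME_LICENSE_KEY": "x"})
    print("literal credentials at:", inline)
    print("unset variables:", missing)
```

Run as a pre-commit or CI step, a non-empty first list should fail the build; the second list depends on the environment and is only meaningful on the host where wgo provision will run.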