security hardening + drafts/attachments

INSTALL.md

@@ -0,0 +1,53 @@
+# INSTALL — Mastermind MVP
+
+## Prerequisites
+- Docker + Docker Compose
+- A stable hostname/IP you can reach (LAN or Tailscale)
+
+## Configure
+```bash
+cd /root/clawd/mastermind-mvp
+cp .env.example .env
+```
+
+Edit `.env`:
+- `SESSION_SECRET` — set to a long random value
+- `BASE_URL` — the URL you use to reach the app (Tailscale IP recommended)
+
+OAuth is optional for now:
+- `GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET`
+- `MICROSOFT_CLIENT_ID/MICROSOFT_CLIENT_SECRET`
+
+## Start
+```bash
+docker compose up -d --build
+```
+
+App:
+- http://<BASE_URL_HOST>:3005/login
+
+## First login (important)
+On first run the app creates:
+- `owner@local` / `owner`
+
+Immediately change it:
+- http://<host>:3005/account/password
+
+## Create your first project
+- http://<host>:3005/projects
+
+## Import email (until OAuth is connected)
+Export emails as `.eml` and upload:
+- http://<host>:3005/inbox
+
+## Enable connector placeholders
+- http://<host>:3005/admin/email
+
+Connectors will show **Configured: no** until OAuth client credentials are added.
+
+## OAuth callbacks (when you’re ready)
+These are the callback URLs the app expects:
+- Google: `BASE_URL/auth/google/callback`
+- Microsoft: `BASE_URL/auth/microsoft/callback`
+
+Set `BASE_URL` correctly before authorizing.