Add op/circleci auth, Node+Yarn via mise, and private registry config

- Authenticate with 1Password (op whoami / op signin) after installation
- Install and authenticate CircleCI CLI (circleci setup / CIRCLECI_CLI_TOKEN)
- Install Node.js (LTS via mise) and Yarn (via corepack) as baseline tools
- Add gh auth scopes (read:packages, write:packages) for GitHub Packages
- Configure Bundler (contribsys, GitHub Packages, GitHub git sources)
- Configure Yarn (@trusted via GitHub Packages, @FortAwesome via Font Awesome)
- Add ci/mock-op shim so op commands succeed in CI without a real session
- Add doctor checks for circleci, Node, Yarn, and all registry configs
- Update AGENTS.md scope to reflect Node.js, Yarn, circleci, and registries

Author: mhfs

.github/workflows/ci.yml

@@ -14,18 +14,24 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Run shellcheck
-        run: shellcheck -x setup.sh doctor.sh lib/*.sh
+        run: shellcheck -x setup.sh doctor.sh lib/*.sh ci/mock-op
 
   setup-ubuntu:
     name: Setup (Ubuntu)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install op mock for CI
+        run: |
+          sudo cp ci/mock-op /usr/local/bin/op
+          sudo chmod +x /usr/local/bin/op
+
       - name: Run setup.sh
         run: bash setup.sh
         env:
           GH_TOKEN: ${{ secrets.TRUSTED_SHARED_SOURCE_GITHUB_TOKEN }}
+          CIRCLECI_CLI_TOKEN: ${{ secrets.TRUSTED_SHARED_SOURCE_CIRCLECI_TOKEN }}
 
       - name: Run doctor
         run: |
@@ -34,3 +40,4 @@ jobs:
           bash doctor.sh
         env:
           GH_TOKEN: ${{ secrets.TRUSTED_SHARED_SOURCE_GITHUB_TOKEN }}
+          CIRCLECI_CLI_TOKEN: ${{ secrets.TRUSTED_SHARED_SOURCE_CIRCLECI_TOKEN }}

AGENTS.md

@@ -50,16 +50,19 @@ When adding a new tool installation, provide install commands for all three plat
 This repo installs **tool managers, CLI tools, and infrastructure dependencies**:
 
 - Package managers (Homebrew, apt, pacman)
-- git, gh, mise, op
+- git, gh, mise, op, circleci
 - Ruby (latest stable via mise, as global default for `bin/setup` scripts)
+- Node.js (latest LTS via mise, as global default)
+- Yarn (via corepack, ships with Node.js)
 - Build essentials
 - Docker, Docker Compose, Colima (macOS only)
 - AWS CLI, AWS VPN Client
+- Private registry configuration (Bundler for gems, Yarn for npm scopes)
 
 It does **NOT** install:
 
-- Node.js, Python, or other runtimes (left to project `bin/setup` via mise)
-- Project-specific Ruby versions (handled by mise + `.mise.toml`)
+- Python or other runtimes (left to project `bin/setup` via mise)
+- Project-specific Ruby or Node.js versions (handled by mise + `.mise.toml`)
 - Application dependencies (gems, npm packages)
 - Databases, Redis, Elasticsearch, etc.
 - Editor configurations or dotfiles
@@ -82,7 +85,7 @@ It does **NOT** install:
 
 ## Commands
 
-- `shellcheck -x setup.sh doctor.sh lib/*.sh` — Lint bash scripts
+- `shellcheck -x setup.sh doctor.sh lib/*.sh ci/mock-op` — Lint bash scripts
 - `bash -n setup.sh` — Check for syntax errors without executing
 - `bash doctor.sh` — Run post-setup diagnostic checks
 - `date +%s` — Generate a migration timestamp

ci/mock-op

@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Mock 1Password CLI for CI environments.
+#
+# Returns hardcoded dummy values so setup.sh code paths execute without
+# a real 1Password desktop app or service account. Placed on PATH before
+# the real op binary (or in place of it when op is not installed).
+
+case "$*" in
+  *whoami*)
+    echo "ci-mock-user@trusted.dev"
+    ;;
+  *BUNDLE_ENTERPRISE__CONTRIBSYS__COM*)
+    echo "ci-mock-contribsys-key"
+    ;;
+  *"Font Awesome"*)
+    echo "ci-mock-fa-token"
+    ;;
+  *--version)
+    echo "2.99.0-mock"
+    ;;
+  *signin*)
+    # No-op: mock is already "signed in"
+    ;;
+  *)
+    echo "ci-mock-op: unhandled args: $*" >&2
+    exit 1
+    ;;
+esac

doctor.sh

@@ -84,6 +84,9 @@ source "$SCRIPT_DIR/lib/mise_doctor.sh"
 # shellcheck source=lib/1password_doctor.sh
 source "$SCRIPT_DIR/lib/1password_doctor.sh"
 
+# shellcheck source=lib/circleci_doctor.sh
+source "$SCRIPT_DIR/lib/circleci_doctor.sh"
+
 # shellcheck source=lib/build_doctor.sh
 source "$SCRIPT_DIR/lib/build_doctor.sh"
 
@@ -93,6 +96,9 @@ source "$SCRIPT_DIR/lib/docker_doctor.sh"
 # shellcheck source=lib/aws_doctor.sh
 source "$SCRIPT_DIR/lib/aws_doctor.sh"
 
+# shellcheck source=lib/registries_doctor.sh
+source "$SCRIPT_DIR/lib/registries_doctor.sh"
+
 # shellcheck source=lib/migrate_doctor.sh
 source "$SCRIPT_DIR/lib/migrate_doctor.sh"
 

lib/1password_setup.sh

@@ -42,3 +42,26 @@ else
       ;;
   esac
 fi
+
+# ---------------------------------------------------------------------------
+# 1Password Authentication
+# ---------------------------------------------------------------------------
+
+fmt_header "1Password Authentication"
+
+if op whoami > /dev/null 2>&1; then
+  fmt_ok "1Password: already signed in"
+else
+  echo "  1Password CLI needs to be authenticated."
+  echo "  This will open a browser/system auth prompt."
+  echo ""
+  eval "$(op signin)"
+
+  if ! op whoami > /dev/null 2>&1; then
+    echo ""
+    echo "ERROR: 1Password authentication failed or was cancelled."
+    echo "Setup cannot continue without 1Password access."
+    exit 1
+  fi
+  fmt_ok "1Password: signed in"
+fi

lib/circleci_doctor.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Doctor check: CircleCI CLI.
+# Sourced by doctor.sh — do not execute directly.
+# Requires: lib/common.sh, doctor helpers (check_pass, check_fail, check_cmd)
+
+fmt_header "CircleCI CLI"
+
+check_cmd "circleci" "circleci"
+
+if cmd_exists circleci; then
+  version_output="$(circleci version 2>&1 | head -1)"
+  check_pass "circleci reports version: $version_output"
+
+  if circleci diagnostic 2>&1 | grep -q "OK, got a token"; then
+    check_pass "circleci is authenticated"
+  else
+    check_fail "circleci is not authenticated (run: circleci setup)"
+  fi
+fi

lib/circleci_setup.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# CircleCI CLI setup and authentication.
+# Sourced by setup.sh — do not execute directly.
+# Requires: lib/common.sh
+
+# ---------------------------------------------------------------------------
+# CircleCI CLI
+# ---------------------------------------------------------------------------
+
+fmt_header "CircleCI CLI"
+
+if cmd_exists circleci; then
+  fmt_ok "circleci already installed ($(circleci version 2>/dev/null | head -1))"
+else
+  fmt_install "CircleCI CLI"
+  case "$OS" in
+    macos)
+      brew install circleci
+      ;;
+    ubuntu|arch)
+      # Official installer — works on any Linux
+      curl -fLSs https://raw.githubusercontent.com/CircleCI-Public/circleci-cli/main/install.sh | sudo bash
+      ;;
+  esac
+fi
+
+# ---------------------------------------------------------------------------
+# CircleCI Authentication
+# ---------------------------------------------------------------------------
+
+fmt_header "CircleCI Authentication"
+
+if circleci diagnostic 2>&1 | grep -q "OK, got a token"; then
+  fmt_ok "CircleCI CLI: already authenticated"
+else
+  echo "  CircleCI CLI needs to be configured."
+  echo "  You will need a personal API token from:"
+  echo "  https://app.circleci.com/settings/user/tokens"
+  echo ""
+  circleci setup
+
+  if ! circleci diagnostic 2>&1 | grep -q "OK, got a token"; then
+    echo ""
+    echo "ERROR: CircleCI CLI authentication failed or was cancelled."
+    echo "Setup cannot continue without CircleCI access."
+    exit 1
+  fi
+  fmt_ok "CircleCI CLI: authenticated"
+fi

lib/git_setup.sh

@@ -56,18 +56,38 @@ fi
 
 fmt_header "GitHub Authentication"
 
+gh_auth_ok=false
+gh_scopes_ok=false
+
 if gh auth status > /dev/null 2>&1; then
-  fmt_ok "Already authenticated with GitHub"
-elif [ "${CI:-}" = "true" ]; then
+  gh_auth_ok=true
+  # Check for required scopes (read:packages needed for private registries)
+  gh_status_output="$(gh auth status 2>&1)"
+  if echo "$gh_status_output" | grep -qE 'read:packages|write:packages'; then
+    gh_scopes_ok=true
+  fi
+fi
+
+if $gh_auth_ok && $gh_scopes_ok; then
+  fmt_ok "Authenticated with GitHub (with required scopes)"
+elif $gh_auth_ok; then
+  echo "  GitHub CLI is authenticated but missing required scopes (read:packages, write:packages)."
+  echo "  Re-authenticating with required scopes..."
   echo ""
-  echo "ERROR: Not authenticated with GitHub in CI."
-  echo "Set GH_TOKEN or GITHUB_TOKEN in your workflow environment."
-  exit 1
+  gh auth login --web --git-protocol https --scopes read:packages,write:packages
+
+  if ! gh auth status > /dev/null 2>&1; then
+    echo ""
+    echo "ERROR: GitHub re-authentication failed or was cancelled."
+    echo "Setup cannot continue without GitHub access."
+    exit 1
+  fi
+  fmt_ok "Authenticated with GitHub (scopes updated)"
 else
   echo "  GitHub CLI needs to be authenticated."
   echo "  This will open a browser window for GitHub login."
   echo ""
-  gh auth login --web --git-protocol https
+  gh auth login --web --git-protocol https --scopes read:packages,write:packages
 
   # Verify authentication succeeded before continuing
   if ! gh auth status > /dev/null 2>&1; then

lib/mise_doctor.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Doctor check: mise and Ruby.
+# Doctor check: mise, Ruby, Node.js, and Yarn.
 # Sourced by doctor.sh — do not execute directly.
 # Requires: lib/common.sh, doctor helpers (check_pass, check_fail, check_cmd)
 
@@ -38,3 +38,39 @@ if cmd_exists mise; then
 else
   check_fail "Cannot check Ruby — mise is not installed"
 fi
+
+# ---------------------------------------------------------------------------
+# Node.js (via mise)
+# ---------------------------------------------------------------------------
+
+fmt_header "Node.js (via mise)"
+
+if cmd_exists mise; then
+  if mise which node > /dev/null 2>&1; then
+    check_pass "Node.js is available via mise"
+    node_version="$(mise exec -- node --version 2>&1)"
+    if [[ "$node_version" == v* ]]; then
+      check_pass "Node.js executes and reports version: $node_version"
+    else
+      check_fail "Node.js returned unexpected output: $node_version"
+    fi
+  else
+    check_fail "Node.js is not available via mise (expected global default)"
+  fi
+else
+  check_fail "Cannot check Node.js — mise is not installed"
+fi
+
+# ---------------------------------------------------------------------------
+# Yarn (via corepack)
+# ---------------------------------------------------------------------------
+
+fmt_header "Yarn (via corepack)"
+
+if cmd_exists yarn; then
+  check_pass "yarn is installed"
+  yarn_version="$(yarn --version 2>&1)"
+  check_pass "yarn reports version: $yarn_version"
+else
+  check_fail "yarn is not installed (expected via corepack)"
+fi

lib/mise_setup.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# mise version manager and Ruby setup.
+# mise version manager, Ruby, Node.js, and Yarn setup.
 # Sourced by setup.sh — do not execute directly.
 # Requires: lib/common.sh
 
@@ -69,5 +69,43 @@ if mise which ruby > /dev/null 2>&1; then
 else
   fmt_install "Ruby (latest stable via mise)"
   mise use --global ruby@latest
-  fmt_ok "Ruby installed: $(mise exec ruby -- ruby --version)"
+  fmt_ok "Ruby installed: $(mise exec -- ruby --version)"
+fi
+
+# ---------------------------------------------------------------------------
+# Node.js (via mise — global default for running bin/setup scripts)
+# ---------------------------------------------------------------------------
+
+fmt_header "Node.js (via mise)"
+
+if mise which node > /dev/null 2>&1; then
+  fmt_ok "Node.js already available via mise"
+else
+  fmt_install "Node.js (latest LTS via mise)"
+  mise use --global node@lts
+  fmt_ok "Node.js installed: $(mise exec -- node --version)"
+fi
+
+# ---------------------------------------------------------------------------
+# Yarn (via corepack — ships with Node.js)
+# ---------------------------------------------------------------------------
+
+fmt_header "Yarn (via corepack)"
+
+if cmd_exists yarn; then
+  fmt_ok "yarn already available ($(yarn --version 2>/dev/null))"
+else
+  fmt_install "Enabling corepack for yarn"
+  mise exec -- corepack enable
+
+  # corepack installs shims to the Node prefix bin directory, which may not
+  # be on PATH yet. Reshim mise so the yarn shim is available.
+  mise reshim 2>/dev/null || true
+
+  if cmd_exists yarn; then
+    fmt_ok "yarn enabled via corepack"
+  else
+    echo "  WARNING: yarn was enabled via corepack but is not yet on PATH."
+    echo "  It will be available after restarting your shell."
+  fi
 fi