Studio Infra Kit · Bring-Up Runbook

Day 0. Studio, online from zero.

A sequenced bring-up of every internal system the Studio runs on — from blank slate to first revenue-ready engagement — in three working days. Identity first, money last, validation in between. Every phase has a gate; nothing depends on a system that isn't already passing its check.

Pair this runbook with the five system-specific runbooks (USI-RB-02 through USI-RB-05) and the Studio Ops Kit (USO-ST-01 through USO-ST-06).

Doc-ID: USI-RB-01
Phase: Bring-Up
Duration: 3 working days
Status: Live
01 · How to use this runbook.

This is the meta-runbook for standing up the Studio's internal infrastructure. Read it once end-to-end before starting; then execute phase by phase, in order, without skipping ahead.

Three rules govern Day 0:

One — identity is foundational. Every other system depends on Google Workspace SSO and the 1Password vault. If those aren't right, fixing them later means re-rolling credentials across the entire stack. Do them first, do them carefully, and don't move on until the gate passes.

Two — phase gates are non-negotiable. Each phase ends with a short checklist. If any item is unchecked, you do not start the next phase — even if it feels like you're losing time. The cost of moving forward on a half-built foundation is always higher than the cost of finishing it now.

Three — validation day is real work. Day 3 is not "wrap-up." It is a deliberate end-to-end test of every system you stood up: log in to everything from a clean device, restore a file, sign a test contract, send a test invoice, deploy a commit. If anything fails, you fix it before declaring Day 0 complete.

§ Bottom line
If you follow this runbook end-to-end, the Studio is operationally ready to take on its first paid engagement on the morning of Day 4.
02 · Prerequisites before Day 0.

Before opening this runbook on Day 0 morning, the following must already be in place. None of them are technical — they are the legal, financial, and physical preconditions for the rest of the work.

Prereq | Why | Typical lead time
Legal entity formed | Need EIN, articles of incorporation, operating agreement before opening Mercury or signing contracts. | 2–4 weeks
Domain registered | umbra.group already in DNS. Need it in hand before Workspace setup. | Done
Business address | Needed for Mercury account validation and any state filings. Use a registered agent or coworking address — never a home address. | Same day
Hardware ordered | Tier A workstation (MBP 16" M5 Max), 2x YubiKey 5C NFC, Studio Display. See USO-ST-05. | 5–10 days
Payment instrument | Personal credit card or pre-funded debit card to cover Workspace, 1Password, Tailscale, etc., before Mercury is open. | Same day
Quiet 3 days | Day 0 cannot be done in fragments. Block three full working days in the calendar with no client meetings, no recurring obligations. | Calendar block
§ Stop · do not start
If any of the six prerequisites is missing, stop and resolve it first. Starting Day 0 without an EIN or without YubiKeys in hand will block you halfway through and cost more than the delay.
03 · Phase 0 · Identity foundation.

Day 1 · morning + afternoon · ~6 hours

Identity comes first because every later system — Mercury, Dropbox Sign, Airtable, GitHub, Linear — will be enrolled against the Workspace SSO and protected by the 1Password vault and YubiKey hardware. Get this wrong and the whole stack is fragile.

Step 01 · Provision Google Workspace. ~60 min
  1. Sign up at workspace.google.com on the Business Standard tier (one seat).
  2. Verify ownership of umbra.group via DNS TXT record.
  3. Create the primary identity: abe@umbra.group. Set a strong unique password generated by 1Password.
  4. Create role aliases as groups, not seats: hello@, billing@, contracts@, security@, press@, all forwarding to the primary.
  5. Enable 2-Step Verification — but leave the YubiKey enrollment for Step 03.
Gate
  • You can send and receive mail at abe@umbra.group from a fresh browser session.
  • All five role aliases route mail correctly.
Step 02 · Stand up 1Password Business. ~45 min
  1. Sign up for 1Password Business at 1password.com/business. One seat.
  2. Use abe@umbra.group as the primary identity, a generated master password (32+ chars), and a printed Emergency Kit stored in a fireproof safe.
  3. Create the six vaults from USO-ST-06 §03: studio, studio-shared, contracts, recovery, engineering, and a placeholder client-template (clone per client).
  4. Install the desktop app and the browser extension on the primary workstation.
Gate
  • Master password and Secret Key are printed, signed, dated, and locked in the safe.
  • Six vaults exist and are reachable from the desktop app.
Step 03 · Enroll hardware keys. ~30 min
  1. Unbox both YubiKey 5C NFC units. Label one primary, the other backup.
  2. In Workspace, register both as 2-Step Verification methods. Disable SMS and authenticator-app fallbacks.
  3. In 1Password, register both as account unlock methods.
  4. Store the backup key in the same fireproof safe as the Emergency Kit. Carry the primary on your keychain.
Gate
  • Workspace and 1Password both refuse to unlock without one of the two YubiKeys present.
  • Backup key has been physically tested against both services and re-locked in the safe.
§ Phase 0 gate
All three steps gated & passing. If yes, proceed to Phase 1. If no — stop, resolve, retest. Do not start hardware setup with a half-built identity layer.
04 · Phase 1 · Workstation bring-up.

Day 1 · evening · ~3 hours

The MBP arrives clean. Resist the urge to restore from a personal backup — the Studio device runs Studio identity only, no carryover from prior machines. See USI-RB-05 for the full endpoint runbook; this is the abridged Day 0 path.

Step 01 · macOS first-boot. ~45 min
  1. Boot fresh. Sign in with the Apple ID associated with abe@umbra.group (create one if needed).
  2. Set FileVault to on. Save the recovery key in the recovery vault.
  3. Enable Find My Mac, automatic OS updates, Touch ID, and require password immediately on sleep.
  4. Install Chrome and 1Password as the first two applications.
Step 02 · Enroll in Jamf Now MDM. ~30 min
  1. Sign up for Jamf Now (free for first 3 devices). Create the Studio org.
  2. Generate an enrollment profile, install it on the MBP.
  3. Apply the baseline blueprint: passcode policy, FileVault enforced, OS updates auto-installed, Find My required.
Gate
  • Device shows up as compliant in Jamf Now within 10 minutes of enrollment.
  • Remote-lock command tested from the Jamf admin console (then unlock).
Step 03 · Backup stack live. ~45 min
  1. Time Machine: connect Synology DS224+ over Tailscale, configure as Time Machine target.
  2. Backblaze B2: install the Backblaze app, set initial backup. First seed will run for ~24 hours in the background.
  3. iCloud Drive: enable for Documents and Desktop only. Not for application data.
Gate
  • Time Machine reports a successful first backup before bed.
  • Backblaze upload is in progress and not blocked by network.
§ Phase 1 gate
Workstation is encrypted, MDM-enrolled, and backing up. Anything else — ergonomic setup, dock arrangement, font installation — can wait until Day 2 evening or later.
05 · Phase 2 · Comms & workspace.

Day 2 · morning · ~3 hours

The collaboration stack from USO-ST-03. Slack, Notion, Drive, Loom, Figma. All enrolled against Workspace SSO so a single identity revocation kills access everywhere.

Step 01 · Slack workspace. ~45 min
  1. Create the umbra-studio Slack workspace. Sign in with Workspace SSO.
  2. Create the seven baseline channels from USO-ST-03 §02: #studio-internal, #sprint-active, #sprint-pipeline, #patterns, #post-mortem, #alerts, #random.
  3. Configure the channel-naming convention for client channels: #client-<short>-active, #client-<short>-handoff.
  4. Enable enterprise grid only if and when there are multiple seats.
Step 02 · Notion workspace. ~60 min
  1. Create the Studio Notion workspace via SSO.
  2. Create the seven top-level pages: Patterns, Engagements, Decisions, Post-mortems, Playbooks, Knowledge, People.
  3. Apply the page-naming convention: YYYY-MM-DD · <client-short> · <topic> for engagement notes.
  4. Set sharing default: workspace-only. No public links by default.
Step 03 · Google Drive structure. ~30 min
  1. Create five Shared Drives: Studio, Engagements, Contracts, Finance, Patterns.
  2. Set Engagements with sub-folders per active client — one folder per engagement, never shared across clients.
  3. Default access: Manager-only on Contracts and Finance; Contributor on the others (matters when there are more seats).
Step 04 · Loom & Figma. ~20 min
  1. Loom: sign up via SSO, install desktop app, test recording.
  2. Figma: sign up via SSO, create the Studio team. Defer Pro plan until first client design work begins.
§ Phase 2 gate
All collaboration tools online and SSO-enrolled. Test by signing out everywhere and signing back in via SSO from the desktop app of each tool.
06 · Phase 3 · Pipeline & CRM.

Day 2 · afternoon · ~4 hours

The CRM holds the qualified pipeline; Linear holds the engagement work. Both gated to SSO, both with templates pre-loaded so the first inbound lead doesn't require schema design.

Step 01 · Airtable CRM base. ~120 min
  1. Sign up for Airtable Team plan via SSO.
  2. Create the Studio CRM base. Build the four tables specified in USI-RB-03: Leads, Engagements, Outreach, Touchpoints.
  3. Create the six pipeline stages as a single-select field on Leads: Signal → Qualify → Scope → Proposal → Contract → Active.
  4. Create the Pipeline Kanban view grouped by stage. Pin to home.

Full schema in USI-RB-03.

Step 02 · Linear workspace. ~60 min
  1. Create the Linear workspace via SSO.
  2. Create two teams to start: Studio (internal work) and Sprint Template (clone per engagement).
  3. In Sprint Template: pre-load the four-phase milestone structure (Observation, Redesign, Build, Handoff) and the four gate issues.
  4. Configure the workflow states from USO-ST-03 §04: Backlog → Triaged → In Progress → Review → Gate → Done.
Step 03 · Superhuman intake. ~30 min
  1. Install Superhuman, sign in with abe@umbra.group.
  2. Create the four splits: Inbound leads, Active sprints, Contracts & finance, Personal.
  3. Configure snippets for the three outreach templates from umbra-studio-outreach.html.
§ Phase 3 gate
Add a synthetic test lead to Airtable, log a touchpoint, advance to Qualify, then archive. If that round-trip works in <3 minutes, the CRM is ready.
07 · Phase 4 · Money & contracts.

Day 3 · morning · ~3 hours

Money systems go late on purpose. By Day 3 the identity layer is hardened, devices are MDM-managed, and the workflow surfaces are wired. Mercury and Wave inherit that posture.

Step 01 · Mercury business banking. ~60 min
  1. Apply at mercury.com with the LLC EIN, articles, and operating agreement. Approval typically <24 hours.
  2. Open one checking and one savings sub-account. Configure the savings sub-account as the Tax Reserve.
  3. Create the recurring rule: 25% of every inbound transfer auto-routes to Tax Reserve.
  4. Issue one virtual debit card for SaaS subscriptions, store in 1Password studio vault.

Full setup in USI-RB-04.

Step 02 · Wave bookkeeping. ~45 min
  1. Sign up at waveapps.com via SSO.
  2. Connect Mercury via secure feed. Verify last 30 days of transactions imported correctly.
  3. Configure the five expense tags: cogs, opex, capex, r&d, g&a.
  4. Create one test invoice for $1, send to a personal email, mark paid, then void. Verifies the invoicing flow end-to-end.
Step 03 · Dropbox Sign & templates. ~60 min
  1. Sign up for Dropbox Sign Standard, SSO via Workspace.
  2. Upload the four templates (MSA, SOW, NDA, IP Rider) from contracts/templates/. Tag each merge field.
  3. Send a test envelope to contracts@umbra.group. Counter-sign. Verify the executed PDF lands in the Contracts Shared Drive automatically.
§ Phase 4 gate
Mercury funded, Wave reconciled, Dropbox Sign template envelope counter-signed. The Studio can now legally and financially transact with a client.
08 · Phase 5 · Engineering surface.

Day 3 · afternoon · ~3 hours

Last phase before Validation Day. The engineering surface — GitHub org, repo scaffolds, secrets management — has to be in place before the first engagement spins up its client-<short> repo.

Step 01 · GitHub org & repos. ~60 min
  1. Create the umbra-studio GitHub organization. Pay for Team plan.
  2. Enforce 2FA org-wide. Require commits to be GPG- or SSH-signed.
  3. Create the four template repos: studio-shared (shared utilities), patterns (the pattern library), contracts (signed PDFs & templates), infra (the runbooks themselves, versioned).
  4. Create the client-template repo. Future client repos clone this with the naming pattern client-<short>-<workflow>.
Step 02 · Tailscale mesh. ~30 min
  1. Sign up for Tailscale via Workspace SSO.
  2. Install on the MBP and the Synology NAS. Both should appear on the tailnet within 2 minutes.
  3. Configure ACLs: only the MBP can reach the NAS. Both can reach external services through exit nodes if needed.
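A tailnet policy that expresses step 3 (MBP reaches NAS, nothing reaches the MBP, both may use an exit node), as an added example rather than the Studio's own ACL file. It assumes the two devices carry the tags tag:workstation and tag:nas (assigned in the admin console) and that the Synology serves Time Machine over SMB on 445 and DSM over HTTPS on 5001; adjust the ports if the NAS is configured differently. A new tailnet ships with a single accept-everything rule (src "*", dst "*:*"); this policy replaces it, and because Tailscale denies anything no rule accepts, the NAS cannot open a connection back to the workstation.

```jsonc
{
  // Admins own both tags; a device must be tagged before any rule below applies to it.
  "tagOwners": {
    "tag:workstation": ["autogroup:admin"],
    "tag:nas": ["autogroup:admin"]
  },

  "acls": [
    // MBP -> NAS only, and only on the ports the backup path needs
    // (445 Time Machine over SMB, 5001 DSM; assumed Synology defaults).
    { "action": "accept", "src": ["tag:workstation"], "dst": ["tag:nas:445,5001"] },

    // Both devices may egress to the public internet through an exit node.
    // The exit node itself still has to be advertised and approved separately.
    { "action": "accept", "src": ["tag:workstation", "tag:nas"], "dst": ["autogroup:internet:*"] }
  ],

  // Checked every time the policy is saved: the NAS must never initiate to the
  // workstation, and the workstation must still reach SMB on the NAS.
  "tests": [
    { "src": "tag:nas", "deny": ["tag:workstation:22", "tag:workstation:445"] },
    { "src": "tag:workstation", "accept": ["tag:nas:445"] }
  ]
}
```

The "tests" block is the check worth keeping: if a later edit accidentally reopens NAS-to-MBP traffic, the admin console refuses to save the policy instead of silently widening the mesh.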
Step 03 · Anthropic & model access. ~45 min
  1. Create the Anthropic Console account. Add a payment method on the Studio Mercury debit card.
  2. Generate three API keys: studio-dev, studio-eval, studio-prod. Store all three in the engineering vault, never in .env files committed to Git.
  3. Set spending limits: $200/mo on dev, $200/mo on eval, $1000/mo on prod (revisit at first engagement).
§ Phase 5 gate
Clone client-template as client-test-x, push a commit signed with your key, run a one-prompt Claude API call from a script that pulls the key from 1Password CLI. If all three steps succeed, the engineering surface is live.
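An added example of the gate's third step (not a script from the Studio kit): a one-prompt API call whose key is fetched from 1Password at run time with op read, never from a .env file. It assumes the item layout op://engineering/studio-dev/credential for the studio-dev key in the engineering vault, a model id supplied via ANTHROPIC_MODEL (the default below is an assumption), and a signed-in op CLI. The key is handed to curl through a config file on stdin rather than on the command line, so it does not land in ps output or shell history, and the script refuses to run at all if a dotenv file in the repo carries an ANTHROPIC_API_KEY.

```shell
#!/usr/bin/env bash
# Added example for the Phase 5 gate: single-prompt Claude API call with the key
# read from 1Password (assumed reference op://engineering/studio-dev/credential).
set -eu

OP_REF="${OP_REF:-op://engineering/studio-dev/credential}"   # assumed vault/item/field
MODEL="${ANTHROPIC_MODEL:-claude-3-5-sonnet-20241022}"        # assumed model id; override as needed
API_URL="https://api.anthropic.com/v1/messages"

# Returns 0 when no .env / .env.* file under the directory mentions the key,
# 1 otherwise. The key value itself is never printed.
dotenv_is_clean() {
  local dir="${1:-.}" hits
  hits=$(find "$dir" -type f \( -name '.env' -o -name '.env.*' \) \
           -exec grep -l 'ANTHROPIC_API_KEY' {} + 2>/dev/null || true)
  [ -z "$hits" ]
}

# Minimal JSON string escaping for the prompt: backslashes, quotes, newlines.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
    awk 'NR>1{printf "\\n"} {printf "%s", $0}'
}

# Request body for one user turn.
request_body() {
  printf '{"model":"%s","max_tokens":64,"messages":[{"role":"user","content":"%s"}]}' \
    "$MODEL" "$(json_escape "$1")"
}

# Resolve the key from 1Password and pass it to curl as a config line on stdin
# (-K -), so it never appears in argv.
one_prompt_call() {
  local prompt="$1" key
  key=$(op read "$OP_REF")
  printf 'header = "x-api-key: %s"\n' "$key" |
    curl -sS --fail -K - \
      -H 'anthropic-version: 2023-06-01' \
      -H 'content-type: application/json' \
      --data "$(request_body "$prompt")" \
      "$API_URL"
}

main() {
  if ! dotenv_is_clean .; then
    echo "refusing: ANTHROPIC_API_KEY found in a .env file; keep it in 1Password only" >&2
    exit 1
  fi
  one_prompt_call "Reply with the single word: ready"
}

# The network call only runs when explicitly requested, so the functions above
# can be sourced and checked without credentials.
if [ "${RUN_GATE_CALL:-0}" = "1" ]; then
  main
fi
```

Run it from the client-test-x checkout as RUN_GATE_CALL=1 ./gate-call.sh after op signin; a JSON response from the API means the key path, the vault item, and the spending-limited studio-dev key all work together.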
09 · Day 3 · Validation day.

Day 3 · evening · ~2 hours

Day 0 is not complete until every system is tested end-to-end from a clean state. Treat this as the final exam — if any step fails, fix it before declaring Day 0 done.

  1. Cold sign-in test. Sign out of every service. Sign back in to Workspace, 1Password, Slack, Notion, Drive, Linear, Airtable, GitHub, Mercury, Wave using only the YubiKey + master password. No fallbacks should be needed.
  2. Restore test. Pick a random file you created during Phase 2. Delete it. Restore it from Time Machine and from Backblaze. Both should succeed in <5 minutes.
  3. Contract envelope test. Send a test SOW envelope to a personal email, sign it, verify it lands in the Contracts Shared Drive automatically.
  4. Invoice test. Issue a $1 test invoice from Wave to a personal email. Mark paid in Mercury, then void. Confirm Wave reconciliation.
  5. Pipeline test. Add a synthetic lead in Airtable. Move it through all six stages. Log three touchpoints. Archive. Total time: under 5 minutes.
  6. Engineering test. From a fresh shell: op signin, pull the studio-dev key, run a one-prompt Claude API call, push a signed commit to client-test-x, delete the repo. Confirm clean teardown.
  7. Identity revocation test. In Workspace, suspend the test alias test@umbra.group created earlier. Verify it can no longer sign in to any of the connected SaaS surfaces within 10 minutes.
§ Validation gate
All seven tests pass. If yes, Day 0 is complete and the Studio is operationally ready. If no — do not start the next morning's first engagement until the failing test is resolved and re-verified.
10 · Day-0 printable checklist.

Single-page summary. Print it, tape it next to the workstation, check off in pen as you go. The runbook is the source of truth for how; this is the source of truth for where you are.

Day 1 · Identity & workstation

  1. Workspace provisioned, primary identity live, role aliases routing.
  2. 1Password Business with six vaults; Emergency Kit in the safe.
  3. Two YubiKeys enrolled on Workspace and 1Password; backup in the safe.
  4. MBP first-boot, FileVault on, Jamf Now compliant.
  5. Time Machine + Backblaze backing up.

Day 2 · Comms & pipeline

  1. Slack workspace with seven baseline channels.
  2. Notion workspace with seven top-level pages.
  3. Five Google Drive Shared Drives.
  4. Loom & Figma signed in via SSO.
  5. Airtable CRM base with four tables and Pipeline Kanban view.
  6. Linear workspace with Studio team and Sprint Template team.
  7. Superhuman with four splits and outreach snippets.

Day 3 · Money, engineering, validation

  1. Mercury checking + savings (Tax Reserve, 25% rule).
  2. Wave connected, five tags, test invoice round-trip.
  3. Dropbox Sign with four templates, test envelope signed.
  4. GitHub org with five template repos, 2FA enforced.
  5. Tailscale mesh up; ACLs in place.
  6. Anthropic API keys (dev/eval/prod) in the engineering vault.
  7. All seven validation tests passed.
§ Bottom line
Three working days. Identity first. Validation last. The Studio takes its first engagement on the morning of Day 4.