Identity, access,
and secrets.

1. Sign up at workspace.google.com. Choose Business Standard ($14/seat/mo) — required for Shared Drives and Vault.
2. Enter umbra.group as the primary domain.
3. Verify domain ownership via DNS TXT record at the registrar (Cloudflare/etc).
4. Add MX records pointing to Google. Disable any prior mail routes.

1. Create user abe@umbra.group. Generate a strong password in 1Password (32+ chars).
2. Create five Groups (not seats) for role aliases. Groups are free; seats are not:

hello@umbra.group        # public inbound
billing@umbra.group      # invoices, finance
contracts@umbra.group    # legal, MSAs, SOWs
security@umbra.group     # security disclosures
press@umbra.group        # press & media inquiries

All five forward to abe@.

In Admin Console → Security

• 2-Step Verification: enforce on all users. Allowed methods: Security Key only (no SMS, no Authenticator app fallback once YubiKey is enrolled).
• Less Secure Apps: disabled.
• Session length: 8 hours, then re-auth.
• Recovery email/phone: disable user-set recovery; admin-only.
• Login challenges: enable.
• Context-Aware Access: enable; restrict admin actions to managed devices.

In Admin Console → Apps → Google Workspace

• Drive sharing: restrict external sharing to allowlisted domains.
• Gmail: enable enhanced pre-delivery scanning.
• Calendar: disable external visibility of free/busy by default.

1. Sign up for 1Password Business at 1password.com/business. One seat, $20/mo.
2. Create the primary identity using abe@umbra.group.
3. Generate a 32-character master password. Print it. The Emergency Kit (master password + Secret Key) goes in a fireproof safe before any data lands in the vault.
4. Configure SSO via Workspace OIDC (now or after Workspace is fully hardened).
5. Create the six vaults named per the table above (substitute client-template as a placeholder for the per-client vault pattern).

1. Install the desktop app and browser extension on the workstation.
2. Install the 1Password CLI: brew install 1password-cli. Verify with op signin.
3. Configure SSH agent: enable in 1Password → Developer. Generate a per-Studio SSH key inside the engineering vault.
4. Configure shell helper for secret injection in scripts: op run -- <cmd>.

1. For each vault, set the access policy per the table above.
2. Disable the default Personal and Shared vaults — they bypass the ACL discipline.
3. Configure travel mode toggle for the engineering vault (excludes it from device sync when traveling internationally).

Gate

• Six vaults visible, each with the correct ACL.
• Emergency Kit printed, signed, dated, in the safe.
• op signin works from a fresh shell using the YubiKey.

1. Two YubiKey 5C NFC keys, ordered direct from yubico.com.
2. Label one P (primary), one B (backup). Use a small adhesive label, not a marker.
3. Set a PIN on each key via Yubico Authenticator (8–15 chars). Same PIN on both is acceptable; the keys themselves are the second factor.

1. Workspace → My Account → Security → 2-Step Verification → Add Security Key.
2. Tap the primary key. Name it YK-P.
3. Repeat with the backup key. Name it YK-B.
4. Disable all other 2FA methods: SMS, Authenticator app, backup codes (or store backup codes in recovery vault and disable in UI).

1. 1Password → My Profile → Manage Two-Factor Authentication → Security Key.
2. Enroll both keys.
3. Verify by signing out and back in using each key.

1. GitHub → Settings → Password & Authentication → Security Keys. Enroll both.
2. Anthropic Console: enroll both as 2FA.
3. Mercury, Wave, Dropbox Sign, Tailscale: enroll wherever supported.
4. For services that don't support WebAuthn (rare in this stack), use TOTP stored in 1Password's built-in TOTP — never SMS.

1. Sign up at tailscale.com using Workspace SSO (Google identity provider).
2. Install the Tailscale macOS app on the MBP. Sign in.
3. Install Tailscale on the Synology NAS via the Package Center.
4. Confirm both devices appear on the tailnet within 2 minutes.

Edit the tailnet policy file (Admin console → Access Controls). Default-deny; explicit allow for what's actually needed.

{
  "tagOwners": {
    "tag:studio-workstation": ["abe@umbra.group"],
    "tag:studio-nas":         ["abe@umbra.group"],
    "tag:contractor":         ["abe@umbra.group"]
  },
  "acls": [
    // Workstation can reach NAS for Time Machine + file shares
    { "action": "accept",
      "src": ["tag:studio-workstation"],
      "dst": ["tag:studio-nas:445,548,5000-5001"] },

    // Contractors get only what's named per engagement
    { "action": "accept",
      "src": ["tag:contractor"],
      "dst": ["tag:studio-workstation:0"] }   // none by default
  ],
  "ssh": [
    { "action": "check",
      "src": ["autogroup:member"],
      "dst": ["tag:studio-workstation"],
      "users": ["autogroup:nonroot"] }
  ]
}

1. Tag the workstation as tag:studio-workstation.
2. Tag the NAS as tag:studio-nas.
3. Verify Time Machine still backs up over the mesh, and that any other ports are blocked (test from a third device if available).

1. Create the umbra-studio organization. Subscribe to Team plan ($4/seat/mo).
2. In Org → Settings → Authentication: require 2FA org-wide. Enable IP allow lists if and when team grows.
3. In Org → Settings → Member privileges: default repository permission = Read. No member can create public repos by default.

1. In 1Password, generate an SSH commit-signing key in the engineering vault.
2. Add the public key to GitHub → Settings → SSH and GPG keys, marked as a signing key.
3. Configure git locally: git config --global gpg.format ssh, git config --global commit.gpgsign true.
4. Test by making a signed commit and verifying the green Verified badge appears on GitHub.

1. Create the four template repos: studio-shared, patterns, contracts, infra.
2. Create client-template. Mark as Template repository in settings.
3. For each repo: enable Dependabot, enable secret scanning, require signed commits on the default branch.
4. Add the standard .gitignore, SECURITY.md, and CODEOWNERS files.