Skip to main content
You may start with only an enrollment code. That code is enough to begin onboarding, but it is not enough to mutate systems. The current KHAW CLI path is provision and verify, not a live enroll subcommand.
Do not paste the raw enrollment code into public docs, screenshots, GitHub issues, or agent outputs. Redact it and keep only the provisioning receipt shape.

If email does not exist yet

Use the canonical local-part that should become the company email: 
khaw fde provision   --full-name "<Full Name>"   --email-local <firstname.lastname>   --domain namastex.ai   --role fde   --dry-run   --json   --out ./fde-provision.receipt.json

If email already exists

khaw fde provision   --full-name "<Full Name>"   --email <you@company-domain>   --role fde   --dry-run   --json   --out ./fde-provision.receipt.json
Expected receipt shape: 
{
  "subject": { "identity": "firstname.lastname", "email": "firstname.lastname@namastex.ai", "role": "fde" },
  "resource_profile": { "cpu": "4", "ram": "16GiB", "disk": "160GiB" },
  "required_approvals": ["email", "gitea", "lxc", "model_provider"],
  "mutation": "none"
}

Verify against the receipt

khaw fde verify --from ./fde-provision.receipt.json --dry-run --json
Good verification should prove identity and expected machine/access fields without changing remote state.

Ask for the exact missing package

I have a KHAL FDE provisioning receipt. Please provision or confirm:
1. company email account;
2. KHAL/Gitea account and groups;
3. KHAW profile/workstation binding;
4. clean-room LXC/SSH access route;
5. OpenRouter/model-provider route and budget policy.
Raw enrollment code is redacted. Receipt is attached or summarized.

Evidence to keep

  • khaw fde provision ... --dry-run --json output with private values redacted.
  • The local ./fde-provision.receipt.json file kept private.
  • khaw fde verify --from ... --dry-run --json output.
  • Ticket/owner/channel for each pending approval.
TASK: I am reading `fde-start-here/enrollment.mdx` (Enrollment code to active FDE). Use this page as the contract, then verify current CLI/output before you guide me.
CONTEXT: I may be a new KHAL FDE. Prefer read-only checks and dry-runs first. Do not mutate customer, HML, production, credentials, SSH, Gitea, or model-provider state without an explicit GO.
SAFE FIRST COMMANDS: Check versions, identity, target, git source/ref, KHAW doctor/status, KHAL context, and dry-run output. Redact secrets and private URLs.
EVIDENCE: Return command, exit status, sanitized output, what it proves, and the next safe action.