00
MailSloth is two backends, one phone
AiMANAC mesh + mailsloth-server — both required

Mail Sloth is not a Satcheli-style “read AiMANAC’s JWT only” sibling. You run mailsloth-server from a public container image, complete MailSloth FirstBoot for a MailSloth JWT, and use AiMANAC on the same iPhone for owner HELM MCP and claim ingestion.

From AiMANAC (App Group)

group.net.llmtech.aimanac — owner JWT in keychain, backend URL discovery, HELM tools to aimanac-server (/mcp).

From mailsloth-server

FirstBoot → setup/login → MailSloth JWT in MailSlothClaim/claim.json; IHP-WS to your mailsloth HTTPS URL (aud = net.llmtech.mailsloth).

Between them

AiMANAC foreground scan reads the claim file so helm_mailsloth_* relay tools work against your mailsloth-server.

Customer order

Install AiMANAC → sign in → pull mailsloth-server → MailSloth FirstBoot → OAuth → send mail.

00a
Path A — pull public image (customer)
No git clone · no host rebuild

Pin the tag from /setup/llm/. Package must be Public on GitHub Packages before anonymous docker pull works.

export MS_IMAGE_TAG=rust-cutover-20260520-ghcr-pipeline
docker pull ghcr.io/everplay-tech/mailsloth-server:${MS_IMAGE_TAG}
# compose: image: ghcr.io/everplay-tech/mailsloth-server:${MS_IMAGE_TAG}
00b
Path B — build from source (operators)
aimanac-rs maintainer only

Everplay operators may build from aimanac-rs using infrastructure/docker/mailsloth-server.Dockerfile with repo-root context. Customers should use Path A.

01
AiMANAC first (same device)
Before MailSloth FirstBoot
  1. Install AiMANAC

    App Store — sign in with Apple. Owner JWT lands in the shared App Group keychain.

  2. Deploy aimanac-server

    Follow /setup/llm/ (pull aimanac-server or co-host on your VM). Paste that HTTPS URL into AiMANAC Settings → Connections.

  3. Optional but typical

    Run aimanac + mailsloth on one VM — see co-hosted YAML on setup/llm (add the mailsloth service block).

02
Set deploy values
Hostname + working directory
export MS_HOST=mail.yourdomain.com
export MS_URL="https://${MS_HOST}"
export DEPLOY_DIR="$HOME/mailsloth-deploy"
mkdir -p "$DEPLOY_DIR" && cd "$DEPLOY_DIR"

DNS: A record $MS_HOST → your server. Terminate TLS (Caddy/nginx) per the nginx sample in setup/llm.

03
Pull image and start stack
docker compose pull — not build

Copy block 03

cd "$DEPLOY_DIR"
curl -fsSLO "https://aimanac.llmtech.net/apps/mailsloth/setup/deploy/docker-compose.yml"
export MS_IMAGE_TAG=rust-cutover-20260520-ghcr-pipeline
# Create mailsloth.env (JWT secrets, DATABASE_URL, APPLE_CLIENT_ID=net.llmtech.mailsloth, etc.)
docker compose pull
docker compose up -d

Required env vars mirror aimanac-server shape: Postgres URL, JWT signing secrets, bootstrap setup code. See setup/llm JSON env_required for mailsloth-server.

04
Verify before opening MailSloth
Health gates
curl -fsSI "${MS_URL}/health" | head -1
curl -fsSI "${MS_URL}/ready" | head -1
# WebSocket (IHP-WS): expect 101 or 426 on /ihp-ws with upgrade headers
05
MailSloth iOS FirstBoot
MailSloth JWT → claim file
  1. Install Mail Sloth

    App Store ($1).

  2. First boot

    Paste $MS_URL (no trailing path) → setup secret + password → app writes MailSlothClaim/claim.json in the App Group.

  3. IHP-WS

    App opens WebSocket to mailsloth-server using the MailSloth JWT (aud = net.llmtech.mailsloth), not the AiMANAC owner token.

  4. HELM MCP (optional)

    When orchestrating from AiMANAC, owner bearer goes to aimanac-server /mcp; relay tools hit your mailsloth-server using the ingested claim.

06
Provider OAuth
Gmail + Outlook on your deployment

After the container is running, register Google Cloud + Microsoft Entra apps and apply credentials with pulled image + compose recreate — not a host rebuild.

07
AiMANAC claim ingest
Foreground scan

Bring AiMANAC to the foreground after MailSloth FirstBoot succeeds. AiMANAC reads MailSlothClaim/claim.json and registers provider settings for mailsloth relay. If HELM tools fail, confirm both URLs: aimanac-server (owner JWT) and mailsloth-server (claim JWT) are reachable.

11
Paste into your LLM (full walkthrough)
Self-contained — no secrets in chat
I am deploying MailSloth for my own subscribers. Help me run these steps. I will NOT paste JWT, database passwords, or OAuth client secrets into this chat.

Dual-path reminder: (1) AiMANAC installed and signed in — owner JWT in App Group for HELM MCP to aimanac-server. (2) mailsloth-server running from GHCR — MailSloth FirstBoot mints a separate MailSloth JWT in MailSlothClaim/claim.json and IHP-WS to mailsloth-server (aud net.llmtech.mailsloth).

1) Deploy aimanac-server per https://aimanac.llmtech.net/setup/llm/ — pull ghcr.io/everplay-tech/aimanac-server:TAG; sign into AiMANAC iOS with that URL.

2) export MS_HOST=mail.my-domain.com; MS_URL=https://$MS_HOST; DEPLOY_DIR=$HOME/mailsloth-deploy

3) docker pull ghcr.io/everplay-tech/mailsloth-server:rust-cutover-20260520-ghcr-pipeline (or TAG from setup/llm). No git clone.

4) curl docker-compose.yml from https://aimanac.llmtech.net/apps/mailsloth/setup/deploy/docker-compose.yml; create mailsloth.env; docker compose pull && docker compose up -d (no --build).

5) curl -I $MS_URL/health and /ready — both 200 before iOS.

6) MailSloth iOS FirstBoot: paste MS_URL, setup secret, password → claim file + IHP-WS.

7) OAuth: https://aimanac.llmtech.net/apps/mailsloth/setup/oauth/ — apply GOOGLE_* and MICROSOFT_* via --env-file; docker compose pull && recreate (not rebuild on host).

8) AiMANAC foreground once to ingest claim for helm_mailsloth_* relay.

Canonical: https://aimanac.llmtech.net/apps/mailsloth/setup/deploy/
12
Cross-links