storkit: create 408_spike_fly_io_machines_api_integration_for_multi_tenant_storkit_saas

.storkit/work/1_backlog/408_spike_fly_io_machines_api_integration_for_multi_tenant_storkit_saas.md

@@ -6,19 +6,30 @@ name: "Fly.io Machines API integration for multi-tenant storkit SaaS"
 
 ## Question
 
-Build and test the Rust integration for Fly.io Machines API: create/start/stop/destroy machines per tenant, attach volumes, inject secrets, and implement the JWT auth reverse proxy with WebSocket support.
+Can we build a working Rust integration that creates and manages per-tenant Fly.io Machines, attaches volumes, injects Claude credentials, and proxies JWT-authenticated HTTP/WebSocket traffic to the right machine?
 
 ## Hypothesis
 
-- TBD
+A thin Rust service using `reqwest` for the Machines API and `axum` for the reverse proxy is sufficient. No heavyweight orchestration framework needed.
+
+## Prerequisites
+
+- Fly.io account with API token (set `FLY_API_TOKEN` env var)
+- Spike 407 findings reviewed
 
 ## Timebox
 
-- TBD
+4 hours
 
 ## Investigation Plan
 
-- TBD
+- [ ] Create a minimal Rust crate in `spikes/fly_machines/` — do not touch production code
+- [ ] Implement machine lifecycle: create, start, stop, destroy via Fly Machines REST API using `reqwest`
+- [ ] Test attaching a persistent volume to a machine and verify it persists across stop/start
+- [ ] Test secret injection — pass a dummy `credentials.json` as a Fly secret and verify it's readable inside the machine
+- [ ] Sketch the auth proxy: JWT validation → machine lookup → reverse proxy to machine's private IP; verify WebSocket proxying works
+- [ ] Measure actual cold start time for a minimal storkit container image
+- [ ] Document any API quirks, rate limits, or sharp edges discovered during testing
 
 ## Findings