בס״ד

MASTER SESSION-KICKOFF — Hook Street Operating System

docs/MASTER_SESSION_KICKOFF.md · last changed (pre-VM history) · rendered from GitHub master

This is the single document you hand a fresh session so it can "deal with everything" without rediscovering what's already built.
Synthesized 2026-06-25 from 11 domain audits (ops-api · portals · command-inbox · brain/memory · MIS · money/Plaid · STR · skills · integrations · infra · automations/security), each grounded in live probes (D1 queries, /health, curl) and line-cited code.
LIVING doc — overwrite in place, keep the "Last verified" line current. Last verified: 2026-06-25.

The one-sentence anti-rediscovery truth: The cloud backend (ops-api Worker), the cloud brain (D1 hookstreet-memory, ingest+search+nightly Dreaming), Plaid production money feed, the camera path, the 5 crons, the command-inbox capture spine, MIS v2, the Airbnb calendar feeds, and ~20 skills ALL ALREADY EXIST AND WORK. Almost nothing here is a greenfield build — it is finish, harden, and un-freeze.


(A) THE LITERAL SESSION-START PROMPT

Paste these lines to open ANY new session:

Session-open ritual first. In order:
1. Anchor the date: powershell -NoProfile -File scripts/now.ps1   (never state a date from memory)
2. Read docs/MASTER_SESSION_KICKOFF.md (this file) — the built-inventory + freeze rules + lane plan.
3. Read CLAUDE.md current-status + docs/SESSION_HANDOFF.md + last 2 CONTEXT.md SESSION entries.
4. git fetch origin master && git log --oneline HEAD..origin/master  (parallel sessions run — rebase before any shared-doc edit).
5. Pick ONE lane from section (E) and announce it so parallel sessions don't collide.

HARD FREEZE WARNINGS (memorize before touching code):
- ops-api Worker is FROZEN on version 8523bfaf. A bare `wrangler deploy` STRANDS all 30 secrets
  (broke prod TWICE on 6/24-25). DO NOT deploy ops-api until the Phase-0 deploy-safe rail exists.
- MIS v2 engine is HARD-FROZEN since 2026-06-04. No new score/state/factor/weight, no engine deploy,
  without Sam opening a window. Reporting + read-only debugging only.
- The cloud brain, Plaid-production, cameras, 5 crons, ~40 endpoints, ~20 skills ALREADY EXIST.
  Verify with a live probe; never rebuild from scratch.

Live ground-truth probes (run before claiming any backend state):

curl -s https://ops-api.sam-0f0.workers.dev/health        # ok:true, plaid_env:production, *_set flags
git log -1 --format=%H -- ops-api/                          # confirm still frozen on 8523bfaf lineage
# D1 brain row count (via cloudflare-bindings d1_database_query on db 103ccb68-…):
#   SELECT COUNT(*) total, SUM(superseded_at IS NULL) current FROM memory;   -> ~384 / ~284

(B) ⭐ WHAT'S ALREADY BUILT — anti-rediscovery inventory (THE most important section)

Read this before proposing ANY build. If it's listed here, it exists — finish or harden it, do not recreate it.

B1 · ops-api Cloudflare Worker — the keystone backend (FROZEN on 8523bfaf)

ops-api/src/index.ts (~2211 lines). Account 80f0da535e7e84b988cc5260afb3c7e2. URL https://ops-api.sam-0f0.workers.dev. ~37–40 LIVE endpoints — do not rebuild any:
- Plaid (full money pipeline, PRODUCTION-LIVE): /plaid/link-token, /plaid/exchange, /plaid/items, /plaid/balances (5-min KV cache, ?fresh=1, failed[] data-honesty array), /plaid/webhook (full ES256 JWT verify, 30-day audit log), /plaid/webhook-backfill, /plaid/unlink, /plaid/family-balance (Chase 5609 only, referer-gated for Chanie). /link.html browser flow.
- Cameras: /camera/snapshot?cam=N — ONE referer-gated endpoint serves every portal page via CF-Access service token (CAM_CF_ID/SECRET) → cam.hookstreetservices.com go2rtc tunnel. Dormant PC-free path nvrFetch() at index.ts:186 still exists (secrets NVR_HOST/USER/PASS present) — restoring = re-route, not rebuild.
- Hospitable (STR PMS): /hospitable/properties|reservations (index.ts:668) — CODED, NOT DEPLOYED (commit 0962ffe, stranded behind the freeze; returns 404 live).
- MIS bridge: /mis/book (edge-renders per-account book, 120s cache, 0.09s vs 3-4s Sheet), /mis/peek, /mis/notify.
- Comms relays (generic engine): /p/<person>/send|thread is the ONE engine — adding a person = bot token + scope, no new code. Live aliases: /chanie/*, /mildred/*, /family/*. All dedup (12s window), KV 50-msg thread, mirror to D1, ping Sam on inbound.
- Voice: /voice/transcribe (CF Whisper, free) + /voice/speak (OpenAI TTS, LIVE default; MeloTTS free fallback).
- Cloud brain (#042 COMPLETE): /memory/ingest (idempotent, bi-temporal, source-scoped reconcile, event_log) + /memory/search (keyword LIKE ranker — deliberately NOT vector). saveToMemory() = single audited write path.
- Inbox/state: /inbox (whitelisted SAFE_COMMAND_PREFIXES), /state (queue+grocery+transcript bundle), /rethink (Claude haiku dedup), /operating (role-scoped action map), /queue/mildred, /morning/emailscan|check, /grocery/regulars, /calendar.
- Bindings: KV PLAID_ITEMS (1801c5fa…), D1 MEMORY=hookstreet-memory (103ccb68…), AI (Workers AI). 30 secrets inventoried by name in docs/CLOUDFLARE_INVENTORY.md.
- 5 crons (at the free-plan HARD CAP of 5): 0 2 = MIS snapshot + motzei-Shabbos brief (MULTIPLEXED onto one trigger) · 0 7 = Dreaming · 30 10 and 0 21 = Plaid refresh (two triggers) · 45 11 * * 1-6 = morning-delivery check (the CF dow 1=SUNDAY trap, fixed to 1-6 = Sun-Fri). A 6th cron makes the deploy partially fail = the silent-morning bug. Always multiplex.

B2 · Cloud Brain / Memory layer (#042 COMPLETE — verified live)

B3 · command-inbox / Personal Command Inbox + Start Here engine (LIVE)

command-inbox/Code.js (webhook) + start-here.gs (action engine). Sheet 1U0-Ll_WD…, script 1GIAKkn…, deploy id AKfycbyXJCCfkRe-….
- CAPTURE-ALWAYS spine: every inbound msg appended raw to INBOX with NY timestamp BEFORE any routing — capture never depends on the brain being up.
- Multi-channel ingress: iOS Shortcut JSON · Telegram text (chat-id whitelist) · Telegram VOICE (→ ops-api Whisper) · Twilio inbound SMS · narrow NOTIFY_SECRET send endpoint.
- Idempotency guard: Telegram update_id dedup (10-min CacheService) — the documented fix for the "voice answered 13×" loop. Present.
- Command vocabulary (routeCommand_): ACTION/TASK/URGENT, DONE, DEFER, DELEGATE, NEED_INFO, PROOF, STATUS, QUEUE/QUEUE_JSON, GROCERY/GLIST/BOUGHT, SPEAK/VOICE, TELL/CHANIE/MILDRED/FAMILY/MANNY relays, MIS bridge, EXPORT/STATE, FEED/BRAINFEED, REVIEW/TIDY, DREAM/LEARN, MEMSYNC/FORGET, BRIEF/AUTOBRIEF, OPERATING.
- Conversational brain (telegramBrainReply_ → callClaude_): 12-turn memory, ACTIONS protocol → tested engine fns (never raw cell writes), tools incl. get_ticker_price (anti-hallucination via MIS bridge). Prompt caching ON.
- Data model (header-driven, not positional): Action_Queue (21 cols), Action_Events (immutable proof log), Grocery_List, Transcript, Profile, Brain_Feed.
- Voice OUT (speakReply_): OpenAI TTS, persisted voice/speed/lang. Auto-assemble (autoAssembleInbox_) built + hardened but DORMANT until setupAutoAssemble trigger is installed.

B4 · MIS v2 — trading / cash-flow engine (HARD-FROZEN, best-ever state)

B5 · Money / Plaid (PRODUCTION-LIVE — stop re-litigating "sandbox")

B6 · STR (Davenport 9312 + 9332)

B7 · Portals (hs-core.js engine + surfaces)

B8 · Skills (~20 in hookstreet-skills/) + Integrations


(C) WHAT'S WEAK / BROKEN + the fix (one line each)

🔴 Deploy / infra
- ops-api frozen on 8523bfaf — bare wrangler deploy strands all 30 secrets → build the Phase-0 deploy-safe rail (SECRETS_MANIFEST + deploy-ops-api-safe.ps1 + no-op test) before any deploy.
- No machine-checkable deploy gate; /health reports only plaid/kv/nvr booleans → extend /health to report presence of all 30 secrets so the rail can abort on regression.
- Cron count pinned at free-plan cap (5) → any new recurring job MUST multiplex; never add a 6th.
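The two checks above (all-30 secret presence via /health, never a 6th cron) are the kind of thing the Phase-0 rail should refuse to deploy without. The block below is an added example, not the project's own deploy script: a hypothetical deployGate() that reads a /health JSON body and a wrangler.toml text and returns a verdict. The /health shape (one `<NAME>_set` boolean per secret), the manifest names and the sample inputs are assumptions.

```typescript
// Added example (not the project's own code). Hypothetical deploy-safe gate:
// refuse to deploy ops-api unless (1) every secret named in the manifest
// reports <NAME>_set:true in /health and (2) wrangler.toml declares at most
// MAX_CRONS triggers. The /health shape and the manifest are assumptions.

type HealthReport = Record<string, unknown>;

interface GateResult {
  ok: boolean;
  missingSecrets: string[]; // manifest names whose <NAME>_set flag is not true
  cronCount: number;
  reasons: string[];
}

const MAX_CRONS = 5; // free-plan hard cap named in this doc

// A secret counts as present only if health["<name>_set"] === true.
// A missing flag is treated the same as false (fail closed).
function missingSecrets(health: HealthReport, manifest: string[]): string[] {
  return manifest.filter((n) => health[`${n}_set`] !== true);
}

// Count cron expressions in a wrangler.toml [triggers] block. Minimal TOML
// handling: find `crons = [ ... ]` (possibly multi-line) and count the
// quoted strings inside it.
function countCrons(wranglerToml: string): number {
  const m = /crons\s*=\s*\[([\s\S]*?)\]/.exec(wranglerToml);
  if (!m) return 0;
  const quoted = m[1].match(/"[^"]*"|'[^']*'/g);
  return quoted ? quoted.length : 0;
}

function deployGate(health: HealthReport, manifest: string[], wranglerToml: string): GateResult {
  const reasons: string[] = [];
  if (health["ok"] !== true) reasons.push("/health ok flag is not true");
  const missing = missingSecrets(health, manifest);
  if (missing.length > 0) reasons.push(`secrets not set: ${missing.join(", ")}`);
  const cronCount = countCrons(wranglerToml);
  if (cronCount > MAX_CRONS) reasons.push(`${cronCount} crons exceeds cap of ${MAX_CRONS}`);
  return { ok: reasons.length === 0, missingSecrets: missing, cronCount, reasons };
}

// Constructed sample inputs (not real probe output).
const SAMPLE_MANIFEST = ["PLAID_CLIENT_ID", "PLAID_SECRET", "CAM_CF_ID", "CAM_CF_SECRET", "NVR_HOST"];

const SAMPLE_HEALTH_GOOD: HealthReport = {
  ok: true, plaid_env: "production",
  PLAID_CLIENT_ID_set: true, PLAID_SECRET_set: true,
  CAM_CF_ID_set: true, CAM_CF_SECRET_set: true, NVR_HOST_set: true,
};

// A stranded-secret deploy: the Worker answers, but two bindings are gone.
const SAMPLE_HEALTH_STRANDED: HealthReport = {
  ok: true, plaid_env: "production",
  PLAID_CLIENT_ID_set: true, PLAID_SECRET_set: false,
  CAM_CF_ID_set: true, NVR_HOST_set: true, // CAM_CF_SECRET_set absent entirely
};

const SAMPLE_WRANGLER_5 = `
name = "ops-api"
[triggers]
crons = ["0 2 * * *", "0 7 * * *", "30 10 * * *", "0 21 * * *", "45 11 * * 1-6"]
`;

// The forbidden 6th trigger.
const SAMPLE_WRANGLER_6 = SAMPLE_WRANGLER_5.replace(`"45 11 * * 1-6"]`, `"45 11 * * 1-6", "0 12 * * *"]`);
```

The gate is deliberately dumb about TOML and JSON: it only needs to say no. Run it against the live /health body and the checked-in wrangler.toml before `wrangler deploy`, and treat a non-empty `reasons` as a hard stop, not a warning.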

🔴 Security (live in deployed code)
- /memory/search accepts a spoofable Referer as SOLE auth (index.ts:2169-2171) → require a token; referer is never sole auth.
- No scope/visibility filter on memory reads (index.ts:2183) → add scope column (fail-closed business) + authOf() chokepoint forcing scope IN(caller.scopes).
- /memory/ingest stores content verbatim → add secret-redaction write gate (refuse card#/SSN/sk-/pk- shapes).
- Referer gate on /camera+/hospitable is spoofable defense-in-depth — fine behind CF Access, but x-ops-key is the real boundary.
- home.html hardcoded ops-key in client JS (L464) → move behind a gated fetch.
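The three memory-path fixes above (token instead of Referer, a scope wall behind one authOf() chokepoint, a redaction write gate) are shown together below as an added example. This is not code from ops-api/src/index.ts; the header names, key records, scope names and memory columns are assumptions, and the Referer check is included only as the weak form to contrast against.

```typescript
// Added example (not the project's own code). Hypothetical guards for the
// /memory/* handlers: the Referer-only check as the weak form, an authOf()
// chokepoint keyed on x-ops-key that yields the caller's scopes, a
// scope-walled search query, and a write gate that refuses secret shapes.
// Header names, key records, scope names and memory columns are assumptions.

interface Caller { id: string; scopes: string[] }
interface KeyRecord { id: string; key: string; scopes: string[] }
type HeaderMap = Record<string, string>;

// WEAK (what the audit flags): Referer is attacker-controlled on any
// non-browser client, so anyone who sets it gets in. Shown only for contrast.
function refererOnlyAllowed(h: HeaderMap): boolean {
  return (h["referer"] ?? "").startsWith("https://ops-api.sam-0f0.workers.dev/");
}

// Byte-wise constant-time compare so key checks do not leak via timing.
function constantTimeEqual(a: string, b: string): boolean {
  const enc = new TextEncoder();
  const x = enc.encode(a), y = enc.encode(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i];
  return diff === 0;
}

// HARDENED: the single chokepoint every /memory/* route calls first.
// Referer is never consulted. `keys` stands in for secrets bound on env.
function authOf(h: HeaderMap, keys: KeyRecord[]): Caller | null {
  const presented = h["x-ops-key"];
  if (!presented) return null;
  for (const k of keys) {
    if (constantTimeEqual(presented, k.key)) return { id: k.id, scopes: [...k.scopes] };
  }
  return null;
}

// Fail-closed scope wall: rows carry a scope column and a read can only
// return scopes the caller holds. Params are bound, never interpolated.
function scopedSearch(caller: Caller, q: string): { sql: string; params: string[] } {
  if (caller.scopes.length === 0) throw new Error("caller holds no scopes; refusing read");
  const marks = caller.scopes.map(() => "?").join(", ");
  return {
    sql: `SELECT id, title, content FROM memory WHERE superseded_at IS NULL` +
         ` AND content LIKE ? AND scope IN (${marks}) LIMIT 50`,
    params: [`%${q}%`, ...caller.scopes],
  };
}

// Luhn check so a 16-digit order number does not trip the card rule.
function luhnValid(digits: string): boolean {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Write gate for /memory/ingest: names every secret shape found in the
// content. An empty list means the write may proceed; otherwise reject 400.
function secretShapes(content: string): string[] {
  const hits: string[] = [];
  const cardLike = content.match(/\b(?:\d[ -]?){13,19}\b/g) ?? [];
  if (cardLike.some((c) => luhnValid(c.replace(/[ -]/g, "")))) hits.push("card-number");
  if (/\b\d{3}-\d{2}-\d{4}\b/.test(content)) hits.push("ssn");
  if (/\b(?:sk|pk)[-_][A-Za-z0-9_-]{8,}/.test(content)) hits.push("api-key-prefix");
  return hits;
}

// Constructed key records; real keys live only in Worker secrets.
const SAMPLE_KEYS: KeyRecord[] = [
  { id: "sam", key: "example-key-sam", scopes: ["business", "family", "private"] },
  { id: "chanie", key: "example-key-chanie", scopes: ["family"] },
];
```

Note the ordering a handler should follow: authOf() first (null means 401 before any D1 call), then build the scoped query from the caller the chokepoint returned, never from a scope the client named in the request. The Luhn step is what keeps the card rule from rejecting ordinary long numbers.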

🟠 Brain / memory
- Titles-not-bodies (EMPIRICALLY PROVEN): cloud rows avg ~70-145 chars = MEMORY.md index lines, not file bodies → Phase 1 brain-sync.ps1 push backfills 186 bodies (no deploy needed); Phase 3 R2 bodies for depth.
- Claude-code hooks are a stale one-time push; nightly Dreaming only syncs Profile+Context tabs → wire brain-sync.ps1 into session-close.
- No local↔cloud sync automation → build push (Phase 1) + pull/export (Phase 2). "PC is a writer not a runtime" is unbuilt.
- Doc sprawl (7 brain specs coexist) → add SUPERSEDED-by-CLOUD_MEMORY_LAYER.md headers to the older ones. MEMORY.md = 213 lines, over its 200 cap → merge redundant feedback entries.

🟠 command-inbox
- Cross-person actor-misread (REAL, STILL PRESENT): recentTranscriptTurns_ (start-here.gs:2966) maps every IN→user / OUT→assistant, DROPPING Sender — so Mom's inbound SMS becomes "Sam said" → add if (clean_(data[i][c['Source']]) !== 'telegram') continue; so only the Sam↔bot thread forms conversation memory.
- Voice long-note crash (Code.js:372) is ALREADY FIXED — do NOT re-fix (see DON'T-REDISCOVER list).
- Auto-assemble DORMANT until setupAutoAssemble trigger installed → confirm + document trigger state.
- README.md partially stale (deploy wording + missing tabs) → refresh to current model.
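The actor-misread item above is worth seeing as code, since the failure is easy to reintroduce. The block below is an added example, not the project's start-here.gs: a hypothetical header-driven rebuild of the Transcript tab into chat turns, with and without the Source filter. Column names (Timestamp, Direction, Source, Sender, Text) and the sample rows are constructed.

```typescript
// Added example (not the project's own Apps Script). A hypothetical,
// header-driven rebuild of the Transcript tab into chat turns, shown with and
// without the fix the audit describes: rows whose Source is not the Sam<->bot
// telegram thread are skipped, so another sender's inbound SMS never becomes a
// "user" turn in the bot's conversation memory. Column names and rows are
// constructed assumptions.

type Cell = string | number;
type Row = Cell[];
interface Turn { role: "user" | "assistant"; content: string }

function clean(v: Cell | undefined): string {
  return String(v ?? "").trim().toLowerCase();
}

// Header-driven column map: fails loud if a required column is missing,
// instead of silently reading the wrong column positionally.
function colMap(header: Row, required: string[]): Record<string, number> {
  const c: Record<string, number> = {};
  header.forEach((h, i) => { c[String(h)] = i; });
  for (const r of required) if (!(r in c)) throw new Error(`Transcript missing column: ${r}`);
  return c;
}

function toTurn(row: Row, c: Record<string, number>): Turn {
  const role = clean(row[c["Direction"]]) === "in" ? "user" : "assistant";
  return { role, content: String(row[c["Text"]] ?? "") };
}

// BEFORE (the live bug): every IN row becomes "user" and every OUT row
// "assistant", whoever sent it and whichever channel it came in on.
function turnsBuggy(data: Row[], limit: number): Turn[] {
  const c = colMap(data[0], ["Direction", "Text"]);
  const turns: Turn[] = [];
  for (let i = 1; i < data.length; i++) turns.push(toTurn(data[i], c));
  return turns.slice(-limit);
}

// AFTER: only the telegram thread forms conversation memory. Relay traffic
// (a Twilio SMS from Mom, family-bot chats) is still captured in the sheet;
// it just never masquerades as something Sam said.
function recentTranscriptTurns(data: Row[], limit: number): Turn[] {
  const c = colMap(data[0], ["Direction", "Source", "Text"]);
  const turns: Turn[] = [];
  for (let i = 1; i < data.length; i++) {
    if (clean(data[i][c["Source"]]) !== "telegram") continue;
    turns.push(toTurn(data[i], c));
  }
  return turns.slice(-limit);
}

// Constructed sample Transcript rows (header first, as getValues() returns them).
const SAMPLE_TRANSCRIPT: Row[] = [
  ["Timestamp", "Direction", "Source", "Sender", "Text"],
  ["2026-06-25 09:01", "IN", "telegram", "Sam", "what's the mortgage status"],
  ["2026-06-25 09:01", "OUT", "telegram", "bot", "Jun-15 cluster is funded"],
  ["2026-06-25 09:10", "IN", "twilio", "Mom", "can you call me later"],
  ["2026-06-25 09:12", "OUT", "twilio", "bot", "Relayed to Sam"],
  ["2026-06-25 09:20", "IN", "telegram", "Sam", "add milk to grocery"],
];
```

The filter runs before the IN/OUT mapping, which is the point: the mapping is correct for the telegram thread and wrong for everything else, so the cheapest fix is to never feed it anything else. The capture-always spine is untouched; only what the 12-turn memory sees changes.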

🟠 MIS (freeze-context, not bugs)
- Stale-holdings class (the real live-money risk): HOLDINGS_CLEAN Qty written once, re-priced on stale count → fake concentration → misV2HoldingsFreshness_ + Broker_Qty seeding ritual (partial).
- Trade-import not auto-running (web app lacks Gmail grant by design) is WHY holdings go stale → wire misV2ImportTrades_ auto-import (freeze-SAFE, pending Sam go).
- Wash-sale guard missing from misV2VerdictFor_ → add it (freeze-SAFE, highest-leverage undone item).
- "Always NVIDIA / punishes strength" = percentile-contamination + penalty-dominance → DESIGNED-AROUND (decompose + absolute-score conversion). GATE-4 mutation = DISSOLVED (Gate C fixed it). Do not resurrect either.
- META ~50% of equity AND margined → live trim plan pending Sam go. v1 plaintext secrets residual → Sam-side 30s delete.

🟠 STR / portals / cameras
- Hospitable endpoint 404 live (coded-not-deployed) → gated on Phase-0 rail.
- Turnover-confirmation / damage-evidence workflow = 0% built (only folder map exists) → the real next STR build.
- Airbnb + Hospitable BOTH auto-message guests = duplicates (issue #37) → disable Airbnb auto-messages in dashboard (config, not code).
- Skill staleness: str-ops-davenport says cleaner "Luciana via Turno" but it's now Natalie (Nathali Galvao Oliveira), WhatsApp Business → fix skill.
- STR Drive folder not shared with mildred@ → Sam-side Drive→Share. home.html MIS tile hardcoded NVDA → wire to /mis/book.
- Camera tile DOWN (go2rtc on Sam's PC needs restart; whole path PC-tied) → restore dormant nvrFetch() PC-free path. The "Hikvision firmware killed it" comment (index.ts:636-638) is FABRICATED — forensics refuted it; root cause was Sam's own 6/1 port-forward hardening.

🟢 Hygiene
- NVR_USE secret = typo-dup of NVR_USER (safe delete, HOLD pending camera restore). 2 empty Workers (hookstreet-ops, telegram-webhook) likely dead (verify routes, then delete). dist/ in hookstreet-skills is EMPTY → run build.ps1. README claims "16 skills" / actual 20 → reconcile.


(D) OUTSTANDING — PRIORITIZED, with every open GitHub issue mapped to a lane

Issue universe (verified live 2026-06-25): open issues live in zee78900/hookstreet-workspace (#2,7,10,11,12,13,14,17,22,24,26,27,29,30,31,32,33,34,35,36,37), zee78900/MIS (#10), zee78900/levsms (#1). The STR audit's claim that "#37 is not a real GitHub issue" is WRONG — #37 is real in the workspace repo. (Note repo-collision: a separate MIS#10 exists distinct from workspace#10.)

DONE-but-not-closed (close these — proof exists)

P0 — money + safety this week (do first)

  1. Phase-0 deploy-safe rail (gates Hospitable, camera restore, every Worker security fix, every brain Worker phase). SECRETS_MANIFEST.md + deploy-ops-api-safe.ps1 + no-op deploy test (may prove the freeze was a misdiagnosis) + cloudflare-deploy-safe skill. → Infra lane.
  2. Jun-15 mortgage cluster $9,854.01 funded (Chase 5007 + 9312-6651) — verify against live Plaid balances. → Money lane.
  3. MIS stale-holdings + META ~50% margined — trade-import wiring + trim plan (freeze-SAFE items only). → MIS lane.
  4. Memory security holes (referer-only auth, no scope wall, no redaction) — but gated on the Phase-0 rail. → Bot+Brain lane (code) / Infra (deploy).

P1 — high-leverage, mostly un-gated

  1. command-inbox actor-misread fix (start-here.gs:2966) — clasp-deployed, does NOT need the ops-api freeze lifted. → Bot+Brain lane. (covers spirit of workspace #33/#35.)
  2. Phase-1 brain-sync push (186 bodies → live /memory/ingest, no Worker deploy) — closes titles-not-bodies for the keyword reader. → Bot+Brain lane. (workspace #17 self-learning loop.)
  3. MIS wash-sale into verdict path + auto-import + doc-rot (freeze-SAFE). → MIS lane. (MIS issues #10 SACS oscillation, #7 REDUCE/EXIT graduation, #13 ORCL stuck, #12 empty trade log, #11/#14 diagnostics.)
  4. Verify-before-assert skill (promote CLAUDE.md evidence rule cross-domain). → Skills/Infra. (workspace #36 evidence discipline, #31 mandatory-reads hook.)

P2 — finish-the-build

  1. Hospitable deploy + KNOWN{} → live names + disable Airbnb auto-msg (after P0 rail). → STR lane. (workspace #37.)
  2. STR turnover/damage-evidence workflow (0% built) + per-stay folder auto-create + share Drive w/ Mildred. → STR lane.
  3. 5609 pending/available display + Fidelity live-link decision + Plaid↔obligations reconciliation ("can I cover Jun-15?"). → Money lane.
  4. Camera PC-free restore (nvrFetch() re-route) + fix fabricated comment + retire go2rtc stopgap (Sam decides security tradeoff). → Infra/Portals.
  5. Portal LIVE-vs-SOURCE reconcile + commit/push (most P0/P1 already fixed in source: home.html cash, comms L99, pwa-deploy 605) + MIS NVDA hardcode + stale ?as=mildred deploy. → Portals lane. (workspace #29 raw-md rendering.)
  6. Skills hygiene: run build.ps1 (dist empty), regenerate README, add cloud-brain reference to session-operator, add freeze-guard to telegram-voice + session-operator. → Skills lane.

P3 / backlog (mapped, not scheduled)


(E) THE LANE PLAN — parallel-session division (so 4-5 sessions don't collide)

Per CLAUDE.md, Sam runs 2-3+ sessions in parallel. Announce your lane at session-open. Each lane owns specific files; cross-lane files (ops-api/src/index.ts, CONTEXT.md) require rebase-before-edit + manual conflict resolution.

Lane · Owns (files/systems) · First action · Court / collision note

💰 Money
- Owns: Plaid endpoints (read-only verify), OBLIGATIONS.md, MORTGAGE_ROUTING.md, BOS sheets 1L_rxCSOnc…+1qNYUbb…, home.html cash section
- First action: Fund Jun-15 cluster; build Plaid↔obligations coverage check
- Court / collision: Reads ops-api /plaid/* LIVE — never deploys ops-api.

🖥 Portals
- Owns: outputs/*.html, hs-core.js, hs-theme.css, PORTAL_PUNCHLIST.md; commit+push republishes to portal
- First action: LIVE-vs-SOURCE reconcile + commit/push; fix MIS NVDA hardcode
- Court / collision: No backend code. Coordinates camera-tile with Infra.

🤖 Bot+Brain
- Owns: command-inbox/Code.js + start-here.gs (clasp), scripts/brain-sync.ps1 (new), .claude/memory/*, MEMORY.md, brain docs
- First action: actor-misread fix + Phase-1 brain-sync push
- Court / collision: OWNS the ops-api /memory/* code — coordinate Worker deploy with Infra (frozen).

📈 MIS
- Owns: MIS/v2/Code.gs (clasp), MIS/docs/*, MIS memories
- First action: Freeze-SAFE only: wash-sale, auto-import, doc-rot
- Court / collision: ENGINE FROZEN — no score/state/factor/weight without a Sam window. /mis/book lives in ops-api (Infra court).

🏠 STR
- Owns: mildred.html KNOWN{}, STR_PROPERTY_FILES.md, str-ops-davenport skill, Hospitable wiring
- First action: Fix cleaner name; build turnover workflow; share Drive
- Court / collision: Hospitable endpoint deploy = Infra court (frozen).

⚙ Infra
- Owns: ops-api/src/index.ts, wrangler.toml, d1-schema.sql, deploy rail, CF inventory, crons, security, cameras
- First action: Build Phase-0 deploy-safe rail FIRST (unblocks Money/Bot+Brain/STR)
- Court / collision: The gatekeeper lane. Owns the only path to deploy ops-api. All Worker changes route through here.

Court rule: ops-api/src/index.ts is shared by Money (Plaid), Bot+Brain (memory), MIS (/mis/*), STR (Hospitable), Infra (everything). Infra is the deploy authority. Other lanes write code + open a PR-equivalent; Infra runs the safe-deploy once the rail exists. Until then, NO ops-api deploy.


(F) HARD RULES — non-negotiable

  1. ops-api is FROZEN on version 8523bfaf. NEVER run a bare wrangler deploy — it strands all 30 secrets (broke prod twice 6/24-25, each recovered via wrangler rollback 8523bfaf…). No ops-api deploy until the Phase-0 deploy-safe rail re-asserts/verifies all 30 secrets AND /health shows every *_set:true. Isolated non-ops-api fixes (command-inbox/MIS via clasp) are safe — but use clasp push THEN clasp deploy -i <LIVE_DEPLOYMENT_ID> (versioned, not @HEAD), then curl the /exec URL and expect HTTP 200. Never a UI "New version."
  2. The flagship is the cloud memory layer (docs/CLOUD_MEMORY_LAYER.md). The cloud brain EXISTS (D1, 384 rows, ingest+search+nightly Dreaming all LIVE). Its only real gaps are: (a) titles-not-bodies, (b) no local↔cloud sync, (c) referer-only auth + no scope wall, (d) ops-api frozen blocking Worker phases. Extend D1 in place — do NOT adopt Mem0/Letta/Zep, do NOT rebuild the store. Highest zero-risk win = Phase-1 brain-sync.ps1 push (no deploy).
  3. Evidence & confidence discipline (always on). A web snippet and a position MARK are not verified facts. Source-tier for money: fill/confirmation > position mark > broker digest > web snippet. Open the actual source before stating/recommending; tag unverified. A "Sources:" list implies you READ them. (Origin: SPCX stale-mark.)
  4. MIS engine is HARD-FROZEN since 2026-06-04. Reporting + read-only fine. No new score/state/factor/weight, no engine deploy, no scale-to-200, no absolute-score conversion without Sam opening a window. Equity is ~$21.7K-$22.1K broker-verified — the $32K is a known phantom; never quote it. Canonical engine = MIS/v2/Code.gs, NOT v1.
  5. Rebase before push. git fetch origin master && git log --oneline HEAD..origin/master; if remote moved, git pull --rebase origin master BEFORE editing shared docs (CONTEXT.md, this file, MEMORY.md, CLAUDE.md). Search the doc for the current session number before numbering yours (parallel = "Session N pt M", never bump to N+1). Resolve CONTEXT.md conflicts manually — never auto-merge content.
  6. Never add a 6th cron (free-plan cap = 5; a 6th makes the deploy partially fail = silent-morning bug). Multiplex onto an existing cron. CF dow 1=SUNDAY.
  7. No hard deletes: mv → archive/graveyard/<date>_<name>/. No secrets in git. No blind deletes of CF secrets/Workers without Sam's OK.

DON'T-REDISCOVER list (things sessions keep re-finding / re-fixing)


Source trail

Source trail · docs/MASTER_SESSION_KICKOFF.md @ master · rendered 2026-07-02 7:23 PM EDT by scripts/build-docs.py · the .md in the repo is the truth; this page is the phone-readable view