CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-06-01 15:51:41 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
3bef43bc5ad85a3e46ce54db5ae6d0f7f181fef3
gstack/setup-gbrain/SKILL.md.tmpl
T
Garry Tan 070722ace3 v1.52.1.0 feat: brain-aware planning — 5 skills read structured gbrain context before asking (#1742) 
* feat(brain): brain-cache-spec.ts — single source of truth for cache layer

Foundation for the brain-aware planning skills work (v1.48 plan / D2).
One TS const file consolidates BRAIN_CACHE_ENTITIES (8 entities × TTL +
budget + invalidation rules), SKILL_DIGEST_SUBSETS (per-skill which
files to load), SALIENCE_DEFAULT_ALLOWLIST (D9 privacy gate),
SKILL_CALIBRATION_WEIGHTS (Phase 2 E5), and policy / identity / schema
constants.

Drift between docs and runtime becomes impossible by construction:
resolver, cache CLI, and test/skill-preflight-budget.test.ts all import
from the same module.

test/brain-cache-spec.test.ts: 19 invariant assertions (subset/entity
consistency, per-skill achievability, allowlist sanity, transport
defaults, user-slug fallback chain, lock timeout, retention policy).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): gstack-core@1.0.0 schema pack (T1 / Phase 0)

Defines 8 typed page kinds for the brain entity model:
  gstack/user-profile, gstack/product, gstack/goal,
  gstack/developer-persona, gstack/brand, gstack/competitive-intel,
  gstack/skill-run, gstack/take

Each declares frontmatter shape (typed fields with required/optional flags),
retention policy (immutable / archive-after-90d / never-archive), and
emits_links graph for mcp__gbrain__schema_graph rendering.

getSchemaPackMutationPayload() returns JSON in the shape accepted by
mcp__gbrain__schema_apply_mutations. Idempotent registration: gbrain
skips when pack+version already installed.

test/gstack-schema-pack.test.ts: 16 invariants on pack shape, retention
policies, link verb consistency, JSON serializability.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): gstack-brain-cache CLI (T2a) — core subcommands

bin/gstack-brain-cache: TS CLI with five subcommands:
  get <entity-name> [--project <slug>]
  refresh [--full] [--entity X] [--project <slug>]
  invalidate <entity-name> [--project <slug>]
  digest <entity-slug>
  meta [--project <slug>]

Cache layout per Phase 0.5 design:
  ~/.gstack/brain-cache/                 ← cross-project (user-profile)
  ~/.gstack/projects/<slug>/brain-cache/ ← per-project (everything else)

Per-entity TTL drives staleness; per-entity byte budgets enforce
compression at write time. Atomic writes via tmp+rename. Stale-but-usable
fallback when brain unreachable (returns cached digest with diagnostic
prefix instead of failing). Schema-version mismatch + endpoint switch
both trigger full rebuild for the affected scope (D4 A4).

Fetch+compress paths wired for the 7 entities (user-profile, product,
goals, developer-persona, brand, competitive-intel, recent-decisions,
salience) via gbrain CLI shell-out — works for local PGLite and
local-stdio MCP, transparent over the existing spawnGbrain helper.

Concurrent-refresh dedup (D3 / T15) is a follow-up commit. Salience
allowlist gate (D9 / T17) is a follow-up commit. Bootstrap + lifecycle
subcommands (T2b / T18) are follow-up commits.

test/brain-cache-roundtrip.test.ts: 11 tests covering path resolution,
meta lifecycle, endpoint detection, schema mismatch behavior, and the
four cache states (warm / cold-refreshed / stale-fallback / missing).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): concurrent-refresh lockfile dedup (T15 / D3)

When autoplan dispatches 4 planning skills back-to-back and they all hit
a cold-miss on the same digest, only ONE actually fetches from the brain.
The rest dedup via the project-scoped lockfile at
~/.gstack/projects/<slug>/brain-cache/.refresh.lock.

Reuses the 5-min stale-takeover convention from /sync-gbrain. Lock is
taken over when:
  - File is older than CACHE_REFRESH_LOCK_TIMEOUT_MS
  - PID is on the same host and dead (process.kill(pid, 0) fails)
  - Lock file is corrupt (defensive)

withRefreshLock(projectSlug, fn) returns either the callback's value or
the literal 'dedup'. The CLI emits exit code 3 + diagnostic stderr on
dedup, so callers can choose to wait + retry (resolver does this) or
fall through to stale-but-usable behavior.

test/cache-concurrent-refresh.test.ts: 7 tests covering acquire/release,
stale-takeover, dead-PID takeover, corrupt-lock recovery, error-path
release, and cross-project lock location.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): salience privacy allowlist gate (T17 / D9)

D9 cross-model finding from codex outside voice: salience-sourced digests
can include emotionally-weighted personal pages (family, therapy,
reflection). Pulling those into a coding-review prompt leaks sensitive
context into work-flow reasoning.

fetchSalience now strips entries whose slugs don't match an allowlist
prefix BEFORE writing to the cache file. Default allowlist is
SALIENCE_DEFAULT_ALLOWLIST = ['projects/', 'concepts/', 'gstack/'].
User can extend via:
  gstack-config set salience_allowlist 'projects/,gstack/,concepts/,custom/'
or override with GSTACK_SALIENCE_ALLOWLIST env var.

Digest still records the strip count for transparency. Empty result
emits 'all N entries stripped' note rather than silent absence.

test/salience-allowlist.test.ts: 9 tests covering default permits,
default blocks, empty allowlist, env override, whitespace trimming,
and the invariant that defaults contain nothing sensitive (personal,
family, therapy, reflection, private, medical, health).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): bootstrap + list + purge subcommands (T2b / T18)

T2b — bootstrap synthesizes draft entity content from CLAUDE.md + README
+ recent learnings.jsonl and emits as JSON for the caller. Skill template
is responsible for the AUQ-confirm-before-write flow (D10 T4 extraction-
review requirement). Cli stays pure (no AUQ logic); agent owns user
interaction.

T18 — list/purge subcommands close the lifecycle loop:
  list [--project <slug>] — enumerate gstack-owned pages in brain
                            (probe all 8 gstack/* page types)
  purge <slug>           — delete one gstack page, refuses non-gstack/
                            slugs (defensive)

list defaults to all-projects (cross-project user-profile included).
With --project, filters to per-project pages plus the cross-project
user-profile. --json flag emits machine-readable output for the agent.

Retention sweep + audit subcommand are deferred to a follow-up commit
(they need the lifecycle scheduling design, not just CLI plumbing).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): brain-aware planning resolvers + 3 new placeholders (T4)

scripts/resolvers/gbrain.ts adds:
  - generateBrainPreflight(ctx)       — emits per-skill ## Brain Context
                                        block + bash that loads digests via
                                        gstack-brain-cache get (one call per
                                        digest). Per-skill subset comes from
                                        SKILL_DIGEST_SUBSETS (single source).
  - generateBrainCacheRefresh(ctx)    — at-skill-end background refresh hook;
                                        non-blocking; warms cache for next run.
  - generateBrainWriteBack(ctx)       — Phase 2 / E5 calibration write-back
                                        with per-skill weight. Gated on
                                        personal trust policy + the
                                        BRAIN_CALIBRATION_WRITEBACK flag.
                                        Includes invalidation bash that busts
                                        affected digests after the write.

scripts/resolvers/index.ts registers three new placeholders:
  {{BRAIN_PREFLIGHT}}, {{BRAIN_CACHE_REFRESH}}, {{BRAIN_WRITE_BACK}}

All three resolvers return empty string for skills not in
SKILL_DIGEST_SUBSETS (defensive — skill template authors can drop the
placeholders into non-preflight skills with zero effect).

D9 privacy is mentioned in the rendered preflight prose so the agent
knows to expect filtered salience.
D11 codex tension: write-back gates on brain_trust_policy@<hash> being
personal — shared brains skip write-back to avoid polluting team
calibration profile.

test/brain-preflight.test.ts: 19 tests covering subset rendering,
non-preflight skill gating, cross-project vs per-project --project flag
emission, weight injection per skill, BRAIN_CALIBRATION_WRITEBACK flag
mention, and registration in RESOLVERS map.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): gstack-config brain integration helpers (T5+T10+T16)

Extends bin/gstack-config to support the brain-aware planning layer:

KEY VALIDATION (T5):
  Plain alphanumeric/underscore now extended to allow @<hex-hash> suffix.
  Required for per-endpoint namespaced keys (brain_trust_policy@<sha8>,
  user_slug_at_<sha8>). Keys without the suffix still validate as before.

VALUE WHITELISTING (D4 / D11):
  brain_trust_policy@* values gated to personal | shared | unset.
  Unknown values warn + default to unset (defense against typos).

NEW DEFAULTS (lookup_default):
  brain_trust_policy@*  -> unset
  salience_allowlist    -> '' (resolver uses SALIENCE_DEFAULT_ALLOWLIST)
  user_slug_at_*        -> '' (resolve-user-slug fills + persists on demand)

NEW SUBCOMMANDS:
  endpoint-hash      — print sha8 of active gbrain MCP URL from
                       ~/.claude.json. Collision check escalates to sha16
                       when a prior endpoint stored at the same sha8
                       would conflict (T10 defensive default).
  resolve-user-slug  — walks D4 A3 identity chain:
                         1. mcp__gbrain__whoami.client_name
                         2. $USER env var
                         3. sha8(git config user.email)
                         4. anonymous-<sha8(hostname)>
                       Persists result on first call so subsequent
                       calls are stable across sessions.

test/user-slug-fallback.test.ts: 14 tests covering endpoint-hash output
shape, fallback chain ordering, persistence, brain_trust_policy
namespace value validation + per-endpoint isolation, and key validator
extension for @-suffixed keys.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): wire 5 planning skill templates with BRAIN_* placeholders (T6)

Adds three placeholders to each of the 5 planning SKILL.md.tmpl files:
  {{BRAIN_PREFLIGHT}}     — top of skill body, before first interactive
                            section. Loads the per-skill digest subset
                            (5 files for office-hours, 2 for plan-eng-
                            review, etc.) into the prompt context before
                            any AskUserQuestion fires.
  {{BRAIN_WRITE_BACK}}    — end of skill, before refresh hook. Phase 2
                            calibration write path; gated on personal
                            policy + BRAIN_CALIBRATION_WRITEBACK flag.
  {{BRAIN_CACHE_REFRESH}} — end of skill, after write-back. Non-blocking
                            background refresh so next invocation gets
                            warm cache.

Files touched (templates + regenerated SKILL.md):
  office-hours/SKILL.md.tmpl
  plan-ceo-review/SKILL.md.tmpl
  plan-eng-review/SKILL.md.tmpl
  plan-design-review/SKILL.md.tmpl
  plan-devex-review/SKILL.md.tmpl
  (matching .md files regenerated via bun run gen:skill-docs)

All 5 generated SKILL.md files now contain the rendered ## Brain Context
(preflight) section + write-back guidance + background-refresh hook. The
resolver renders only for skills in SKILL_DIGEST_SUBSETS — these 5 + an
empty string for any other skill that drops in the placeholders.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): setup-gbrain trust-policy step + sync-gbrain flags (T5b / T13+T5c)

T5b — setup-gbrain Step 9.5:
  Inserts the brain trust policy AskUserQuestion before the verdict block.
  Detects active endpoint hash via gstack-config endpoint-hash. Branches
  per transport:
    * Local (sha == "local"): auto-set personal, one-line notice
    * Remote-MCP, unset: AskUserQuestion (personal vs shared)
    * Already-set: skip, just print current policy
  Personal default flips artifacts_sync_mode=full when still off.

T13+T5c — sync-gbrain:
  Adds two flag short-circuits:
    --refresh-cache : route to gstack-brain-cache refresh --project <slug>;
                       skip code + memory + brain-sync stages. Replaces
                       the planned /brain-refresh-context skill per D1
                       fold (one fewer always-loaded skill in catalog).
    --audit          : emit gstack-owned page summary + sensitive-content
                       leak check via gstack-brain-cache list. Read-only.
  Step 1 trust policy gate: fires the same AskUserQuestion as setup-gbrain
  Step 9.5 when policy is unset for a remote endpoint. Local engines
  auto-set personal silently. Idempotent for already-set policies.

Both templates re-rendered via bun run gen:skill-docs. Trust policy
question wording centralized in setup-gbrain Step 9.5; sync-gbrain
Step 1 references it to avoid prompt drift.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(brain): schema migration + fence-block fallback + preflight budget (T19+T21)

3 new gate-tier test files closing the most important coverage gaps in
the brain-aware planning layer:

test/schema-version-migration.test.ts (D4 A4):
  - Cache file with mismatched schema_version triggers wipe-and-rebuild
  - Matching version + fresh TTL stays warm-hit (no unnecessary rebuild)
  - Rebuild wipes ALL files in scope, not just the one being read

test/takes-fence-fallback.test.ts:
  - Every preflight skill mentions both takes_add (preferred) and
    put_page fence-block (fallback for pre-T8 gbrain versions)
  - All 5 skills gate on BRAIN_CALIBRATION_WRITEBACK flag + personal
    trust policy
  - Per-skill weight matches SKILL_CALIBRATION_WEIGHTS (E5)
  - Write-back emits the kind=bet frontmatter shape and invalidates
    affected cache digests

test/skill-preflight-budget.test.ts (T21 / D7):
  - Per-skill BRAIN_* instruction bytes stay under 3x the runtime
    digest budget (resolver bloat catch)
  - Autoplan total instruction bytes stay under 75 KB (3x of 25 KB
    runtime cap)
  - Non-preflight skills emit zero brain bytes
  - Per-skill subset references are present in the preflight bash

Note on the 3x multiplier: SKILL_PREFLIGHT_BUDGET_BYTES governs runtime
digest data (enforced by cache CLI truncateToBudget). Instruction text
emitted by the resolver gets a separate 3x headroom — anything beyond
that signals the instructions themselves are bloated and need a trim.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(todos): brain-aware planning follow-ups (T11)

Adds five deferred items from the v1.48.0.0 brain-aware planning plan:

  - P2: /gstack-reflect nightly synthesis skill (E2, deferred D4)
  - P3: cross-machine brain-cache sync (E3, deferred D5)
  - P3: /gstack-onboarding dedicated skill (E4, deferred D6)
  - P2: upstream gbrain takes_add + takes_resolve MCP ops (T8 wrap-up)
  - P3: background-refresh hook supervision (codex outside-voice T3)

Each entry follows the TODOS.md format: What / Why / Pros / Cons /
Context / Effort / Depends on. Each cross-references the v1.48.0.0
review decision (D-numbers from /plan-ceo-review and /plan-eng-review)
that deferred it.

The plan itself is at ~/.claude/plans/hm-interesting-well-why-dapper-eagle.md
and is NOT a TODO entry (it's a one-shot design doc, not ongoing work).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(brain): bump schema-migration test timeout to 60s

Rebuild path fans out to 7 per-project entity refreshes, each shelling
gbrain with 10s internal timeout. Worst case ~70s. Default bun test
5s was timing out on slow brain unreachable cases.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: bump version and changelog (v1.50.0.0)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(test): tighten put_page regression pin to CLI subcommand

The test asserted no substring 'put_page' anywhere in the resolver,
but the BRAIN_WRITE_BACK resolver legitimately references the MCP op
`mcp__gbrain__put_page` as the fallback path for calibration takes
when gbrain v0.42+'s `takes_add` op isn't available. The check
conflated the deprecated `gbrain put_page` CLI subcommand (renamed in
v0.18+ to `gbrain put`) with the still-valid MCP op of the same name.

Narrow the assertion to `gbrain put_page` (with the space) so the
fallback prose stays legal while the CLI rename regression stays caught.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): gstack-config gbrain-refresh subcommand

Adds a new subcommand that re-detects gbrain installation state and
persists the result to ~/.gstack/gbrain-detection.json. The detection
file is consumed by gen-skill-docs --respect-detection (next commit)
to decide whether to render the GBRAIN_CONTEXT_LOAD and
GBRAIN_SAVE_RESULTS resolver blocks in user-local SKILL.md generation.

Reuses the existing bin/gstack-gbrain-detect helper for the actual
probe; this subcommand just persists + summarizes. Users run it after
installing or uninstalling gbrain so their locally generated SKILL.md
files match their installation state.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): gen-skill-docs respects gbrain-detection override

Adds --respect-detection flag (and bun run gen:skill-docs:user script).
When the flag is set, gen-skill-docs reads ~/.gstack/gbrain-detection.json
and filters GBRAIN_CONTEXT_LOAD + GBRAIN_SAVE_RESULTS out of each host's
suppressedResolvers when gbrain_local_status is "ok". When absent or
gbrain isn't detected, suppression behaves as before.

The default `bun run gen:skill-docs` (CI canonical) ignores the
detection file so the committed SKILL.md stays reproducible regardless
of any developer's local gbrain installation state. Use
gen:skill-docs:user for user-local installs (./setup invokes it).

No host config files modified — the static suppressedResolvers stay
correct for the no-gbrain case; the override happens at gen-time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): setup runs gbrain detection + conditional SKILL.md regen

At the end of install, ./setup now:
  1. Runs bin/gstack-gbrain-detect, persists the result to
     ~/.gstack/gbrain-detection.json
  2. If gbrain_local_status == "ok", regenerates Claude-host SKILL.md
     via `bun run gen:skill-docs:user --host claude` so the user's
     local install picks up the compressed brain-aware blocks
  3. If gbrain isn't detected, leaves the canonical no-gbrain SKILL.md
     files in place (zero token overhead) and surfaces the
     gstack-config gbrain-refresh path for users who install gbrain
     later

Together with the prior two commits, this completes the setup-time
conditional un-suppression: brain-aware blocks render iff the user
has gbrain installed, regardless of which CLI host they're on.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(brain): compress GBRAIN_* resolvers, move template prose to docs/

generateGBrainContextLoad: 80 -> 115 tokens with explicit skip-header.
generateGBrainSaveResults: 500-700 -> 161 tokens per skill with the
skill metadata extracted into a typed skillSaveMap (slugPrefix + title
+ tag). Verbose prose (heredoc body, entity-stub instructions, throttle
handling, backlink protocol) moved into a new doc:
docs/gbrain-write-surfaces.md (Sections: §Context Load, §Save Template).
The agent reads the doc on-demand only when actually saving — one Read
call, cached by Claude's context.

Net per-planning-skill overhead under un-suppression drops from ~1000
tokens (naive un-suppression) to ~275 tokens (compressed). Combined
with the setup-time detection from prior commits, users WITHOUT gbrain
pay zero overhead (block suppressed at gen-time) and users WITH gbrain
pay ~275 tokens.

The /investigate special-case (data-research routing in CONTEXT_LOAD)
stays inline since it's skill-specific.

docs/gbrain-write-surfaces.md also serves as the manual-probe reference
for humans verifying live persistence + a topology summary covering
trust-policy + .gbrain-source reads-only semantics.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(brain): wire SAVE_RESULTS for plan-design-review + plan-devex-review

Adds {{GBRAIN_SAVE_RESULTS}} placeholder to the two planning skills
that were missing it, immediately before {{BRAIN_WRITE_BACK}} (mirrors
plan-eng-review:324 + office-hours:650). The corresponding skillSaveMap
entries (design-reviews/<feature-slug> + devex-reviews/<feature-slug>)
landed with the resolver compression in the prior commit.

Regenerated SKILL.md reflects the new placeholder position. The
default no-gbrain generation (CI canonical) still suppresses the
block — zero diff in the rendered output for non-gbrain users.

All five planning skills now write a retrievable review page to gbrain
when gbrain is detected at setup time, instead of three of five.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(brain): resolver compression + detection-override regression pins

test/resolvers-gbrain-save-results.test.ts (140 LOC, 10 tests):
  - Per-skill assertions for all 5 planning skills: emits gbrain put +
    correct slug prefix + tag + title.
  - Skip-header present so agent can short-circuit when gbrain isn't
    on PATH.
  - Compression pin: each per-skill block stays under 750 chars
    (~190 tokens) — guards against a future "let me add one more
    line" refactor silently re-inflating toward the ~1000-token naive
    un-suppression baseline.
  - Generic fallback for unmapped skill names still works.
  - /investigate gets the data-research routing suffix; non-investigate
    skills do not.
  - generateGBrainContextLoad stays under 500 chars (~125 tokens).

test/gbrain-detection-override.test.ts (120 LOC, 4 tests):
  - End-to-end through gen-skill-docs subprocess against an isolated
    temp GSTACK_HOME. Asserts:
    * detected:true un-suppresses GBRAIN_* → SKILL.md gains the block
    * detected:false (status != "ok") suppresses → no block
    * no detection file suppresses → no block (graceful default)
    * no --respect-detection flag IGNORES the detection file → no
      block (CI canonical path stays reproducible)

Each detection-override test restores the canonical SKILL.md in a
finally block so the working tree stays clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(brain): fake-CLI agent-obedience E2E for /office-hours writeback

test/skill-e2e-office-hours-brain-writeback.test.ts (~210 LOC,
periodic-tier, ~$0.50-1/run):

Drives /office-hours via runSkillTest against a deterministic fixture
brief (pixel.fund founder pitch). The workdir has:
  - A regenerated office-hours/SKILL.md with the compressed brain blocks
    (generated via gen-skill-docs --respect-detection against a temp
    GSTACK_HOME, then restored to canonical post-snapshot)
  - A fake gbrain shell script on PATH that uses printf %q quoting to
    preserve --content "$(cat <<'EOF' ... EOF)" heredoc payloads
    intact (naive `echo "$@"` would lose argv boundaries)
  - The docs/gbrain-write-surfaces.md the resolver points to

Asserts:
  - gbrain-calls.log contains `gbrain put office-hours/pixel-fund`
  - Payload file at gbrain-payloads/office-hours/pixel-fund.md exists
    with valid YAML frontmatter (title: + tags: + design-doc tag)
  - At least one gbrain put entities/<name> call (entity stub
    enrichment is best-effort, soft warning if absent)

Covers agent obedience to the SAVE_RESULTS instruction. Out of scope:
gbrain CLI persistence contract (T11 covers that with real PGLite).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(brain): real PGLite round-trip E2E (matched-pair persistence)

test/skill-e2e-gbrain-roundtrip-local.test.ts (~145 LOC, periodic-tier,
~$0.001/run on Voyage):

Real gbrain CLI round-trip against an isolated temp HOME:
  1. gbrain init --pglite --embedding-model voyage:voyage-code-3
  2. gbrain put office-hours/<unique-slug> --content <markdown>
  3. gbrain get <slug>
  4. Assert every body line survives + title + tags + non-empty

This is the matched-pair check for the v1.50.0.0 question "is the data
we hope to save actually being saved?" — proves the gbrain CLI
persistence contract gstack relies on, against a real engine.

Does NOT involve the agent — pure CLI integration test. The agent
obedience side is covered by the fake-CLI E2E in the prior commit.

Skips cleanly when VOYAGE_API_KEY is unset OR gbrain CLI is missing
from PATH, so CI without secrets degrades gracefully.

Remote/Supabase routing is gbrain's contract — the same CLI shape
works against every engine. gstack stops at local round-trip coverage
to avoid re-testing gbrain's MCP client implementation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(brain): touchfiles + TODOS + CHANGELOG for v1.50.0.0

test/helpers/touchfiles.ts: register the two new E2Es in
E2E_TOUCHFILES + E2E_TIERS (both periodic):
  - office-hours-brain-writeback: triggered by resolver / gen-pipeline /
    detection helper / refresh subcommand / office-hours template /
    docs / fixture / test file changes
  - gbrain-roundtrip-local: triggered by resolver / test file changes

TODOS.md: append two P2 follow-ups carried over from the v1.50 plan:
  - Re-verify calibration takes when gbrain v0.42+ ships takes_add and
    BRAIN_CALIBRATION_WRITEBACK flips TRUE
  - Extend brain-writeback E2E to the other 4 planning skills (extract
    makeFakeGbrain to test/helpers/fake-gbrain.ts when second consumer
    arrives)

CHANGELOG.md v1.50.0.0: add a "Save-results path: works under any CLI
when gbrain is on PATH" section that documents the headline:
  - Conditional inclusion at setup-time (zero overhead for non-gbrain
    users, ~250 tokens with gbrain)
  - Wiring symmetry fix (5 of 5 planning skills now write a page)
  - Token cost table comparing detection states
  - Test coverage map (resolver unit + override mechanism + fake-CLI
    agent obedience + real PGLite round-trip)
  - Why remote routing isn't tested here (gbrain's contract)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(brain): tighten prompt + relax slug assertion in writeback E2E

Two fixes:

1. Prompt: "Slug it 'pixel-fund'" was ambiguous — agent could read it
   as "use pixel-fund as the FULL slug" instead of "substitute
   pixel-fund for <feature-slug>". Replaced with explicit guidance:
   "The feature-slug value to substitute into the SAVE_RESULTS
   template's <feature-slug> placeholder is exactly 'pixel-fund' (no
   path prefix — the template already provides the prefix). Apply the
   SAVE_RESULTS template literally." Also added "Do NOT explore gbrain
   --help" to short-circuit the discovery loop the agent fell into.

2. Slug assertion: was a strict /gbrain put .*office-hours\/pixel-fund/
   regex. This conflated two concerns — agent obedience (does the
   agent actually invoke gbrain put?) vs resolver output shape (does
   the template emit the right prefix?). The latter is already pinned
   by test/resolvers-gbrain-save-results.test.ts at the resolver level
   (free, hermetic). The E2E now asserts /gbrain put .*pixel-fund/
   (slug contains pixel-fund somewhere) plus a recursive payload-file
   search that accepts either office-hours/pixel-fund.md (template-
   faithful) or pixel-fund.md (agent dropped prefix). The YAML
   frontmatter + tag assertions on the payload remain strict — those
   are the real agent-obedience contract.

3. Entity-stub regex: was looking for entities/<name>; agent
   variability uses entity/<name>, people/<name>, companies/<name>.
   Loosened to match entit(y|ies) only. The soft-warning path stays
   (no hard fail) because entity extraction is best-effort prose, not
   a CLI contract.

Verified passing locally: 7 expect() calls, 268s, ~$0.50.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: bump version to 1.51.1.0

main advanced to 1.51.0.0 while this branch was in development. Bump
to 1.51.1.0 (PATCH above main) so the branch lands cleanly above the
current main version per the monotonic-ordered-release invariant.

Renames the branch-internal [1.50.0.0] CHANGELOG entry to [1.51.1.0] —
1.50.0.0 never landed on main (main skipped to 1.51.0.0), so this
consolidates the branch's brain-aware planning + save-results work
under a single shipping version with no orphaned entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-29 08:35:00 -07:00

1082 lines
44 KiB
Cheetah
Raw Blame History

---
name: setup-gbrain
preamble-tier: 2
version: 1.0.0
description: |
Set up gbrain for this coding agent: install the CLI, initialize a
local PGLite or Supabase brain, register MCP, capture per-remote trust
policy. One command from zero to "gbrain is running, and this agent
can call it." Use when: "setup gbrain", "connect gbrain", "start
gbrain", "install gbrain", "configure gbrain for this machine". (gstack)
triggers:
- setup gbrain
- install gbrain
- connect gbrain
- start gbrain
- configure gbrain
allowed-tools:
- Bash
- Read
- Write
- Edit
- Glob
- Grep
- AskUserQuestion
---
{{PREAMBLE}}
# /setup-gbrain — Coding-Agent Onboarding for gbrain
You are setting up gbrain (https://github.com/garrytan/gbrain), a persistent
knowledge base, on the user's local Mac so that this coding agent (typically
Claude Code) can call it as both a CLI and an MCP tool.
**Scope honesty:** This skill's MCP registration step (5a) uses
`claude mcp add` and targets Claude Code specifically. Other local hosts
(Cursor, Codex CLI, etc.) will still get the gbrain CLI on PATH — they can
register `gbrain serve` in their own MCP config manually after setup.
**Audience:** local-Mac users. openclaw/hermes agents typically run in cloud
docker containers with their own gbrain; "sharing" a brain between them and
local Claude Code is only possible through shared Postgres (Supabase).
## User-invocable
When the user types `/setup-gbrain`, run this skill. Three shortcut modes:
- `/setup-gbrain` — full flow (default)
- `/setup-gbrain --repo` — only flip the per-remote policy for the current repo
- `/setup-gbrain --switch` — only migrate the engine (PGLite ↔ Supabase)
- `/setup-gbrain --resume-provision <ref>` — re-enter a previously interrupted
Supabase auto-provision at the polling step
- `/setup-gbrain --cleanup-orphans` — list + delete in-flight Supabase projects
Parse the invocation args yourself — these are prose hints to the skill, not
implemented as a dispatcher binary.
---
## Step 1: Detect current state
```bash
~/.claude/skills/gstack/bin/gstack-gbrain-detect
```
Capture the JSON output. It contains: `gbrain_on_path`, `gbrain_version`,
`gbrain_config_exists`, `gbrain_engine`, `gbrain_doctor_ok`, `gbrain_mcp_mode`,
`gstack_brain_sync_mode`, `gstack_brain_git`, `gstack_artifacts_remote`, and
the v1.34.0.0+ `gbrain_local_status` field (one of: `ok`, `no-cli`,
`missing-config`, `broken-config`, `broken-db`).
Skip downstream steps that are already done. Report the detected state in
one line so the user knows what you found:
> "Detected: gbrain v0.18.2 on PATH, engine=postgres, doctor=ok,
> sync=artifacts-only. Nothing to install; jumping to the policy check."
Branch on the `--repo`, `--switch`, `--resume-provision`, `--cleanup-orphans`
invocation flags here and skip to the matching step.
---
## Step 1.5: Broken-local-engine remediation (plan D4)
Read `gbrain_local_status` from the Step 1 detect output. **If it's `broken-db`
or `broken-config` AND no shortcut flag was passed**, the user has a
non-working local engine (Garry's repro: `~/.gbrain/config.json` points at a
dead Postgres URL). Fire a targeted AskUserQuestion BEFORE Step 2:
> D# — Your local gbrain engine isn't responding. How do you want to fix it?
> Project/branch/task: <one-sentence grounding using detected slug + branch>
> ELI10: gbrain has a config at `~/.gbrain/config.json` but the engine it points
> at isn't reachable. That could be a transient outage (Postgres container
> stopped, Tailscale down) OR a stale config you want to abandon. Different
> remediation for each case.
> Stakes if we pick wrong: "Switch to PGLite" overwrites your existing config
> (one-way door if the user actually wanted the broken engine). "Retry" preserves
> existing state for transient cases.
> Recommendation: A (Retry) — always try the cheap option first; if engine is
> just temporarily down it'll come back without any destructive change.
> Note: options differ in kind, not coverage — no completeness score.
> A) Retry — re-probe the engine (recommended; ~80ms)
> ✅ Cheapest test: re-runs `gbrain sources list` to see if engine is back
> ✅ Zero side effects; existing config preserved
> ❌ If engine is permanently dead, retries forever; user must choose another option
> B) Switch to local PGLite (one-way — moves existing config to .bak)
> ✅ Fastest path to a working local engine if user has abandoned the old one
> ✅ ~30s; no accounts; private to this machine
> ❌ Destructive — existing config moved to ~/.gbrain/config.json.gstack-bak-{ts}
> C) Switch brain mode (continue to Step 2 path picker)
> ✅ Lets user pick Path 1/2/3/4 to re-init from scratch
> ✅ Preserves existing config until they explicitly init the new one
> ❌ Longer flow if user just wants to repair to PGLite
> D) Quit (do nothing)
> ✅ No cons — this is a hard-stop choice
> ❌ N/A
> Net: A is the right starting move; B/C are explicit destructive paths; D bails.
**If A (Retry)**: re-run `~/.claude/skills/gstack/bin/gstack-gbrain-detect`
with `GSTACK_DETECT_NO_CACHE=1` (busts the 60s cache). If the new
`gbrain_local_status` is `ok`, continue to Step 2. If still `broken-db` or
`broken-config`, fire the same AskUserQuestion again (the user picks again).
**If B (Switch to PGLite)** — execute the rollback-safe init sequence (plan D7):
```bash
BACKUP="$HOME/.gbrain/config.json.gstack-bak-$(date +%s)"
mv "$HOME/.gbrain/config.json" "$BACKUP"
# gstack default: voyage-code-3 (1024d) when VOYAGE_API_KEY is set — best for
# code retrieval. Without the key, fall back to gbrain's own auto-selected
# embedding provider chain (OpenAI 1536d when OPENAI_API_KEY is present, etc.).
GBRAIN_EMBED_FLAGS=""
if [ -n "${VOYAGE_API_KEY:-}" ]; then
GBRAIN_EMBED_FLAGS="--embedding-model voyage:voyage-code-3 --embedding-dimensions 1024"
fi
if ! gbrain init --pglite --json $GBRAIN_EMBED_FLAGS; then
# Restore on failure
mv "$BACKUP" "$HOME/.gbrain/config.json"
echo "gbrain init failed. Your previous config was restored at $HOME/.gbrain/config.json." >&2
echo "PGLite directory at ~/.gbrain/pglite/ may be in a partial state — \`rm -rf ~/.gbrain/pglite\` if needed before retrying." >&2
exit 1
fi
echo "Switched to local PGLite. Previous config saved at $BACKUP — review before deleting."
```
Then jump to Step 5a (MCP registration; the new PGLite engine is registered as
local-stdio).
**If C (Switch brain mode)**: continue to Step 2's normal path picker.
**If D (Quit)**: STOP the skill cleanly.
For `gbrain_local_status` values of `no-cli` or `missing-config`, do NOT fire
Step 1.5 — fall through to Step 2 (where `no-cli` triggers Step 3 install and
`missing-config` triggers Step 4 init).
---
## Step 2: Pick a path (AskUserQuestion)
Only fire this if Step 1 shows no existing working config AND no shortcut
flag was passed. **Special case:** if `gbrain_mcp_mode=remote-http` in the
detect output, an HTTP MCP is already registered — skip directly to Step 5a
verification (re-test the registration) and Step 6 onward, treating this run
as idempotent. Don't ask Step 2 again.
The question title: "Where should your brain live?"
Options (present based on detected state):
- **1 — Supabase, I already have a connection string.** Cloud-agent users
whose openclaw/hermes provisioned one already. Paste the Session Pooler
URL from the Supabase dashboard (Settings → Database → Connection Pooler
→ Session). *Trust-surface caveat to include in the prompt:* "Pasting this
URL gives your local Claude Code full read/write access to every page your
cloud agent can see. If that's not the trust level you want, pick PGLite
local instead and accept the brains are disjoint."
- **2a — Supabase, auto-provision a new project.** You'll need a Supabase
Personal Access Token (~90 seconds). Best choice for a shared team brain.
- **2b — Supabase, create manually.** Walk through supabase.com signup
yourself; paste the URL back when ready.
- **3 — PGLite local.** Zero accounts, ~30 seconds. Isolated brain on this
Mac only. Best for try-first.
- **4 — Remote gbrain MCP.** Someone else (or another machine of yours) is
already running `gbrain serve` with HTTP transport. You paste the MCP URL
+ a bearer token; this skill registers it as your MCP. No local brain DB,
no local install needed. Recommended when the brain is shared across
machines or run by a teammate.
- **Switch** (only if Step 1 detected an existing engine): "You already have
a `<engine>` brain. Migrate it to the other engine?" → runs
`gbrain migrate --to <other>` wrapped in `timeout 180s` (D9).
Do NOT silently pick; fire the AskUserQuestion.
---
## Step 3: Install gbrain CLI (if missing)
**SKIP entirely on Path 4 (Remote MCP).** Path 4 doesn't need a local gbrain
binary — all calls go through MCP to the remote server. Jump to Step 4 (the
Path 4 subsection).
For Paths 1, 2a, 2b, 3, switch — only if `gbrain_on_path=false`:
```bash
~/.claude/skills/gstack/bin/gstack-gbrain-install
```
The installer runs D5 detect-first (probes `~/git/gbrain`, `~/gbrain` first),
then D19 PATH-shadow validation (post-link `gbrain --version` must match
install-dir `package.json`). On D19 failure the installer exits 3 with a
clear remediation menu; surface the full output to the user and STOP. Do not
continue the skill — the environment is broken until the user fixes PATH.
---
## Step 4: Initialize the brain
Path-specific.
### Path 1 (Supabase, existing URL)
Source the secret-read helper, collect URL with `read -s` + redacted preview:
```bash
. ~/.claude/skills/gstack/bin/gstack-gbrain-lib.sh
read_secret_to_env GBRAIN_POOLER_URL "Paste Session Pooler URL: " \
--echo-redacted 's#://[^@]*@#://***@#'
```
Then validate structurally:
```bash
printf '%s' "$GBRAIN_POOLER_URL" | ~/.claude/skills/gstack/bin/gstack-gbrain-supabase-verify -
```
If the verify exit code is 3 (direct-connection URL), the verifier's own
message explains the fix; surface it and re-prompt for a Session Pooler URL.
On success, hand off to gbrain via env var (D10, never argv):
```bash
GBRAIN_DATABASE_URL="$GBRAIN_POOLER_URL" gbrain init --non-interactive --json
```
Then `unset GBRAIN_POOLER_URL GBRAIN_DATABASE_URL` immediately. The URL is
now persisted in `~/.gbrain/config.json` at mode 0600 by gbrain itself.
### Path 2a (Supabase, auto-provision — D7)
Show the D11 PAT scope disclosure verbatim BEFORE collecting the token:
> *This Supabase Personal Access Token grants full read/write/delete access
> to every project in your Supabase account, not just the `gbrain` one we're
> about to create. Supabase doesn't currently support scoped tokens. We use
> this PAT only to: create one project, poll it until healthy, read the
> Session Pooler URL — then discard it from process memory. The token
> remains valid on Supabase's side until you manually revoke it at
> https://supabase.com/dashboard/account/tokens — we recommend revoking
> immediately after setup completes.*
Then:
```bash
. ~/.claude/skills/gstack/bin/gstack-gbrain-lib.sh
read_secret_to_env SUPABASE_ACCESS_TOKEN "Paste PAT: "
```
Ask the D17 tier prompt via AskUserQuestion: "Which Supabase tier?" Present
Free (2-project limit, pauses after 7d inactivity) vs Pro ($25/mo, no
pauses, recommended for real use). Explain that tier is **org-level** (per
the Management API contract) — user picks their org based on its current
tier. Pro may require them to upgrade the org first at supabase.com.
List orgs, pick one (AskUserQuestion if multiple):
```bash
orgs=$(~/.claude/skills/gstack/bin/gstack-gbrain-supabase-provision list-orgs --json)
```
If the `.orgs` array is empty, surface: "Your Supabase account has no
organizations. Create one at https://supabase.com/dashboard, then re-run
`/setup-gbrain`." STOP.
Ask the user for a region (default `us-east-1`; valid values are the 18
enum values in the Supabase Management API — list a few common ones, let
them pick "Other" for a full list).
Generate the DB password (never shown to the user):
```bash
export DB_PASS=$(openssl rand -base64 24)
```
Set up a SIGINT trap (D12 basic recovery):
```bash
trap 'echo ""; echo "gstack-gbrain: interrupted. In-flight ref: $INFLIGHT_REF"; \
echo "Resume: /setup-gbrain --resume-provision $INFLIGHT_REF"; \
echo "Delete: https://supabase.com/dashboard/project/$INFLIGHT_REF"; \
unset SUPABASE_ACCESS_TOKEN DB_PASS; exit 130' INT TERM
```
Create + wait + fetch:
```bash
result=$(~/.claude/skills/gstack/bin/gstack-gbrain-supabase-provision \
create gbrain "$REGION" "$ORG_SLUG" --json)
INFLIGHT_REF=$(echo "$result" | jq -r .ref)
~/.claude/skills/gstack/bin/gstack-gbrain-supabase-provision wait "$INFLIGHT_REF" --json
pooler=$(~/.claude/skills/gstack/bin/gstack-gbrain-supabase-provision \
pooler-url "$INFLIGHT_REF" --json)
GBRAIN_DATABASE_URL=$(echo "$pooler" | jq -r .pooler_url)
export GBRAIN_DATABASE_URL
gbrain init --non-interactive --json
unset SUPABASE_ACCESS_TOKEN DB_PASS GBRAIN_DATABASE_URL INFLIGHT_REF
trap - INT TERM
```
After success, emit the PAT revocation reminder:
> "Setup complete. Revoke the PAT you pasted at
> https://supabase.com/dashboard/account/tokens — we've already discarded
> it from memory and don't need it again. The gbrain project will continue
> working because it uses its own embedded database password."
### Path 2b (Supabase, manual)
Walk the user through the supabase.com steps:
1. Login at https://supabase.com/dashboard
2. Click "New Project," name it `gbrain`, pick a region, copy the generated
database password (you'll need it for paste-back? no — it's embedded in
the pooler URL we collect next)
3. Wait ~2 min for the project to initialize
4. Settings → Database → Connection Pooler → Session → copy the URL (port
6543)
Then follow the same secret-read + verify + init flow as Path 1.
### Path 3 (PGLite local)
```bash
# gstack default: voyage-code-3 (1024d) when VOYAGE_API_KEY is set — code
# retrieval beats general-purpose embeddings on real code queries (validated
# A/B). Without the key, gbrain auto-selects (OpenAI 1536d when available).
GBRAIN_EMBED_FLAGS=""
if [ -n "${VOYAGE_API_KEY:-}" ]; then
GBRAIN_EMBED_FLAGS="--embedding-model voyage:voyage-code-3 --embedding-dimensions 1024"
fi
gbrain init --pglite --json $GBRAIN_EMBED_FLAGS
```
Done. No network, no secrets (beyond Voyage embedding API calls during sync, if
`VOYAGE_API_KEY` is set — ~$0.18 per 1M tokens, pennies per repo).
### Path 4 (Remote gbrain MCP — HTTP transport with bearer token)
For users whose brain runs on another machine (Tailscale, ngrok, internal
LAN, or a teammate's server). No local gbrain CLI install, no local DB.
This skill registers the remote MCP and stops; ingestion + indexing happens
on the brain host.
**4a. Collect MCP URL.** Prompt the user:
```
Paste your gbrain MCP URL (e.g. https://wintermute.tail554574.ts.net:3131/mcp):
```
Read with plain `read -r` (no secret hygiene needed — the URL alone isn't
a credential). Validate it starts with `https://` (require TLS for any
non-loopback host); refuse `http://` for non-localhost.
**4b. Collect bearer token via the secret-read helper (D10, never argv).**
```bash
. ~/.claude/skills/gstack/bin/gstack-gbrain-lib.sh
read_secret_to_env GBRAIN_MCP_TOKEN "Paste bearer token: " \
--echo-redacted 's/.\{6\}$/***REDACTED***/'
```
**4c. Verify via gstack-gbrain-mcp-verify.** Run the helper; capture the
classified JSON output:
```bash
verify_json=$(GBRAIN_MCP_TOKEN="$GBRAIN_MCP_TOKEN" \
~/.claude/skills/gstack/bin/gstack-gbrain-mcp-verify "$MCP_URL")
status=$(echo "$verify_json" | jq -r .status)
```
If `status != "success"`, the helper has already classified the failure
into NETWORK / AUTH / MALFORMED and emitted a one-line remediation hint.
Surface the hint above the raw error from `error_text` and **STOP** with
a clear "fix and re-run /setup-gbrain" message. Do NOT continue to Step 5a
on a failed verify — partial registration would leave the user with a
half-broken state.
Capture two values from the verify output for downstream steps:
- `SERVER_VERSION` (e.g., `0.27.1`) — written to the CLAUDE.md block in Step 8.
- `URL_FORM_SUPPORTED` (`true|false`) — passed to `gstack-artifacts-init` in
Step 7 to control which form of the brain-admin hookup command is printed.
**4d. (Path 4) Offer local PGLite for code search.** Per plan D10/D11, ask:
> D# — Want symbol-aware code search on this machine?
> Project/branch/task: <one-sentence grounding using detected slug + branch>
> ELI10: The remote brain at `<MCP_URL>` is great for cross-machine knowledge,
> but symbol queries like `gbrain code-def` / `code-refs` / `code-callers` need
> a local index of THIS machine's code. We can spin up a tiny isolated PGLite
> database (~30 seconds, no accounts, ~120 MB disk) just for code, separate
> from your remote brain. Transcripts and artifacts continue routing through
> the artifacts repo to the remote brain — local PGLite stays code-only.
> Stakes: without it, semantic code search in this repo's worktrees falls
> back to Grep.
> Recommendation: A — 30 seconds, no ongoing cost, unlocks the symbol tools.
> Completeness: A=10/10 (full split-engine), B=7/10 (remote-only).
> A) Yes, set up local PGLite for code (recommended)
> ✅ Unlocks `gbrain code-def`, `code-refs`, `code-callers` per worktree
> ✅ Independent engine — won't disturb remote brain or share transcripts
> B) No, remote MCP only
> ✅ Zero local state — only `~/.claude.json` MCP registration
> ❌ Symbol code queries fall back to Grep in this repo's worktrees
> Net: A = full split-engine; B = remote-only.
**If A (Yes)**: install + init local PGLite with rollback-safe semantics (D7):
```bash
~/.claude/skills/gstack/bin/gstack-gbrain-install || exit $?
# At this point the local gbrain CLI is on PATH. Init PGLite, but back up any
# existing ~/.gbrain/config.json first (rollback if init fails).
if [ -f "$HOME/.gbrain/config.json" ]; then
BACKUP="$HOME/.gbrain/config.json.gstack-bak-$(date +%s)"
mv "$HOME/.gbrain/config.json" "$BACKUP"
fi
# gstack default for local code-search PGLite: voyage-code-3 (1024d) when
# VOYAGE_API_KEY is set. It wins the A/B over voyage-4-large and OpenAI
# text-embedding-3-large on this codebase's symbol queries. Falls back to
# gbrain's auto-selected provider when the key isn't present.
GBRAIN_EMBED_FLAGS=""
if [ -n "${VOYAGE_API_KEY:-}" ]; then
GBRAIN_EMBED_FLAGS="--embedding-model voyage:voyage-code-3 --embedding-dimensions 1024"
fi
if ! gbrain init --pglite --json $GBRAIN_EMBED_FLAGS; then
if [ -n "${BACKUP:-}" ] && [ -f "$BACKUP" ]; then mv "$BACKUP" "$HOME/.gbrain/config.json"; fi
echo "gbrain init failed. Existing config (if any) was restored. PGLite at ~/.gbrain/pglite/ may be in a partial state — \`rm -rf ~/.gbrain/pglite\` to reset." >&2
echo "Continuing setup without local code search; you can re-run /setup-gbrain to retry." >&2
fi
```
Then continue to Step 5a. The remote-http MCP registration in 5a runs as
today; the local PGLite is independent of MCP registration (Claude Code talks
to the remote brain via MCP for queries; `gbrain` CLI talks to local PGLite
for code-def/refs/callers).
**If B (No)**: skip the install + init. The local engine stays absent.
`gbrain_local_status` will be `missing-config` (or `no-cli` if gbrain isn't
installed). `/sync-gbrain` will SKIP the code stage cleanly per plan D12.
**4e. Skip Steps 3, 4 (other paths) and 5 (local doctor) when B was picked.**
When A was picked, Step 3 already ran (via gstack-gbrain-install) and Step 4
already ran (via `gbrain init --pglite`); jump straight to Step 5a. When B
was picked, Steps 3/4/5 are no-ops; also skip Step 7.5 (transcript ingest)
since memory-stage routes through the artifacts pipeline in remote-http mode
per plan D11.
The bearer token (`GBRAIN_MCP_TOKEN`) stays in process env until Step 5a's
`claude mcp add --header` consumes it; then `unset GBRAIN_MCP_TOKEN`
immediately. Token security trade-off documented in
`setup-gbrain/memory.md`: brief argv exposure during `claude mcp add`,
resting state in `~/.claude.json` mode 0600.
### Switch (from detect's existing-engine state)
```bash
# Going PGLite → Supabase, collect URL first (Path 1 flow), then:
timeout 180s gbrain migrate --to supabase --url "$URL" --json
# Going Supabase → PGLite:
timeout 180s gbrain migrate --to pglite --json
```
If `timeout` returns 124 (exit code for timeout): surface D9 message
("Migration didn't complete in 3 minutes — another gstack session may be
holding a lock on the source brain. Close other workspaces and re-run
`/setup-gbrain --switch`. Your original brain is untouched."). STOP.
---
## Step 5: Verify gbrain doctor
**SKIP entirely on Path 4 (Remote MCP).** The brain host runs its own
doctor; we don't have local DB access to introspect. Step 4c's verify
round-trip already proved the server is reachable, authed, and on a
compatible MCP version.
For Paths 1, 2a, 2b, 3, switch:
```bash
doctor=$(gbrain doctor --json)
status=$(echo "$doctor" | jq -r .status)
```
If status is `ok` or `warnings`, proceed. Anything else → surface the full
doctor output and STOP.
---
## Step 5a: Register gbrain as Claude Code MCP (D18)
Only if `which claude` resolves. Ask: "Give Claude Code a typed tool surface
for gbrain? (recommended yes)"
The registration form depends on the path picked in Step 2:
### Path 4 (Remote MCP — HTTP transport with bearer)
Tear down any prior registration (could be local-stdio from an old setup,
or stale remote-http with a rotated token), then register with HTTP +
bearer at user scope:
```bash
claude mcp remove gbrain -s user 2>/dev/null || true
claude mcp remove gbrain 2>/dev/null || true
claude mcp add --scope user --transport http gbrain "$MCP_URL" \
--header "Authorization: Bearer $GBRAIN_MCP_TOKEN"
unset GBRAIN_MCP_TOKEN # zero from process env after registration
claude mcp list | grep gbrain # verify: should show "✓ Connected"
```
**Token-storage note:** `claude mcp add --header "Authorization: Bearer ..."`
puts the bearer on argv during process startup, briefly visible to `ps` for
~10ms. The token's resting state is `~/.claude.json` (mode 0600 — Claude
Code's own credential surface for every MCP server). This trade-off is
documented in `setup-gbrain/memory.md`. If a future Claude Code release adds
a stdin or env-var input form for headers, switch to that.
### Paths 1, 2a, 2b, 3 (Local stdio)
Register at **user scope** with an **absolute path** to the gbrain
binary. User scope makes the MCP available in every Claude Code session on
this machine, not just the current workspace. Absolute path avoids PATH
resolution issues when Claude Code spawns `gbrain serve` as a subprocess.
```bash
GBRAIN_BIN=$(command -v gbrain)
[ -z "$GBRAIN_BIN" ] && GBRAIN_BIN="$HOME/.bun/bin/gbrain"
claude mcp remove gbrain -s user 2>/dev/null || true
claude mcp remove gbrain 2>/dev/null || true
claude mcp add --scope user gbrain -- "$GBRAIN_BIN" serve
claude mcp list | grep gbrain # verify: should show "✓ Connected"
```
### Both paths
If `claude` is not on PATH: emit "MCP registration skipped — this skill is
Claude-Code-targeted; register `gbrain serve` (or your remote MCP URL) in
your agent's MCP config manually." Continue to step 6.
**Heads-up for the user:** an already-open Claude Code session will not
pick up the new MCP tools until restart. Tell them: "Restart any open
Claude Code sessions to see `mcp__gbrain__*` tools — they're loaded at
session start, not mid-session."
---
## Step 6: Per-remote policy (D3 triad, gated repo-import)
If we're in a git repo with an `origin` remote, check the policy:
```bash
current_tier=$(~/.claude/skills/gstack/bin/gstack-gbrain-repo-policy get)
```
Branches:
- `read-write` → import this repo: `gbrain import "$(pwd)" --no-embed` then
`gbrain embed --stale &` in the background.
- `read-only` → skip import entirely (this tier is enforced by the future
auto-import hook + by gbrain resolver injection, not here).
- `deny` → do nothing.
- `unset` → AskUserQuestion: "How should `<normalized-remote>` interact with
gbrain?"
- `read-write` — agent can search AND write new pages from this repo
- `read-only` — agent can search but never write
- `deny` — no interaction at all
- `skip-for-now` — don't persist, ask next time
On answer (other than skip-for-now):
```bash
~/.claude/skills/gstack/bin/gstack-gbrain-repo-policy set "$REMOTE" "$TIER"
```
Then import iff `read-write`.
If outside a git repo OR no origin remote: skip this step with a note.
For `/setup-gbrain --repo` invocations, execute ONLY Step 6 and exit.
---
## Step 7: Offer artifacts sync + wire it into gbrain
Renamed from "session memory sync" in v1.27.0.0 — the on-disk concept is
artifacts (CEO plans, designs, /investigate reports, retros) rather than
"session memory," which was a confusing name for what was always a
human-readable artifact bucket. Behavioral transcript ingest is its own
step (7.5) with its own option set.
Separate AskUserQuestion: "Also sync your gstack artifacts (CEO plans,
designs, reports, retros) to a private git repo that gbrain can index
across machines?"
Options:
- Yes, full sync (everything allowlisted)
- Yes, artifacts-only (plans, designs, retros — skip behavioral data)
- No thanks
If yes, run the artifacts-init helper. It asks the user to pick a git host
(GitHub via `gh`, GitLab via `glab`, or paste a URL manually), creates
`gstack-artifacts-$USER` (private), and writes the canonical HTTPS URL to
`~/.gstack-artifacts-remote.txt`. Pass `--url-form-supported` from Step 4c's
verify output (Path 4) or `false` (Paths 1/2/3 — local mode doesn't probe):
```bash
URL_FORM=${URL_FORM_SUPPORTED:-false}
~/.claude/skills/gstack/bin/gstack-artifacts-init --url-form-supported "$URL_FORM"
~/.claude/skills/gstack/bin/gstack-config set artifacts_sync_mode artifacts-only
# or "full" if user picked yes-full
```
`gstack-artifacts-init` always prints a "Send this to your brain admin" block
at the end with the exact `gbrain sources add` command. Per codex Finding #3:
the skill never auto-executes server-side gbrain commands; even if the user
IS the brain admin, copy-pasting the printed command is the consistent UX.
### Path 4 (Remote MCP) — done after artifacts-init
In remote mode, the local `gstack-gbrain-source-wireup` helper does NOT run
(it shells out to a local `gbrain` CLI which Path 4 doesn't install). The
brain admin runs the printed command on the brain host instead. Skip to Step 7.5.
### Paths 1, 2a, 2b, 3 (Local stdio) — wire up the federated source
Then wire the artifacts repo into gbrain so its content is searchable from
any gbrain client. The helper creates a `git worktree` of `~/.gstack/`,
registers it as a federated source via `gbrain sources add --path
--federated`, and runs an initial `gbrain sync`. Local-Mac only.
Capture the database URL out of `~/.gbrain/config.json` first and pass it
explicitly so the wireup is robust against any other process rewriting
`~/.gbrain/config.json` mid-sync (e.g., concurrent `gbrain init` runs
elsewhere on the machine):
```bash
GBRAIN_URL=$(python3 -c "
import json, os, sys
try:
c = json.load(open(os.path.expanduser('~/.gbrain/config.json')))
print(c.get('database_url', ''))
except Exception:
pass
")
~/.claude/skills/gstack/bin/gstack-gbrain-source-wireup --strict \
${GBRAIN_URL:+--database-url "$GBRAIN_URL"}
```
`--strict` exits non-zero on missing prereqs (gbrain not installed, < 0.18.0,
or no `~/.gstack/.git` yet) so the user sees the failure rather than silently
ending up with an unwired brain. On non-zero exit, surface the helper's
output and STOP per skill rules — search-across-machines won't work until
the prereq is fixed.
---
## Step 7.5: Transcript & memory ingest gate
**SKIP entirely on Path 4 (Remote MCP).** Transcript ingest shells out to
the local `gbrain` CLI which Path 4 doesn't install. Remote-mode users
rely on the brain server's own ingest cadence — if your brain admin wants
this machine's transcripts indexed, they pull from your `gstack-artifacts-$USER`
repo (set up in Step 7) on whatever schedule they prefer. Set
`gstack-config set transcript_ingest_mode off` and continue to Step 8.
For Paths 1, 2a, 2b, 3:
After memory sync is wired (Step 7) but before persisting the CLAUDE.md
config (Step 8), offer to bring this Mac's coding-agent transcripts +
curated `~/.gstack/` artifacts into gbrain so the retrieval surface
(per-skill manifests, salience block) has data to surface.
Run the probe to size the operation:
```bash
~/.claude/skills/gstack/bin/gstack-memory-ingest --probe
```
Read the output. If `Total files in window: 0`, skip — there's nothing
to ingest. Set `gstack-config set transcript_ingest_mode incremental`
silently and continue to Step 8.
If `New (never ingested)` is < 200 AND total bytes are < 100MB: silent
bulk via `gstack-memory-ingest --bulk --quiet`. Set
`transcript_ingest_mode=incremental` and continue.
Otherwise (the "many transcripts on disk" path): AskUserQuestion with
the exact counts AND the value promise. Default scope is **current repo
only, last 90 days**:
> "Found <N_repo> transcripts in THIS repo (<repo-slug>) over the last
> 90 days, plus <N_other> across other repos on this machine (<bytes>
> total if all ingested). Ingest THIS repo's transcripts into gbrain?
>
> What you get after this: every gstack skill auto-loads recent salience
> from your past sessions in this repo, so the agent finds your prior
> work without you describing it. You can query 'what was I doing on
> day X' and get a real answer. Per-session pages are searchable,
> taggable, and deletable. Secret scanning runs before any push.
>
> What stays the same: nothing leaves your machine unless gbrain sync
> is enabled (Step 7). Per-repo trust policies still apply.
>
> Multi-Mac note: if you HAVE enabled brain sync (Step 7), these
> transcript pages will sync across your Macs. Caveat: deleting a
> transcript page later removes it from gbrain but git history retains
> it in prior commits. Use `gstack-transcript-prune` to delete in bulk;
> use `git filter-repo` on the brain remote for hard-delete from
> history."
Options:
- A) Yes — this repo, last 90 days (recommended; ~est min)
- B) Yes — this repo, ALL history
- C) Yes — this repo + other repos on this machine
- D) Skip historical, track new from now (`transcript_ingest_mode=incremental`)
- E) Never ingest transcripts (`transcript_ingest_mode=off`)
After answer:
```bash
~/.claude/skills/gstack/bin/gstack-config set transcript_ingest_mode <choice>
~/.claude/skills/gstack/bin/gstack-gbrain-sync --full --no-brain-sync
```
(`--no-brain-sync` because Step 7 already wired that path; this just
runs the code import + memory ingest stages. Brain-sync will run on the
next preamble hook.)
If A/D/E, ingest is incremental from this point on; preamble-boundary
hook runs `gstack-gbrain-sync --incremental --quiet` on every skill
start (cheap mtime fast-path).
Reference doc for users: `setup-gbrain/memory.md` (linked from CLAUDE.md
Step 8).
---
## Step 8: Persist `## GBrain Configuration` in CLAUDE.md
Find-and-replace (or append) the section. Block format depends on mode:
### Path 4 (Remote MCP)
```markdown
## GBrain Configuration (configured by /setup-gbrain)
- Mode: remote-http
- MCP URL: {MCP_URL}
- Server version: gbrain v{SERVER_VERSION} (from Step 4c verify)
- Setup date: {today}
- MCP registered: yes (user scope)
- Token: stored in ~/.claude.json (do not commit; never written to CLAUDE.md)
- Artifacts repo: {gstack_artifacts_remote URL or "none"}
- Artifacts sync: {off|artifacts-only|full}
- Current repo policy: {read-write|read-only|deny|unset}
```
The bearer token is **never** written to CLAUDE.md (CLAUDE.md is checked
in to git in many projects). It lives only in `~/.claude.json` where
`claude mcp add` placed it.
### Paths 1, 2a, 2b, 3 (Local stdio)
```markdown
## GBrain Configuration (configured by /setup-gbrain)
- Mode: local-stdio
- Engine: {pglite|postgres}
- Config file: ~/.gbrain/config.json (mode 0600)
- Setup date: {today}
- MCP registered: {yes/no}
- Artifacts sync: {off|artifacts-only|full}
- Current repo policy: {read-write|read-only|deny|unset}
```
**After Step 9 (smoke test) passes, also write the `## GBrain Search Guidance`
block** so the coding agent learns when to prefer `gbrain` over Grep. This
block is gated on the smoke test passing — write the Configuration block
first (so the user knows what state they're in even if the smoke test fails),
then return here after Step 9 and write the guidance block only if smoke
test succeeded.
When Step 9 passes, find-and-replace (or append) this block. Use HTML-comment
delimiters so removal regex is unambiguous and never eats user content. The
block content is machine-AGNOSTIC — no engine type, no page counts, no
last-sync time. Machine state stays in the Configuration block above.
```markdown
## GBrain Search Guidance (configured by /sync-gbrain)
<!-- gstack-gbrain-search-guidance:start -->
GBrain is set up and synced on this machine. The agent should prefer gbrain
over Grep when the question is semantic or when you don't know the exact
identifier yet. Two indexed corpora available via the `gbrain` CLI:
- This repo's code (registered as `gstack-code-<repo>` source).
- `~/.gstack/` curated memory (registered as `gstack-brain-<user>` source via
the existing federation pipeline).
Prefer gbrain when:
- "Where is X handled?" / semantic intent, no exact string yet:
`gbrain search "<terms>"` or `gbrain query "<question>"`
- "Where is symbol Y defined?" / symbol-based code questions:
`gbrain code-def <symbol>` or `gbrain code-refs <symbol>`
- "What calls Y?" / "What does Y depend on?":
`gbrain code-callers <symbol>` / `gbrain code-callees <symbol>`
- "What did we decide last time?" / past plans, retros, learnings:
`gbrain search "<terms>" --source gstack-brain-<user>`
Grep is still right for known exact strings, regex, multiline patterns, and
file globs. The brain auto-syncs incrementally on every gstack skill start.
Run `/sync-gbrain` to force-refresh, `/sync-gbrain --full` for full reindex.
<!-- gstack-gbrain-search-guidance:end -->
```
If Step 9 smoke test fails, skip the guidance block write entirely. The user's
next `/sync-gbrain` run will re-evaluate capability and write the block when
the round-trip works.
---
## Step 9: Smoke test
### Path 4 (Remote MCP)
The `mcp__gbrain__*` tools aren't visible mid-session — they're loaded at
Claude Code session start. So the live smoke test in this same skill run is
informational: print the curl-equivalent the user can run after restarting
Claude Code. The verify round-trip in Step 4c already proved the server is
reachable + authed + on a compatible MCP version, so we don't re-test that.
Print to stdout:
```
After restarting Claude Code, the `mcp__gbrain__*` tools become callable.
Smoke test: ask the agent to run `mcp__gbrain__search` with any query
("test page" works). You should see a JSON list of pages.
To verify from the shell right now (without waiting for restart):
curl -s -X POST -H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
-H 'Authorization: Bearer <YOUR_TOKEN>' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
<YOUR_MCP_URL>
```
Do NOT print the actual token in the curl command — leave the placeholder
`<YOUR_TOKEN>` so the snippet is safe to copy into chat / share.
### Paths 1, 2a, 2b, 3 (Local stdio)
```bash
SLUG="setup-gbrain-smoke-test-$(date +%s)"
echo "Set up on $(date). Smoke test for /setup-gbrain." | gbrain put "$SLUG"
gbrain search "smoke test" | grep -i "$SLUG"
```
Confirms the round trip. On failure, surface `gbrain doctor --json` output
and STOP with a NEEDS_CONTEXT escalation.
---
## Step 9.5: Brain trust policy (v1.48 brain-aware planning, D4 / Phase 1.5)
The brain trust policy controls whether gstack auto-pushes `~/.gstack/`
artifacts and writes calibration takes back to this brain. It's per-
endpoint: a user with both a local PGLite (personal) and a team remote
MCP (shared) gets both policies tracked separately.
Detect the active endpoint hash + current policy:
```bash
_HASH=$(~/.claude/skills/gstack/bin/gstack-config endpoint-hash 2>/dev/null)
_POLICY=$(~/.claude/skills/gstack/bin/gstack-config get brain_trust_policy@$_HASH 2>/dev/null || echo unset)
echo "ENDPOINT_HASH: $_HASH"
echo "BRAIN_TRUST_POLICY: $_POLICY"
```
Branch on transport + current policy:
**If `_POLICY` is `personal` or `shared`:** policy already set. Print
"Trust policy for this endpoint: $_POLICY" and skip to Step 10.
**If `_POLICY` is `unset` AND `_HASH == "local"`:** auto-set personal
(local engines are inherently single-tenant). No AskUserQuestion.
```bash
~/.claude/skills/gstack/bin/gstack-config set brain_trust_policy@$_HASH personal
echo "Trust policy auto-set to 'personal' for local PGLite (single-tenant by construction)."
```
**If `_POLICY` is `unset` AND `_HASH != "local"` (remote MCP):** ask the
trust policy question via AskUserQuestion:
> The brain at this MCP endpoint — is it your personal brain or a
> shared/team brain?
>
> Personal: gstack auto-pushes ~/.gstack/ artifacts (CEO plans, design
> docs, retros, learnings) and writes calibration takes back as you make
> decisions. Your brain gets smarter every session. Pick this if you
> alone set up this brain.
>
> Shared/team: read-only by default. gstack reads context but prompts
> before any write. Safer for brains where your individual takes
> shouldn't pollute the shared corpus.
Options:
- A) Personal (recommended for self-hosted remote brains)
- B) Shared/team
After answer, persist:
```bash
~/.claude/skills/gstack/bin/gstack-config set brain_trust_policy@$_HASH <personal|shared>
```
If `personal` was selected AND `artifacts_sync_mode` is still `off`, also
default it to `full` (D4 auto-push convention):
```bash
_CURRENT_SYNC=$(~/.claude/skills/gstack/bin/gstack-config get artifacts_sync_mode 2>/dev/null || echo off)
if [ "$_CURRENT_SYNC" = "off" ]; then
~/.claude/skills/gstack/bin/gstack-config set artifacts_sync_mode full
echo "artifacts_sync_mode auto-set to 'full' (personal brain default)."
fi
```
Backwards compat: existing users whose `artifacts_sync_mode_prompted` is
already `true` keep their answer; this gate only fires for new endpoints
or first-time-after-upgrade users.
## Step 10: GREEN/YELLOW/RED verdict block (idempotent doctor output)
After Steps 1-9 complete, summarize. Re-running `/setup-gbrain` on a
configured Mac is a first-class doctor path: every step detects existing
state, repairs only what's missing, and reports here.
```bash
~/.claude/skills/gstack/bin/gstack-gbrain-detect 2>/dev/null || true
~/.claude/skills/gstack/bin/gstack-config get transcript_ingest_mode 2>/dev/null || echo "off"
~/.claude/skills/gstack/bin/gstack-config get artifacts_sync_mode 2>/dev/null || echo "off"
[ -f ~/.gstack/.gbrain-sync-state.json ] && cat ~/.gstack/.gbrain-sync-state.json || echo "{}"
```
Read `gbrain_mcp_mode` from the detect output and pick the right verdict
template. Each row is `[OK]/[FIX]/[WARN]/[ERR]`.
### Path 4 (Remote MCP)
```
gbrain status: GREEN (mode: remote-http)
MCP ............. OK {SERVER_NAME} v{SERVER_VERSION} at {MCP_URL}
Auth ............ OK bearer accepted (verified via /tools/list)
Engine .......... N/A remote mode
Doctor .......... N/A remote mode (brain admin runs `gbrain doctor`)
Repo policy ..... OK {read-write|read-only|deny}
Artifacts repo .. OK {gstack_artifacts_remote URL}
Artifacts sync .. OK {artifacts_sync_mode}
Transcripts ..... OK route to artifacts repo → remote brain (plan D11)
Code search ..... {OK local-pglite (~/.gbrain/pglite) | N/A declined at Step 4d}
CLAUDE.md ....... OK
Smoke test ...... INFO printed for post-restart manual verification
Restart Claude Code to pick up the `mcp__gbrain__*` tools.
Re-run `/setup-gbrain` any time the bearer rotates or the URL moves.
```
The **Code search** row reflects the choice at Step 4d:
- If user picked A (Yes): `OK local-pglite` and `gbrain_local_status == "ok"` going forward.
- If user picked B (No): `N/A declined at Step 4d` — `gstack-config set local_code_index_offered true` to silence future migration notices.
The **Transcripts** row changed in v1.34.0.0: in remote-http mode,
gstack-memory-ingest now persists staged transcripts to
`~/.gstack/transcripts/run-<pid>-<ts>/` and gstack-brain-sync pushes them
to the artifacts repo. Brain admin's pull job indexes into the remote brain.
Local PGLite (when present) stays code-only — no transcript pollution.
### Paths 1, 2a, 2b, 3 (Local stdio)
```
gbrain status: GREEN (mode: local-stdio)
CLI ............. OK <gbrain version>
Engine .......... OK <pglite|supabase> at <path>
doctor .......... OK
MCP ............. OK registered (user scope)
Repo policy ..... OK <read-write|read-only|deny>
Code import ..... OK <last_imported_head>
Artifacts sync .. OK <artifacts_sync_mode> to <remote>
Transcripts ..... OK <N> sessions, last ingest <when>
CLAUDE.md ....... OK
Smoke test ...... OK put → search → delete round-trip
Run `/setup-gbrain` again any time gbrain feels off; it's safe and idempotent.
```
If any row is YELLOW or RED, the verdict line says so and the failing rows
surface a one-line "next action" (e.g.,
`Engine .......... ERR PGLite corrupt — run \`gbrain restore-from-sync\` (V1.5)`).
For V1, restore-from-sync is a V1.5 P0 cross-repo TODO; until it ships,
the user's brain remote (with brain-sync enabled) holds curated artifacts
as markdown + git, recoverable manually via `gbrain import` from a clone.
---
## `/setup-gbrain --cleanup-orphans` (D20)
Re-collect a PAT (Step 4 path-2a scope disclosure), then:
```bash
# List user's Supabase projects (user has to pipe this through their own
# shell to review; we don't rely on a stored PAT).
export SUPABASE_ACCESS_TOKEN="<collected from read_secret_to_env>"
projects=$(curl -s -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \
https://api.supabase.com/v1/projects)
```
Parse the response, identify any project named starting with `gbrain` whose
`ref` doesn't match the user's active `~/.gbrain/config.json` pooler URL.
For each orphan, AskUserQuestion per project: "Delete orphan project
`<ref>` (`<name>`, created `<created_at>`)?" — NEVER batch; per-project
confirm is a one-way door.
On confirmed delete:
```bash
curl -s -X DELETE -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \
https://api.supabase.com/v1/projects/$REF
```
Never delete the active brain without a second explicit confirmation.
At end: `unset SUPABASE_ACCESS_TOKEN`. Revocation reminder.
---
## Telemetry (D4)
The preamble's Telemetry block logs skill success/failure at exit. When
emitting the event, add these enumerated categorical values to the
telemetry payload (SAFE — no free-form secrets, never the URL or PAT):
- `scenario`: `supabase-existing` | `supabase-auto-provision` |
`supabase-manual` | `pglite-local` | `switch-to-supabase` |
`switch-to-pglite` | `repo-flip-only` | `cleanup-orphans` |
`resume-provision`
- `install_performed`: `yes` | `no` (D5 reuse) | `skipped` (pre-existing)
- `mcp_registered`: `yes` | `no` | `claude-missing`
- `trust_tier_set`: `read-write` | `read-only` | `deny` |
`skip-for-now` | `n/a` (outside git repo)
Never pass `SUPABASE_ACCESS_TOKEN`, `DB_PASS`, `GBRAIN_POOLER_URL`,
`GBRAIN_DATABASE_URL`, or any `postgresql://` substring to the telemetry
invocation. The CI grep test in `test/skill-validation.test.ts` enforces
this at build time.
---
## Important Rules
- **One rule for every secret.** PAT, DB_PASS, pooler URL: env-var only,
never argv, never logged, never persisted to disk by us. The only file
that holds the pooler URL long-term is `~/.gbrain/config.json`, written
by gbrain's own `init` at mode 0600 — that's gbrain's discipline, not
ours.
- **STOP points are hard.** Gbrain doctor not healthy, D19 PATH shadow, D9
migrate timeout, smoke test failure — each is a STOP. Do not paper over.
- **Concurrent-run lock.** At skill start, `mkdir ~/.gstack/.setup-gbrain.lock.d`
(atomic). If the mkdir fails, abort with: "Another `/setup-gbrain` instance
is running. Wait for it, or `rm -rf ~/.gstack/.setup-gbrain.lock.d` if
you're sure it's stale." Release on normal exit AND in the SIGINT trap.
- **CLAUDE.md is the audit trail.** Always update it in Step 8 after a
successful setup.
Reference in New Issue View Git Blame Copy Permalink