Phase Status
Audited 2026-05-05 evening; re-audited 2026-05-09 (Phase 13a-1 / 13b-1 / 14-1 redesign / 14-2 partial shipped between 2026-05-06 and 2026-05-09). Synthesizes the clenis branch state, the kanban project optimalos-fabric, and the threat audit.
Shipped 2026-05-06 → 2026-05-09 (post-Option-A wave)
| Phase / item | Status | Commit / merge | What it does |
|---|---|---|---|
| 13a-1 RFC 8628 OAuth device-grant pairing | Shipped 2026-05-06 | e1ef78d (merge 7d4f203) | Phone-friendly user-code flow; replaces token-paste UX papercut |
| 13b-1 full revocation cascade | Shipped 2026-05-07 | cbd6bbd (merge b100b03) | Daemon-side closeRevokedConnectionByPubkey, cockpit revoke UI, last-of-kind guards |
| MOTHER bridge — local LLM adapter + cockpit chat panel | Shipped 2026-05-07 | 4869422 | mother-llm harness adapter; cockpit MOTHER chat; SSE streaming over Sessions API |
| Phase 12-1.1 multiplex hardening | Shipped 2026-05-08 | 6fccb61 (pair-time caps durable, heartbeat MERGES), c125cfa (3 bugs blocking first paired install) | Pair-time capability tags survive heartbeat; scheduler hard-filter bugs fixed |
| Item B unified activity feed | Shipped 2026-05-08 | 565d8c4 | GET /api/activity + activity drawer |
| Item D tmux.list/attach multiplex envelopes | Shipped 2026-05-08 | 72d5055 | Fabric → device tmux multiplex |
| Item E [+] tmux dropdown via multiplex | Shipped 2026-05-08 | e9c3032 | Cockpit attach to any paired device's tmux |
| 14-1 unified Sessions tab (list-then-form) | Shipped 2026-05-09 | 68cf6db | List of fabric/tmux/loom rows + start-new form below |
| 14-2 mobile-first TOPO renderer | Partially shipped | merge 098381e + 75cf5aa (NOW lane) + 12b44b2 (planet detail) + 2ab5b91 (chrome services slide-over) | TOPO home + planet drill-down landed; BOARD-wrapped variant still pending |
| Fabric tmux-attach live PTY relay | Shipped 2026-05-09 | 8da8e3a | tmux.attach.* end-to-end (was Item D stub) |
| Cross-device tmux fanout | Shipped 2026-05-09 | 1abb765 | Activity feed merges tmux.list replies from all paired devices |
| Phase A chrome cleanup | Shipped 2026-05-09 | c5cc6c1 (fuel meter + Pair Device nav retired), d008452 (alerts pill), 2ab5b91 (services slide-over), 75cf5aa (NOW lane), 12b44b2 (planet detail), cc3e2ba (delete 8 superseded widgets) | Legacy widget bloat removed as fabric ports went live |
| MOTHER scheduler accepts pop-os | Shipped 2026-05-12 | a290d7a | Capability detector maps mother-llm → ollama binary |
Recently shipped (2026-05-05 session)
The bulk of remaining Phase 11/12/14 work landed today, plus the deployment-mode split (Option A) — the biggest architectural shift of the day. 40 commits pushed to origin/clenis on optimalOS, range b08f948..bf69427; +7 commits on optimal-cli.
| Phase / item | Commit | What it does |
|---|---|---|
| 11-1 Claude Code full harness adapter | d90a049 | Replaces claude --print escape hatch; adapter + registry, 25+4 tests |
| 11-2 four-harness adapter set | b19ae17 | kimi-code, codex, openclaw, opencode adapters; 126 unit tests |
| 12-1 capability-aware routing scheduler | 35c7f70 | Replaces device-router stub; RAM-aware, command-allowlist-aware, multi-device match |
| 14-1 Sessions tab UI | 85d8226 | Pick paired device + harness; SSE-ready |
| 14-3 terminal lock-in / two-pane | ee414b6 | Derived state (left) + raw stream (right); resizable splitter |
| 14-4 fuel meter chrome | a4807ba (top:44px in f81b412) | THROUGHPUT / MISSION / YIELD readings; moved below legacy [XFER] button |
| 14-5 mobile PWA polish | b815e17 | Manifest, service worker, touch targets |
| Sessions replay endpoint | 8931546 + lock-in wire-up 0eed264 | GET /api/sessions/:id/stream |
| Static-serve smoke regression | 9cfb550 | Closes the working-tree commit gap from yesterday |
| Hardware-aware vault recipient labels | e0f0d60 | "iPad Safari" / "MacBook Air M1 Safari" / "Windows Chrome" instead of opaque IDs |
| Post-ceremony redirect → / | final 859fab5 | Was /vault/dashboard, was /; iterated to land on / |
| /vault/setup auth-required UX fix | f2a1b87 | Resolves kanban f9abbb18 |
| Option A — deployment-mode conditional render | bf69427 | Same single bundle, two destinies; gated by hostname + DEPLOYMENT env |
| vault Add Entry dashboard UI | c3f3a7d | Drawer + form; encrypts client-side, posts ciphertext |
| Loom test pre-existing failures | 0ab217e | Fixed |
Operational fixes (not commits): Hetzner JWT_SIGNING_KEY was missing → set + restarted.
Deployment-mode split
Option A (commit bf69427) is the architectural shift of the day. Same bundle, two destinies:
- Server-side gate: `process.env.DEPLOYMENT === "hetzner-cloud"` gates the `/api/vault`, `/api/auth`, `/api/fuel` route mounts. Pi (legacy) returns `410 Gone` on these paths.
- Client-side gate: `client/fabric-mode.ts` `isFabricMode()` reads `window.location.hostname` (matches `fabric.optimal.miami` or `fabric.*` subdomains). Sessions tab + fuel meter + `/vault/*` SPA routes are hidden in legacy mode. Override seam: `window.__FABRIC_MODE__`.
- Result: `optimal.miami` (Pi) is now a legacy backup serving Home / Board / Loom / Settings + the legacy [XFER] button, with no Fabric surfaces. `fabric.optimal.miami` (Hetzner) serves the full Fabric experience.
See fabric/deployment-modes.md for the full design.
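The two gates above, modelled as pure functions so they can be checked without a browser or a running server. This is an added example, not the project's `client/fabric-mode.ts` or server code; the function names, the `Deployment` type and the `410 | null` return shape are assumptions. Note that the client gate only hides UI; the server-side env gate is the enforcement point, which is why the legacy host answers 410 even to a client that forces fabric mode.

```typescript
// Added example: models the Option A deployment-mode gates. Assumed names/signatures.

// Fabric-only route prefixes named in the status doc.
const FABRIC_ROUTE_PREFIXES = ["/api/vault", "/api/auth", "/api/fuel"] as const;

// Server-side gate: only the Hetzner deployment mounts the Fabric routes.
function isFabricDeployment(env: Record<string, string | undefined>): boolean {
  return env.DEPLOYMENT === "hetzner-cloud";
}

// Status a server should short-circuit with for a request path.
// null  -> path is not gated here; let the normal handler run (e.g. 401 on fabric).
// 410   -> legacy (Pi) deployment with the Fabric route unmounted: Gone.
function legacyStatusFor(
  path: string,
  env: Record<string, string | undefined>,
): 410 | null {
  if (isFabricDeployment(env)) return null;
  const gated = FABRIC_ROUTE_PREFIXES.some(
    (p) => path === p || path.startsWith(p + "/"),
  );
  return gated ? 410 : null;
}

// Client-side gate: hostname match with an explicit override seam
// (the doc's window.__FABRIC_MODE__), passed in here instead of read from window.
// This decides what the SPA renders; it is not a security boundary.
function isFabricMode(hostname: string, override?: boolean): boolean {
  if (typeof override === "boolean") return override;
  const host = hostname.toLowerCase();
  return host === "fabric.optimal.miami" || host.startsWith("fabric.");
}

// Browser-side adapter (not exercised in tests): reads the real globals.
function isFabricModeFromWindow(): boolean {
  const w = globalThis as { location?: { hostname: string }; __FABRIC_MODE__?: boolean };
  return isFabricMode(w.location?.hostname ?? "", w.__FABRIC_MODE__);
}
```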
Verified live (2026-05-05 22:00 UTC)
| Probe | Result |
|---|---|
| `curl https://optimal.miami/api/vault/recipients` | 410 Gone (legacy mode, route unmounted) |
| `curl https://fabric.optimal.miami/api/vault/recipients` | 401 Unauthorized (fabric mode, route live, auth required) |
| `curl https://fabric.optimal.miami/healthz` | 200 |
| Hetzner bundle hash | index-BiNTgB37.css + latest server.js |
| Backup at | /opt/optimalos/app.bak.20260505-133711 |
Working
Original Phase 10 set + everything from today's session. Threat-model status now P0 = 5/5 cleared, P1 = 7/8 closed.
| Phase | Capability | Code | Tests |
|---|---|---|---|
| 10a-1 | Vault crypto core (age, KDF, BIP39, WebAuthn, canary) | src/vault/crypto/* | tests/vault/crypto/*.test.ts |
| 10a-2 | Schema + /api/vault/* routes | src/routes/vault.ts, src/vault/server/* | tests/vault/routes.test.ts |
| 10a-3 | Vault UI — setup, unlock, recovery, prewarm | client/vault/* | tests/vault/ui.test.ts + manual SMOKE.md |
| 10a-4 | Device daemon vault module | src/vault/device/* | tests/vault/device/*.test.ts |
| 10a-5 | Dashboard — revoke + access log UI | client/vault/dashboard.ts | tests/vault/dashboard.test.ts |
| 10a-6 | Add Entry UI + CLI parity | client/vault/{dashboard,add-entry,api}.ts, optimal-cli lib/vault/index.ts | 19 UI tests; commit c3f3a7d |
| 10a-7 | P0 security clear | src/server/csp.ts | Threat audit §2-§3 sign-off |
| 10b-1..3 | Hetzner provisioning + cloud build + JWT/pairing/invite | infrastructure/, Dockerfile, src/auth/* | Cloud config + auth tests |
| 10c-1..3 | Daemon WS + cloud multiplex + e2e smoke | src/daemon/*, src/server/{ws-multiplex,session-tracker}.ts | 7+ files |
| static-serve | /vault/* SPA fallback + smoke coverage | src/server/static.ts | tests/server/static.test.ts; commit 9cfb550 |
| 11-1 | Claude Code full harness adapter | src/daemon/adapters/{claude-code,registry}.ts | 25+4 tests; commit d90a049 |
| 11-2 | kimi-code / codex / openclaw / opencode adapters | src/daemon/adapters/* | 126 unit tests; commit b19ae17 |
| 12-1 | Capability-aware routing scheduler | src/server/scheduler.ts | commit 35c7f70 |
| 14-1 | Sessions tab — pick device + harness | client/sessions/{index,sse-parser}.ts, client/styles/sessions.css | 15 tests; commit 85d8226 |
| 14-3 | Terminal lock-in / two-pane | client/terminal-lockin/* | commit ee414b6 |
| 14-4 | Fuel meter chrome | client/fuel.ts, client/styles/fuel.css | commits a4807ba, f81b412 |
| 14-5 | Mobile PWA polish | manifest + SW + client/styles/sessions.css mobile | commit b815e17 |
| Option A | Deployment-mode split | client/fabric-mode.ts + server gates | commit bf69427 |
Left to build
| Phase | Title | Effort | Depends on | Notes |
|---|---|---|---|---|
| 11-3 | Detect-then-prompt installer | S | 11-2 ✓ | "Install Kimi on pop-os" CTA + install.sh over WS |
| 12-2 | TPM/Secure-Enclave device key sealing | L | 10c-1 | Today: mode 0600 file. Future: TPM seal on Linux, SE on macOS |
| 13a-1 | OAuth Device Authorization Grant (RFC 8628) | M | 10b-3 | ✅ SHIPPED 2026-05-06 (e1ef78d, merge 7d4f203) |
| 13b-1 | Full revocation cascade + WebAuthn-gated destructive ops | S | 10a-3 | ✅ SHIPPED 2026-05-07 (cbd6bbd, merge b100b03) |
| 14-1 | Unified Sessions tab (list-then-form) | M | 11-2 ✓, 12-1 ✓ | ✅ SHIPPED 2026-05-09 (68cf6db) |
| 14-2 | Mobile-first TOPO renderer | L | 11-2 ✓, 12-1 ✓ | 🟡 PARTIALLY SHIPPED 2026-05-05/09. TOPO home + planet detail + NOW lane + activity drawer + MOTHER chat shipped (merge 098381e + 75cf5aa + 12b44b2). BOARD-wrapped variant still pending. |
| 15-1..3 | Self-host Supabase / n8n / Strapi / Phoenix on Hetzner | L | 10b-1 | Decided to stay on managed Supabase v1 (Decision #7); revisit at scale |
| 16-1..2 | AI self-mod (bot-worktree → phone-push approval) | M | 14-2 | MOTHER moves from narrate to act behind approval |
| 17-1 | Hosted SaaS billing | S | 15-1, 14-2 | Stripe + per-user invite codes |
Left to test
Outstanding P1 threats (from 06-vault-auth-threat-rerun.md)
| ID | Finding | Status |
|---|---|---|
| T2 | RLS absent (single-tenant only) | Outstanding — Phase 14 dependency |
| T4 | Device-JWT revocation cross-check | CLOSED 5ff9ba4 (cached 60s) |
| T5b | localStorage trust marker → PRF-wrap | CLOSED 2ddf0e6 (WebCrypto non-extractable in IndexedDB) |
| T6b | Lock-file SRI pinning | CLOSED (implied by 14-5 manifest work) |
| T7 | Cloud TLS pubkey pinning | CLOSED f9142ec (TOFU + verify-every-fetch) |
| T8 | Postgres RPC for atomic re-wrap | CLOSED e41f9d8 + optimal-cli migration 19e8b5f |
| T11 | Per-install Argon2id salt | CLOSED ffbb8e2 + optimal-cli migration 6a05e9d |
| T13 | Access-log payload validation, JWT-bound x-session-id | CLOSED a9d9310 |
| P1-#9 | Recovery phrase DOM zeroize + 30s clipboard auto-clear | CLOSED 18fefd9 |
| P1-#10 | Origin pubkey pinning | CLOSED (part of T7 / f9142ec) |
P0 = 5/5 cleared. P1 = 7/8 closed today (was 0/8 this morning). Only T2 (RLS) remains as a P1, blocked on Phase 14.
Deferred to later phases
| Item | Phase |
|---|---|
| Playwright E2E for vault ceremony | 14-2 |
| OAuth Device Authorization Grant E2E tests | 13a-1 |
| Self-host Supabase tests | 15-1 |
| Stripe + per-user invite tests | 17-1 |
| AI-PR phone-push approval tests | 16-2 |
Recommended order for tomorrow
- (30 min) Pair the Pi as a Fabric `device` recipient (kanban 8f84c30e); `optimal pair` CLI now exists in optimal-cli (commits c132faf, 61b296d). Adds a `device`-kind row to `vault_recipients` + a `paired_devices` entry.
- (2–4 h) Add a real vault entry (today: 6 recipients enrolled, 0 entries). `optimal vault import-env` dry-run shows 69 entries would be imported across 4 default `.env` files.
- (1–2 d) Phase 14-2 — TOPO renderer. The remaining big Phase 14 piece. Starmap of devices / sessions / depots / token streams.
- (M) Phase 13a-1 OAuth Device Authorization Grant — replaces token-paste. Only major auth piece left.
- (L) Phase 15 service migrations onto Hetzner (deferred per Decision #7 unless scale forces it).
- (after Pi paired + everything stable) Real Claude session round-trip: vault entry → Sessions tab → adapter spawn on Pi.
Source links
- Charter: `~/.openclaw/workspace/optimalOS/docs/superpowers/specs/2026-05-03-fabric-charter.md`
- Plan: `~/.openclaw/workspace/optimalOS/docs/superpowers/plans/2026-05-03-fabric-implementation.md`
- Decision ledger: `~/.optimalos/transfers/fabric-design/03-decision-ledger.md`
- Threat audit: `~/.optimalos/transfers/fabric-design/06-vault-auth-threat-rerun.md`
- Deployment modes: `./deployment-modes`
- Kanban: `optimal board view -p optimalos-fabric`