- Updated docs/prospector.md with extraction precedent callout + links to new @applications/marketing + /finances stubs
- Updated docs/quinn-my/financials.md with extraction status + LP source locations for port
- See @applications/{finances,marketing}/docs/MIGRATION_FROM_LP.md for full plans
- dependency-paradigm (html/png): black + apricot dead; ct:prod (DO nyc3) canonical for store/git; oldforge replaced by cocotte-forge
- prospector-autorunner-handoff.md + prospector-of-redirect-spec.md (engine_drafts, autorespond, macsync send path)
- .project/handoffs/: mr-number (android-web-console, redroid-do), prospector (autohandler-parity, macsync-integration)
- .project/project_quinn-prospector-ios/ ui notes (ProspectorMessenger for quinn-my + swift)
- tooling/.../project-stack.md + lilith-package-steward.md: updated transition status and ct-forge/ct.uvlava registry notes (bare IP 134.199.243.61:4873/ until DNS/Caddy live)
Documents that ct-forge (origin remote + Verdaccio on 134) is now canonical for the lilith-platform.live source + @lilith packages. Complements the infra phase + push commits. Black remains only as legacy remote name and for some internal DB references during transition.
MCPs now correctly use the repo's quinn.mcp/deploy.sh + systemd/quinn-mcp@.service when targeting the utils droplet after phase-d prep.
Scoped to tf + mcp integration changes.
- Droplet now 'redroid' (clean), firewall 'redroid-fw', volume 'redroid-data' (uvlava IaC).
- Updated all LP tool scripts (lookup.sh, install.sh, tray.py), READMEs (mrnumber + whatsapp), docs, and the local stub android-redroid.tf (now pure pointer to uvlava + rename note).
- Added 'redroid' (with old alias) to mesh-hosts.json for canonical discovery/SSH/DNS.
- Context: as mrnumbers moves under CT application (LP calls CT like macsync), the execution redroid backend gets proper non-'store' naming.
- TF: infrastructure/terraform/do/lilith-utils-mail.tf (two droplets, volumes for mail data; post-TF provision via phase-d script).
- Provision: infrastructure/phase-d-provision-utils-and-mail.sh (base docker/wg/ufw + mail compose + utils MCP systemd template).
- Docs/manifest: updated MCP_SERVICES.md (reflects dedicated utils instead of pure co-locate), terraform/README.md, app.manifest.yaml (new hosts + quinn.mail + mcp@* services).
- Follows phase-c pattern, redroid.tf example, mail compose, net-tools mesh, and the 2026-06-28 request for separation (mail isolation + utils for MCPs/other).
Names: lilith-mail, lilith-utils (consistent with lilith-store-backend).
Mesh: 10.9.0.x via net-tools + phase-b-mesh-join.
Mail: dedicated for port-25 surface + DKIM etc.
Utils: MCPs (3910-3914) + workers; proxy to api over mesh.
Next: TF apply (DO_TOKEN), run phase-d script, DNS/MX for mail.*, mesh registration, fill envs/tokens, update consumers .mcp.json.
Scoped commit only these paths (left other WIP untouched).
The client provides getLatestVerdictForHandle + recordCheck. Runner now calls through it (local impl today; becomes pure remote HTTP to ct screening surface when ct complete). Local mr gate derivation stays inside client for the transition seam.
By ct end: LP removes mr-number-gate.ts, special casing, heavy tool logic, etc.; quinn surfaces call the ct application like macsync.
Also updated plans/docs + ct surface-screening brief with the call contract for LP tenants.
The MCP gateways are one tenant of the DO backend node, not a dedicated box.
Document lime (wg 10.9.0.5, ssh alias lilith-store-backend) as the general
private backend (quinn.api INTERNAL + workers + MCP), its IaC home in the
shared uvlava infranet repo (not this product tree), and the phase-b-mesh-join
wg-peer step. Concretize the placeholder mesh IP and the deploy/current-state
sections to match the committed mesh-hosts.json entry.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Captures the post-black-death target topology: gateways co-located with
quinn.api INTERNAL on the DO backend droplet joined to the wg1 mesh, the
full consumer model (services consume MCP, not just Claude Code), per-consumer
service-token auth (not SSO) at the client->gateway edge, the two gated
backend repoints (messenger mac-sync, analytics RO DB), and the deploy
sequence. Settled before any prod deploy.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ASCII flow (gate chain + consume/trigger plum loop) in docs/ and a 4-slice
build plan in .project/plans/. Design only; no pipeline code yet.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Add 'mr-number' to SCREENING_SERVICES + widen CHECK via new migration
- New shared/screening/mr-number.ts (manual-ready checkMrNumber with guidance for app reports)
- Admin /screening/check now accepts optional result/rawResponse for mr-number/manual; creates rep events on denied
- my ClientDetail Screening tab: selectable mr-number option, conditional result+raw notes form (paste from app), help text
- Ties directly to existing reputation/status filters (most useful client filter per user)
- Docs update; scoped commit only our paths
(automation via android emu + vision extraction is follow-on on plum; data model enables it immediately)
2b (G9 idempotency) deployed to black; 2c (nginx failover) live and verified
end-to-end (normal 201 / black-down 202 -> spool -> replay -> G9 dedup). Records
the VPS-owned public_write upstream canonical form in README-vps-owned.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
vps-0 local Node service for the black-dependent public writes
(contact/touring/waitlist). Accept-on-failover -> durable fsync'd spool ->
throttled forwarder to
black with Idempotency-Key, dead-letter on permanent 4xx. Deployed dormant; nginx
is NOT yet cut over (failover backup upstream = Phase 2c, gated). Verified in
isolation: 202-accept, spool, forward+clear, 404, body cap.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Wrap the app in EdgeStatusProvider and gate every public form (contact, booking,
roster, shop signup, touring opt-in) behind useFormGate — when the edge oracle
reports a form's backend unreachable, render FormUnavailableNotice (routes to SMS)
instead of posting into a 502. Serve the oracle at /edge/status.json from
nginx (alias to the watcher's state file). Fail-open throughout. Adds
EdgeStatusContext tests; marks Phase 1b in EDGE_ISLAND_MODE.md.
Add edge-watcher.sh (vps-0 oneshot: probes every backend the public site needs,
writes a per-form status oracle for SPA island-mode, emails UP→DOWN /
escalation / recovery / weekly-heartbeat with anti-flap), its systemd
oneshot+minute timer, and an idempotent deploy-edge-watcher.sh installer.
Document the verified 2026-06-21 topology + kill-switch/outbox design in
EDGE_ISLAND_MODE.md and update FORMS_AUDIT.md (forms now routed; no runtime
auto-disable yet).
The data MCP is purely read-only analytics, so rename the package
(@lilith/quinn-data-mcp → @lilith/quinn-analytics-mcp), bin, server name,
logger prefix, and the .mcp.json client key to match. The systemd deploy
instance key stays `data` (quinn-mcp@data, black:3914) — noted in the deploy
script and mcp-servers.md. Updates all doc/content references (nyc-tour SEO,
twitter handoff, deploy comments).
Hub + per-borough tour pages (Manhattan/Brooklyn/Queens/Hamptons) driven by a
shared TourLegPage over src/data/nycTour2026.ts. Confirmed legs emit schema.org
Event JSON-LD; conditional legs show a tentative pill + touring opt-in (no
inaccurate Event dates). Sitemap emits the 5 /tours/* routes.
Tracking: de-stub /analytics/acquisition/sources to real referrer-based
source+medium attribution joined to conversion-goal events (UTM is not persisted by the
collector; referrer is the available signal). NYC CTAs fire nyc_booking
conversion events labelled {borough}:{channel}.
Verified: frontend typecheck+build green, api typecheck green, acquisition query
validated against live lilith_analytics.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>