Per-User Hermes + GBrain Memory Runtime — Milestone 1 Plan
Source
This plan captures the outcome of the 2026-05-30 grill-me/shaping session about using full Hermes + full GBrain as a per-user clo0p memory runtime.
Connor's core intent:
I want to figure out how best to leverage supabse per user as cloop tools, readonly. The overall idea is that I want per user, to have this autonomous agent running in the background, on a cron. I have a few cloud options, cloudsflare, GCP, digital ocean, supabase. The tech stack should enable per user, hermes + gbrain setup, we should be able to have a correlated file system that enables the setup, and operation of hermes+gbrain, I need to think about how I set this up for users, how we get this setup for existing users, and when users sign up, and how we securely make sure that only a users set of data from integrations, heartbeats, cloop apis, supabase, or raw integrations, is only ever read only and locked down by user.
Key decisions Connor made during shaping:
- Use full real Hermes + full real GBrain, not a trimmed-down clone.
- Use per-user durable workspaces with ephemeral scheduled jobs, not always-on per-user daemons.
- Use GCP Cloud Run Jobs + GCS for milestone 1 real infrastructure.
- Use Supabase as source/control plane, not as the memory substrate.
- Use short-lived job-scoped memory export tokens, not Supabase service role in the worker.
- Preserve raw export JSONL permanently for milestone 1/internal-full.
- Use deterministic evidence renderers before Hermes/GBrain synthesis.
- Start with Charlie's existing user as the first rich internal/test target.
---
1. Product Goal
Build the first real end-to-end version of a per-user clo0p memory runtime that runs full Hermes + full GBrain on a schedule over a user's clo0p data.
The system should prove that clo0p can:
1. read high-signal user-scoped Supabase data;
2. preserve raw evidence into a per-user workspace;
3. render deterministic GBrain-readable source pages;
4. run full Hermes + full GBrain against that workspace;
5. run GBrain import/embed/extract/dream/insight behavior;
6. produce cited reports showing the system is learning, compounding, and useful;
7. do all source access through read-only job-scoped capabilities.
The milestone is intentionally internal-first and value-first. It should prove the magic before hardening the production-safe customer profile.
---
2. Non-Goals
Milestone 1 does not include:
- all-user fanout;
- production-safe locked-down customer rollout;
- user-facing dashboard/status page;
- user-facing delete/export UX;
- long-running per-user Hermes daemons;
- arbitrary source writes;
- Supabase service-role credentials in the memory worker;
- raw integration refresh tokens in the memory worker;
- replacing Hermes or GBrain with a simplified reimplementation;
- adapting GBrain into Supabase-native memory tables;
- using Cloudflare Workers/Supabase Edge Functions as the full runtime host.
Design should make multi-user fanout an easy next step, but fanout is out of scope for this plan.
---
3. Architecture Decision Summary
Selected shape
Use:
- GCP Cloud Run Jobs for ephemeral full-runtime execution.
- GCS for durable per-user workspace storage.
- Artifact Registry for the shared worker image.
- Secret Manager for memory runtime model credentials.
- Supabase for source data, control metadata, memory export APIs, and job completion APIs.
- Full Hermes and full GBrain installed in the worker image.
- Per-user mutable workspace hydrated from GCS to local disk per job.
- GBrain MCP launched by Hermes as stdio MCP only.
- Deterministic evidence rendering before Hermes/GBrain synthesis.
High-level flow
clo0p-app / Supabase control plane
├─ memory_workspaces
├─ memory_jobs
├─ memory_artifacts
├─ memory export API
└─ job completion API
│
│ create job + mint job-scoped token
▼
GCP Cloud Run Job
image: cloop-memory-runtime:<version>
env:
USER_ID
JOB_ID
JOB_TYPE
WORKSPACE_URI=gs://cloop-memory-workspaces/users/{user_id}/
RUNTIME_PROFILE=internal-full
TEMPLATE_VERSION=v1
CLOOP_MEMORY_EXPORT_TOKEN
OPENAI_API_KEY from Secret Manager
│
│ hydrate workspace from GCS
▼
Local /workspace/{job_id}
hermes-home/
gbrain-home/
brain/
runtime/
│
│ Hermes CLI starts with HERMES_HOME
│ Hermes launches `gbrain serve` via stdio MCP
│ GBrain sees GBRAIN_HOME
▼
Full Hermes + full GBrain runtime
│
│ write only inside user workspace
▼
GCS workspace persisted
clo0p job-completion API updated
Cloud Logging receives logs---
4. Runtime and Workspace Model
Runtime image
The shared runtime image contains:
- TypeScript/Bun worker orchestration;
- Python environment with Hermes Agent CLI installed;
- Bun/Node environment with GBrain CLI installed;
hermesexecutable onPATH;gbrainexecutable onPATH;- versioned workspace templates;
- source renderers;
- report generators;
- Cloud/GCS client libraries.
Per-user workspace
The durable per-user workspace lives under:
gs://cloop-memory-workspaces/users/{user_id}/Hydrated local shape:
/workspace/{job_id}/
hermes-home/
config.yaml
skills/
sessions/
logs/
cron/
plugins/
gbrain-home/
.gbrain/
config.json
brain.pglite/
migrations/
logs/
brain/
RESOLVER.md
ACCESS_POLICY.md
sources/
cloop/
people/
projects/
concepts/
meetings/
daily/
reports/
backfill/
digest/
insights/
runtime/
exports/
cursors/
manifests/
reports/
job-runs/Runtime env:
HERMES_HOME=/workspace/{job_id}/hermes-home
GBRAIN_HOME=/workspace/{job_id}/gbrain-home
GBRAIN_SOURCE=cloop-user
OPENAI_API_KEY=<injected from Secret Manager>Workspace template
Use a versioned full/real Hermes+GBrain workspace template:
cloop-memory-worker/templates/v1/
hermes-home/
config.yaml
skills/
cloop-memory-digest/
cloop-insight-report/
gbrain-home/
.gbrain/config.json
brain/
RESOLVER.md
ACCESS_POLICY.md
sources/
people/
meetings/
concepts/
reports/
runtime/
manifests/
cursors/Jobs should record and preserve template_version. Template migration should be supported before broader rollout, even if milestone 1 only has v1.
---
5. Hermes + GBrain Runtime Contract
Hermes invocation
The worker invokes Hermes as a CLI subprocess, not as an imported Python library.
Example shape:
hermes chat -q "<job prompt>" \
--provider openai \
--model gpt-5.4 \
--toolsets "skills,mcp,file,terminal"Exact toolsets can differ by runtime profile, but milestone 1 uses internal-full to feel the real value.
GBrain MCP
GBrain MCP must be launched by Hermes via stdio MCP only.
No HTTP sidecar in v1.
Hermes config template:
mcp_servers:
gbrain:
command: /usr/local/bin/gbrain
args:
- serve
timeout: 60
connect_timeout: 60When Hermes spawns the MCP child, gbrain serve inherits:
GBRAIN_HOME=/workspace/{job_id}/gbrain-home
GBRAIN_SOURCE=cloop-userAcceptance requires proving in Cloud Run that Hermes can launch GBrain MCP and call GBrain tools successfully.
---
6. Runtime Profiles
Milestone 1 starts with internal-full.
internal-full
Purpose: feel the full Hermes/GBrain value against a real rich internal user.
Allowed:
- full Hermes installed;
- full GBrain installed;
- GBrain MCP;
- filesystem writes inside the user workspace;
- deterministic renderers;
- GBrain import/embed/extract/dream;
- Hermes synthesis prompts;
- terminal subprocesses inside the worker container as needed by the runtime;
- read-only clo0p memory export API;
- job completion API.
Forbidden:
- Supabase service role in worker;
- raw integration refresh tokens in worker;
- source writes;
- cross-user workspace access;
- user-visible external actions unless explicitly added later.
user-memory-prod
Deferred. This is the future locked-down customer-grade profile.
Expected differences:
- narrower Hermes toolset;
- no arbitrary terminal in the agent loop;
- no browser/messaging/external-write tools;
- stricter network and cost controls;
- same workspace and export architecture.
---
7. Credential and Secret Model
OpenAI key
Use a separate GCP Secret Manager secret for the memory runtime OpenAI key.
Secret name suggestion:
cloop-memory-openai-api-keyIt may initially contain the same value as clo0p's existing OPENAI_API_KEY, but it should be operationally separate.
Rules:
- inject into Cloud Run Job at runtime;
- do not write it to GCS workspace;
- do not write it to
hermes-home/.env; - do not write it to
gbrain-home/.gbrain/config.json; - do not include it in logs/reports/JSONL/GBrain pages;
- tag model usage by
job_id,user_id,job_type,runtime_profile, andtemplate_versionwhere possible.
Supabase credentials
The Cloud Run worker must not receive Supabase service role credentials.
The worker receives:
CLOOP_MEMORY_EXPORT_URL;CLOOP_MEMORY_EXPORT_TOKEN;- job completion endpoint URL;
- job-scoped token with
memory_export:readandmemory_job:completescopes.
Supabase service role remains inside clo0p-app / control plane.
GCP service account
Use a dedicated service account:
cloop-memory-worker@...Minimal IAM:
- Secret Manager Secret Accessor for
cloop-memory-openai-api-key; - GCS read/write for the memory workspace bucket/prefix;
- Cloud Logging writer;
- Cloud Run Job execution basics;
- no project Editor;
- no Supabase secret;
- no integration OAuth secrets.
---
8. Source Access Model
Use short-lived job-scoped memory-export tokens.
Token claims should include:
{
"sub": "memory_job:<job_id>",
"user_id": "<target-user-id>",
"job_id": "<job-id>",
"job_type": "backfill_digest | hourly_digest | insight | inventory",
"runtime_profile": "internal-full",
"scope": ["memory_export:read", "memory_job:complete"],
"allowed_sources": ["..."],
"exp": "short expiry"
}The memory export API validates:
- signature;
- expiry;
- job_id;
- user_id;
- requested source allowlist;
- read-only scope;
- redaction policy.
The worker calls the job-completion API instead of writing Supabase rows directly.
---
9. Supabase Control Plane Tables
Add minimal control-plane tables in clo0p-app/supabase/migrations/.
Schema names/fields can be adjusted during implementation, but the model is:
memory_workspaces
Purpose: one row per enabled user workspace.
Fields:
iduser_idworkspace_uriruntime_profiletemplate_versionstatuslast_backfill_atlast_digest_atlast_insight_atcreated_atupdated_at
memory_jobs
Purpose: job queue/status/control metadata.
Fields:
iduser_idworkspace_idjob_type:inventory | backfill_digest | hourly_digest | insightruntime_profiletemplate_versionstatus:queued | running | completed | failed | cancelledattempttriggered_bysource_countsoutput_countserror_summaryreport_uristarted_atfinished_atcreated_atupdated_at
memory_artifacts
Purpose: pointers to workspace reports/artifacts.
Fields:
iduser_idjob_idartifact_type:inventory_report | backfill_report | digest_report | insight_report | raw_export_manifestworkspace_pathsummarymetadatacreated_at
Actual memory content stays in GCS workspace, not Supabase.
---
10. Memory Export API
Support both backfill and incremental from day one at the interface level.
Endpoint shape:
POST /api/internal/memory-export/jobs/{job_id}/batches
Authorization: Bearer <job-scoped-token>Request:
{
"mode": "backfill | incremental | inventory",
"cursor": {},
"source_keys": ["granola_transcripts", "chat_sessions"],
"limit": 500
}Response:
{
"records": [],
"next_cursor": {},
"source_counts": {},
"has_more": true,
"redactions": []
}Rules:
- paginated typed JSON/JSONL batches;
- stable order;
- full high-value raw text inline where practical;
- source-specific checksums;
- redaction report;
- supports inventory counts before full backfill;
- wrappers for private/sensitive sources such as Granola transcripts.
---
11. Source Inventory / Export Manifest
Milestone 1 must include a source inventory/export manifest before full backfill.
Suggested path:
cloop-memory-worker/manifests/memory-export-manifest.yamlEach source entry should define:
source_key: granola_transcripts
table_or_wrapper: granola1.granola_transcripts wrapper
signal_level: raw
backfill_strategy: all rows for user ordered by meeting_started_at
incremental_cursor: fetched_at/analyzed_at/content_hash
include_fields:
- title
- meeting_started_at
- attendees
- notes
- transcript
- analysis
- content_hash
exclude_fields: []
redaction_policy: private_user_memory_only
gbrain_mapping: brain/sources/cloop/granola-transcripts/
expected_volume: mediumInitial high-signal source list
Raw / high-value evidence
granola1.granola_transcripts- full transcript/notes, attendees, analysis, content_hash.
- private schema; wrapper required.
public.chat_sessions+public.chat_messages- full in-app chat sessions/messages.
public.meeting_notes- meeting note text/json linked to calendar events.
msg.inbound_messages- normalized inbound messages and parse results; raw payload only if redacted/needed.
Product-shaped memory
social.activity_events- cross-integration relationship/event rail.
- note:
rawis intentionally capped around 8KB, so not sufficient for full raw evidence. social.contacts- contact summaries/dossiers.
social.event_contacts- person/event edges and roles; may include per-edge notes.
public.checklist_items- tasks, commitments, reasoning, deadlines, checked/dismissed state, source refs.
public.checklists- daily checklist state.
public.checklist_containers- Compass grouping and priority landscape.
public.briefings- generated summaries and content markdown.
public.user_profiles- user root profile,
user_md, timezone, onboarding responses/preferences. public.user_rules- explicit standing rules/preferences.
public.user_preferences- focus/container UI preference signals.
public.feedback- product feedback and preferences.
Observability / source health
public.connections- redacted metadata only.
- include provider/display/status/heartbeat stats.
- exclude access_token/refresh_token/raw secrets.
public.heartbeat_poll_log- source volume/freshness coverage.
public.agentic_drafts- generated action drafts/history, treated as derived system output.
public.checklist_action_log- action audit history.
msg.outbound_messages,msg.delivery_log,msg.message_events- what clo0p sent and delivery state.
rules.digest_subscriptions- digest schedule/preferences.
Usually exclude or summarize only
wa.*operational/auth tables.- verification codes and channel verification secrets.
- raw token/cursor material unless redacted and explicitly useful.
- marketing/public form submissions unless relevant to the target user/admin case.
infra.jobsexcept memory job observability.
---
12. Evidence and Memory Layers
Backfill and hourly digest use two layers.
Layer 1 — Evidence/source layer
Deterministic and idempotent.
- Export typed JSONL batches.
- Preserve raw JSONL permanently for milestone 1/internal-full.
- Render deterministic source markdown pages from JSONL.
- Do not ask Hermes to freestyle evidence filing.
- Key by
record_id + checksum + renderer_version.
Raw export layout:
runtime/exports/
backfill/{job_id}/
manifest.json
granola_transcripts.batch-000.jsonl
chat_sessions.batch-000.jsonl
social_activity_events.batch-000.jsonl
checklist_items.batch-000.jsonl
hourly/{job_id}/
manifest.json
changed-records.batch-000.jsonlLayer 2 — Memory/value layer
Hermes + GBrain read the evidence and compound it.
- Run GBrain import/embed/extract.
- Run GBrain dream/maintenance where appropriate.
- Run Hermes/GBrain synthesis prompts.
- Promote people, meetings, projects, concepts, open loops, contradictions, and insights.
- Write cited reports and derived pages.
---
13. Evidence Rendering
Use deterministic source-specific renderers.
Initial renderer set:
renderUserProfilerenderUserRulesrenderConnectionSummaryRedactedrenderGranolaTranscriptrenderChatSessionrenderMeetingNoterenderSocialActivityEventrenderSocialContactrenderChecklistItemsrenderBriefingrenderFeedbackrenderMessagingInboundrenderHeartbeatSourceHealth
Markdown frontmatter should include:
---
title: "Granola: Weekly planning"
type: source
source_system: cloop
source_table: granola1.granola_transcripts
source_id: "..."
record_type: granola_transcript
user_id: "..."
occurred_at: "..."
updated_at: "..."
checksum: "sha256:..."
sensitivity: private
digest_job_id: "..."
renderer_version: "v1"
---Page granularity
Use hybrid granularity:
High-value raw artifacts get one page per artifact:
- Granola transcript: one page per meeting/transcript.
- Meeting note: one page per meeting note/event.
- Briefing: one page per briefing/date.
- Chat session: one page per chat session.
- Important social event: one page per event if rich enough.
Small/operational records get grouped pages:
- Checklist items: grouped by day/week/source with individual anchors.
- Social activity events: grouped by day/source unless high-value.
- Heartbeat poll logs: daily source-health pages.
- Messaging events: grouped by channel/day/thread.
- Connection metadata: one redacted source-coverage page.
- User profile/rules/preferences: one user root/profile page.
---
14. Idempotency and Cursors
Use both timestamps/cursors and checksums.
Discovery:
updated_atcreated_atfetched_atanalyzed_atmeeting_started_atcontent_hashsource_ref
Correctness:
- compute checksum over exported included/redacted fields.
Render skip:
skip if record_id + exported_record_checksum + renderer_version unchangedRe-render when:
- checksum changes;
- renderer_version changes;
- source grouping changes;
- manual re-render requested.
Synthesis can be re-run without re-exporting if only Hermes/GBrain prompts change.
---
15. Jobs
Inventory preflight
Purpose: verify Charlie has useful data before full backfill.
Inputs:
- target Charlie user_id;
- source manifest;
- job-scoped export token.
Outputs:
- source counts by key;
- approximate bytes where available;
- redaction/skipped field summary;
- workspace report;
memory_jobscompletion metadata.
Backfill digest
Purpose: initialize Charlie's full user memory workspace.
Steps:
1. hydrate or create workspace from template;
2. call memory export API in backfill mode;
3. preserve raw JSONL batches;
4. render deterministic source pages;
5. run gbrain import / embed / extract;
6. invoke Hermes CLI with GBrain MCP for synthesis;
7. run GBrain dream/maintenance if appropriate;
8. write backfill report;
9. persist workspace to GCS;
10. call job-completion API.
Hourly digest
Purpose: recurring incremental memory update.
Milestone 1 executes this manually as an hourly simulation, not scheduled fanout.
Steps:
1. hydrate workspace;
2. load cursor/checksum manifest;
3. call memory export API in incremental mode;
4. preserve raw incremental JSONL;
5. render changed evidence pages;
6. run lighter GBrain import/embed/extract;
7. write digest report;
8. persist workspace;
9. call completion API.
Insight cron
Purpose: prove the system is learning and compounding.
Boundary:
- reads only workspace/GBrain/export manifests;
- does not call Supabase/export API directly by default.
Output should include:
- what changed since last insight;
- emerging themes;
- important people/projects;
- open loops;
- contradictions or low-confidence items;
- cited evidence links;
- why the system is useful.
---
16. Reports and Observability
Full reports live in the workspace. Supabase stores pointers/summaries only.
Workspace report layout:
brain/reports/
backfill/2026-05-30__{job_id}.md
digest/2026-05-30T14__{job_id}.md
insights/2026-05-30__daily.md
runtime/reports/
backfill/{job_id}.json
digest/{job_id}.json
insights/{job_id}.json
runtime/job-runs/{job_id}.jsonMilestone 1 observability is:
- Supabase
memory_jobsrows; - Cloud Run logs;
- workspace job-run JSON;
- workspace markdown reports.
No internal status page for milestone 1.
Reports should include a capability summary:
Source write capability: none
Supabase service role in worker: no
Integration credentials in worker: no
Allowed API scopes:
- memory_export:read
- memory_job:complete
Workspace write capability: gs://cloop-memory-workspaces/users/{user_id}/...No explicit before/after Supabase source-write audit is required in milestone 1.
---
17. New Monorepo Service
Create:
cloop-memory-worker/Initial structure:
cloop-memory-worker/
Dockerfile
package.json
tsconfig.json
README.md
manifests/
memory-export-manifest.yaml
templates/
v1/
hermes-home/
config.yaml
skills/
gbrain-home/
.gbrain/config.json
brain/
RESOLVER.md
ACCESS_POLICY.md
sources/
people/
meetings/
concepts/
reports/
runtime/
manifests/
cursors/
src/
cli.ts
jobs/
inventory.ts
backfillDigest.ts
hourlyDigest.ts
insight.ts
workspace/
hydrate.ts
persist.ts
lock.ts
manifest.ts
export/
client.ts
types.ts
renderers/
granolaTranscript.ts
chatSession.ts
socialActivityEvent.ts
checklistItems.ts
briefing.ts
userProfile.ts
sourceHealth.ts
gbrain/
commands.ts
hermes/
runHermes.ts
prompts.ts
reports/
backfillReport.ts
digestReport.ts
insightReport.ts
tests/The worker orchestration is TypeScript/Node/Bun and shells out to Hermes/GBrain CLIs.
---
18. Staged E2E Verification Plan
Stage 0 — Spec and source inventory
Done when:
- this plan exists;
- source manifest exists;
- target Charlie user resolution path is defined;
- control table migration draft exists.
Stage 1 — Runtime smoke E2E
Done when a Cloud Run Job can:
- run the worker image;
- hydrate an empty/user workspace from GCS;
- set
HERMES_HOMEandGBRAIN_HOME; - invoke Hermes CLI;
- have Hermes launch GBrain stdio MCP;
- call at least one GBrain MCP tool;
- persist workspace back to GCS;
- log to Cloud Logging.
Stage 2 — Source inventory E2E
Done when:
- Charlie's user_id is resolved;
- a
memory_jobsrow is created; - a job token is minted;
- Cloud Run worker calls inventory/export API;
- source counts report is written to workspace;
- job completion API updates
memory_jobs.
Stage 3 — Backfill digest E2E
Done when:
- backfill exports JSONL for high-signal sources;
- raw JSONL is preserved;
- deterministic source pages are rendered;
- GBrain imports/embeds/extracts;
- Hermes synthesis runs with GBrain MCP;
- backfill report is generated;
- workspace persists to GCS.
Stage 4 — Insight E2E
Done when:
- insight job reads only workspace/GBrain;
- produces cited insight report;
- report is persisted and registered through completion API.
Stage 5 — Incremental/hourly simulation E2E
Done when:
- incremental export mode runs manually;
- cursors/checksums are used;
- changed pages are updated;
- digest report is generated.
Stage 6 — Broader E2E, out of scope but designed for
After Charlie works:
- second internal user;
- multiple selected internal users;
- scheduled hourly fanout;
- production-safe runtime profile.
---
19. Acceptance Criteria
Milestone 1 is complete when:
1. cloop-memory-worker/ exists and can build a Cloud Run Job image.
2. GCP infrastructure exists for:
- Artifact Registry image;
- Cloud Run Job;
- GCS workspace bucket;
- Secret Manager memory OpenAI key;
- worker service account.
3. Supabase has minimal memory workspace/job/artifact control tables.
4. clo0p-app exposes job-scoped:
- memory export inventory/batch API;
- job completion API.
5. Charlie's existing user can be selected as target by user_id/email/admin operation.
6. Runtime smoke proves Hermes CLI + GBrain stdio MCP works inside Cloud Run.
7. Inventory preflight produces source counts for Charlie.
8. Backfill digest preserves raw JSONL and renders deterministic evidence pages.
9. GBrain import/embed/extract runs over the rendered evidence.
10. Hermes uses GBrain MCP to synthesize a backfill/learning report.
11. Insight job produces a cited report using only workspace/GBrain inputs.
12. Incremental digest mode runs once manually and advances cursors/checksums.
13. Worker never receives Supabase service-role credentials.
14. Worker never persists OpenAI API key into workspace files.
15. Reports and job-run JSON are persisted in workspace and referenced from Supabase metadata.
---
20. Open Questions
These are not blockers for the plan but need decisions during implementation:
1. Exact Cloud Run Job trigger path from clo0p-app:
- direct GCP API call;
- Cloud Tasks;
- Pub/Sub.
2. Exact token signing mechanism:
- app secret JWT;
- asymmetric key;
- GCP/IAM-mediated signed token.
3. Exact GBrain model config:
- OpenAI embeddings vs ZeroEntropy vs existing GBrain defaults.
4. Exact Hermes model/provider config for the Cloud Run runtime.
5. How to capture token/cost metrics from Hermes/GBrain reliably.
6. Whether to group social.activity_events daily or one-page-per-rich-event in v1.
7. Whether to include msg.raw_payload at all or only normalized_text/parse_result.
8. Exact retention/lifecycle policy for raw JSONL after milestone 1.
9. Whether container_events exists in the current schema and should be included.
10. Whether Charlie's user has sufficient data across Granola/social/checklist/chat/briefings to prove value.
---
21. Implementation Contract for Agents
Objective:
Build milestone 1 of the per-user Hermes+GBrain memory runtime for one selected rich internal user, Charlie, on real GCP infrastructure.
Source of truth:
- This file.
AGENTS.mdmigration/auth discipline.cloop-memory-worker/manifests/memory-export-manifest.yamlonce created.- GCP deployment notes/status file once created.
Boundaries:
- Schema changes must be migrations in
clo0p-app/supabase/migrations/. - Never put Supabase service role into
cloop-memory-workerruntime env. - Never persist OpenAI keys into GCS workspace.
- Do not build all-user fanout in milestone 1.
- Do not build user-facing delete/export/status UI in milestone 1.
- Preserve full Hermes/GBrain behavior; do not replace them with simplified clones.
Validation evidence:
- local tests for source manifest/renderers;
- Supabase migration reset for schema changes;
- Cloud Run smoke job logs;
- GCS workspace artifacts;
- runtime smoke report;
- inventory report for Charlie;
- backfill report;
- insight report;
- incremental digest report.
Stop conditions:
- Hermes cannot launch GBrain stdio MCP inside Cloud Run;
- workspace cannot persist safely to GCS;
- Charlie has no meaningful source data;
- export API requires unsafe service-role leakage into the worker;
- OpenAI key would need to be written into per-user workspace.
---
22. Recommended Next Step
Write the implementation plan as a separate task breakdown, then execute Stage 0 and Stage 1 first.
The next implementation artifact should be:
cloop-memory-worker/README.md
cloop-memory-worker/manifests/memory-export-manifest.yaml
clo0p-app/supabase/migrations/<timestamp>_memory_runtime_control_plane.sqlStage 1 should prove the Cloud Run + GCS + Hermes CLI + GBrain stdio MCP runtime before building the full export/backfill path.