← ORBIS Cockpit

ORBIS Alter - Master Plan

Steady-state at ~130 readiness. Maintenance + LOCK-001 sync tracking. 22 tasks. Single source of truth.
All 46 0 0 18 27
Color transition law (read once, apply forever)
TransitionStatusTrigger
🔴 to 🟢AllowedExternal barrier lifted
🟡 to 🟢AllowedFounder provided data / decision / document / input
🟢 to 🔵AllowedTask completed; commit landed
🔵 to anythingForbidden🔵 is irreversible
🟢 to 🟡Exception onlyRequires written explanation in commit
🟢 to 🔴ForbiddenCannot quietly punt to "external"
New 🔴ForbiddenFrozen as of 2026-05-07
Recurring task exception: monthly + quarterly maintenance items cycle 🟢 → 🔵 → new 🟢 row spawned for next cycle. The 🔵 row is historical, never reverted.

MAINT - Maintenance recurring 5 tasks

IDTaskCycleColorDateCommit
AM.1Monthly Alter health check: review uptime % over past 30 days from systemd journal, error rate from Sentry orbis-alter project, memory growth (table sizes in Alter Supabase project peceprzqoivfdqezaofj)monthly2026-05-07audit-2026-05-08
AM.2Quarterly Alter dependency audit: npm audit in Alter/alter/, review package.json vs current security advisories, upgrade major-version-aged packages where safe (currently @sentry/node 7.x is on the older but supported branch)quarterly2026-05-07audit-2026-05-08
AM.3Monthly Alter Gmail OAuth token refresh check: confirm oauth-grace-expiry.js cron is firing correctly, no near-expiry tokens, no auth errors in logsmonthly2026-05-07audit-2026-05-08
AM.4Monthly Alter knowledge base size check: count rows in agent_memory, archived vs active, growth pace. Archive cycle running per memory-summarizermonthly2026-05-07audit-2026-05-08
AM.5Quarterly Alter feature roster review: walk through Alter/alter/src/services/ and confirm each active service is still used by founder. Decommission unused services to reduce surface areaquarterly2026-05-07audit-2026-05-08

LOCK - LOCK-001 sync tracking Alter ↔ Personal 3 tasks

IDTaskCycleColorDateCommit
AL.1Pending port: Decision Support (Alter services/decision-support.js, 256 LOC) to Personal Universal as lib/decision-support.js. Module already copied to Personal but NOT WIRED. See Personal master plan PD.2. This row is the Alter-side mirrorone-shot2026-05-0766b4a74
AL.2Annual review of 3 ALTER-ONLY exceptions confirmed 2026-05-02: Voice Profile (identity-bound calibration), YouTube Posting Suite (founder MindsetMaverick channel, OAuth scope risk without F&B-audience case), Dating Coach (out of Personal positioning, sensitive data). Verify each exception still warrantedannual2026-05-07audit-2026-05-08
AL.3Document any Alter feature added since previous LOCK-001 audit. Founder names new service, Claude assesses portability and recommends ALTER-ONLY mark or port plantriggered2026-05-0999e00a6
AL.4WhatsApp Outbound foundation deployed across all 3 products: 6 DB tables, 4 lib modules (wa-contacts, wa-stop-detector, wa-audit, wa-outbound-relay), addon catalog entry, template-fallback mappings. orbis-universal + Alter commit chain. LOCK-001 satisfiedone-shot2026-05-11ed21ee2
AL.518 Meta WhatsApp templates (6 base x 3 langs en/ru/ka) submitted via Graph API + all APPROVED. Idempotent submission script alter/src/scripts/wa-submit-templates.js. All UTILITY categoryone-shot2026-05-11920d002
AL.6First real WhatsApp outbound deliveries via Alter-number to third-party contacts: Pavel Lobanov (+13476342560) + Shorena (+13236830801). Both via ai_message_relay_ru template with AI Act disclosure header. Meta webhook confirmed deliveryone-shot2026-05-11manual-relay
AL.7615 unique contacts bulk-imported into wa_contacts from founder's Google Contacts + iPhone vCard. Dedup at E.164 (libphonenumber + Georgian-prefix fallback). Two import scripts (Google + vCard)one-shot2026-05-104ee6640
AL.8Contact-share intercept live: when founder forwards vCards via WhatsApp "+ → Contacts → Send" to Alter number, message-handler.js saves them to wa_contacts and replies with summary. Raw payload DLQ at /opt/alter/var/wa-contact-share-dlq.jsonlone-shot2026-05-1099e00a6

CANARY - Canary protocol process discipline 4 tasks

IDTaskCycleColorDateCommit
AC.1Pre-feature checklist: any new Alter cron or service requires LOCK-001 evaluation BEFORE implementation. Document expected disposition (port to Personal or ALTER-ONLY rationale) before writing codetriggered2026-05-0999e00a6
AC.2Validation period: any new Alter feature runs in production on founder's data for at least 14 days before considering Personal port. This is the canary's whole point - prove value on real data firsttriggered2026-05-09
AC.3Port quality gate: when porting an Alter service to Personal, the Personal version must reach the same calibration depth (synthetic E2E plus real founder-data E2E) as the Alter version had at port timetriggered2026-05-07
AC.4Maintain personal_port_gap_<date>.md memory file as the live ledger of pending/completed/ALTER-ONLY ports. Update on any Alter feature change. Successor ledger project_wa_outbound_foundation_2026-05-08.md for active buildtriggered2026-05-0999e00a6
AC.5Georgian transliteration in lib/wa-contacts.expandQueryVariants: extend Cyrillic-Latin map with Georgian script. Query like "შორინა" should match "Shorena". 33-letter Mkhedruli mapping + Georgian nickname dictionaryone-shot2026-05-11
AC.6Personal + Business outbound endpoint wiring: /api/{personal,business}/addons/whatsapp-outbound/{activate,deactivate} with compliance checkbox + DPA signature; contacts CRUD + CSV import. LLM tools already registered (06fb2aa), endpoints pendingone-shot2026-05-11
AC.7Google Contacts sync cron: daily delta sync via People API. Per-tenant for Personal/Business (per-manager OAuth); single-tenant for Alter. Auto-upsert into wa_contactsone-shot2026-05-11
AC.8Quality monitor cron: hourly check of WABA quality_rating + messaging_tier. Auto-pause outbound when rating drops to YELLOW/RED, Sentry alert, manual resume gateone-shot2026-05-11
AC.9Double opt-in flow worker: cron that ages wa_opt_in_state pending rows. YES -> add to wa_contacts. STOP or 7-day TTL -> auto-suppress. Required for CSV-import pathone-shot2026-05-11
AC.10DPA generator: produces Data Processing Agreement PDF with EU SCCs + sub-processor disclosure (Meta, Supabase, DigitalOcean) when manager activates manage_whatsapp_outbound. Manager signs electronically; signature_metadata captured in client_addonsone-shot2026-05-11
AC.11Single source of truth for template definitions: wa-submit-templates.js currently hardcodes 18 templates' bodies which also live in audits/2026-05-08-whatsapp-template-pack-v1.md. Merge into one data file consumed by bothone-shot2026-05-11

PRIVACY - Founder data protection 4 tasks

IDTaskCycleColorDateCommit
AP.1Quarterly Alter database backup verification: pull Supabase backup snapshot for project peceprzqoivfdqezaofj, restore to staging, verify integrity. (Companion to Business Universal GAP-E)quarterly2026-05-07audit-2026-05-08
AP.2KMS encryption decision for Alter at-rest data (linked to Business Universal item H.1 in tech-debt). Founder picked GCP KMS 2026-05-09 (already-paid GCP account, single login, cheapest). Implementation pending: provision keyring, integrate via google-cloud/kms node SDK, migrate sensitive fields from env-key to KMS-wrapped DEKone-shot2026-05-09
AP.3Annual Alter access scope review: list all Google OAuth scopes Alter currently holds (Gmail full, Calendar, Drive, YouTube force-ssl), confirm each still required, drop unusedannual2026-05-07audit-2026-05-08
AP.4Founder Alter data export ability: documented procedure for the founder to export his own Alter data (memory rows, contacts, briefs). Right-to-data-portability principle even for sole user. Estimated: 2 to 3 hours to write export script + runbookone-shot2026-05-0762f9fc4

HEALTH - Health-of-stand 4 tasks

IDTaskCycleColorDateCommit
AH.1Sentry orbis-alter project: alert rule calibration after 30 days of production data (matches Business GAP-D pattern but for Alter). Tune thresholds based on actual error volumeone-shot2026-05-07audit-2026-05-08
AH.2Monthly Alter Sentry digest: founder reads error summary from orbis-alter Sentry project, decides whether each open issue is "fix now" / "fix later" / "wontfix"monthly2026-05-07audit-2026-05-08
AH.3Service uptime SLO definition for alter.service: target 99% over 30 days (about 7.2 hours acceptable downtime). Define measurement method via systemd journal and Sentry session-trackingone-shot2026-05-07c030ee0
AH.4Cron observability for Alter service-side crons: any Alter cron failure should fire Sentry alert via the existing orbis-alter DSN routing. Verify wiring (companion to Business GAP-J but Alter-specific)one-shot2026-05-0708bf324
AH.5Close 8 behavioral failure modes caught in May 6-7 prod log: time-hallucination, ask-vs-act, no-repeat-of-visible, hard-rule-consistency, vision-prereq, URL-invention, fact-confabulation, parallel-question+action. Implemented as BEHAVIORAL GUARDRAILS section in system-prompt.md + VISION-PREREQ guard + RED override-line in dating-coach.js. LOCK-001: ported to Personal Universal personal-prompt.md commit e56d8b3one-shot2026-05-07868949f
AH.6Fix YouTube monitor: passes video ID where YouTube API expects channel ID for allThreadsRelatedToChannelId parameter; 144 errors per 30 days. Patch youtube-monitor.js to use correct ID typeone-shot2026-05-08already-fixed-2026-04-28
AH.7sendTemplate header_params bug closed on BOTH sides of LOCK-001: Alter services/whatsapp.js + orbis-universal lib/whatsapp-client.js. Component ordering preserved (header before body before buttons). Verified by real Shorena delivery post-fixone-shot2026-05-11ed21ee2
AH.8Banned the phantom "разработчик" attribution: system-prompt WHO DOES WHAT HARD RULE + TOP-OF-PROMPT NON-NEGOTIABLE block. Triggered after Alter confabulated "жду шаблон от разработчика" atop real Meta 132000 errorone-shot2026-05-11d798b60
AH.9Code review round-1 fixes: wa-audit return shape upgraded to {id, ok, skipped, error}; relay propagates audit_failed + audit_error; contact-share intercept writes raw vCard to DLQ before parse; expandQueryVariants extracted into shared lib/wa-contacts so 3 product agents reuse itone-shot2026-05-1099e00a6