Agents consistently ignore written instructions about memory routing
and default to writing local MEMORY.md files regardless of rules in
RUNTIME.md, CLAUDE.md, or MEMORY.md itself. Instructions alone are
insufficient — a technical gate is required.
Changes:
- Add tools/qa/prevent-memory-write.sh — PreToolUse hook that blocks
Write/Edit/MultiEdit to ~/.claude/projects/*/memory/*.md (exit 2)
- Register hook in runtime/claude/settings.json PreToolUse array
- Update runtime/claude/RUNTIME.md: replace soft "Memory Override"
note with hard-gate policy, what-goes-where table, and rationale
- Rewrite guides/MEMORY.md: OpenBrain as primary layer, blocked silos
table, project continuity files, how-the-hook-works section
The correct behavior is now the only possible behavior for Claude Code.
All agent learnings route to OpenBrain where every harness can read them.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- credentials.sh: add turbo-cache and openbrain cases (load_credentials openbrain
exports OPENBRAIN_URL + OPENBRAIN_TOKEN from credentials.json .openbrain.*)
- credentials.sh: update --help text and error messages to list new services
- TOOLS.md: mark Coolify as DEPRECATED (superseded by Portainer Docker Swarm)
- TOOLS.md: update Shared Credential Loader service list (turbo-cache, openbrain)
- TOOLS.md: add OpenBrain section — primary shared memory layer, REST API patterns,
Python client usage, MCP note, and mandatory usage table
credentials.sh is always overwritten on reinstall (not in PRESERVE_PATHS), so all
agents that run install.sh will automatically get openbrain credential support.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Show individual step names with OK/FAIL/RUN/SKIP/WAIT status
- Show error messages and exit codes for failed steps
- Convert epoch timestamps to ISO 8601
- Always fetch full pipeline detail (list endpoint lacks workflows)
- Fix started_at/finished_at field names (API uses started/finished)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add -a <instance> flag to all Authentik wrapper scripts, matching the
existing multi-instance pattern used by Woodpecker and Cloudflare.
credentials.json now supports per-instance Authentik config:
authentik.<instance>.url — instance URL
authentik.<instance>.token — API token (admin wrappers)
authentik.<instance>.test_user — username/password (Playwright/agent tests)
authentik.default — default instance name
Legacy flat structure (authentik.url) still works as fallback.
Token cache is now per-instance (~/.cache/mosaic/authentik-token-<name>).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Woodpecker tokens from credentials.json now always override env vars,
preventing stale .bashrc or env leakage from silently winning
- After loading, credentials are synced to ~/.woodpecker/<instance>.env
so the wp CLI wrapper stays current automatically
- Sync only writes when values differ to avoid unnecessary disk I/O
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add prdy-status.sh for quick one-liner PRD health check (short/json output)
- Inject PRD section count and assumption count into agent system prompt
so the agent knows PRD state at session start without running validate
- Add status subcommand to mosaic prdy routing and help text
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
POSIX ERE doesn't support non-greedy +? quantifier, so the pattern
([^/]+?)(\.git)?$ matched .git as part of the repo name instead of
stripping it. Split into two sed passes: strip .git first, then
extract owner/repo.
Fixes wp_detect_repo() and init-project.sh CICD_REPO_NAME.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Woodpecker v3 requires numeric repo IDs in API endpoints, not
owner/repo path segments. The old paths hit the SPA frontend
catch-all and return HTML, which downstream tools misinterpret
as auth failure (401).
- Add tools/woodpecker/_lib.sh with wp_resolve_repo_id() helper
that calls /api/repos/lookup/{owner}/{repo} to get numeric ID
- Update all 3 pipeline scripts to resolve repo ID before API calls
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add named instance support matching the existing cloudflare pattern:
- credentials.sh: woodpecker-<name> loads .woodpecker.<name>.{url,token}
- credentials.sh: bare woodpecker resolves via .woodpecker.default or
WOODPECKER_INSTANCE env, with legacy flat-key fallback
- All 3 pipeline tools accept -a <instance> flag to select instance
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Previously `mosaic coord status` only said "No active session" with no
indication of whether a mission existed. Now shows mission name, status,
milestones/tasks progress, and actionable next steps.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- zone-list, record-list, record-create, record-update, record-delete
- Named instance support (-a flag) with configurable default
- Zone name-to-ID auto-resolution in shared _lib.sh
- Updated credentials loader with cloudflare/cloudflare-<name> services
- TOOLS.md and INFRASTRUCTURE.md guide documentation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
