Wave 1 Hub-Authoring Spec — 2026-05-03

Authoritative spec for all Wave 1 sub-agents. Read in full before authoring. References pre-flight findings PF-A/B/C/D + WikiLink Plan Δ2 + MISSING-LAYERS-BACKLOG.md.

Where files go (canonical paths — Wave 1 writes here, NOT vault)

Integration hubs: /home/opsadmin/.openclaw/workspace/_hubs/integrations/<name>.md
Process hubs: /home/opsadmin/.openclaw/workspace/_hubs/processes/<name>.md
Hub-of-hubs: /home/opsadmin/.openclaw/workspace/_hubs/_index.md

After writing, vault-sync timer (every 15 min) propagates to vault wiki/_hubs/. Wave 1 also writes to vault for immediate visibility: /home/opsadmin/openclaw-vault/wiki/_hubs/<...> — same content, both paths. This is the “always backfill canonical” pattern.

Universal frontmatter (every hub — 10 fields)

---
title: <Hub Name>
type: integration-hub | process-hub
domain: <crm | sms | voice | llm | data | infra | governance | comms | devops | identity>
status: production | staging | retired | planned
criticality: critical | high | normal | low
ownership: claude-authored
hub: true
auto-link: false
audience: [henry, claude]
cluster: [<canonical enum: governance|vault|ops|trading|messaging|infra|agent|ai-arch|security|data|system-map>]
last-reviewed: 2026-05-03
 
# Six new universal fields (PF-B):
cred-proxy-eligible: pending | yes | no | n/a
dedup-table: <Supabase table name + TTL> | n/a
tool-calls-write: yes | no | n/a
governance-gates-enforced: [<list of G-* gate IDs>]
last-drift-check: 2026-05-03 | n/a
infra-config-change-row: yes | no | n/a
 
related: ["[[wiki/_hubs/<sibling>]]"...]   # 5+ peer hubs
depends-on: []                              # prerequisite hubs
---

Universal body skeleton

# <Hub Name>
 
<one paragraph: what this hub is, when to read it, who owns it. ≤80 words.>
 
## Quick reference
 
| Field | Value |
|---|---|
| (per-type variant — see below) |
 
## Components
 
- `<file-path-1>` — <one-line>
- `<file-path-2>` — <one-line>
- (3-8 bullets — these become wikilinks where applicable)
 
## How it's used
 
- <bullet 1: trigger condition>
- <bullet 2: workflow>
- <bullet 3: agents involved>
- <bullet 4: failure mode>
- <bullet 5: success criteria>
 
## Cross-links
 
### Agents that touch this
- [[wiki/agents/<name>/_summary]] — <role>
 
### Skills that invoke this
- [[wiki/skills/<name>]] — <role>
 
### Plans that govern this
- [[plans/<name>]] — <status>
 
### Feedback rules
- [[memory/feedback_<name>]] — <rule summary>
 
### KB / source docs
- [[sources/kb/<platform>/README]] — <doc type>
 
### System maps
- [[wiki/system-map/<map>]] — <which view>
 
## Open issues / TODOs
- <item>
 
## Recent activity
- 2026-05-03: hub created

Per-type Quick Reference variants

Integration hub (15 hubs in Wave 1)

| Vendor | <name> |
| URL | <vendor.com> |
| KB doc | [[sources/kb/<platform>/README]] |
| Auth method | <HMAC | Bearer | query-param token | OAuth | API key> |
| Auth credential | `op://Aurora/<platform>/<field>` |
| Cred-proxy port | n/a (until B1-B6 ratified) | 127.0.0.1:18901 |
| Webhook port | :NNNN | n/a |
| Webhook handler | [[wiki/webhooks/<handler>]] | n/a |
| Webhook dedup table | processed_webhook_events (24h TTL) | n/a |
| Tunnel path | /webhook/<platform> | n/a |
| Outbound API base | <url> |
| Rate limits | <documented limits> |
| Rate-limit action | <429 → exp backoff (3 retries), Discord #ops alert> |
| Cost | <pricing model + monthly typical> |
| Backup/recovery | <vendor-owned | PITR | manual> |
| Discord alert channel | #ops | #incidents |
| Drift cadence | weekly (security-audit-funnel.timer) | on-API-change | manual |
| Status | production | staging | retired |

Process hub (8 hubs in Wave 1)

| Stages | <Stage 1 → Stage 2 → ...> |
| Primary agent | [[wiki/agents/<name>/_summary]] |
| Supporting agents | [[wiki/agents/<x>/_summary]], [[wiki/agents/<y>/_summary]] |
| Agent handoff chain | <Acq → Aurora → Dispo → Atlas> (ordered) |
| Compliance gates list | [<gate-computer, blast-safety, TCPA quiet-hours, opt-out, 10DLC>] |
| Skills invoked | [[wiki/skills/<skill1>]], [[wiki/skills/<skill2>]] |
| Success metrics | <KPI + Supabase view> |
| Cost per stage | <approx LLM/SMS cost> |
| Throughput | <volume/day> |
| Last run result | <date + outcome (pass/fail, volume, cost)> |
| Failure modes | <list of common failures + recovery> |

7 cross-hub clusters — embed cross-links in each hub

Each hub MUST have a ## Related cluster section linking peers:

Cluster	Member hubs	Cluster anchor
SMS/Carrier compliance	salesmsg, twilio, openphone-quo, compliance-gates, project_osil_twilio_10dlc_resubmission_2026-05-03	Twilio hub
LLM routing	anthropic, portkey, (openrouter Tier 2), (moonshot-kimi Tier 2)	Portkey hub
Credential layer	1password, (cred-proxy plan ref), all integration hubs as consumers	1password hub
Webhook/tunnel	hubspot, openphone-quo, twilio, salesmsg, discord, cloudflare	Cloudflare hub
Infra/compute	hetzner, aws, cloudflare, github	Hetzner hub
Voice subsystem	twilio, openphone-quo, livekit-deferred (B10 deferred to CTIE pipeline)	Twilio hub
Memory/embeddings	anthropic, portkey, supabase, (voyage Tier 2)	Supabase hub

Mandatory scope-change inserts (PF-A findings)

Embed in the relevant hub:

Hub	Mandatory insert
twilio	”## ⚠️ A2P 10DLC repeat-denial active — TCPA risk uncapped, gates ALL OSIL SMS tiers. See osil-twilio-10dlc-resubmission-2026-05-03 B14 (pending B14a Henry signoff).“
openphone-quo	Same 10DLC blocking flag. Cross-link Twilio hub.
compliance-gates	List the 5 pre-send gates (gate-computer, compliance-gate, blast-safety, thread-context, response-generator). Reference 10DLC additions from B14.
anthropic	Document dual Max plan path: `:18900` (primary, henryRERI) + `:18903` (teamsteph@betterfiles.com Max via anthropic-max-router serving 40 agents). Reference proxy.js Fix #1 (Kimi 404) + Fix #16 (cache_control on max-plan path).
portkey	Same dual-port. CHOKEPOINT-1 (tool_calls write) is enforced here. tool-calls-health-check.timer runs every 5 min for drift detection.
aws	”## Status: AWS EC2 Mac Ultra `impaired` since 2026-05-02 22:15 UTC. EBS state preserved. Resume next session via AWS Console reboot. ROOT KEY ROTATION P0 PENDING (used in this session, plaintext in master.env).“
salesmsg	”## ⚠️ P0 security: `/etc/systemd/system/salesmsg-gateway.service` hardcodes `ANTHROPIC_API_KEY=sk-ant-api03-C4A75YcCl...` plaintext. Rotation pending.”
investorlift	”Mandatory: scraping ALWAYS via AWS Mac Ultra (ec2-user@100.123.248.46). VPS IP CloudFront-blocked (403). See CLAUDE.md InvestorLift Scraping section.” Plus: cross-reference osil-il-ai-replication-2026-05-03 (B13 displacement track).
hubspot	Document dual pipeline: acq 877963314 + dispo 816046. H2 sections per pipeline. KB has 13 files including ASSOCIATIONS-API.md, CALLING-SDK.md, COMMUNICATIONS-API.md, CONVERSATIONS-API.md, TIMELINE-EVENTS-API.md.
github	Reference `traewayrer/openclaw-vault` private repo (the vault). 21+ overnight sub-agent commits.
discord	Reference all alert types: vault-sync, security-audit-funnel, friction-report, cost-overage.
1password	LiveKit creds added (OSIL B10 ratified). Aurora vault structure.
cloudflare	Tunnel + WAF (DocuSign IP allowlist 90-day rotation) + DNS. 3 H2 sections. FUNNEL-REGISTRY.md governance.

10 cross-references between Tier 1 hubs (PF-A)

Author each at the LINKING-FROM end:

salesmsg → twilio (SMS/voice cluster)
openphone-quo → twilio (voice fallback + 10DLC compliance)
anthropic → portkey (LLM routing)
portkey → cost-tracking (CHOKEPOINT-1 → cost flow)
investorlift → aws (Mac Ultra dependency)
anthropic → nemoclaw (pending B1 ratification — link as [[plans/nemoclaw-audit-2026-05-03]])
1password → aws (root key rotation pending)
github → cloudflare (vault security posture)
compliance-gates → twilio (10DLC additional gates)
supabase → cost-tracking (tool_calls + infra_config_changes tables)

Sub-agent assignments (PF-C revised, 9 + 1 = 10 total)

Sub-agent	Scope (with sequencing)	Dependencies
W1-S0	Frontmatter pre-fix batch (vault-native files only): 42 agent _summary cluster fixes (`agents` → `["agent"]`); 8 _index.md cluster fixes (`vault-governance` → `["vault","governance"]`); 3 tier1 maps add `auto-link: false`; 3 OSIL maps add full schema; AGENTS.md root → add hub frontmatter; create OSIL stub redirect file	none
W1-S1	1password.md (FIRST anchor — establishes op:// pattern)	none
W1-S2	salesmsg.md, openphone-quo.md, twilio.md (SMS/voice cluster)	forward-ref 1password (S1)
W1-S3	hubspot.md, investorlift.md (deal-source CRMs)	forward-ref 1password, supabase (S4), aws (S7)
W1-S4	supabase.md (alone — largest data dependency, 5 projects)	forward-ref 1password
W1-S5	portkey.md THEN anthropic.md (portkey first per CHOKEPOINT-1; anthropic references portkey)	forward-ref 1password
W1-S6	discord.md, slack.md, github.md (notifications + DevOps)	forward-ref 1password, cloudflare (S7)
W1-S7	cloudflare.md, hetzner.md, aws.md (infra layer)	forward-ref 1password
W1-S8	compliance-gates.md → deal-ingestion.md → outreach-stage1.md → followup-stages-2-3-4.md (dependency-ordered)	forward-ref all integrations from S1-S7
W1-S9	acquisitions-lifecycle.md, dispo-lifecycle.md, buyer-blast.md, cost-tracking.md, _index.md (orchestrating + index LAST)	forward-ref all integrations + S8 process hubs

Forward-reference policy

Sub-agents authoring in parallel cannot see each other’s outputs. Forward-references like [[wiki/_hubs/integrations/1password]] are OK and EXPECTED — both files will exist by Wave 1 completion. Audit phase verifies all wikilinks resolve. The Pass 1 overnight already proved this works (5 tier1 maps forward-ref’d _index.md before it existed; both ended up coherent).

Idempotency

All hubs are NEW files. Sub-agents must NOT overwrite if the file exists from a prior run — instead append _v2 and flag in output for Henry to merge.

NemoClaw + LiveKit — DO NOT add hubs in Wave 1

Per PF-C: pre-operational, no KB content, no production data flow. Reference as wikilinks to [[plans/nemoclaw-audit-2026-05-03]] and [[livekit-deferred]] (broken link OK; will be resolved when OSIL Phase 6 ships in Wave 2 or Wave 3).

OSIL master hub

Create as STUB redirect at /home/opsadmin/.openclaw/workspace/_hubs/_OSIL.md (and vault wiki/_hubs/_OSIL.md) — single short page that points to:

openclaw-self-improvement-layer-2026-05-03 (master plan)
project_openclaw_self_improvement_layer_2026-05-03 (project memory)
vm-osil-overview (visual map)
Sub-projects: osil-il-ai-replication-2026-05-03, osil-twilio-10dlc-resubmission-2026-05-03, nemoclaw-audit-2026-05-03

Frontmatter: type: domain-hub | hub: true | cluster: ["ai-arch", "vault"] | auto-link: false. Owner: W1-S0 creates this alongside the frontmatter pre-fix batch.

Output format (per sub-agent)

W1-S<N> RESULT: PASS | FAIL
HUBS_CREATED: <count + list with file paths>
WIKILINKS_PER_HUB: <avg + max + min>
FORWARD_REFS_USED: <count + which hubs they target>
SCOPE_CHANGE_INSERTS_APPLIED: <which mandatory inserts shipped>
CROSS_REFS_AUTHORED: <which inter-hub cross-refs added>
ANOMALIES: <list>
NOTES: <Henry-relevant>

Time budget per sub-agent

W1-S0: ~30 min (mass frontmatter fixes)
W1-S1, S4: ~30 min each (1 hub)
W1-S2, S3, S5, S6, S7: ~45-60 min each (2-3 hubs)
W1-S8: ~60 min (4 process hubs in dependency order)
W1-S9: ~60-90 min (5 hubs including final _index.md)

Wave 1 clock time at full parallelism: ~90 min.

Rule constraints (universal)

G-NO-PLAINTEXT-CREDS: zero secrets in any hub. All credentials referenced as op://Aurora/<platform>/<field> or “stored in 1Password vault Aurora”.
Asymmetry policy: don’t auto-bidirectional links. Incident → rule is one-way.
Density cap: hub: true exempts; max 100 wikilinks otherwise.
Idempotent: if file exists from prior run, append _v2 instead of overwrite.

End spec.

Quartz 4

Explorer

Wave 1 Hub-Authoring Spec