Wave 2 Hub-Authoring Spec — 2026-05-03
Delta from Wave 1 spec. Read
WAVE-1-DISPATCH-SPEC.mdfirst for universal template + integration variant + 7 Wave 1 clusters. This file ADDS governance + system variants, 9 new fields, 5 new clusters, dependency-ordered sub-agent grouping, and mandatory scope-change inserts surfaced by 4-parallel pre-flight scans (PF-A/B/C/D, 2026-05-03 19:00 UTC).
File paths (governance/ + systems/ dirs PRE-CREATED)
- Tier 2 integrations:
~/.openclaw/workspace/_hubs/integrations/<name>.md+ vaultwiki/_hubs/integrations/<name>.md - Governance hubs (NEW):
~/.openclaw/workspace/_hubs/governance/<name>.md+ vaultwiki/_hubs/governance/<name>.md - System hubs (NEW):
~/.openclaw/workspace/_hubs/systems/<name>.md+ vaultwiki/_hubs/systems/<name>.md
9 new universal fields (extend Wave 1’s 6)
For governance hubs:
enforcement-mode: cron | manual | memory-load | linter | n/a
incidents-derived-from: [<incident-id-list>]
validator-script: <path> | n/a
discord-alert-on-violation: yes:#ops | no | pendingFor system hubs:
live-state-probe: "<bash command>"
documented-count: <int> | n/a
live-count: <int> (probed at hub creation)
drift-percentage: "<N%>" | "0%"Both governance + system:
last-audit: 2026-05-03 # NEW; semantically distinct from last-drift-check (which is automated)Per-type variant tables
Governance hub Quick reference
| Field | Value |
|---|---|
| Gate ID | G-<NAME> | n/a |
| CLAUDE.md section | §<section> |
| Enforcement mode | cron | manual | memory-load | linter |
| Validator script | <path> | n/a |
| Discord alert | yes:#ops | no | pending |
| Feedback rules | [[memory/feedback_<x>]], ... |
| Incidents derived from | [<id-list>] |
| Violable by | Claude | agent | cron | external |
| Last known violation | <date + incident> | never recorded |
| Amendment | §A1 2026-05-01 | n/a |
| Phase status | active | planned | deprecated |
| Last audit | 2026-05-03 |Required body section (governance only):
## Feedback rule inventory
| Rule | Cluster | Enforcement | Last fire |
|---|---|---|---|
| [[memory/feedback_<x>]] | <11-cluster-enum> | <how> | <date> |System hub Quick reference
| Field | Value |
|---|---|
| Canonical file | <path> |
| Live state probe | `<bash>` |
| Documented count | <N> (source: <CLAUDE.md §X>) |
| Live count | <N> (probed: 2026-05-03) |
| Drift | <N%> | 0% |
| Last audit | 2026-05-03 |
| Drift alert | cron | manual | none |
| Governance gate | G-<NAME> | n/a |
| Owner agent | <name> |Required body section (system only):
## Live state snapshot (2026-05-03)
| Metric | Documented | Live (probed) | Drift | Status |
|---|---:|---:|---:|---|
| Total count | N | M | ±X% | ok | stale | drifted |
| Undocumented items | 0 | Y | — | <status> |
| Stale entries | 0 | Z | — | flagged |5 new cross-hub clusters (extend Wave 1’s 7)
| Cluster | Anchor | Members |
|---|---|---|
| Governance enforcement | g-gates-network | All 7 governance hubs + Wave 1 compliance-gates + cost-tracking |
| System catalog | service-registry | All 8 system hubs + Wave 1 hetzner/aws/cloudflare cross-link |
| LLM provider tier (RENAMES + EXTENDS Wave 1’s “LLM routing”) | portkey | anthropic + openrouter + moonshot-kimi |
| Real-estate data platform (NEW) | crmls | crmls + propstream + opentoclose + Wave 1 hubspot/investorlift |
| Doc-signing + payment (NEW, loose) | docusign | docusign + stripe (only 2 members; no dedicated hub) |
Mandatory scope-change inserts (PF-A surfaced)
| Hub | Mandatory insert |
|---|---|
| systems/mcp-registry | ”## ⚠️ Drift: CLAUDE.md says 8 MCP servers, MCP-INVENTORY.md lists 21 (8 active + 13 additional: stripe, github, google-workspace, discord, supabase, slack, postgres-diag, firecrawl, sequential-thinking, memory, notion, airtable, hubspot, perplexity). Document both tiers; flag CLAUDE.md update needed.” |
| systems/cron-timer-registry | ”Live count: 57 timers (probed 2026-05-03 via systemctl --user list-timers). CLAUDE.md says 62. Drift: -5 (under-documented). Plus: security-audit-funnel.timer last fired 2026-04-27 — missed multiple Mondays, G-FAILED-SERVICE-MTTR violation candidate.” |
| systems/service-registry | ”## ⚠️ 2 NEW failed services: investorlift-cookie-refresh.service (Playwright fails when AWS Mac impaired) + perplexity-daily-summary.service (failed 16:00 UTC 2026-05-03).“ |
| systems/port-registry | ”Reserved: 127.0.0.1:18901 for NemoClaw cred-proxy (pending B1-B3 ratification per nemoclaw-audit-2026-05-03).“ |
| systems/skill-registry | ”Pending skill dispo-buyer-match-ai (OSIL B13) NOT YET CREATED. Forward-ref only.” |
| integrations/docusign | ”## ⚠️ WAF allowlist staleness: last security-audit-funnel.timer run was 2026-04-27 (>6 days). DocuSign 90-day IP rotation check is overdue. Recommend manual run pre-publish.” |
| integrations/voyage | ”Already powers 44 SQLite memory DBs (~5,568 chunks fleet-wide). Cross-link supabase (chunks_vec). Phase E.2 vault-wikilink suggester will reuse this stack.” |
| integrations/openrouter | ”Stale key sk-or-v1-275e42eac7... documented in P0 security queue — already replaced in master.env, NEVER REVOKED at vendor. Rotation pending.” |
| integrations/moonshot-kimi | ”Single hub for one provider with two product names. proxy.js Fix #1 (Kimi 404 → per-model gating) documented here. KB at knowledge-base/moonshot/ is _audit-only — SOURCE MISSING for kimi.” |
| integrations/tailscale | ”SOURCE MISSING — no knowledge-base/tailscale/ dir. Authored from CLAUDE.md + FUNNEL-REGISTRY.md + Wave 1 cloudflare/aws hubs only. G-KB-SYNC-WITH-CLAUDEMD gap noted.” |
| integrations/apollo-hunter | ”Multi-vendor combined hub (Apollo + Hunter). Cascade pattern: Apollo /v1/organizations/enrich → Hunter /v2/email-finder fallback. Both KBs _audit-only — SOURCE MISSING; authored from il-marketplace-pull SKILL.md + enrich-contacts.js.” |
| integrations/propstream | ”SOURCE MISSING — no knowledge-base/propstream/ dir. Authored from .secrets/propstream.json (cred only — DO NOT QUOTE) + scripts/dispo-propstream-blast.js inspection.” |
| governance/g-gates-network | ”8 documented gates + 1 PROPOSED G-SKILL-MUTATION-AUDIT (per OSIL audit, pending Henry ratification). Phase 1.7 promised 22 — gap noted.” |
| governance/decision-log | ”Major ratifications this session: OSIL B1-B3, B6, B8-B12, B16. Q1-Q7 visual mapping + wikilink ratifications with 9 sharpenings. Wave 1 framework validated. Pending: B4 (skill mutation governance), B5 (Hermes side-by-side), B7 (cloud accounts), B13a/B14a/B15.” |
Sub-agent assignments (10 total: S0 + 9 hub-authoring)
PF-C confirmed: dirs PRE-CREATED (no longer S0 dependency). Internal sequencing within sub-agents per spec.
| Sub-agent | Scope | Internal sequence | Inter-agent dep |
|---|---|---|---|
| W2-S0 | Frontmatter pre-fix batch (46 files): 7 cluster-enum violations + 8 stealth-hub hub:true patches + 24 Wave 1 hubs supersedes:[]+blocks:[] + 5 workspace-docs full frontmatter + 1 YAML parse repair (feedback_aurora_outbound_guardrails.md) | n/a | dispatch FIRST; others wait until complete |
| W2-S1 | Governance core (5): sources-first → blockers-first → action-gate → g-gates-network → plan-governance | sources-first FIRST (others ref it) | after S0 |
| W2-S2 | Governance ref (2): memory-rule-clusters, decision-log | parallel | after S0; aggregates governance hubs ideally after S1 partial |
| W2-S3 | Agent + skill registries (2): agent-registry, skill-registry | parallel | after S0 |
| W2-S4 | Infra registries (4): port-registry → service-registry → webhook-architecture → mcp-registry | strict order; mcp-registry handles 8-vs-21 drift | after S0 |
| W2-S5 | workspace-registry, cron-timer-registry | parallel | WAIT for S3 (agent-registry must exist) |
| W2-S6 | Contracts/payments (2): docusign, stripe | parallel | after S0 |
| W2-S7 | LLM tier (3): voyage → openrouter → moonshot-kimi | voyage first (cross-links supabase) | after S0 |
| W2-S8 | Networking + enrichment (2): tailscale, apollo-hunter | parallel; both flag SOURCE MISSING | after S0 |
| W2-S9 | Real-estate platforms (3): crmls → opentoclose → propstream | strict order; propstream LAST flags SOURCE MISSING | after S0 |
Mandatory cross-references Wave 2 → Wave 1 (per PF-C)
These are HARD links (Wave 1 hubs all exist, no forward-refs):
- voyage → supabase, portkey, anthropic
- openrouter → portkey, anthropic
- moonshot-kimi → portkey, anthropic
- docusign → cloudflare (WAF), 1password, hubspot
- stripe → 1password, supabase
- tailscale → cloudflare, aws (Mac Ultra SSH), hetzner
- apollo-hunter → investorlift, 1password, supabase
- crmls → hubspot, 1password
- propstream → hubspot
- opentoclose → hubspot, 1password
- All 7 governance hubs → Wave 1 integration + process hubs as enforcement targets
- All 8 system hubs → Wave 1 hubs as catalog members
Plus: governance/g-gates-network → ALL 24 Wave 1 hubs (gate enforcement scope).
W2-S0 Detailed Patch List (46 files)
Cluster enum violations (7 files, P1):
1. wiki/system-map/_index.md cluster: 'vault-governance' → ['vault','governance']
2. plans/_index.md same
3. memory/_index.md same
4. wiki/workspace-docs/_index.md same
5. wiki/runbooks/_index.md same
6. sources/kb/_index.md same + add depends-on, supersedes, blocks, auto-link
7. memory/project_openclaw_vault_wikilink_optimization_2026-05-03.md same
Stealth hub elevations (8 files, P2 — hub:false → hub:true):
8. wiki/agents/aurora/_summary.md (84 incoming)
9. wiki/agents/acquisitions/_summary.md (58 incoming)
10. wiki/agents/atlas/_summary.md (55 incoming)
11. wiki/agents/anthropic/_summary.md (50 incoming)
12. wiki/agents/dispo/_summary.md (41 incoming)
13. wiki/agents/backfill/_summary.md (38 incoming)
14. wiki/system-map/tier1/agents-tier-structure.md (99 incoming) + add depends-on/supersedes/blocks
15. wiki/system-map/tier1/request-lifecycle.md (50 incoming) + add depends-on/supersedes/blocks
Wave 1 hub residual fields (24 files):
16-39. ALL 24 wiki/_hubs/integrations/*.md + wiki/_hubs/processes/*.md + wiki/_hubs/_index.md
fix: add supersedes: [] AND blocks: [] to frontmatter
Workspace-docs reference files (5 files, P3):
40. wiki/workspace-docs/ARCHITECTURE.md
41. wiki/workspace-docs/FUNNEL-REGISTRY.md
42. wiki/workspace-docs/AGENT-REGISTRY.md
43. wiki/workspace-docs/WORKSPACE-REGISTRY.md
44. wiki/workspace-docs/HENRY-PREFERENCES.md
fix: add full 7-field frontmatter (cluster per file: see PF-D output)
Other (2 files):
45. memory/feedback_aurora_outbound_guardrails.md REPAIR malformed YAML
46. wiki/system-map/tier1/ports-topology.md add depends-on:[], supersedes:[], blocks:[]
Important: most cluster violations + frontmatter additions apply to RSYNC MIRROR zone files. Wave 1 W1-S0 already learned this — fixes must go to canonical paths AND vault paths to survive next vault-sync. Specifically:
- Fixes 1-7 + 16-39 + 40-44 + 46 → APPLY AT CANONICAL SOURCE FIRST, then vault picks up via rsync (or apply to both for immediate visibility)
- Fix 45 (canonical memory) → APPLY AT
~/.claude/projects/-home-opsadmin/memory/feedback_aurora_outbound_guardrails.md - Fixes 8-15 (vault wiki/agents/, vault wiki/system-map/) → vault-native, fix in vault directly
Idempotency, secrets, governance
Same as Wave 1:
- All hubs new files; if exists, append
_v2and flag for Henry merge - G-NO-PLAINTEXT-CREDS: zero secrets; reference via
op://Aurora/<platform>/<field> - Asymmetry policy: incident → rule one-way (don’t auto-back-link)
- Density cap exemption via
hub: true
Output format (per sub-agent)
W2-S<N> RESULT: PASS | FAIL
HUBS_CREATED: <count> + paths
WIKILINKS_PER_HUB: avg / max / min
FORWARD_REFS_USED: <list>
SCOPE_CHANGE_INSERTS_APPLIED: <list>
CROSS_REFS_AUTHORED: <list>
SOURCE_MISSING_FLAGS: <list of hubs flagged>
ANOMALIES: <list>
NOTES: <Henry-relevant>
End spec.