Sources First Governance Hub
The MANDATORY Sources First protocol (CLAUDE.md §“MANDATORY: Sources First”) requires that before writing any code or recommending any architecture, Claude must check the nearest source of truth, list what was checked (paths + last_verified dates), verify field names against live API responses, and label any ungrounded suggestion SOURCE MISSING or NEEDS VERIFICATION. Enforcement mode is memory-load — this rule fires at every session start from on-session-start.sh. Read this hub when starting any new integration, extending any existing API handler, or authoring any plan with external platform dependencies.
Quick reference
| Field | Value |
|---|---|
| Gate ID | n/a (protocol, not a cascade-failure gate) |
| CLAUDE.md section | §“MANDATORY: Sources First” (line ~41) |
| Enforcement mode | memory-load (fires via on-session-start.sh) |
| Validator script | n/a |
| Discord alert | pending |
| Feedback rules | feedback_no_assumptions, feedback_never_assumptive_audit, feedback_audit_before_architect, feedback_live_over_memory, feedback_source_master_env_before_checking, feedback_systemctl_cat_before_env_claims |
| Incidents derived from | binance-eu-plan-miss-2026-05-03 (modal case — 51% KB docs invisible), salesmsg-field-name-bugs (event.contact_phone didn’t exist), direction-field-miss (m.direction didn’t exist), message-object-miss (event.message was object not string) |
| Violable by | Claude, agent |
| Last known violation | 2026-05-03: Binance/EU plan drafted without checking moonshot KB — SOURCE MISSING flag not emitted |
| Amendment | n/a |
| Phase status | active |
| Last audit | 2026-05-03 |
Components
~/CLAUDE.md§“MANDATORY: Sources First” — authoritative rule text + 7-step procedure/home/opsadmin/.openclaw/workspace/knowledge-base/— 138 KB platform dirs (canonical source list)/home/opsadmin/.openclaw/tools/hooks/on-session-start.sh— loads protocol into context at session start/home/opsadmin/.openclaw/workspace/TOOLS.md— credential reference (G-NO-PLAINTEXT-CREDS crossover)/home/opsadmin/.openclaw/workspace/ARCHITECTURE.md— system-level source of truth for service topology
KB platform list (138 dirs — authoritative)
Full enumeration from CLAUDE.md §“Platforms with KB docs”:
Original 34: airtable, anthropic, betteracquisitions, betterescrows, betterfiles, cloudflare, crewai, crmls, discord, docusign, elevenlabs, github, glide, google-workspace, hubspot, llamaindex, make, n8n, openai, openclaw, openphone, openrouter, opentoclose, portkey, postgresql, quickbooks, salesmsg, slack, stripe, supabase, twilio, voyage, whatsapp, zapier
Audit 2026-05-01 added 35 (G-KB-SYNC-WITH-CLAUDEMD): 1password, 1stbet, 21st-dev, anthropic-frontend, bencium-ux, binance-us, bitsgap, bluebubbles, coinbase, crypto-arbitrage, crypto-trading, deribit, equinedge, hiver, hummingbot, hyperliquid, interactive-brokers, investorbase, investorlift, kalshi, manifold, metaculus, polybacktest, polymarket, predexon, prediction-trading, security, sent-dm, sportradar, sportsdataio, templates, ui-ux-pro-max, vercel-composition, vercel-react-perf, vercel-web-design
OSIL 2026-05-03 added 27: dspy, gepa, reflexion, voyager, honcho, mem0, letta, textgrad, karpathy-autoresearch, agentskills, evoagentx, self-improving-agent, halo, langfuse, phoenix-arize, deepeval, promptfoo, trulens, patronus, livekit-agents, vapi, retell, elevenlabs-conversational, instructor, langgraph, autogen, metagpt
Drift backfill 2026-05-03 added 56: apollo-io, argilla, aws, bark-tts, binance, bitfinex, bitmart, bls, brave, bybit, chattts, deepseek, dune, estonia-eresidency, f5-tts, fal, figma, firecrawl, fred, gate-io, gemini, godaddy, google-cloud-console, google-search-console, groq, hf, htx, hunter-io, kimi, kraken, langfuse, lovable-dev, metabase, mexc, moonshot, newsapi, odds, okx, ollama, openvoice, perplexity, polymarket-us, promptfoo, propertychecker, redis, replicate, resend, retool, runpod, shortio, sim, spark-tts, temporal, together, tortoise-tts, trigger
Voice substrate added 2026-05-03: cartesia, deepgram, assemblyai, playht, hume, resemble, inworld, google-cloud-voice
How it’s used
- Trigger condition: Any time Claude is about to write code, recommend architecture, or reference an API field name
- Workflow: (1) Identify platform → (2) Check
knowledge-base/<platform>/→ (3) List what was checked with paths + last_verified date → (4) Verify field names against live API/docs → (5) If doc missing, write SOURCE MISSING and ask - Agents involved: All agents (protocol is universal); _summary most frequent trigger
- Failure mode: Ungrounded suggestion shipped as code → field-name bugs, broken webhook handlers, wrong API endpoint paths
- Success criteria: Every code PR has a “Sources Checked” section in its delivery; zero undeclared SOURCE MISSING in shipped code
Seven-step protocol (verbatim from CLAUDE.md)
- Check nearest source of truth — KB docs in
knowledge-base/{platform}/; API.md, WEBHOOKS.md, CREDENTIALS.md - List what you checked — include paths/links and last_verified date
- Verify field names, endpoint paths, response shapes, and rate limits from the docs
- Never assume field names — check actual API responses
- Test with a live API call first if docs don’t cover the exact use case —
curl+ inspect response shape - If you cannot find the source — write SOURCE MISSING and ask where it is
- Any suggestion not grounded in sources — label NEEDS VERIFICATION
Past bugs prevented by this protocol
| Bug | Platform | Field assumed | Actual field | Date |
|---|---|---|---|---|
| Contact phone missing | SalesMsg | event.contact_phone | event.contact.number (after spread) | pre-2026 |
| Direction flag wrong | SalesMsg | m.direction === 'out' | user_id > 0 for outbound | pre-2026 |
| Message object | SalesMsg | event.message (string) | object (not string) | pre-2026 |
| Binance/EU KB miss | Moonshot/Kimi | (entire KB) | SOURCE MISSING — kimi KB is _audit-only | 2026-05-03 |
Cross-links
Agents that touch this
- _summary — highest-frequency trigger; all CH outreach API calls
- _summary — HubSpot + InvestorLift API calls
- _summary — data enrichment, Supabase queries
Skills that invoke this
- acquisitions-outreach — 5-gate compliance with KB-verified SMS fields
- il-marketplace-pull — IL API calls; SOURCE MISSING for Playwright path
- hubspot-deal-ingest — HubSpot field verification before writes
Plans that govern this
- openclaw-fragmentation-fix-2026-05-01 — Phase 1.7: enforcement crons
- openclaw-self-improvement-layer-2026-05-03 — B6: KB coverage expansion
- nemoclaw-audit-2026-05-03 — cred-proxy pattern adoption
Feedback rules
- feedback_no_assumptions — never assume field names without verification
- feedback_never_assumptive_audit — don’t claim X works without checking
- feedback_audit_before_architect — run audit phase before proposing architecture
- feedback_live_over_memory — prefer live API response over training memory
- feedback_source_master_env_before_checking — master.env is canonical credential source
- feedback_systemctl_cat_before_env_claims — check live unit file before env claims
- feedback_check_resources_before_asking — grep first before escalating to Henry
KB / source docs
- WEBHOOKS — salesmsg webhook field names (past bugs here)
- API — HubSpot pipeline IDs + field names
- API — OpenPhone event shapes
- README — Supabase project IDs + table schemas
System maps
- request-lifecycle — full data flow from webhook to agent
- agents-tier-structure — which agent touches which platform
Related cluster
Governance enforcement cluster (anchor: g-gates-network):
- blockers-first — Q+R protocol before acting
- action-gate — confirmation before side-effects
- plan-governance — plan Q&A + amendments
- compliance-gates — 5 pre-send compliance gates
- 1password — credential layer (G-NO-PLAINTEXT-CREDS crossover)
Feedback rule inventory
| Rule | Cluster | Enforcement | Last fire |
|---|---|---|---|
| feedback_no_assumptions | governance | memory-load | 2026-05-03 (Binance/EU) |
| feedback_never_assumptive_audit | governance | memory-load | 2026-05-03 |
| feedback_audit_before_architect | governance | memory-load | 2026-05-03 |
| feedback_live_over_memory | governance | memory-load | unknown |
| feedback_source_master_env_before_checking | security | memory-load | 2026-05-02 |
| feedback_systemctl_cat_before_env_claims | infra | memory-load | 2026-05-01 |
| feedback_check_resources_before_asking | governance | memory-load | 2026-05-03 |
| feedback_verify_schema_before_designing | data | memory-load | unknown |
| feedback_pre_build_index_verification | governance | memory-load | unknown |
Open issues / TODOs
- No enforcement cron yet — Phase 2 of fragmentation-fix will ship
weekly-index-audit.timer - 14 pending G-gates from Phase 1.7 not yet published as enforcement rules; see g-gates-network
_audit-only KB dirs (moonshot/kimi, propstream, tailscale) are SOURCE MISSING — track via openclaw-self-improvement-layer-2026-05-03 B6- G-KB-SYNC-WITH-CLAUDEMD gap: 138 listed in CLAUDE.md but KB dir count should be verified live
Recent activity
- 2026-05-03: hub created (W2-S1)
- 2026-05-03: Binance/EU plan loss caused by moonshot KB miss — incident_derived rule confirmed