Categories 6 (both edited) and 5 (VM newer) executed during this Phase 2 walkthrough with verification gates. Categories 1 (PC-only deployment-intent), 2 (VM-only classification), and 8 (secrets inventory) presented here as proposals with checkboxes for your review. Categories 3 (identical), 4 (no PC-newer files), and 7 (generated artifacts) need no Phase 2 work and are marked closed. After your review, an executable proceeds with the approved subset.
/opt/iexdg-mcp/iexdg_content_mcp_v3_2_apr22.py contains the full patcher block as of 2026-04-27 23:06 UTC. Provenance unconfirmed (another Claude session, manual run, or automation). Decision #4 lock revised to LOCKED + EXECUTED. Robert was correct earlier in the session when he said Perplexity was already wired. Changelog updated.

TOOLS/automation_scripts/, TOOLS/automation_output/, TOOLS/mcp/ but NOT TOOLS/ root. Four PC secrets at TOOLS/ root were missed: brain_bearer_token.txt, gmail_token.pickle, iexdg_apps_script_token.pickle, youtube_client_secrets.json. VM scope did not include /var/lib/iexdg-brain/, missing ~40 fastmcp OAuth state files. Phase 2 inventory below incorporates the remediated scan.

SQLiteStorage import was the persistence path, with in-memory fallback. Reality: fastmcp 3.2.4 falls back to a JSON-file-based KeyValue store at /var/lib/iexdg-brain/fastmcp/oauth-proxy/. Tokens, refresh tokens, JTI mappings, DCR client registrations all persist as individual JSON files. Decision #5 lock framing about "in-memory token store doesn't survive restart" was wrong on the actual deployed behavior. The SQLiteStorage upgrade is still a Phase 3 quality-of-life improvement (proper transactional storage vs. one-file-per-token), but it is no longer a correctness fix.

STRATEGY/IEXDG_Complete_Action_Ledger.html. Diagnosis confirmed: PC strictly newer with three appended sprint sections (Sprints 23, 24, 25 totalling +40,490 chars), no VM-side edits to PC content. Resolution: pushed PC → VM via scp + sudo install -m 644 -o caddy -g caddy. Three-layer verification: VM file size 260,703 B + sha256 c96963d7… matches PC; HTTP 200 from https://brain.iexdg.com/strategy/IEXDG_Complete_Action_Ledger.html with 260,703 served bytes; content markers Sprint 25 ×3, Culture Talkz ×7, Bootcamp Breakthrough ×1, PFDI ×5 all live in the served response. Rollback target preserved at _audit_apr27/vm_ledger_snapshot.html.
iexdg_content_mcp_v3_2_apr22.py · sha ff367600… · 80,473 B · contains Apr 27 brand patches + ideogram auto-inject + the corrective-finding Perplexity research() tool. PC backup at TOOLS/mcp/iexdg_content_mcp_v3_2_apr22.py.pre_phase2_backup.

Caddyfile · sha 663c6fe3… · 5,640 B · contains Apr 27 OAuth proxy routes (/auth/callback, /authorize, /register, RFC 8414 + RFC 9728 metadata, :8766 upstream). PC backup at vm_deploy/Caddyfile.pre_phase2_backup.

Heuristic scan of 26 top-level STRATEGY/*.html files for brain.iexdg.com, /srv/brain/public, and canonical-link markers. 4 files surfaced. The other 435 PC-only entries (TOOLS scripts, memory, archived dashboards, working artifacts, subdirectories of STRATEGY) are PC-by-design and need no Phase 2 action. Per-row recommendations below; the deploy-intent calls fall to your judgment.

| Approve | STRATEGY HTML (PC) | Size · mtime | Markers | Proposed action |
|---|---|---|---|---|
| | STRATEGY/Apr27_Session_Changelog.html | 44.2 KB · 2026-04-28 02:48 UTC | brain.iexdg.com x2, /srv/brain/public x1 | Likely PC-only by design (internal session log). brain.iexdg.com mentions are reference, not deploy intent. Recommend: do not deploy. |
| | STRATEGY/IEXDG_Brand_Rules_Apr27.html | 38.3 KB · 2026-04-27 13:15 UTC | brain.iexdg.com x1 | Internal documentation of brand-rule enforcement matrix. brain.iexdg.com mention is contextual, not deploy intent. Recommend: do not deploy. |
| | STRATEGY/IEXDG_Google_Cloud_Architecture_Apr27.html | 53.9 KB · 2026-04-27 07:42 UTC | brain.iexdg.com x21, /srv/brain/public x1 | Per Apr 27 changelog row: 'lives at brain.iexdg.com after deploy' (intended deploy target). 21 mentions of brain.iexdg.com confirm deploy intent. Recommend: deploy to /srv/brain/public/strategy/. |
| | STRATEGY/IEXDG_MCP_Connection_Paths_Apr27.html | 52.6 KB · 2026-04-27 06:49 UTC | brain.iexdg.com x5 | Per Apr 27 changelog row: visual aid built for DNicole's Mac connector confusion. 5 mentions of brain.iexdg.com. Recommend: deploy to /srv/brain/public/strategy/. |
0 unexplained. Every VM-only file maps to one of four explained buckets. The Sprint 21+ deploys missed the PC-mirror-creation step at the time, so 15 files exist on VM that should ideally have a PC mirror in vm_deploy/. That is the actual Phase 2 work: pull these 15 down so PC source-of-truth is complete before Phase 3 Git init.
Already accounted for in changelog. No Phase 2 action.
| Approve | VM path | Size | Note |
|---|---|---|---|
| | /opt/iexdg-mcp/iexdg_content_mcp_v3_2_apr22.py.bak-apr27 | 68.6 KB | Apr 27 backup of v3.2 pre-patch. Intentionally VM-only. |
Pull each from VM to vm_deploy/ (or appropriate PC sub-path), establish PC source-of-truth. Verify byte-identical post-pull.
| Approve | VM path | Size | Note |
|---|---|---|---|
| | /opt/iexdg-mcp/rag/ingest_session.py | 3.3 KB | RAG engine module. Per Sprint 21+ deploys. |
| | /opt/iexdg-mcp/rag/iexdg_rag_hook.py | 3.8 KB | RAG engine module. Per Sprint 21+ deploys. |
| | /opt/iexdg-mcp/rag/dashboard.py | 7.3 KB | RAG engine module. Per Sprint 21+ deploys. |
| | /opt/iexdg-mcp/rag/iexdg_rag_engine.py | 17.9 KB | RAG engine module. Per Sprint 21+ deploys. |
| | /opt/iexdg-mcp/rag/search_kb.py | 4.2 KB | RAG engine module. Per Sprint 21+ deploys. |
| | /opt/iexdg-mcp/rag/ingest_all.py | 14.0 KB | RAG engine module. Per Sprint 21+ deploys. |
| | /srv/brain/public/library.html | 22.9 KB | Static dashboard HTML or asset. Per Sprint 21+ deploys. |
| | /srv/brain/public/brain_system_explained.html | 17.1 KB | Static dashboard HTML or asset. Per Sprint 21+ deploys. |
| | /srv/brain/public/system_map.html | 28.4 KB | Static dashboard HTML or asset. Per Sprint 21+ deploys. |
| | /etc/systemd/system/iexdg-shadow-crawl.timer | 132 B | shadow-crawl.timer systemd unit. Per Sprint 21-23 deploys. PC mirror should exist in vm_deploy/. |
| | /etc/systemd/system/iexdg-analytics-advisor.service | 275 B | analytics-advisor.service systemd unit. Per Sprint 21-23 deploys. PC mirror should exist in vm_deploy/. |
| | /etc/systemd/system/iexdg-analytics-advisor.timer | 132 B | analytics-advisor.timer systemd unit. Per Sprint 21-23 deploys. PC mirror should exist in vm_deploy/. |
| | /etc/systemd/system/iexdg-brain-evolution.timer | 130 B | brain-evolution.timer systemd unit. Per Sprint 21-23 deploys. PC mirror should exist in vm_deploy/. |
| | /etc/systemd/system/iexdg-brain-evolution.service | 271 B | brain-evolution.service systemd unit. Per Sprint 21-23 deploys. PC mirror should exist in vm_deploy/. |
| | /etc/systemd/system/iexdg-shadow-crawl.service | 265 B | shadow-crawl.service systemd unit. Per Sprint 21-23 deploys. PC mirror should exist in vm_deploy/. |
Caddyfile backups from Apr 27 OAuth deploy. Keep on VM, do not migrate.
| Approve | VM path | Size | Note |
|---|---|---|---|
| | /etc/caddy/Caddyfile.bak-pre-consent-115316 | 5.3 KB | Pre-OAuth Caddyfile backups. Apr 27 deploy artifacts. Intentionally VM-only. |
| | /etc/caddy/Caddyfile.oauth.staged | 5.3 KB | Pre-OAuth Caddyfile backups. Apr 27 deploy artifacts. Intentionally VM-only. |
| | /etc/caddy/Caddyfile.bak-pre-oauth-apr27 | 3.7 KB | Pre-OAuth Caddyfile backups. Apr 27 deploy artifacts. Intentionally VM-only. |
Runtime data files. Do not commit to PC. Phase 3 Git init excludes these paths.
| Approve | VM path | Size | Note |
|---|---|---|---|
| | /opt/iexdg-mcp/ghl_posture.json | 9.0 KB | GHL posture observer output. Live state. |
| | /opt/iexdg-mcp/ghl_posture.db | 592.0 KB | GHL posture observer output. Live state. |
0 files in "Unexplained, investigate".
| Category | Status | Phase 3 implication |
|---|---|---|
| 3 · Identical (53 files) | No reconciliation needed. Hashes match. | Files stay where they are. Git init treats these as already-canonical. |
| 4 · PC newer (0 files) | Empty category. No work. | n/a |
| 7 · Generated · skip migration (387 entries) | Working artifacts (logs, content drops, audit outputs, RAG db, etc.). Listed for completeness only. | Add to .gitignore patterns at Phase 3 Git init. Sample patterns: TOOLS/automation_output/, _audit_apr27/, _brain_research_apr23_out*/, *.log, iexdg_knowledge.db*. |
Per your earlier decision, secrets handling is deferred to its own work item; this section is inventory only, not action proposals. Recommendations are for the eventual handling pass, not for tonight.
| PC path | Size | Kind | Phase 2/3 handling |
|---|---|---|---|
| STRATEGY/client_secret_918058969668-34gdqpptimgnq9jpvs5uorbbukthvqdk.apps.googleusercontent.com.json | 429 B | gcp oauth client secret (.json) | MOVE: Move to TOOLS/secrets/, add to .gitignore. Regenerate + revoke before Phase 3 Git init. |
| TOOLS/automation_scripts/client_secret_918058969668-aqjshutnlbhp43ksu1d6u592usrg2a7r.apps.googleusercontent.com.json | 414 B | gcp oauth client secret (.json) | MOVE: Move to TOOLS/secrets/, add to .gitignore. Different OAuth client (installed) than the STRATEGY one (web). Regenerate together. |
| TOOLS/automation_scripts/youtube_token.pickle | 1.2 KB | pickle (oauth token, NOT READ) | MOVE: OAuth refresh token. Move to TOOLS/secrets/, .gitignore. Re-auth flow if rotated. |
| vm_deploy/iexdg-mcp.env | 1.8 KB | env file (NOT READ) | MOVE: Real env file with API keys. NEVER commit. Phase 3: migrate to GCP Secret Manager (Gate 7). |
| vm_deploy/iexdg-mcp.env.template | 1.5 KB | unknown | KEEP: Template file (no real keys). Safe to commit. Reclassify out of secrets bucket. |
| TOOLS/brain_bearer_token.txt | 819 B | bearer token (txt, archived per Apr 24 deploy memory) | MOVE: Caddy bearer token archive. Move to TOOLS/secrets/, .gitignore. |
| TOOLS/gmail_token.pickle | 2.3 KB | pickle (oauth token, NOT READ) | MOVE: OAuth refresh token. Move to TOOLS/secrets/, .gitignore. Re-auth flow if rotated. |
| TOOLS/iexdg_apps_script_token.pickle | 1.2 KB | pickle (oauth token, NOT READ) | MOVE: OAuth refresh token. Move to TOOLS/secrets/, .gitignore. Re-auth flow if rotated. |
| TOOLS/youtube_client_secrets.json | 361 B | gcp oauth client secret (.json) | MOVE: Move to TOOLS/secrets/, add to .gitignore. |
| VM path | Size | Kind | Phase 2/3 handling |
|---|---|---|---|
| /etc/default/iexdg-mcp | 3.9 KB | env file (NOT READ) | PATH-ONLY: Real env file. Phase 3 Gate 7: migrate to GCP Secret Manager. Already partially scaffolded per Sprint 23 (3 of 3 secrets created in Secret Manager, VM scope flip pending). |
| /var/lib/iexdg-brain/fastmcp/ (directory tree, ~40 files) | ~80 KB total | fastmcp OAuth proxy state (JSON files): registered DCR clients, refresh tokens, JTI mappings, transaction state, upstream tokens | PATH-ONLY: Persistent OAuth state. Phase 3: explicit handling spec for OAuth state migration (Git init must NOT include this directory; live VM data only). Backup strategy if VM rebuilt. |
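
An added example (not the project's own tooling) of a filename-only secrets inventory that walks a tree from its root, so files sitting directly in TOOLS/ are not skipped the way the first scan skipped them. The patterns mirror the rows above; the rule order, the function names and the sample tree are assumptions of this example.

```python
import fnmatch
import os
import tempfile

# Patterns and labels follow the inventory tables above; the rule order and
# all function names are assumptions of this example.
RULES = [
    ("*.template", "template (no real keys)", "KEEP"),
    ("client_secret*.json", "gcp oauth client secret (.json)", "MOVE"),
    ("*client_secrets.json", "gcp oauth client secret (.json)", "MOVE"),
    ("*.pickle", "pickle (oauth token, NOT READ)", "MOVE"),
    ("*.env", "env file (NOT READ)", "MOVE"),
    ("*token*.txt", "bearer token (txt)", "MOVE"),
]

def classify(name):
    """Return (kind, handling) for a filename, or None; first match wins."""
    for pattern, kind, handling in RULES:
        if fnmatch.fnmatch(name.lower(), pattern):
            return kind, handling
    return None

def inventory(root):
    """Walk the whole tree under root, files in root itself included."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                # os.stat only: contents are never opened (the NOT READ rule).
                rows.append((rel, os.stat(full).st_size, *hit))
    return sorted(rows)

def build_sample_tree(root):
    """Constructed sample layout with dummy bytes, no real secrets."""
    for rel in ("TOOLS/gmail_token.pickle", "TOOLS/brain_bearer_token.txt",
                "TOOLS/automation_scripts/youtube_token.pickle",
                "TOOLS/mcp/server.py", "vm_deploy/iexdg-mcp.env",
                "vm_deploy/iexdg-mcp.env.template"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * 16)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*inventory(tmp), sep="\n")
```

Listing *.template first keeps vm_deploy/iexdg-mcp.env.template out of the MOVE bucket, matching the reclassification recommended in the PC table.
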
TOOLS/, most plausibly used by:

- gmail_token.pickle · the email-sending scripts: _send_dnicole_audit_digest_apr27.py, _send_format_email_apr25.py, send_apr13_progress_email.py, plus daily_content_drop.py and content_drop_v2.py for the nightly drop email. Scopes per memory: readonly + send + modify.
- iexdg_apps_script_token.pickle · the Apps Script Web App bridge that proxies the VIS Captures Google Sheet (vis_sheets_bridge.gs). Used by content drop pipeline to read captures + set status.
- youtube_token.pickle at TOOLS/automation_scripts/ · YouTube API access for youtube_watcher.py, youtube_manager.py, batch_transcribe.py, the daily content drop pipeline.

Use the per-row checkboxes above to approve specific actions. Once the approved subset is identified, the executable Phase 2 wraps as one mechanical pass:
| Approve | Action | Effect |
|---|---|---|
| | Deploy approved Category 1 HTMLs to /srv/brain/public/strategy/ | Static HTMLs become reachable at brain.iexdg.com/strategy/. Caddy serves immediately. Sub-second per file. |
| | Pull approved Category 2 CHANGELOG_PRIOR files to vm_deploy/ (and PC subdirectories as appropriate) | Establishes complete PC source-of-truth for the 15 Sprint 21+ deploy artifacts. No VM changes. Verify byte-identical post-pull. |
| | Defer secrets handling to Phase 3 prep work item | No action tonight. Phase 3 Git init pre-work creates TOOLS/secrets/, builds .gitignore, plans Secret Manager migration. |
.gitignore draft exists for Phase 3, (d) the three Apr 28 verification corrections are reflected in their source documents (changelog row updates already done for Perplexity; Decision #5 framing correction pending). After close-out, Phase 3 Git init is the next step.