📘 Blueprint — Project Documentation

pcblueprint — Session Runbook · 52 sessions across 4 repos · click any session card to get its prompt

0 of 52

0 done 0 ready 0 blocked 0 waiting ·

👋 How to use: Click a session card to open its full prompt, info, and mark-complete button. Sessions unlock automatically as prereqs are marked done.

🤝 Onboarding doc for a new Claude Code chat — open this if you're a fresh session picking up from 2026-04-25.

📍 Status as of 2026-04-25

S00–S04e, S04g, S04h, S05a, S05b, S05c, and S06a are ✅ done (all R0). S04f is ⏸ deferred (post-S12 cleanup). The 2026-04-25 evening pivot reorganised the remaining work into five releases (R0 Foundation → R1 Private Archive Browser → R2 AI Chat → R3 Visual Identity → R4 Mobile + Offline) with a strict "default styling first, dazzle last" discipline — see the 🎯 Product re-focusing tile in the Changelog tab. Total: 52 sessions (was 55; dropped 9 Next.js+MUI scaffolding sessions, added 6 server-rendered HTML sessions). S06b is currently ⏳ waiting on Zepp/Strava credential resets; the rest of R0 (S06c/d/e/f, S16a/b) plus all of R1 (R1-01..R1-09) are pickable. Recommended next pickup: R1-01 (Auth core — first R1 session, gates the whole release).

💻 Machine / working context

Working dir: C:\Users\apcan\Downloads\Blueprint Tasks\ (this runbook HTML)
Local clones: C:\Users\apcan\pcblueprint-api, C:\Users\apcan\pcblueprint-archive, C:\Users\apcan\pcblueprint-website, C:\Users\apcan\pcblueprint-sync.
Always git fetch && git pull before starting a session — the local clones lag behind origin.
Claude memory files live at C:\Users\apcan\.claude\projects\C--Users-apcan-Downloads-Blueprint-Tasks\memory\ — MEMORY.md is the index. Auto-loaded by Claude Code; read on session start for the most up-to-date conventions, gotchas, and cross-session decisions.

🐙 GitHub (via `gh` CLI)

Installed at C:\Program Files\GitHub CLI\gh.exe, authed as apcanario (HTTPS, token stored in keyring, scopes include repo + workflow).
Repos: apcanario/pcblueprint-api, apcanario/pcblueprint-archive, apcanario/pcblueprint-website, apcanario/pcblueprint-sync.
PR flow: push branch → gh pr create → wait for Pedro's approval → gh pr merge <n> --squash --delete-branch.

🖥️ NAS (Synology DS423+ — the production server)

SSH: ssh apcanario@192.168.1.69 — keyless, ed25519 key already authorized (~/.ssh/id_ed25519 on this machine).
Live archive path: /volume2/pcblueprint-archive (api reads/writes here via the bind mount at /data/archive). Owned node:node (set by the api entrypoint; see Dockerfile). Do not read from /volume1/pcblueprint-archive — orphan, slated for S04f deletion.
Env vars are inline in /volume2/docker/api/compose.yaml under the environment: key (no separate .env file on the api side). Contains API_KEY, GIT_AUTHOR_*. Never echo values to chat; reference by name only.
api is reachable on the NAS at http://localhost:3030 (host) → 3001 (container). Externally via the Cloudflare tunnel (see cloudflared container).
Docker CLI: at /usr/local/bin/docker (not on apcanario's default PATH — always use the full path). apcanario is in the docker group and the socket (/var/run/docker.sock) is chgrp'd to docker with g+rw. Caveat: that socket perm reverts on NAS reboot — S06c makes it permanent via DSM Task Scheduler.
Inside-container work: ssh apcanario@192.168.1.69 "/usr/local/bin/docker exec -u node pcblueprint-api sh -c 'cd /data/archive && <git cmd>'". Git works because the Dockerfile sets safe.directory /data/archive and the entrypoint chowns the mount to node.
Archive remote URL on NAS bakes in the GitHub PAT (works, but rotating means rewriting .git/config — S06c can switch to a credential helper).

🐳 Docker projects on the NAS (Container Manager → Project)

/volume2/docker/api/compose.yaml — api project. Runs pcblueprint-api + Watchtower + cloudflared. Auto-updates on new image push to ghcr.io/apcanario/pcblueprint-api:latest. Joined to the pcblueprint external network for inter-container DNS.
/volume2/docker/sync/compose.yaml — sync project (created in S06b). Runs pcblueprint-sync; image pulled from ghcr.io/apcanario/pcblueprint-sync:latest; joined to the same pcblueprint external network. Currently waiting on Zepp/Strava credentials before first docker compose up -d.
/volume2/docker/git-clone2/compose.yaml — git-clone2 project. Confirmed in S06a as a one-shot alpine/git clone; never ran past initial. Slated for deletion in S04f.
/volume2/docker/compose.yaml — orphan git-clone project. Clones to /volume1. Harmless but slated for deletion in S04f.

📜 Standing rules (follow strictly — encoded in every session prompt too)

Never paste secret values into chat or PR bodies — reference by env var name only.
Don't modify package-lock.json. If npm install drifts it, git checkout -- package-lock.json. The drift is owned by S04h, not other sessions.
Never read files >30 KB. Use git mv for moves. Don't boot the dev server — Pedro does runtime verification. Commit in small chunks.
If scope widens past the session's stated goal, STOP and hand back a note.
Don't modify the live NAS system unless the session explicitly says to. Touch the git repos; let deploys propagate via Watchtower.
After every merge, run the closing checklist (HTML done-flip + scrum-master increment + downstream-impact triage). Encoded in every session prompt.

pcblueprint — Project PRD

Companion to pcblueprint-checklist_<date>.html. The runbook is the how (per-session prompts, branching, PR flow); this doc is the what + why — the product we're building and how we'll know each piece is done.

Vision

A private, web-accessible system for one person (Pedro Canário) to store, browse, expand, and act on the full record of their life — biographical text, medical history, fitness data, journal entries, memoirs, and identity context — across phone and laptop, with archive-first persistence to a versioned git repository.

North-star user experience

Browse structured pages per domain (medical, memoirs, journal, chronology, sports, blueprint, identity), polished docs-site feel.
Use a stateless natural-language interface to the archive with three verbs — every interaction is one task, no conversation history retained:

- WRITE — "log bp 118 over 76, pulse 62, left arm", "new memory tagged 'family' titled X", "upload this PDF as my latest blood test". Agent classifies intent, parses, dedupes against existing records, auto-tags from the canonical vocabulary, surfaces a confirm preview, then commits with links back to the saved file.

- QUERY — "any of dad's memoirs that mention me", "how did training load correlate with sleep last month", "is this blood test result normal compared to my history". Agent reads relevant archive files, cross-references, cites sources inline. Short structured answer for fact queries; prose only when the question is interpretive.

- EXPORT — "give me a PDF report of my HRV trends in April", "download all my 2024 medical files". Agent generates a deliverable (PDF / CSV / Markdown / .zip) following a universal filename convention.

Access all of the above from a phone, over the public internet, behind a real login with recovery — no shared password.

System map

Repo	Role
`pcblueprint-archive`	Source of truth. Markdown + JSON files in lifecycle buckets (`records/`, `writing/`, `source-files/`, `_legacy/`, etc.). Every write is a git commit.
`pcblueprint-api`	Express/TypeScript api over the archive. Mounts at `/health`, `/biography`, `/blueprint`, `/identity`, `/timeline`, `/search`, `/archive`, `/chat` (planned). As of R1 (2026-04-25): also serves the user-facing HTML pages directly via EJS — no separate frontend until R3.
`pcblueprint-sync`	Docker cron worker. Pulls from Zepp + Strava, posts to api ingest endpoints.
`pcblueprint-meta`	Coordination repo (this PRD's home). Hosts the runbook HTML, helpers, and the GitHub Pages deploy of the runbook. New as of 2026-04-25.
`pcblueprint-website`	Originally: Next.js 16 (App Router) with MUI + Tailwind + Emotion. Status post-2026-04-25 release pivot: dormant until R3 (Visual Identity), at which point a Tailwind-vs-Next.js call gets made with real R1+R2 usage data informing the choice.

Roadmap structure

52 sessions across 5 releases (R0–R4) — restructured 2026-04-25 from the prior 55-session flat list. R3 has no sessions yet (planned at R3 kickoff). EPIC 0 is the pre-runbook foundation; the historical EPIC 1–19 sections below remain for context, with dropped epics marked inline.

Chat architecture (codified 2026-04-25)

The chatbot is not conversational. It is a stateless natural-language task endpoint with three verbs (WRITE / QUERY / EXPORT — see North-star §2). Every interaction is one task; the agent's internal tool loop within a single request is unbounded (capped at 10 tool calls), but no state crosses requests.

WRITE contract applied to every active user-data bucket (records/, writing/, raw/, source-files/, sessions/; system buckets _legacy/, meta/, scripts/, claude-code-prompts/ are off-limits): classify intent → parse + extract → propose multi-domain split if applicable → call get_tag_vocabulary → run identity-based dedup (3-way: all-new / partial overlap silently merged / full duplicate escalated to user with side-by-side comparison) → surface confirm preview with editable per-domain fields → commit → return {saved_path, github_url, viewer_url, tags_applied}.
QUERY contract: always cite source files. Reference ranges for medical comparisons prefer PDF-embedded ranges, fall back to web_search. Auto-save fresh inputs used in cross-reference (dedup contract still applies).
EXPORT contract: universal filename convention <verb>-<scope>-<YYYY-MM-DD>.<ext>; simple PDF default, CSV as utility format (storage, not human-reading), .zip for source-file bundles (never .tar.gz).
Cost ceilings (3 layers): per-request (max_tokens + max-iterations + 60s timeout); app-level monthly budget guard refusing requests at 100% and warning at 80%; vendor-level prepaid credits + workspace spend cap.

See memory chat_architecture_three_verbs.md for the full operational record.

Release plan (2026-04-25 pivot)

The prior 55-session flat arc was "everything, everywhere, all at once": Next.js + MUI + Tailwind + Emotion + custom auth + mobile responsiveness all interleaved with no shippable intermediate before ~S20. The 2026-04-25 pivot replaces that with five releases under a strict "default styling first, dazzle last" discipline.

Release	Goal	Sessions
R0 — Foundation (largely done)	Archive structure, API CRUD, sessions log, prod sync.	S00–S06f, S16a, S16b
R1 — Private Archive Browser	Read-only, server-rendered HTML directly from the API, default browser CSS only, real auth (Argon2id + Resend) from day one. No Next.js, no MUI, no Tailwind.	R1-01 (auth core, was S20a), R1-02 (auth UX, was S20b), R1-03 (auth hardening, was S20c), R1-04 (HTML rendering layer), R1-05 (index pages), R1-06 (detail pages), R1-07 (search/filter), R1-08 (public deploy, replaces S18a/b), R1-09 (observability minimum)
R2 — AI Chat over the archive	Stateless WRITE / QUERY / EXPORT command interface. Same default-CSS philosophy — `<form>` posting to `/chat`, results rendered server-side, vanilla-JS SSE. No React.	S10a–d, S11a–c (rewritten — replace React panel with EJS), S12, S13a–b, S14a–c, S15a–b
R3 — Visual Identity (no sessions yet)	Branding, typography, color, charts. Tailwind-vs-Next.js call made here with real usage data informing the choice.	TBD — planned at R3 kickoff
R4 — Mobile + Offline (blocked on R3 planning)	Responsive 375px viewport, drawer, optional PWA install + offline-read.	S19a, S19b, S19c

Sessions dropped (Next.js+MUI scaffolding superseded by R1-04..R1-07): EPIC 7 (S07a, S07b), EPIC 8 (S08a, S08b, S08c), EPIC 9 (S09a, S09b). Their per-EPIC sections below stay for historical record but are flagged DROPPED.

Sessions folded: EPIC 17 (S18a, S18b — original Vercel website deploy + DNS) → folded into R1-08 (single deploy of the API+HTML unit on Cloudflare tunnel or Fly.io).

Sessions moved: EPIC 19 (S20a–c — Auth Hardening) → pulled forward to R1 as R1-01..R1-03; archive is private from first public deploy, no APP_PASSWORD-only window.

EPIC 0 — Precursor Work (pre-runbook foundation)

Phase: Pre-S00 · Status: ✅ Shipped (manual, before formal sessions began) · Sessions: none — done by hand over weeks/months before the runbook existed

Outcome

The entire foundation the runbook stands on: personal data gathered + curated, four GitHub repos created with initial code that builds, a Synology NAS configured as the production server, an end-to-end deploy chain wired up (cloudflared tunnel → api → archive → GitHub mirror), and Claude Code tooling installed with custom skills + MCP servers. None of S00–S20 would be runnable without this base.

What was done

Personal data gathered + curated (the actual content of the system, sourced over years):

Seven memoir-voice files written in 2014 — intro 2014.md, pedro canario 2014.md, graça gomes 2014.md, francisco canario 2014.md, teresa faria 2014.md, rita canario 2014.md, domingos araujo 2014.md.
The "1934 to now, a Story of Remembrance" book + InDesign source (.idml) + ZIP bundle of family-book assets.
Biographical baseline (biography-baseline.original.md, ~40KB) and biographical protocol (protocol.md, ~36KB).
Chronology timeline of life events from 1934 onward.
Compiled medical history (pedro_medical.md) plus 14 medical imaging PDFs — cardio ECGs, holters, MRIs, x-rays, ecographies, stress tests.
Personal context + identity documents, pattern registry, blueprint v1 (psychological assessment), Word source (pedro_blueprint.docx).
Personal journal (pedro_journal.md) + Word source.
Coros Training Hub bulk export — ~562 historical workouts, ~20MB ZIP.
Omron Connect CSV export of historical blood pressure readings.

Repo scaffolding — 4 GitHub repos created (pcblueprint-archive, pcblueprint-api, pcblueprint-website, pcblueprint-sync) with initial commits, package.json, tsconfig.json, Dockerfile + compose where applicable, GitHub Actions for image build/publish on pcblueprint-api, and initial README.md / CLAUDE.md / PRIVACY.md per repo.

Initial pcblueprint-api implementation (pre-S04 realign): Express + TypeScript, requireAuth Bearer middleware, full health endpoint surface (tracking, sports, medical, blood-pressure CRUD, ingest), biography read endpoints (protocol, chronology, journal, memories, identity, blueprint), schema/types, vitest infrastructure, gitService.commitArchive().

Initial pcblueprint-website: Next.js 16 (App Router) with all major routes already scaffolded — /sports, /sleep, /journal, /chronology, /medical, /memories, /protocol, /identity, /blueprint, /timeline, /search, /dashboard, /archive, /blood-pressure, /login. MUI + Tailwind + Emotion stack. Auth flow (APP_PASSWORD → JWT cookie). lib/api.ts Bearer-token client.

Initial pcblueprint-sync (PR #1 in that repo): custom Zepp HTTP client (email + password, no third-party dep), Strava OAuth v3 client, daily/nightly cron jobs (Zepp 11:00, Strava 03:00), structured logger with optional webhook alerting, Dockerfile + compose.

NAS production chain (Synology DS423+): DSM configured, SSH key-auth set up, Container Manager projects deployed: api stack (api container + cloudflared tunnel + Watchtower), git-clone and git-clone2 projects for archive seeding, ARCHIVE_PATH bind-mounted, GitHub PAT issued for container-side push/pull, Cloudflare tunnel routing public traffic to the api.

Claude Code tooling: custom domain skills (/biography, /medical, /activity, /sleep, /psychology, /schema), local MCP servers (knowledge-rag semantic search, strava-mcp OAuth, sleep-decoder), Stop hook validating schema.json on session end, GitHub Actions Claude Code review workflow (later removed in S04 cleanup once it became failure-noise), the runbook HTML itself with sessions S00–S12 sketched out.

Why this matters

The runbook starts at S00 (manual binary prep) on the assumption that the data, code, infrastructure, and tooling listed above already exist and work. The total invested effort here easily matches or exceeds the formal-session work that follows — every session depends on it. Documented retrospectively so future readers (or fresh Claude Code sessions) understand what they're standing on.

Acceptance criteria (retrospective)

✅ Personal data exists in some form across all domains (medical, biographical, fitness, journal, memories, identity, blueprint).
✅ All 4 GitHub repos exist with code that builds and tests pass.
✅ Production deploy chain functional in concept: api container running on NAS; cloudflared exposing it publicly; Watchtower polling ghcr.io for image updates.
✅ Claude Code can read the codebase + operating rules + memories.
✅ Runbook HTML exists with sessions S00–S12 sketched.

Caveats discovered later

The 2026-04-25 prod reconciliation surfaced that several of the "✅ functional in concept" pieces above had latent gaps — the api had never successfully written to the archive (silent push failures), the NAS archive was 41 commits stale (no scheduled pull was actually running), the docker socket wasn't writable by apcanario. Those gaps are now closed (see Changelog and EPIC 6).

EPIC 1 — Manual Binary Prep

Phase: Prep · Status: ✅ Shipped · Sessions: S00

Outcome

One-time clean-up of binary blobs and large originals before the main IA migration, so subsequent sessions don't churn on giant files.

User story

As Pedro, I want oversized binary originals (16MB PDFs, IDML sources, ZIP exports) handled correctly before they pollute the git history.

Acceptance criteria

✅ External backups taken before any moves.
✅ Decision recorded per file (keep / archive / move out of repo).
✅ Files with spaces renamed to kebab-case where applicable.
✅ Single PR landed cleanly with no large untracked binaries left behind.

Out of scope

Git LFS setup (left as optional follow-up).

EPIC 2 — Archive IA + Migration

Phase: Archive · Status: ✅ Shipped · Sessions: S01, S02a, S02b, S03a, S03b

Outcome

The archive folder structure is reorganised into nine canonical lifecycle buckets (records/, writing/, source-files/, raw/, _legacy/, meta/, scripts/, sessions/, claude-code-prompts/) with a published spec at meta/ia-spec.md, so every future write knows exactly where it goes.

User stories

As Pedro, I want a stable folder structure I can navigate by lifecycle (active vs. cold storage), not by content type alone.
As an api, I want one canonical path per logical resource so PATHS constants stay simple.

Acceptance criteria

✅ meta/ia-spec.md v1.2 approved and committed.
✅ All pre-migration top-level directories mapped to a new bucket (no orphans).
✅ Bilingual .en.md / .pt.md suffixes dropped — primary file is .md.
✅ _legacy/2026-04-16/ retains pre-migration copies for reversibility.
✅ schema.json keys updated to new bucket paths (v1.3).
✅ meta/part2-manifest.json reflects new tree (v1.1.0).
✅ Health folder audit confirms /sports duplication is intentional (Coros + Zepp = different schemas).

Out of scope

Migrating the api code to match — that's Epic 3.

Sessions

S01 (IA spec + first migration), S02a (memories-wip + _legacy/ READMEs), S02b (source-files/ + binary recovery), S03a (health audit), S03b (schema.json + import scripts + manifest).

EPIC 3 — API Path Realign (S04a–c)

Phase: API — Realign · Status: ✅ Shipped · Sessions: S04a, S04b, S04c

Outcome

Every api route reads/writes via a PATHS constant or path helper instead of hardcoded strings, so future archive moves require a one-line change in fileService.ts rather than a repo-wide grep.

Acceptance criteria

✅ PATHS const exported from src/services/fileService.ts covering every archive file the api touches.
✅ Parameterised helpers added: pathBloodPressureMonth, pathWorkoutStream, pathMedicalNote, pathBlueprintVersion.
✅ All /health/* routes adopt PATHS (S04b).
✅ All /biography/, /blueprint, /identity/ routes adopt PATHS (S04c).
✅ Test fixtures use the new bucket prefixes; vitest 86/86 green.

Caveat

PATHS constants and several hardcoded strings were not fully aligned with the post-S01 archive at the time S04c shipped — that gap was fixed retroactively on 2026-04-25 (see Changelog block "Prod reconciliation + path realign"). All routes now correctly point at the post-S01 tree.

EPIC 4 — Hardening / Backlog (S04d–h)

Phase: Hardening / Backlog · Status: ✅ Mostly shipped (S04f deferred)

Outcome

A grab-bag of cross-repo housekeeping: shared operating-rules doc, cleanup of orphaned NAS state, lockfile drift resolution, and bot reviews.

Sessions + status

✅ S04d — Shared "Working with Claude — Operating Rules" section in CLAUDE.md of all 4 repos.
✅ S04e — Stray medical/notes audit (manual).
⏸ S04f — Remove orphan /volume1/pcblueprint-archive (deferred to post-S12 cleanup).
✅ S04g — Investigate Claude PR Review bot (decision: removed the failing workflow).
✅ S04h — package-lock.json drift resolution + Node 22 pin via .nvmrc and engines.

Acceptance criteria

✅ Operating rules section identical across all 4 repos.
✅ pnpm-lock.yaml removed; package-lock.json regenerated cleanly; future npm install produces no diff on Node 22.
⏸ /volume1/pcblueprint-archive deletion deferred — left for post-S12 sweep.

EPIC 5 — API CRUD Gaps (S05a–c)

Phase: API — CRUD Gaps · Status: ✅ Shipped · Sessions: S05a, S05b, S05c

Outcome

Every biographical resource has a complete CRUD surface, so the website (and the future chat tools) can write any entity without dropping to filesystem tricks.

Acceptance criteria

✅ POST /biography/memories, PATCH/DELETE /biography/memories/:slug — slug-scoped.
✅ PATCH/DELETE /blueprint/:version — handles "delete current latest" by picking the previous version + setting identity_stale: true.
✅ GET/POST /biography/sessions — append-only AI session log; auto-incrementing session_number.
✅ POST/PATCH/DELETE /biography/chronology/events — slug = ${date}-${slugify(title)}; category enum; preserves the  marker on POST.
✅ Vitest coverage for happy path + key validation failures on every endpoint.

EPIC 6 — Prod Stability & API Sync (S06a–f)

Phase: Prod Stability & API Sync · Status: 🟡 Planned (foundation work)

Outcome

Production deploy is actually stable end-to-end: the api on the NAS bidirectionally syncs with GitHub, the sync worker is deployed and pulling Zepp/Strava data, infrastructure quirks (docker socket reset, PAT rotation) have permanent fixes, and the api exposes a manifest that the website can bind to.

Sub-sessions

S06a — Archive bidirectional sync (cron git pull --rebase inside api container; commitArchive retries on non-FF).
S06b — Sync worker containerise + deploy (GHA publish → ghcr.io → Watchtower → NAS compose).
S06c — Prod infra hardening (DSM Task Scheduler for docker socket persistence; PAT credential helper).
S06d — Memoir endpoints cleanup (decide remove vs. recreate for athletic-record, family-book, reconstruction, book endpoints currently 404'ing).
S06e — Archive Manifest Endpoint (GET /archive/manifest reading meta/ia-spec.md for the website's docs sidebar).
S06f — Sync Path Audit (verify every write path in pcblueprint-sync/src/** matches post-S03 paths).

Acceptance criteria

☐ After a laptop-side push to pcblueprint-archive, the next NAS api write succeeds without merge-conflict (proven by 10-min cron pull).
☐ pcblueprint-sync container running on the NAS, registered with Watchtower; first scheduled cron tick (Zepp 11:00 / Strava 03:00) writes data to api ingest endpoints; archive shows API update: commits in git log.
☐ NAS reboot does not break docker access for apcanario (Task Scheduler restores socket perms).
☐ PAT rotation procedure documented; new PAT can be deployed without manually editing .git/config.
☐ All four memoir endpoints either return 200 with content or are removed cleanly (no silent 404s).
☐ GET /archive/manifest returns { sections: [{ slug, label, description, routes, counts }], generated_at } matching meta/ia-spec.md.
☐ pcblueprint-sync write paths in code match the post-S03 archive tree (audited).

Out of scope

Real-time conflict resolution UI (alerts log to webhook + leave repo in conflict state for manual fix).
Cross-archive multi-write atomic transactions.

EPIC 7 — Website Homepage (S07a–b) — ❌ DROPPED 2026-04-25

Release pivot: superseded by R1-04 (API HTML rendering layer) + R1-05 (archive index pages). Original Next.js/MUI scaffolding no longer needed under the server-rendered approach. Section retained below for historical reference.

Phase: Website — Homepage · Status: 🟡 Planned · Sessions: S07a, S07b

Outcome

Replace the current dashboard-first homepage with a chat-first homepage that has a centered chat panel, a collapsible sidebar with archive section tiles + today-snapshot, and preserves the existing dashboard at /today.

User stories

As Pedro on his phone in the morning, I want to land on a chat input ready to receive "how'd I sleep" without navigating.
As Pedro at his desk, I want the existing dashboard still reachable at /today so my muscle memory still works.

Acceptance criteria

☐ /today renders the full pre-existing dashboard verbatim.
☐ / renders <HomeShell> with <ChatPanel> (stub) + collapsible left sidebar.
☐ Sidebar has tiles for at least 3 archive sections + today-snapshot card (HR, sleep, last workout — placeholder data OK at this stage).
☐ app/api/chat/route.ts exists as a stub returning "Chat backend coming soon." (real wiring in S11a).
☐ No regressions in existing routes (auth, archive, etc.).

EPIC 8 — Website Archive Docs (S08a–c) — ❌ DROPPED 2026-04-25

Release pivot: superseded by R1-05 (archive index pages) + R1-06 (record detail pages). The "docs-shell + manifest sidebar + tiled landing" pattern collapses into plain semantic HTML lists rendered server-side; no React, no client-side data fetching. Section retained below for historical reference.

Phase: Website — Archive Docs · Status: 🟡 Planned · Sessions: S08a, S08b, S08c

Outcome

A polished docs-site experience for browsing the archive: persistent collapsible sidebar, breadcrumbs, manifest-driven section list, tiled landing page, and consistent docs-shell wrapping for every existing sub-page.

Acceptance criteria

☐ app/archive/layout.tsx renders a sticky sidebar + breadcrumbs + content area on every /archive/* route.
☐ <ArchiveSidebar> renders from manifest data (S06e), not hardcoded.
☐ app/archive/page.tsx shows a tile per section with label, description, and record count.
☐ Every existing /archive/<section> page is wrapped in the docs shell (no rebuilds, just wrapping).
☐ MUI Card visual pass — Stripe/Vercel docs feel.
☐ pnpm build green.

Out of scope

Generic file-tree browser (Pedro confirmed the docs-site feel is the goal, not Drive-like).

EPIC 9 — Website Activity Detail (S09a–b) — ❌ DROPPED 2026-04-25

Release pivot: the per-workout hero + HRZones + Splits + Pace/Effort cards depend on MUI X Charts and a styled component layer that are explicitly deferred to R3 (Visual Identity). For R1, activity records render via the same generic detail-page template (R1-06) as everything else — tabular data, no charts. Charts are reintroduced in R3 with whatever stack R3 picks. Section retained below for historical reference.

Phase: Website — Activity Detail · Status: 🟡 Planned · Sessions: S09a, S09b

Outcome

The /sports/[id] page becomes a useful single-workout view: hero with map + headline stats, HR zone breakdown, splits table, pace zones, and an effort/relative-effort card.

Acceptance criteria

☐ Hero shows <WorkoutMap> + distance, duration, avg HR, elevation, pace.
☐ <HRZones> 5-zone time-in-zone bar chart renders for any real workout (using existing MUI X Charts; no new chart libs).
☐ Splits table includes split #, pace, avg HR, elevation gain/loss.
☐ Pace/speed zones block + relative-effort card with documented formula.
☐ Renders correctly on a 375px viewport (preview; full mobile pass in S19b).

EPIC 10 — Chatbot Backend (S10a–d)

Phase: Chatbot — Backend · Status: 🟡 Planned · Sessions: S10a, S10b, S10c, S10d

Outcome

A streaming stateless task endpoint on the api with a provider abstraction (so Anthropic/OpenAI/open-weight can swap), basic write tools (BP + journal) that set the response-shape contract, basic read tools (health + journal) plus get_tag_vocabulary, and a single cross-domain orchestrator (analyze_wellbeing).

Acceptance criteria

☐ POST /chat streams assistant text via SSE/chunked. Stateless body: { messages: [<single user turn>], file?: <multipart>, intent?: <hint> } — no session_id, no cross-request state.
☐ LLMProvider interface in src/chat/providers/index.ts; stub.ts deterministic provider for tests.
☐ CHAT_PROVIDER env var (default stub).
☐ Write tools: log_blood_pressure, create_journal_entry — both end-to-end (chat → tool_call → archive commit). Each returns the standard response shape {saved_path, github_url, viewer_url, tags_applied} and implements identity-based dedup (3-way: all-new / partial-overlap silently merged / full duplicate escalated). Pattern used by every later write tool.
☐ Read tools: query_health_window, query_journal, get_tag_vocabulary — return well-formed JSON; get_tag_vocabulary reads writing/identity/tags for canonical-tag lookups used by every WRITE flow.
☐ Orchestrator: analyze_wellbeing(window_days) bundles journal + sleep + HRV + HR.
☐ Full vitest round-trip per tool.

Out of scope

Real LLM provider (S15a).
Expanded tool surface beyond these five (S14a/b).
Export tools (S14c).
Transaction audit log (S15b — replaces the original "conversation persistence" scope).

EPIC 11 — Chatbot Frontend (S11a–c)

Phase: Chatbot — Frontend · Status: 🟡 Planned · Sessions: S11a, S11b, S11c

Outcome

The <ChatPanel> component becomes a command-bar + result-panel + deliverable-download slot (not a chat thread). Each task is a single round-trip: input → streaming agent response → final result with confirm flows for writes and download links for exports. No persistent conversation history.

Acceptance criteria

☐ Chat input streams responses via /api/chat proxy (server-side bearer-token forwarding).
☐ Markdown rendering for assistant prose.
☐ No persistent chat thread. After each task completes, the input clears for the next task. Optional: in-memory session-only history strip showing the last few tasks for visual context (cleared on page reload, not synced).
☐ <ToolCallCard> renders inline per tool call within the active task.
☐ Read tools render meaningful UI (mini sleep chart for query_health_window, entry list for query_journal).
☐ Write tools render an editable preview per domain (lab values table for medical, markdown editor for journal/memory, metadata form for chronology), with Confirm / Cancel buttons. Confirm executes via the api proxy and surfaces the response-shape links (saved_path / github_url / viewer_url) as clickable.
☐ Dedup outcomes surfaced: partial overlap shows the breakdown ("added X, skipped Y"); full duplicate shows side-by-side comparison + 3-way choice [Keep existing / Replace / Keep both].
☐ Multi-domain split proposal surfaced when one input contains records for multiple domains.
☐ Deliverable-download slot in the result panel for EXPORT verb outputs (clickable filename + .zip / PDF download).
☐ No write tool fires without an explicit Confirm tap.

EPIC 12 — Cross-Repo Docs Sweep (S12)

Phase: Close-out · Status: 🟡 Planned

Outcome

Final consistency pass across all four repos before declaring v1 shipped: README + CLAUDE.md fresh in every repo, session-log entries appended for every session that deferred them, branch hygiene confirmed.

Acceptance criteria

☐ Every repo's README mentions /archive/manifest, /chat, and the post-S01 IA.
☐ Every repo's CLAUDE.md reflects current conventions.
☐ Session-log entries appended to pcblueprint-archive/sessions/session-log.{en,pt}.md for every session from S04a through the current point.
☐ Final S12 summary entry lists all sessions with dates + PR URLs.
☐ No orphan branches on any of the 4 repos (local + remote).

Note

Originally scoped to also backfill missing CHANGELOG entries — that work was done inline during the 2026-04-24/25 reconciliation, so S12 only needs to verify consistency, not create.

EPIC 13 — File Upload Pipeline (S13a–b) — new

Phase: Chatbot — File Upload · Status: 🟡 Planned

Outcome

Pedro can upload binary files (medical PDFs, photos, voice memos, IDML/Word originals) into the archive — via website drop-zones on each section page or via a chat tool that accepts file attachments. Files land in the right source-files/, writing/memories/drafts/, or _legacy/ bucket and a git commit lands within seconds.

User stories

As Pedro at the doctor, I want to drag-drop a PDF onto /medical and have it filed under source-files/medical/ automatically.
As Pedro recording a voice memoir on his phone, I want to attach the .m4a to a chat message saying "save this as a new memoir draft" and have it land in writing/memories/drafts/.

Acceptance criteria

☐ POST /upload/{bucket} accepts multipart with file + optional metadata; 50MB max; allowed types: pdf, png, jpg, jpeg, webp, heic, docx, idml, m4a, mp3, wav.
☐ Buckets allowlist: source-files/{medical,sports,writing}, writing/memories/drafts, _legacy/2026-04-25.
☐ Path traversal guards (reject ../, sanitise basename).
☐ Drop-zone UI on /medical, /memories, /journal with bucket auto-selected by section.
☐ Standalone /upload page for uncategorised files.
☐ Chat tool attach_file({ filename, base64, bucket, metadata? }) works end-to-end.
☐ Vitest: happy path, oversize 413, bad type 415, traversal 400.
☐ commitArchive runs on every successful upload with a meaningful message.

Out of scope

Server-side virus scanning (defer until needed).
Image thumbnail generation (manual or later epic).

EPIC 14 — Chatbot Tool Surface (S14a–c) — new

Phase: Chatbot — Tool Surface · Status: 🟡 Planned · Sessions: S14a, S14b, S14c

Outcome

The chat can ingest into, query, and export every active user-data bucket in the archive. Cross-domain orchestrators support the questions that motivated this project ("dad's memories where I'm mentioned", "any chronology event near my hospitalization"). Deliverable-generation tools turn QUERY answers into downloadable PDF / CSV / Markdown / .zip artifacts.

User stories

As Pedro, I want to say "add a memory about Avó's last birthday tagged 'family' and 'avó'" and have it written to drafts with the canonical tags applied.
As Pedro, I want to ask "any of dad's memoirs that mention me" and get back the relevant passages with cited sources.
As Pedro, I want to ask "give me everything tagged 'cardio' across journal, medical, and chronology since 2024" and get a merged timeline.
As Pedro, I want to say "export my Q1 2026 medical records as a PDF for my doctor" and get a download link.
As Pedro, I want to upload a blood-test PDF and ask "is this normal compared to my history" — the agent saves the new panel (silently deduping prior dates), compares against PDF-embedded reference ranges (or web-searches if absent), and answers with citations.

Acceptance criteria

Write tools (S14a) — covers all active user-data buckets, not just five examples:

☐ writing/: append_memory({ slug?, name, body_markdown, tags?, author? }) (default author Pedro Canário); update_identity_context; add_identity_pattern.
☐ records/: add_blood_test, add_medical_note, add_medical_exam, add_medication, add_medical_flag, post_blueprint_version. (S10b already covers log_blood_pressure; S14a inherits its response-shape contract.)
☐ raw/: add_raw_record (generic raw-bucket write).
☐ sessions/: covered by existing POST /biography/sessions from S05b.
☐ Tags: add_tag_to_vocabulary (canonical-tag write).
☐ Chronology: covered by existing POST /biography/chronology/events from S05c.
☐ Likely api gaps to fill in this session (verify + implement if missing): PATCH /identity/context, POST /identity/patterns, POST /identity/tags, write coverage for medical sub-resources (/health/medical/notes, /exams, /medications, /flags), POST /raw/....
☐ Every write tool inherits the contract from S10b: standard response shape, identity-based dedup (3-way), auto-tag from canonical vocabulary, multi-domain-split proposal.

Read tools (S14b):

☐ query_chronology({ from?, to?, category?, contains? }).
☐ query_memories({ author?, contains?, tags?, since? }).
☐ query_blueprint({ version? }).
☐ query_identity().
☐ query_medical({ contains?, since? }).
☐ web_search(query) — required by QUERY when comparing fresh inputs (blood tests, etc.) against medical reference values not embedded in source PDFs. Agent prefers PDF-embedded ranges first, falls back to web_search.

Orchestrators (S14b):

☐ cross_reference({ query, domains?, window? }) — single search across any combination of domains; returns grouped hits with snippets.
☐ timeline_summary({ from, to }) — chronology + journal + sessions + medical + sports merged + deduped.

*Export tools (S14c) — new:*

☐ export_to_pdf({ query, scope, options? }) — simple PDF (header: name + date + scope; body; page numbers; footer). Default minimal template; iterate when needed.
☐ export_to_csv({ query, scope }) — flat CSV, descriptive columns, ISO dates. Storage / downstream-tooling format, not for direct human reading.
☐ export_to_markdown({ query, scope }) — concatenated Markdown for printable docs.
☐ bundle_source_files({ query }) — .zip of selected source files with per-domain subdirs. Universal compatibility — never .tar.gz.
☐ generate_report({ template, scope }) — composite: data + simple chart(s) + commentary, rendered to PDF.
☐ Universal filename convention: <verb>-<scope>-<YYYY-MM-DD>.<ext> (e.g. report-hrv-2026-04.pdf, bundle-medical-2024.zip).
☐ Deliverables stored at <archive>/exports/<YYYY-MM>/ with TTL cleanup script (does not pollute user-data buckets).

Each tool has a stub-provider canned phrase + vitest round-trip.

EPIC 15 — Real Chat Provider + Audit Log (S15a–b) — new

Phase: Chatbot — Real Provider · Status: 🟡 Planned

Outcome

Anthropic's Claude replaces the deterministic stub provider. Default model is Haiku 4.5 (cheap + fast for simple tasks); router escalates to Sonnet 4.6 for hard cross-domain or interpretive queries. The system prompt encodes the stateless 3-verb router protocol (WRITE / QUERY / EXPORT) with full bucket knowledge, tool catalog, and citation conventions. A 3-layer cost ceiling makes runaway bills physically impossible. S15b replaces the original "conversation persistence" scope with a "Transaction Audit Log" — sqlite log of every chat task (verb, intent, tools called, result, tokens, cost) for debugging and accountability, not for chat-history continuity.

Acceptance criteria

S15a — provider + system prompt:

☐ src/chat/providers/anthropic.ts implements LLMProvider.generate streaming both content_block_delta and tool_use events.
☐ System prompt encodes the 3-verb task-router protocol: classify intent (WRITE / QUERY / EXPORT) → dispatch to tools → return result with the appropriate response shape (saved-file links / cited answer / deliverable URL).
☐ System prompt covers: bucket structure, full tool catalog with usage hints (writes / reads / orchestrators / exports), citation conventions, dedup-contract behavior.
☐ CHAT_PROVIDER=anthropic requires ANTHROPIC_API_KEY; default still stub for tests.
☐ Model routing: Haiku 4.5 by default; escalation heuristic to Sonnet 4.6 for cross-domain / interpretive queries (per-request decision).
☐ Three-layer cost ceiling:

- Per-request: max_tokens=1024 default, max-iterations cap (≤10 tool calls), hard timeout (~60s).

- App-level: monthly token-budget guard tracked in a small JSON/sqlite ledger; refuse new /chat with 429 at 100% of cap, warn at 80%.

- Vendor-level: prepaid credits + workspace spend limit set in the Anthropic console (outside the codebase).

☐ Real one-shot task: ask "find me family memories from before 1995" → assistant calls a read tool, returns prose with cited sources, then /chat connection closes (no continuation).

S15b — Transaction Audit Log (replaces original "Conversation Persistence" scope):

☐ sqlite schema: transactions(id, ts, verb, intent, tools_called, args, result_summary, error, tokens_in, tokens_out, cost_usd, model). Append-only, indexed by date + verb.
☐ DB lives at <archive>/.chat/audit.db (gitignored).
☐ Every /chat request writes one row on completion (success or error).
☐ Read endpoint GET /chat/audit?from=&to=&verb= for ops visibility (no UI in this session).
☐ No conversation-persistence functionality. The chat is stateless. There is no chat history to retrieve.

Out of scope

Multi-provider routing UI (env switch only).
Token-budget billing UI (the ledger is debug-only for now).
"Recent activity" frontend view consuming the audit log (defer).

EPIC 16 — Observability & Backup (S16a–b) — new

Phase: Production — Observability · Status: 🟡 Planned

Outcome

Failures stop being silent. The api alerts on push/pull errors via the same webhook pattern the sync worker already uses. A /healthz endpoint exposes archive state for external monitoring. A nightly tarball lands in /volume2/backups/ for off-NAS recovery.

Acceptance criteria

☐ src/services/alert.ts shared by api + sync; payload shape { severity, source, message, details }.
☐ commitArchive() and the S06a archive puller call postAlert on failure.
☐ GET /healthz (no auth) returns { status, version, archive_head, last_commit_at }.
☐ DSM Task Scheduler runs nightly tar -czf /volume2/backups/archive-YYYY-MM-DD.tar.gz (excluding .git/).
☐ 14-day retention on local snapshots.
☐ Documented in pcblueprint-archive/CLAUDE.md.

Out of scope

Cloud (B2/S3/R2) off-NAS sync — flagged as optional follow-up requiring a paid provider decision.

EPIC 17 — Public Deployment (S18a–b) — 🔁 FOLDED 2026-04-25 → R1-08

Release pivot: under R1, the archive HTML lives inside the API (server-rendered EJS), so deploying "the website" and "the API" is one operation, not two. S18a (Vercel website deploy) + S18b (DNS / custom domain) collapse into a single R1-08 (Public deploy — Cloudflare tunnel or Fly.io, with custom domain inline). Section retained below for the original framing.

Phase: Production — Public Deploy · Status: 🟡 Planned · Hard prereq: EPIC 19 (Auth Hardening)

Outcome

The website is reachable from the public internet on a custom domain, served via Vercel, talking to the existing public api (Cloudflare tunnel). Pedro can hit it from cellular, log in, and use everything.

User story

As Pedro on the train, I want to open the URL on my phone, log in once, then use chat + browse + write — same as on my desktop at home.

Acceptance criteria

☐ Site deployed to Vercel; reachable on the custom domain.
☐ Production env vars set (API_URL → cloudflared hostname, fresh COOKIE_SECRET, RESEND_API_KEY, etc.).
☐ Cookies + CORS work correctly across the website + api subdomains.
☐ SSL provisioned (Cloudflare or Vercel).
☐ Verified end-to-end: open on cellular (not home wifi), log in, send a chat message, write a journal entry, see archive commit on GitHub.

Out of scope (and non-negotiable hard rule)

Deploying with the placeholder APP_PASSWORD from .env.local. EPIC 19 must land first.

EPIC 18 — Mobile Responsive (S19a–c) — new

Phase: Production — Mobile UX · Status: 🟡 Planned

Outcome

Every page works comfortably at 375px iPhone width. Sidebar collapses into a drawer; charts and tables reflow; chat input is keyboard-aware.

Acceptance criteria

☐ Hamburger toggle + swipeable Drawer replaces the persistent docs-shell sidebar below 768px.
☐ No horizontal scroll on any page at 375px.
☐ MUI X Charts on /sports/[id], /blood-pressure, /sleep reflow responsively.
☐ DataGrid swaps to a stacked-card list (<ResponsiveList>) below 768px.
☐ Chat input pinned to bottom with keyboard-aware padding (visualViewport API).
☐ Tool call cards stack full-width and are collapsible by default on mobile.
☐ File-attach button inline with text input.
☐ Real conversation completed on a phone, including a write-tool confirm flow.

EPIC 19 — Auth Hardening (S20a–c) — 🔁 MOVED 2026-04-25 → R1-01..R1-03

Release pivot: the original plan deferred auth to the very end of the arc (S20). The 2026-04-25 pivot pulls it forward — the archive is private from first public deploy, so auth gates everything before R1 ships. S20a→R1-01, S20b→R1-02, S20c→R1-03. Scope is unchanged; only the release tag and ID change. Section retained below for the original framing.

Phase: Production — Auth Hardening · Status: 🟡 Planned · Hard blocker: EPIC 17 (Public Deploy)

Outcome

The single shared APP_PASSWORD is replaced with a real account: argon2id-hashed credentials in sqlite, proper session management, email-based password reset via Resend, an account settings UI, and optional TOTP 2FA. Schema is multi-user-ready even though only one user exists today.

User stories

As Pedro, I want to change my password from the website without editing env vars.
As Pedro, if I forget my password, I want to receive a reset link by email and recover access without manual intervention.
As Pedro, I want to revoke a session if I log in on a borrowed device and forget to log out.
As Pedro, I want to optionally enable 2FA for a stronger second factor.

Acceptance criteria

Core (S20a):

☐ sqlite schema: users(id, email UNIQUE, password_hash, created_at, last_login_at, totp_secret nullable), sessions(id, user_id, created_at, expires_at, user_agent, ip), password_resets(token UNIQUE, user_id, expires_at).
☐ argon2id hashing on password write/verify.
☐ scripts/seed-user.ts bootstraps Pedro's account once.
☐ /api/login: argon2id verify + httpOnly + secure + sameSite=Lax cookie + 30-day sliding expiration.
☐ /api/logout: deletes session row, clears cookie.
☐ Middleware: every page except /login + auth API routes checks session validity.

Reset (S20b):

☐ Resend integration; RESEND_API_KEY env.
☐ /api/auth/request-reset always returns 200 (no enumeration).
☐ /reset-password?token=... page accepts new password; complete-reset endpoint invalidates token + all user sessions.

Settings + 2FA (S20c):

☐ /account page: change password, view + revoke active sessions, "sign out everywhere".
☐ Optional TOTP via authenticator app; QR provisioning; verified at next login.

Out of scope

Multi-user / family sharing.
WebAuthn / passkeys (defer; can add later as a second factor option).
SSO providers.

Cross-cutting non-goals

These are intentionally NOT in the roadmap, even if related:

Generic file-tree "Drive" UI — confirmed out of scope; docs-site is the target.
Public sharing / anonymous read links — not needed for v1.
Multi-tenant / family accounts — schema is forward-compatible (Epic 19), but no UI for inviting users.
Native mobile apps — responsive web is the v1 deliverable.
Automatic LLM-driven content generation — the LLM only classifies, routes, parses, and summarises; it does not author memoir or medical text on its own.
Conversational chat with persistent history (codified 2026-04-25) — the chat is stateless. Each interaction is one task (WRITE / QUERY / EXPORT); no session_id, no cross-request memory, no chat threads, no cross-device sync of conversation state. An audit log of what the agent did is kept (S15b), but not what was said.
Chat writes to system buckets — _legacy/, meta/, scripts/, claude-code-prompts/ are off-limits to chat WRITE. Schema-evolving changes belong in code PRs, not natural-language prompts.

Sequencing notes (post-S12 picking order)

After S12 closes out the original 33-session arc, the recommended order for the new epics is:

S20 (Auth) ──┐
             ├─→ S18 (Public Deploy)
S19 (Mobile)─┘
S13 (Uploads) ──→ S14 (Tool surface) ──→ S15 (Real provider)
S16 (Observability) — can run any time after S06a/b

S20 + S19 are the hard blockers for going public; S13 → S14 → S15 unlocks the chat vision; S16 makes everything maintainable.

Last updated: 2026-04-25 (chat architecture pivot — see runbook 📒 Changelog). Companion runbook: pcblueprint-checklist_25 april.html.

📒 Out-of-scope work done outside the numbered sessions. Why this exists: the numbered sessions assume a working prod deploy + in-sync archive + stable infra. The 2026-04-25 reconciliation found those assumptions were not met, which triggered a cascade of unplanned fixes. Logging here so future sessions can see the full history. Going forward, entries include HH:MM alongside the date.

2026-04-25 ~21:54 UTC

🚀 R1-02 shipped: login form polish + password reset (Resend)

Increment: The auth UX is now complete end-to-end. The login page is a plain HTML form (view-source has zero JS) and the email value is preserved across a wrong-password retry. There's a "Forgot your password?" link, and the reset flow runs front-to-back: request → email (Resend in production, stdout in dev/test when RESEND_API_KEY is unset) → click → set new password → every session for that user dies the moment the reset commits, including any logged-in tab on a second browser. POST /auth/request-reset always returns 200 with the same body whether the email exists, doesn't exist, or is malformed — no enumeration via status, body, or branching.

Trade-offs accepted:

Flash messages are a ?flash=key query-string scheme with a small allow-list (reset, signed_out) — no cookie-backed flash bag, no enumeration via unknown keys (anything off the allow-list renders nothing).
Resend failures are logged but never thrown, so a Resend outage can't leak via the request-reset response code. The token row is still inserted; the link just doesn't reach the user — Pedro can re-trigger from the form.
POST /auth/login kept its JSON contract for API/cron/legacy clients. The new POST /login is the urlencoded form-post entry; the two coexist and share the credential-check + session-create code path.
Password reset is single-use + 1h expiry, but there's no rate limit on /auth/request-reset yet — that's R1-03's responsibility (along with TOTP enrolment and login-attempt throttling).

PRs: pcblueprint-api#27 (squash-merged at f306d76) + pcblueprint-api#28 (docs-only CHANGELOG follow-up, awaiting approval).

Downstream-impact triage (from the closing api session, applied here):

R1-03 — TOTP + rate limiting: scope addition needed. R1-02 introduced two new public POST endpoints that are brute-force / abuse targets and need rate limiting alongside the existing POST /auth/login: (1) POST /login (the new urlencoded form-post — same brute-force surface as POST /auth/login, just a different URL), and (2) POST /auth/request-reset (rate-limit by IP and by destination email to prevent inbox flooding). R1-03's prompt currently mentions only POST /auth/login. Recommendation: update R1-03 prompt — extend the rate-limit list to all three. Also add the 2FA challenge step into the new POST /login handler, not just the legacy POST /auth/login.
R1-05 — Archive index pages: no change. R1-04's reuse note still stands.
R1-06 — Record detail pages: no change.
R1-07 — Search + tag filter: no change.
R1-08 — Public deploy: scope addition needed. R1-02 added two new env vars: RESEND_API_KEY (required in production for the reset flow to actually send email — without it the link only logs to stdout) and RESET_EMAIL_FROM (optional, default is a placeholder noreply@pcblueprint.local; should be a real verified Resend sender domain in production). R1-08 must wire both into compose.yaml on the NAS alongside the existing BUILD_VERSION and AUTH_DB_PATH notes. Recommendation: add a Resend bullet to R1-08 covering both env vars + the Resend domain-verification step.
R1-09 — Observability: no change.

Closing checklist split: the api session opened PR #28 with the ### Increment entry in pcblueprint-api/CHANGELOG.md (api-side step). This tile + the COMPLETED_SESSIONS bump + the recommended R1-03 / R1-08 prompt edits are the meta-side step. Third R1 session shipped — auth is done; the rest of R1 is content rendering + deploy.

2026-04-25 ~21:21 UTC

🚀 R1-04 shipped: HTML rendering layer + base layout

Increment: Pedro now opens / in a browser and sees an auth-gated, server-rendered landing page listing the five archive buckets (records / writing / raw / source-files / sessions). Sign in via the new /login form (posts to the existing /auth/login over fetch, lands on / on success); the footer shows your email + BUILD_VERSION. The auth middleware was already redirecting browsers to /login; this session makes that destination exist. Stack stays minimal — EJS only, no express-ejs-layouts, no Tailwind, no MUI. One ~95-line stylesheet at /_/runbook.css.

Trade-offs accepted:

Login form uses 18 lines of inline JS to keep the existing JSON /auth/login contract untouched. A JS-free urlencoded form post is a follow-up if a no-JS fallback is wanted later.
Bucket links on / currently fall through to the new HTML 404 when signed in — that's the intended end state until R1-05 lands the per-bucket index handlers. Anonymous visits still get the auth-gate redirect to /login.
Single base layout emulated via a tiny renderPage() two-pass helper (page → layout) instead of pulling in express-ejs-layouts. One less dep; same UX.

PRs: pcblueprint-api#25 (squash-merged at 008d221) + pcblueprint-api#26 (docs-only CHANGELOG follow-up, awaiting approval).

Downstream-impact triage (from the closing api session, applied here):

R1-02 — Login Form + Password Reset: scope partially absorbed by R1-04. R1-04 already shipped a working GET /login rendering an EJS form with email + password fields posting to /auth/login. R1-02 should be re-scoped to focus on the password-reset flow (the actual unmet need): POST /auth/forgot (Resend email), GET /auth/reset/:token (renders reset form using renderPage()), POST /auth/reset/:token, plus form polish (server-side error rendering instead of inline JS, "forgot your password?" link on /login). Recommendation: update R1-02 prompt — narrow scope to reset + polish, since the form ships.
R1-03 — Account Settings UI + 2FA + Rate Limiting: no scope change. R1-04 gave it the rendering scaffold (renderPage() + _layout.ejs nav slot). R1-03 just plugs settings views into the layout.
R1-05 — Archive index pages (one route per top-level bucket): no scope change; one note. The bucket links and the EJS scaffold already exist on /; R1-05 only needs to add the route handlers + per-bucket index templates. Recommendation: add a "scaffold already exists — see src/views/render.ts + _layout.ejs" reuse note to the R1-05 prompt so it doesn't redo the layout work.
R1-06 — Record detail pages: no scope change. Same scaffold reuse as R1-05.
R1-08 — Public deploy: scope addition needed. R1-04 added a BUILD_VERSION env var (defaults to dev) shown in the rendered footer. R1-08 must wire BUILD_VERSION into compose.yaml on the NAS (probably from the GitHub Actions image tag or a build arg). Recommendation: add a BUILD_VERSION bullet to R1-08 alongside the existing AUTH_DB_PATH volume-mount note.
R1-09 — Observability: no change.

Closing checklist split: the api session opened PR #26 with the ### Increment entry in pcblueprint-api/CHANGELOG.md (api-side step). This tile + the COMPLETED_SESSIONS bump + the recommended R1-02 / R1-05 / R1-08 prompt edits are the meta-side step. Second R1 session shipped — the chain keeps moving.

2026-04-25 ~19:53 UTC

🚀 R1-01 shipped: auth foundation lands

Increment: Pedro now has real user accounts on pcblueprint-api. Argon2id password hashing, sqlite-backed sessions, HttpOnly + Secure + SameSite=Lax cookies with sliding 30-day expiry, and a global requireAuth middleware that gates every route except an explicit bypass list (/auth/login, /auth/logout, /login, /healthz, future reset routes). Seed via npm run db:seed.

Trade-offs accepted:

Legacy timing-safe Bearer-token compare kept as a cron fallback (checkLegacyBearer inlined in requireAuth.ts) so the sync worker keeps ingesting without a flag day. Will be removed when sync also moves to cookie auth (post-R2 concern).
per-route requireAuth deleted from all 16 protected route files in favour of one global gate — eliminates the "did I forget to wrap this route?" failure mode. Verified by 127/127 vitest green + tsc clean across 8 commits.
.data/auth.db path is configurable via AUTH_DB_PATH env var, but the NAS docker-compose volume mount is NOT yet wired. Persisting the db across container restarts is a deploy concern that R1-08 (Public deploy) must own — flagged in its triage update below.

PRs: pcblueprint-api#23 (squash-merged at 4a55e92) + pcblueprint-api#24 (docs-only CHANGELOG follow-up).

Downstream-impact triage (from the closing api session, applied here):

R1-02 — Login form + reset: scope unchanged, now unblocked on the R1-01 prereq. The /login path is already in the global bypass list, and the password_resets table is already provisioned in the schema. R1-02 just adds the EJS view at GET /login + the email-driven reset routes (POST /auth/forgot, GET /auth/reset/:token, POST /auth/reset/:token). Recommendation: no change. (Still gated on R1-04 for the EJS rendering layer.)
R1-03 — TOTP + rate limiting: the rate limiter must specifically wrap POST /auth/login — it's now public-by-bypass and is the obvious brute-force target. The users.totp_secret column is already provisioned. Recommendation: no prompt change needed — current wording already specifies the correct routes.
R1-08 — Public deploy: scope addition needed. R1-01 made AUTH_DB_PATH configurable but did NOT touch docker-compose.yml on the NAS at /volume2/docker/api/compose.yaml. R1-08 must add a volume mount so .data/auth.db persists across container restarts. Recommendation: update R1-08 prompt — bullet added in this commit.
R1-09 — Observability minimum: /healthz is already in the bypass list, so R1-09 just adds the handler. No change.
Any session that touched src/middleware/auth.ts directly: that file no longer exists — its logic moved into src/middleware/requireAuth.ts as checkLegacyBearer. None of the remaining sessions reference it directly, but worth knowing.

Closing checklist split: the api session opened PR #24 with the ### Increment entry in pcblueprint-api/CHANGELOG.md (api-side step). This tile + the COMPLETED_SESSIONS bump + the R1-08 prompt update are the meta-side step. First R1 session shipped — the chain is moving.

2026-04-25 ~22:30

🔀 R1-01..R1-03 auth rescoped from website to api

Caught a real bug just before starting R1-01. The S-META-02 rebrand renamed S20a/b/c → R1-01/02/03 and updated the session header + branch name, but didn't fix the prompt bodies. They still referenced Next.js concepts (/api/login page routes, Vercel Postgres, Next middleware, "every page" framing) that don't match R1's actual stack — under R1, the archive HTML lives in pcblueprint-api served via EJS, and auth has to live there too.

This was the kind of "downstream impact triage" step that should have happened in S-META-02's closing checklist; it slipped through. Caught now, fixed cleanly before the session starts.

What changed:

New idempotent helper helpers/_rescope_r1_auth.js. Sentinel = string "R1 RESCOPE 2026-04-25" embedded in each rewritten prompt's RELEASE NOTE.
R1-01 prompt rewritten for Express: pnpm add argon2 better-sqlite3 cookie-parser; auth DB at .data/auth.db; service in src/services/auth.ts; Express routes POST /auth/login + POST /auth/logout; middleware src/middleware/requireAuth.ts with bypass list and HTML/JSON content-type branching for redirect-vs-401; vitest tests in src/__tests__/. Curl-based manual smoke checklist included. Prereqs note updated to "no prereqs (R1-01 starts the R1 chain)".
R1-02 prompt rewritten: EJS views (views/login.ejs, views/reset-request.ejs, views/reset-form.ejs, views/email/reset-email.ejs) instead of React pages. Express routes GET/POST /login, GET/POST /reset-password, POST /auth/request-reset, POST /auth/complete-reset. Resend integration unchanged. No-enumeration on /auth/request-reset preserved. Title updated to "Auth — Login Form + Password Reset (Resend)". Prereqs now R1-01 + R1-04 (R1-04 = the EJS rendering layer this session adds views into).
R1-03 prompt rewritten: views/account.ejs + intermediate 2FA login view. Express routes for change-password / session revoke / sign-out-everywhere / 2FA enroll-verify-disable / login-2fa second-step. Added rate limiting via express-rate-limit (10/min on login, 3/min on reset) — not in the original S20c scope but landed here since it's the same touch points. Title updated to "Auth — Account Settings UI + Optional 2FA + Rate Limiting".
SESSIONS array: R1-01, R1-02, R1-03 entries' repos field flipped from ["website"] → ["api"]. Titles for R1-02/R1-03 updated. Branch names unchanged.

Implication for the wider plan: the role of pcblueprint-website shrinks further. Under R1 it has zero sessions touching it (auth was the last website-resident work item). The repo stays dormant until R3 visual identity, when a "Tailwind on EJS" or "extract a Next.js frontend" call is made with real R1+R2 usage data informing the choice.

PRs: none — meta change. Single commit on pcblueprint-meta: helper + runbook HTML + prompts_line.txt mirror.

Impact on tasks: R1-01..R1-03 are now self-consistent and ready to start. Prereq rewrites also landed inline: R1-02 prereqs ["R1-01"] → ["R1-01", "R1-04"], R1-03 prereqs ["R1-01", "R1-02"] → ["R1-01", "R1-02", "R1-04"] — both depend on R1-04's EJS rendering layer for their views. The Next-ready widget will now correctly hold R1-02 / R1-03 back until R1-04 ships. No other sessions are affected — R1-04..R1-09 already pointed at pcblueprint-api from the start (they were defined fresh under R1, not rebranded from older S* sessions).

2026-04-25 ~22:00

🎬 S-META arc closed: meta repo + release plan live

End of the four-session meta arc that promoted the runbook to its own repo, restructured the work into R0–R4 releases, and added a release-grouped UI on top. From this point forward, "next pickup" is unambiguous (Next-ready widget surfaces it; default is R1-01).

What shipped across S-META-01..04:

S-META-01 — pcblueprint-meta repo created at github.com/apcanario/pcblueprint-meta; runbook deployed at apcanario.github.io/pcblueprint-meta via GitHub Pages workflow. Replaces the prior zip-and-transfer sync flow.
S-META-02 — runbook restructured under R0–R4. Idempotent helper _restructure_releases.js: dropped 9 Next.js+MUI scaffolding sessions, renamed S20a–c→R1-01..03 (auth pulled forward), added R1-04..R1-09 with full prompts, retagged everything else, rewrote affected prereqs. PRD updated. Subtitle bumped 55→52.
S-META-03 — UI rework. Release tabs at top of Tasks pane (R0/R1/R2/R3/R4 with done counts), filter the phase grid below. Next-ready widget auto-computes (walks releases R0→R4, picks first ready session). Recruiter view replaced with 5 release-level outcome cards showing real completion. Stale NEXT_RECOMMENDED.id = "S07a" cleared.
S-META-04 — polish. README updated with live URL, helper inventory, R0–R4 status table. Stale helpers/prompts_line.txt mirror removed (canonical lives at repo root). This closing tile.

Recommended next pickup: R1-01 — Auth core (Argon2id + sqlite sessions + JWT cookies). It's the start of R1, gates the whole release, and is the session the Next-ready widget surfaces by default. ~60 min, single repo (pcblueprint-website in the prompt — though the actual implementation may move to pcblueprint-api under the R1 server-rendered approach; flag at session-time if a re-scope is needed).

What's NOT done (deliberately deferred):

R3 sessions — visual identity work is undefined. Decision waits for real R1+R2 usage data so the framework choice (Tailwind-on-EJS vs Next.js extraction) is informed, not pre-locked.
Auto-fire on PR merge — the runbook doesn't yet auto-kick the next session when a PR merges. One-PR-per-session human checkpoint preserved per S01 rules. Future S-META if Pedro wants it.
Recruiter-view drill-down — clicking a release card doesn't expand into its sessions yet. Flat outcome list is fine for a first cut.
Sidebar heading — still says "Phases" in normal mode. Could become release-aware. Cosmetic, low priority.
Pages action versions — pinned to current latest (checkout@v4, upload-pages-artifact@v3, deploy-pages@v4). Node-24-compatible bumps to be revisited around May 2026 before the June 2026 forced cutover.

PRs: none — three commits on pcblueprint-meta main: 21f0aee (initial), f6520e0 (S-META-02 restructure), 94f8cfd (S-META-03 UI), plus this S-META-04 commit. All deployed via the auto-Pages workflow.

Impact on tasks: none directly. Every numbered session retains its prompt content; only IDs / release tags / prereqs were rewritten. The R1-01..R1-09 prompts are fresh and ready to be picked up.

2026-04-25 ~21:00

🧱 Runbook restructured under R0–R4

Executed S-META-02 — the structural rewrite of the runbook that implements the release plan landed earlier today (see the "🎯 Product re-focusing" tile below). One PR-style commit; runbook still loads cleanly; _extract.js works on every new ID.

What landed:

New idempotent helper helpers/_restructure_releases.js. Re-running is a no-op (sentinel = presence of R1-01 in PROMPTS).
Every kept session in the SESSIONS array now carries a release: "R0" | "R1" | "R2" | "R4" field. R0=25 sessions (foundation, mostly done), R1=9, R2=15, R4=3. R3 sessions will be defined at R3 kickoff.
9 sessions dropped from SESSIONS + PROMPTS: S07a, S07b, S08a, S08b, S08c, S09a, S09b (Next.js+MUI scaffolding superseded by R1-04..R1-07), and S18a, S18b (folded into R1-08).
3 auth sessions renamed: S20a→R1-01, S20b→R1-02, S20c→R1-03. Prompt bodies retained, branch names updated, "RELEASE NOTE (2026-04-25): pulled forward to R1" header inserted.
6 new sessions added with full prompts: R1-04 (HTML rendering layer + EJS base layout), R1-05 (archive index pages), R1-06 (per-domain detail pages), R1-07 (search + tag filter), R1-08 (public deploy on Cloudflare tunnel or Fly.io), R1-09 (observability minimum).
Prereq rewrites: S11a, S13b, S12 had old refs to dropped sessions cleaned up; S19a–c (R4) marked with waitingFor: "R3 visual identity sessions to be planned" so the Next-ready widget never surfaces them prematurely.
Subtitle + progress text bumped 55 → 52 sessions (55 - 9 dropped + 6 added; 3 renames don't change count).
📍 Status as of tile rewritten: recommended next pickup is R1-01 (Auth core).
PRD updated (history/PROJECT-PRD.md): added a "Release plan (2026-04-25 pivot)" section with the R0–R4 mapping table; marked EPIC 7/8/9 as ❌ DROPPED, EPIC 17 as 🔁 FOLDED → R1-08, EPIC 19 as 🔁 MOVED → R1-01..R1-03, all with one-line rationales. Re-rendered into the embedded 📋 PRD pane via _embed_prd.js.

What's still on S-META queue: S-META-03 (release tabs in the 📌 Tasks pane + "Next ready" widget + recruiter-view rework to show release-level outcomes instead of the 52-row session grid) and S-META-04 (Pages action version bump + final polish).

PRs: none (runbook + helpers + PRD only — single commit on pcblueprint-meta main branch). The closing-checklist memo refers approximately to ~line 1986 in older prompts and ~line 2135 in newer ones; both are approximate (the line shifts with every completion). Future Claude sessions should grep for const COMPLETED_SESSIONS rather than chase the line number.

Impact on tasks: the largest structural rewrite the runbook has had. Every not-yet-done session was touched in some way (release tag, prereq update, or rename). All shipped sessions (S00–S06a) untouched. COMPLETED_SESSIONS array unchanged.

2026-04-25 ~19:00

🎯 Product re-focusing: MVP-driven release plan

Why: Pedro flagged that the current 37-session arc is "everything, everywhere, all at once" — Next.js, MUI, Tailwind, Emotion, custom auth, mobile responsiveness, chat backend and frontend all interleaved with no shippable intermediate before ~S20. That's not an agile shape. It also risks a messy foundation: frontend choices made before the archive's display surface has been pressure-tested with real use; visual polish blocking functional access. The fix is to parcel work into deliverable releases with a strict "default styling first, dazzle last" discipline.

What changed:

Five-release structure replaces the flat session list:
- R0 — Foundation (largely shipped). Archive bucket tree, API CRUD, sessions log, prod sync. Remaining: close S06b (waiting on vendor) + S06c/d.
- R1 — Private Archive Browser: read-only, server-rendered HTML directly from the API, default browser CSS only, real auth (Argon2id + Resend) from day one. No Next.js, no MUI, no Tailwind. Pedro logs in at a public URL and browses every archive bucket with semantic HTML and link-throughs.
- R2 — AI Chat over the archive: stateless 3-verb (WRITE / QUERY / EXPORT) chat layered on top, same default-CSS philosophy. <form> posting to /chat, results rendered server-side, vanilla-JS SSE for streaming. No React.
- R3 — Visual identity: branding, typography, color, charts. Tailwind-vs-Next.js call deferred to R3 kickoff once we have real usage data.
- R4 — Mobile + offline: responsive 375px viewport, drawer, optional PWA install + offline-read.
Auth pulled forward to R1: S20a–c (Argon2id + sqlite sessions + Resend email + optional TOTP) become R1-01..R1-03. Archive is private from first public deploy — no APP_PASSWORD-only window.
Sessions dropped (Next.js+MUI scaffolding superseded): S07a, S07b, S08a, S08b, S08c, S09a, S09b. Replaced by R1-04..R1-09 (HTML rendering layer, archive index pages, record detail pages, search/tag filters, public deploy, observability minimum). Their original prompts assumed a stack we're moving away from — easier to rewrite than to patch.
Sessions rewritten (frontend bits, same intent): S11a/b/c — replace React chat panel + streaming UI + editable preview with EJS templates and <50 lines of vanilla JS.
Sessions retained, retagged to R2: S10a–d (chat backend, already aligned with the 2026-04-25 stateless 3-verb pivot), S13a–b (file upload), S14a–c (write/read/export tools), S15a–b (Anthropic SDK + transaction audit log).
Sessions moved to R4: S19a–c (mobile responsive — comes after visual identity exists).

Tasklist site → its own repo: the Blueprint Tasks/ folder gets promoted to a new GitHub repo pcblueprint-meta, replacing the manual zip-sync flow. Holds the runbook HTML, helpers, PROJECT-PRD source. Deployed via GitHub Pages so the recruiter view becomes a shareable URL instead of a file. Becomes the fourth pcblueprint repo (api, archive, sync, meta).

Runbook chaining work: sessions get a new release: 'R0'..'R4' field; UI groups by release with done/total counts per tab; new "Next ready" widget computes the highest-priority session whose prereqs are all merged and surfaces it as a one-click action. One-PR-per-session preserved — small reviewable commits remain non-negotiable per S01 rules; what disappears is the "what's next?" hunt, not the merge gate.

Execution sequence (meta-sessions, before R1-01 starts):

S-META-01 — promote folder to pcblueprint-meta repo (git init + README + Pages workflow + initial commit + push).
S-META-02 — write idempotent helper _restructure_releases.js; run it to renumber sessions, add release field, drop S07a–S09b, add R1-04..R1-09 prompts, migrate COMPLETED_SESSIONS to new IDs.
S-META-03 — runbook UI: release tabs, "Next ready" widget, recruiter-view rework (release-level outcomes instead of 55-row grid).
S-META-04 — GitHub Pages deploy + repo README; verify recruiter URL works.

Plan record: full plan saved to ~/.claude/plans/ok-let-s-ask-some-fluttering-donut.md (approved 2026-04-25). PRD will be reorganized under R0–R4 headings as part of S-META-02; _embed_prd.js re-renders the embedded section automatically.

Impact on tasks: all not-done sessions are affected. The renumbering is the largest structural rewrite the runbook has had. The recruiter-readable framing improves substantially: a release-level outcome list is a stronger portfolio signal than a flat 55-row checklist.

2026-04-25 ~17:00

🌙 End-of-day summary

Long working session. Three substantive workstreams progressed; one paused on external dependencies; the runbook itself was substantially redesigned. Logged here as a single index entry pointing at the per-workstream tiles below.

S06b — Sync Worker deploy: 4 PRs landed (workflow, lockfile, dead-code, cross-repo lockfile audit) + NAS phase 2 infra (shared pcblueprint docker network, api stack rejoin, sync compose + env template). Final step (fill .env + docker compose up -d) paused on Zepp password reset + Strava email change. See "🚧 S06b in flight" tile below.
Chat architecture pivot: realized mid-session that the chatbot was the wrong frame — it's a stateless 3-verb (WRITE/QUERY/EXPORT) command interface, not a conversational agent. PRD updated, 11 affected session prompts patched, new S14c (Export Tools) added. See "🧭 PRD pivot" tile below.
Runbook redesign: tabs + sidebars + WCAG sizing + tiles + new 📐 Approach tab + new color palette + settings cog + reversible recruiter view (with two iterations — first cut had a baseline-leak bug Pedro caught). See "🎨 Runbook UI overhaul" + "👁 Recruiter view becomes a proper toggle" tiles below.

Process notes (worth preserving):

The standing closing-checklist rule fires on session merges; it does NOT fire on out-of-scope work like infra refactors. Pedro had to remind me twice today to log significant out-of-scope changes here. Adopting as a personal rule: any work session that materially changes the runbook, helpers, palette, or shared protocols gets a tile, regardless of whether a session merged.
The recruiter-view first-cut bug (left DEFAULT_DONE hardcoded while clearing only localStorage) is a good example of where rapid execution outran the design — Pedro's catch saved a half-broken feature from shipping. The post-mortem fix simplified the model AND the standing rule. Net win.
The "this is becoming bigger than I expected" → tabs decision was the right inflection point. Pulling the trigger before the single-scroll layout became unmanageable kept the document navigable as it grew into a portfolio piece.

Open at end of day: S06b waiting on credentials. 34 other not-done sessions are picked-from-able. Recommended next pickup: S07a (~30m, unblocks the website + chatbot frontend chain).

2026-04-25 (across day)

🚧 S06b in flight: image pipeline + NAS shell ready, awaiting vendor credentials

Why this is in flight, not done: S06b is an end-to-end deploy session covering code → image → NAS infra → container start. Each piece needs the prior to land. Today the first three pieces shipped; the fourth (container start) needs Pedro's Zepp/Strava credentials before docker compose up -d can run.
Shipped (4 PRs + 1 NAS reconfig):
- pcblueprint-sync#5: GHA publish workflow mirroring pcblueprint-api's docker.yml exactly. Image now builds + pushes to ghcr.io/apcanario/pcblueprint-sync:latest on every merge to main, multi-arch.
- pcblueprint-sync#6: Missing package-lock.json — first build failed because the Dockerfile uses npm ci which requires one. Added.
- pcblueprint-sync#7: Removed dead getActivities() Zepp function that imported a never-defined ZeppActivity type — long-standing tsc failure that surfaced now that CI actually runs the build.
- pcblueprint-archive#11: Cross-repo lockfile audit during S06b found the same gap in archive's import scripts (loose reproducibility for the migration/import scripts). Fixed.
- NAS phase 2: created shared external docker network pcblueprint; recreated pcblueprint-api stack joined to it (~5s Cloudflare 502 window during recreate); appended pcblueprint-sync to Watchtower's command: list; scaffolded /volume2/docker/sync/compose.yaml + .env template (mode 0600). API_TOKEN auto-pulled from /volume2/docker/api/compose.yaml via inline grep — never piped through chat.
Pending: 5 secret values in /volume2/docker/sync/.env — ZEPP_EMAIL, ZEPP_PASSWORD, STRAVA_CLIENT_ID, STRAVA_CLIENT_SECRET, STRAVA_REFRESH_TOKEN (plus optional ALERT_WEBHOOK_URL). Pedro waiting on Zepp password reset email + Strava email change. Once received, fill the values and run cd /volume2/docker/sync && /usr/local/bin/docker compose -p pcblueprint-sync up -d.
New runbook UI capability spawned by this: 4th session status "waiting" with amber styling and inline "Waiting on:" reason. Marked S06b accordingly so it reads as paused-on-vendor-info, not blocked-on-prereqs. Convention saved to memory runbook_waiting_status.md.
Downstream triage: only 3 sessions depend on S06b — S06f (direct), S16a (direct, but the api side is independent so prereq is relaxable), S12 (transitive via S06f). 34 sessions remain pickable while S06b waits. Net cost of the wait: low.
Closing checklist (post-merge protocol) will fire when S06b actually completes (i.e. container running and verified end-to-end with a successful Zepp/Strava ingest commit landing in the archive). Until then the session sits in "waiting" status.

2026-04-25 ~16:30

👁 Recruiter view becomes a proper toggle

Why: the first cut of the recruiter-view button cleared localStorage but left DEFAULT_DONE (the hardcoded baseline of completed sessions) intact. Result: clicking "Reset" still showed S00–S06a as done, defeating the purpose. Pedro caught this immediately.
What changed:
- Renamed DEFAULT_DONE → COMPLETED_SESSIONS for semantic clarity ("what the project has shipped" vs "default state").
- Recruiter view is now a flag persisted at localStorage["pcblueprint-runbook-recruiter-mode-v1"]. When set, loadState() returns {} — ignoring BOTH the project's completion record AND any in-flight UI toggles. Both are preserved (nothing destroyed) and re-apply when the flag is cleared.
- Removed the BACKUP_KEY + backup/restore-of-localStorage dance — unnecessary now that recruiter view is non-destructive. Removed the bootstrapInitialState() function — also unnecessary; COMPLETED_SESSIONS covers the same ground without re-seeding localStorage.
- Standing rule simplified: post-merge HTML done-flip used to require dual-writing to DEFAULT_DONE AND the bootstrapInitialState seed. Now: just append the session id to COMPLETED_SESSIONS. Single location, no drift risk.
- Migrated existing prompts: 38 not-done session prompts had the old dual-write instruction baked into their closing checklist. Updated in place via idempotent helper helpers/_update_closing_checklist_to_v2.js. _append_closing_checklist.js + _patch_chat_architecture.js updated so any future prompt additions emit the v2 text.
- Memory record closing_checklist_rule.md updated to reflect the simpler protocol.
Verification: ⚙️ → Reset → task grid now shows everything as not-done (Tasks sidebar still populates phases). Banner appears, Restore brings the project's completion record + UI toggles back exactly as they were. Refresh the page while in recruiter view and the flag persists — banner re-appears on load.
PRs: none — runbook HTML + helpers + memory only.
Impact on tasks: zero. Pure architecture cleanup. Future closing-checklist execution gets simpler (one location to edit instead of two).

2026-04-25 ~15:00

🎨 Runbook UI overhaul: tabs, sidebars, palette, Approach tab

Why: the runbook outgrew the simple-tasklist framing it started with. Pedro flagged he wanted to send this to recruiters as a portfolio piece, which raised the polish bar — single-scroll layout with collapsed <details> blocks no longer cut it. Needed a navigable, accessible, brand-consistent doc shell.
What changed:
- Tabbed app-shell layout: 5 panes (📌 Tasks · 📋 PRD · 📒 Changelog · 🤝 Handoff · 📐 Approach) replace the prior <details> blocks. Header + tabs stay fixed; the active pane scrolls inside itself. URL-hash sync (#prd, #approach, etc.), arrow-key navigation, ARIA tablist roles.
- Auto-populated sidebar nav per pane: scans the active pane for [data-anchor] elements, builds a sticky list, highlights the current section via IntersectionObserver, smooth-scrolls inside the pane on click.
- WCAG-AA sizing pass: body 14→16px, notice/tabs/cards proportionally up, line-height 1.55+. No new fonts, no library.
- Tile-based content blocks across Handoff, Changelog, and Approach (6 tiles each) — visual grouping, monospace date label, consistent spacing.
- New 📐 Approach tab (recruiter-readable, ~600 words): "What this is", "How to read this document" (5/15/30-min reading guide), "What this demonstrates" (product strategy / AI orchestration / IA / technical decisions / iteration discipline / docs as deliverable), "What I learned", "About me".
- New color palette: cool blue-black gradient (#0b0c14 → #dedede) replaces the prior near-neutral grays. Brand accents: salmon #cf2754 (notices, blockers, danger) and cyan-teal #0eb3c2 (active tab, ready badges, focus rings, sidebar highlights). Status pastels: mint, yellow, blue-gray. 17 unique hex values total, all on-theme.
- Header swap: 📘 Blueprint — Project Documentation as the title; pcblueprint — Session Runbook · 55 sessions across 4 repos demoted to subhead.
- Emoji peppering across tab labels and section headings — adds visual rhythm without injecting an icon library.
- Helper bug fix: _embed_prd.js had a stale var(--surface, ...) reference (a variable that has never been defined in this stylesheet) — every PRD <pre> block was silently rendering on the hardcoded fallback. Now uses var(--bg-elevated). Other dead fallbacks (#2a2a2e, #6b6bff, #aaa) cleaned out for future palette changes.
New convention: Changelog entries from this point forward include HH:MM alongside the date. Backfilling old entries with fake times was rejected as dishonest.
PRs: none — runbook HTML + _embed_prd.js only. Lives in Blueprint Tasks/, which is the source of truth (Pedro syncs by zip-and-transfer between machines).
Impact on tasks: zero. Pure documentation-shell work; no session prompts changed; no numbered-session prereqs touched. Sidebar/anchors infrastructure is generic — any future tile or section that wants to appear in the sidebar just needs a data-anchor attribute.

2026-04-25 (late)

🧭 PRD pivot: chatbot reframed as stateless 3-verb task interface

Why: mid-session (during S06b's deploy pause) Pedro clarified the chat's intended UX: "every chat is a one and done. i open the website and enter a journal entry, the chat reads that as a journal entry, archives it, tags it, names it, done… etc." This is fundamentally different from the conversational-chatbot framing in the original PRD (EPIC 10/11/14/15) which assumed multi-turn dialogue with persistent history. The original framing would have built ~4 sessions of work on the wrong shape.
What changed in the PRD:
- Vision + North-star: "store, browse, expand, and converse with" → "store, browse, expand, and act on". Chat described as a stateless natural-language interface with three verbs (WRITE / QUERY / EXPORT), with concrete examples of each.
- New "Chat architecture" section codifies the 3-verb model, the WRITE contract (intent classification → parse → multi-domain split proposal → tag-vocabulary lookup → 3-way duplicate detection → confirm preview → response with file links), the QUERY contract (always cite sources; web_search fallback for medical reference ranges), the EXPORT contract (universal filename convention; .zip for source-files, never .tar.gz), and the 3-layer cost ceiling.
- EPIC 10 (Chatbot Backend): dropped session_id from request body; chat is a stateless task endpoint; added get_tag_vocabulary read tool; explicit response-shape contract {saved_path, github_url, viewer_url, tags_applied} for every write tool.
- EPIC 11 (Chatbot Frontend): dropped localStorage persistence; UI becomes command-bar + result-panel + deliverable-download slot, not a chat thread. Editable per-domain preview replaces yes/no confirm. Dedup outcomes + multi-domain split surface in the preview.
- EPIC 14 (renamed: Chatbot Tool Surface, S14a–c): scope expanded to cover ALL active user-data buckets (not just the curated 5 examples). Added S14c — Export Tools (~40 min, new session). Added web_search read tool. Likely api gaps to fill enumerated (identity context PATCH, patterns POST, tag vocabulary POST, raw record POST).
- EPIC 15 (renamed: Real Chat Provider + Audit Log, S15a–b): S15b's scope completely replaced — was "Server-Side Conversation Persistence" (sqlite chat history); now "Transaction Audit Log" (sqlite log of every chat task — verb, intent, tools, tokens, cost — for debugging and accountability, not chat continuity). S15a model defaults changed to Haiku 4.5 with Sonnet 4.6 escalation. Three-layer cost ceiling spelled out.
- Cross-cutting non-goals: explicitly added "conversational chat with persistent history" and "chat writes to system buckets (_legacy/, meta/, scripts/, claude-code-prompts/)".
- Roadmap structure: 54 → 55 sessions.
What changed in the runbook: 10 affected session prompts (S10a/b/c, S11a/c, S13a, S14a/b, S15a/b) carry an "ARCHITECTURE PIVOT (2026-04-25)" block before their closing checklist. New session S14c added to SESSIONS array + PROMPTS object. S15a's prereqs extended to include S14c. Subtitle + progress text bumped to 55 sessions. All applied via idempotent helper helpers/_patch_chat_architecture.js.
PRs: none — runbook + PRD update only. Operational record kept in memory chat_architecture_three_verbs.md.
Impact on tasks: S10a, S11a, S15a, S15b have meaningfully different scopes than originally written; future Claude Code sessions opening those prompts will see the pivot block at the top and adjust accordingly. No task is blocked by the pivot.

2026-04-25

🚀 S06a shipped: archive bidirectional sync

Pedro can now push to pcblueprint-archive from his laptop and the NAS clone catches up within ten minutes via a container-side cron — no more silently-rejected commitArchive() pushes after a manual edit. Real merge conflicts ping ALERT_WEBHOOK_URL instead of failing silently. PR pcblueprint-api#22.

2026-04-25 (late)

🔭 Full-vision scope-out (S13–S20)

Why: after the prod reconciliation closed all infrastructure gaps, Pedro asked what's still missing for the full vision: chat with records, upload to them via chat (binary files included), browse them on a phone over the public internet with a proper login. The existing roadmap (S07–S12) covers ~70% but leaves gaps.
What: 16 new sub-sessions added in 7 phases, slotted after S12.
- S13a/b — File Upload pipeline (multipart api endpoint + drop-zone UI + chat attach_file tool). The api is JSON-only today; you can't upload PDFs/photos/audio.
- S14a/b — Expanded chat tool surface (write tools for memories/chronology/medical/blueprint/imaging; read tools for every domain; cross-domain orchestrators for queries like "dad's memories where I'm mentioned").
- S15a/b — Real chat provider (Anthropic SDK replacing the stub; sqlite-backed conversation persistence so history survives across phone + laptop).
- S16a/b — Observability + backup (standardized webhook alerting, /healthz endpoint, daily off-site tarball snapshot).
- S18a/b — Public deploy (Vercel + cookie domain + DNS).
- S19a/b/c — Mobile responsive pass (sidebar drawer, charts/DataGrid reflow, chat keyboard-aware UX).
- S20a/b/c — Real auth (argon2id user schema replacing single APP_PASSWORD; email-based password reset via Resend; account settings UI + optional TOTP 2FA). Critical: must land before S18 — never deploy publicly with the placeholder shared password.
PRs: none — runbook update only.
Impact on tasks: total session count 33 → 49. Suggested execution order after S12 close-out: S20 (auth) → S19 (mobile) → S13 (uploads) → S14 (tools) → S15 (real provider) → S16 (observability) → S18 (public deploy). The auth + mobile work has to land before the public deploy, full stop.

2026-04-25

🛠️ Prod reconciliation + path realign

Why: smoke test of commitArchive() revealed the NAS archive was frozen 41 commits behind GitHub at pre-S01 state (commit 0c12945), and the api's PATHS constants still pointed at pre-S01 paths that no longer exist. Container had never successfully written to the archive.
What: Rotated GitHub PAT, fixed git remote URL format, pulled archive 41 commits forward, added apcanario to docker group, chgrp'd docker socket, chowned archive bind mount to node, baked safe.directory + ownership entrypoint into the api Dockerfile, realigned every PATHS constant + hardcoded archive path across src/** for the post-S01 bucket tree (writing/, records/, etc.), updated tests. Verified end-to-end with a live POST that committed + pushed to GitHub.
PRs: apcanario/pcblueprint-api#21 (realign + Dockerfile fix).
Impact on tasks: foundation sessions S06a–S06d were inserted into the runbook to close remaining gaps (bidirectional sync, sync worker deploy, infra hardening, memoir endpoints). All downstream tasks now assume a working prod archive.

2026-04-24 → 2026-04-25

📝 CHANGELOG backfills across all four repos

Why: CHANGELOG.md in api + archive + sync had drifted many sessions behind. Agreed with Pedro mid-session that CHANGELOG stays current per session rather than being deferred to S12.
What: Backfilled entries for S04b..S05c in api; S02a..S04d in archive; S04d in sync. Added a standing "keep CHANGELOG current" memory rule for future sessions.
PRs: pcblueprint-api#20, pcblueprint-archive#10, pcblueprint-sync#3.
Impact on tasks: S12 — Cross-Repo Docs Sweep no longer has to backfill — scope reduces to verifying consistency across repos.

2026-04-25

📘 Sync worker deploy docs rewrite

Why: pcblueprint-sync README assumed git-clone-onto-NAS + docker compose up -d --build. Api has long since moved to image-based deploy via ghcr.io + Watchtower; sync should match.
What: Rewrote Setup + Updating sections to describe image-based deploy at /volume2/docker/sync/, fixed the stale pcblueprint.env reference.
PR: pcblueprint-sync#4.
Impact on tasks: docs lead the implementation — the deploy path is documented, but the infrastructure (GHA workflow, Watchtower list, compose file) to actually follow it is S06b.

2026-04-24

🧹 Local repo cleanup + branch pruning

Why: Local clones had stale branches for merged PRs + one superseded feature branch (reorganize-archive-structure in archive) that had been abandoned on the remote.
What: Fast-forwarded main across all 4 repos; deleted local stale branches; pruned remote-tracking refs. Cloned pcblueprint-sync locally for the first time.
Impact on tasks: none — pure hygiene.

📐 A short, recruiter-readable framing of what this is, how to read it, and what it demonstrates. Five-minute version of the entire document.

🎯 What this is

pcblueprint is a private, web-accessible system for storing, browsing, expanding, and acting on a single person's full life record — biographical text, medical history, fitness data, journal entries, memoirs, identity context. The interface is a Next.js web app; the storage layer is markdown + JSON files in a versioned git repository; the agentic layer is a stateless natural-language interface that classifies user intent into one of three verbs (WRITE · QUERY · EXPORT) and dispatches to typed tools.

The "user" is one person — me. The system runs on a Synology NAS in my home, exposed publicly via a Cloudflare tunnel, with a continuous deploy chain (GitHub Actions → ghcr.io → Watchtower) that lets me ship code from my laptop and see it land in production in under five minutes.

This document is the project's outer shell. The runbook (📌 Tasks) lists every implementation session; the 📋 PRD captures the product reasoning; the 📒 Changelog records the iteration loop; the 🤝 Handoff is the operational onboarding for a fresh AI session. This 📐 Approach tab is the meta layer for an outside reader.

🧭 How to read this document

If you have 5 minutes:

Stay on this 📐 Approach tab — it's the executive summary.
Glance at 📋 PRD § Vision + North-star user experience for the product framing in 200 words.

If you have 15 minutes, add:

📒 Changelog — the iteration story. The architectural pivots are documented with the original framing, the user observation that triggered the rethink, and the surgical changes propagated downstream.
🤝 Handoff §Status + §Standing rules — operational maturity at a glance.

If you have 30+ minutes:

📋 PRD end-to-end — the full product spec, 19 epics with outcomes + acceptance criteria.
📌 Tasks — every individual implementation session. Click any card to read the actual prompt that drove it. The Closing checklist at the bottom of each prompt is the standing protocol that fires after every merge.

💡 What this demonstrates

Skills the project surfaces by virtue of the work itself, not by claim:

🎯 Product strategy. The 3-verb chat architecture (write / query / export) wasn't the original design — it emerged mid-project when the use cases became concrete. The pivot is documented in the Changelog with the prior framing, the user-observation that triggered the rethink, and the surgical changes propagated across 11 affected sessions.
🤖 AI orchestration. The implementation is built session-by-session by Claude Code (Anthropic's CLI) running locally, with custom skills, hooks, and MCP servers. The runbook is the orchestration interface — each card is a self-contained prompt. A standing closing-checklist rule fires after every merge and runs a 3-step protocol: persist completion, write a scrum-master-style increment narrative, re-evaluate downstream tasks.
🗂️ Information architecture. The archive's bucket model (records/, writing/, raw/, source-files/, _legacy/, etc.) was the foundation for everything downstream — paths, route helpers, type safety, deduplication contracts, the chat's WRITE-verb scope. Getting it right early saved a multi-session refactor later.
⚙️ Technical decision-making. When the chat needed an LLM provider, the decision wasn't "Anthropic" — it was a structured trade-off across availability, cost predictability, vendor lock-in, and quality-per-dollar. The conversation is recorded in the Changelog, with the chosen path (Anthropic prepaid + 3-layer cost ceiling) and the alternatives I rejected (open-weight via OpenRouter, local Ollama on a GPU box).
🔁 Iteration discipline. Every session ends with three protocol steps: state flip in the runbook, scrum-master-style increment paragraph in the per-repo CHANGELOG, and a downstream-impact triage of remaining sessions. This is encoded in every prompt and verified per merge.
📚 Documentation as deliverable. This document is the deliverable. The product is a side effect.

🌱 What I learned

The hardest part of LLM-driven development isn't the LLM — it's keeping a coherent specification across N sessions when the architecture is still moving. The runbook + PRD + memory pattern emerged as the answer.
Cost ceilings need to be in three layers (vendor / app / per-request). Any one alone is breakable; all three together are effectively uncrossable.
"Conversational AI" was the wrong frame for this product. It's a command interface in natural language — closer to a CLI than to a chatbot. Recognizing this saved several sessions of implementation against the wrong shape.
Auto-tagging from a canonical vocabulary beats free-text tags every time. Search degrades fast without it.
Treating an AI agent as a remote senior engineer — with onboarding (the Handoff tab), conventions (standing rules), explicit prompts (the runbook), and feedback loops (the closing checklist) — is more productive than treating it as a code completion engine.

👋 About me

Pedro Canário · Senior Director of UX Design by trade. This project is me treating AI orchestration as a UX problem: the prompts are the design system, the runbook is the product roadmap, and the agent is a teammate that needs onboarding, conventions, and feedback loops. What you see is what happens when a designer leans into the parts of engineering that are about clarity, sequencing, and protocol — and uses an AI senior engineer for the parts that aren't.

If you want to talk about this — building AI-orchestrated systems, designing for agentic interfaces, or hiring someone who can think across product · design · engineering — apcanario@gmail.com.

📍 Status as of 2026-04-25

💻 Machine / working context

🐙 GitHub (via gh CLI)

🖥️ NAS (Synology DS423+ — the production server)

🐳 Docker projects on the NAS (Container Manager → Project)

📜 Standing rules (follow strictly — encoded in every session prompt too)

pcblueprint — Project PRD

Vision

North-star user experience

System map

Roadmap structure

Chat architecture (codified 2026-04-25)

Release plan (2026-04-25 pivot)

EPIC 0 — Precursor Work (pre-runbook foundation)

Outcome

What was done

Why this matters

Acceptance criteria (retrospective)

Caveats discovered later

EPIC 1 — Manual Binary Prep

Outcome

User story

Acceptance criteria

Out of scope

EPIC 2 — Archive IA + Migration

Outcome

User stories

Acceptance criteria

Out of scope

Sessions

EPIC 3 — API Path Realign (S04a–c)

Outcome

Acceptance criteria

Caveat

EPIC 4 — Hardening / Backlog (S04d–h)

Outcome

Sessions + status

Acceptance criteria

EPIC 5 — API CRUD Gaps (S05a–c)

Outcome

Acceptance criteria

EPIC 6 — Prod Stability & API Sync (S06a–f)

Outcome

Sub-sessions

Acceptance criteria

Out of scope

EPIC 7 — Website Homepage (S07a–b) — ❌ DROPPED 2026-04-25

Outcome

User stories

Acceptance criteria

EPIC 8 — Website Archive Docs (S08a–c) — ❌ DROPPED 2026-04-25

Outcome

Acceptance criteria

Out of scope

EPIC 9 — Website Activity Detail (S09a–b) — ❌ DROPPED 2026-04-25

Outcome

Acceptance criteria

EPIC 10 — Chatbot Backend (S10a–d)

Outcome

Acceptance criteria

Out of scope

EPIC 11 — Chatbot Frontend (S11a–c)

Outcome

Acceptance criteria

EPIC 12 — Cross-Repo Docs Sweep (S12)

Outcome

Acceptance criteria

Note

EPIC 13 — File Upload Pipeline (S13a–b) — new

Outcome

User stories

Acceptance criteria

Out of scope

EPIC 14 — Chatbot Tool Surface (S14a–c) — new

Outcome

User stories

Acceptance criteria

EPIC 15 — Real Chat Provider + Audit Log (S15a–b) — new

Outcome

Acceptance criteria

🐙 GitHub (via `gh` CLI)