IDENTITY

title: "Sprint S001 — Post-TICKET_031 Deliverables"
type: manifest
purpose: "Rule taxonomy update for TICKET/PROMPT/LOG triplet, smoke test ticket, secrets scrub ticket, and audit log governance."

GOVERNANCE

status: READY_FOR_EXECUTION
sprint: "S001_base_and_mvp1"
last_updated: "2026-03-14 20:00"
copyright: "© 2026 STRUXIO.ai"

POST-TICKET_031 DELIVERABLES


PART 1: RULE UPDATE — Markdown Taxonomy (TICKET/PROMPT/LOG Triplet)

FILE EDIT: STRUXIO_Logic/rules/RULE_markdown_taxonomy.md

Update frontmatter: Change last_updated to "2026-03-14".

Replace Section 1 "Core Prefixes" with:

## 1. Core Prefixes
* **`RULE_`** | **Laws & Prompts:** Dictates behavior, coding standards, system prompts.
* **`BLUEPRINT_`** | **Architecture:** Describes how a system *should* be built.
* **`STATE_`** | **Current Reality:** Describes what *is currently* built or tracks dynamic variables.
* **`TICKET_`** | **Execution Plans:** Formal task specification from the Architect to the Coder Swarm. Contains objective, constraints, acceptance criteria, execution steps, and rollback plan.
* **`PROMPT_`** | **Coder Directives:** The formatted instruction payload handed to Roo Code / Sonnet 4.6. Derived from one or more TICKETs. This is what the Founder pastes into Monitor 2.
* **`LOG_`** | **Execution Summaries:** The result report returned from the Coder Swarm after execution. Contains status, files changed, test results, empirical proof, and open issues. This is what the Founder pastes back to Monitor 1 for Architect review.
* **`MANIFEST_`** | **Setup Instructions:** Ordered sequence of file creates, file edits, and terminal commands. Executed top-to-bottom to initialize a sprint or environment.
* **`SKILL_`** | **Agent Capabilities:** Localized tools and scripts for agent execution.

### 1.1 The Sprint Triplet Pattern
Every ticket execution produces a triplet of files in the sprint folder:

| File | Purpose | Created By |
| :--- | :--- | :--- |
| `TICKET_NNN_Name.md` | The plan | Architect (Monitor 1) |
| `PROMPT_NNN_Name.md` | The Roo Code instruction | Architect (Monitor 1) |
| `LOG_NNN_Name.md` | The execution result | Founder (pasted from Monitor 2) |

All three files share the same `NNN` number and live in the same sprint folder (e.g., `STRUXIO_OS/03_tickets/sprints/S001_base_and_mvp1/`).

Detailed audit logs (full stdout, raw terminal traces) go to `STRUXIO_OS/work-in-progress/hot_logs/` and are strictly gitignored.

### 1.2 Suffix Convention for Multi-Phase Tickets
If a ticket has distinct setup and execution phases, use letter suffixes:
* `LOG_031A_Sprint_Setup.md` — setup phase result
* `LOG_031B_Sledgehammer_Cleanup.md` — main execution result

The suffix is ONLY for LOGs. The TICKET and PROMPT keep the base number.

PART 2: RULE UPDATE — Audit Log Governance

FILE EDIT: STRUXIO_Logic/rules/RULE_dev_execution.md

Add new Section 8 at the end (after the Two-Monitor Protocol section added earlier):

# 8. AUDIT LOG GOVERNANCE

### 8.1 The Two-Tier Log Architecture
* **Tier 1 — Sprint Logs (`LOG_NNN_*.md`):** Human-readable summaries in the sprint folder. Committed to Git. Contains: status, files changed, test results, empirical proof snippet, open issues.
* **Tier 2 — Audit Logs (`work-in-progress/hot_logs/`):** Full terminal stdout/stderr, raw traces, verbose test output. Gitignored. Ephemeral — cleared at sprint boundary or retained for debugging.

### 8.2 Log Integrity Rule
The AI is forbidden from self-declaring success without empirical proof. The LOG file MUST contain actual terminal output (not a prediction of what the output should be). If the Founder cannot independently verify the claim from the LOG content, the ticket is not closed.

### 8.3 Smoke Test Mandate
For any ticket that modifies runtime behavior (frontend rendering, WebSocket connections, API endpoints, Docker services), the Coder Swarm MUST execute a runtime smoke test AFTER the build passes. A green `npm run build` proves compilation; it does NOT prove the application works. The smoke test must produce empirical proof that the live system responds correctly (e.g., `curl` response, browser console screenshot, WebSocket handshake log).

PART 3: TICKET_032 — Secrets Scrub & Key Rotation

FILE CREATE: STRUXIO_OS/03_tickets/sprints/S001_base_and_mvp1/TICKET_032_Secrets_Scrub.md

---
# IDENTITY
title: "Secrets Scrub — Purge Plaintext Keys from Git History"
type: ticket
subtype: security
purpose: "Remove plaintext service account key from STRUXIO_OS git history and rotate compromised credentials."

# GOVERNANCE
status: PLANNED
priority_index: 1
budget_cap: "$0.10"
assigned_agent: "Coder Swarm (Claude Sonnet 4.6)"
approved_by: "Principal Architect (Claude Opus 4.6)"
sprint: "S001_base_and_mvp1"
depends_on: ["TICKET_031"]
last_updated: "2026-03-14 20:00"
---

# TICKET_032: Secrets Scrub — Purge Plaintext Keys from Git History

## 1. OBJECTIVE

Remove `01_state/struxio-vertex-service-account.json` from the entire Git history of STRUXIO_OS. After this ticket, the file must not appear in any commit, branch, or reflog.

## 2. CONSTRAINTS

* This requires a force-push to `main`. All team members must `git clone` fresh after.
* The Hetzner server copy must also be re-cloned.
* The actual `.json` file on disk should be preserved (it's gitignored now) but the KEY MUST BE ROTATED in Google Cloud Console by the Founder.

## 3. ACCEPTANCE CRITERIA

- [ ] AC-1: `git log --all --full-history -- 01_state/struxio-vertex-service-account.json` returns zero commits.
- [ ] AC-2: `git log --all --full-history -- 01_state/infrastructure_secrets.yaml` returns zero commits (scrub this too if found).
- [ ] AC-3: Fresh clone of STRUXIO_OS contains neither file in any commit.
- [ ] AC-4: Founder confirms Google Vertex service account key has been rotated in Google Cloud Console.

## 4. EXECUTION PLAN

[QUICK-CHECK]: Files: git history only. No cross-boundary impact. Proceed.

### Step 1: Install git-filter-repo (if not present)
```bash
pip install git-filter-repo --break-system-packages
```

### Step 2: Run the scrub
```bash
cd ~/STRUXIO_Workspace/STRUXIO_OS
git filter-repo --path 01_state/struxio-vertex-service-account.json --invert-paths --force
git filter-repo --path 01_state/infrastructure_secrets.yaml --invert-paths --force
```

### Step 3: Re-add remote and force push
```bash
git remote add origin git@github.com:STRUXIO-ai/struxio-os.git
git push origin main --force
```

### Step 4: Verify
```bash
git log --all --full-history -- 01_state/struxio-vertex-service-account.json
# Expected: no output
```

### Step 5: Re-clone on Hetzner
```bash
ssh root@89.167.96.154
cd ~/STRUXIO_Workspace
rm -rf STRUXIO_OS
git clone git@github.com:STRUXIO-ai/struxio-os.git STRUXIO_OS
```

## 5. FOUNDER ACTION REQUIRED (Cannot be delegated to AI)

After this ticket completes:
1. Go to Google Cloud Console → IAM → Service Accounts
2. Find the STRUXIO Vertex service account
3. Delete the old key
4. Generate a new key
5. Save the new key to `STRUXIO_OS/01_state/struxio-vertex-service-account.json` on both local machine and Hetzner
6. Update any services that reference this key (LiteLLM config, etc.)

## 6. ROLLBACK

If force-push breaks anything, the pre-filter-repo state is preserved in Git reflog for 90 days. But the safest approach: take a full backup of the `.git` directory before running filter-repo.

---
> **STRUXIO.ai** // Confidential & Proprietary // Generated by Claude Opus 4.6 // © 2026
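
To check AC-1 through AC-3 of TICKET_032 mechanically, the following added example (not part of the ticket or of the STRUXIO repository) counts the commits that ever touched a path and the blobs that still hold key material anywhere in reachable history, which also catches a copy committed under a different path. The function names, the `"private_key"` marker (a field present in Google service-account JSON keys), and the demo repository with its fake key are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): history-level checks for a secrets scrub.

# Number of commits on any ref that ever touched PATH (the AC-1 / AC-2 query).
commits_touching() {  # usage: commits_touching <repo> <path>
  git -C "$1" log --all --full-history --format=%H -- "$2" | wc -l | tr -d ' '
}

# Number of blobs reachable from any ref whose content contains MARKER.
# Catches key material that was copied or renamed to a path nobody scrubbed.
blobs_matching() {  # usage: blobs_matching <repo> <fixed-string>
  git -C "$1" rev-list --all --objects | cut -d' ' -f1 |
    git -C "$1" cat-file --batch-check='%(objectname) %(objecttype)' |
    awk '$2 == "blob" { print $1 }' |
    while read -r sha; do
      if git -C "$1" cat-file -p "$sha" | grep -F -- "$2" >/dev/null; then
        echo "$sha"
      fi
    done | wc -l | tr -d ' '
}

# PASS only if no listed path and no blob containing MARKER remains.
scrub_verified() {  # usage: scrub_verified <repo> <marker> <path>...
  repo=$1; marker=$2; shift 2
  for p in "$@"; do
    [ "$(commits_touching "$repo" "$p")" -eq 0 ] ||
      { echo "FAIL: $p still appears in history"; return 1; }
  done
  [ "$(blobs_matching "$repo" "$marker")" -eq 0 ] ||
    { echo "FAIL: key material still present in a blob"; return 1; }
  echo "PASS"
}

# Constructed demo repo: a fake key is committed, then removed with `git rm`.
# The working tree is clean afterwards, but the history is not.
make_leaky_repo() {  # usage: make_leaky_repo <new-dir>
  key=01_state/struxio-vertex-service-account.json
  git init -q "$1" && mkdir -p "$1/01_state"
  printf '{"type":"service_account","private_key":"CONSTRUCTED-NOT-A-KEY"}\n' > "$1/$key"
  git -C "$1" add -A
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid commit -qm "add key"
  git -C "$1" rm -q "$key"
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid commit -qm "remove key"
}
```

Run `scrub_verified` against a fresh clone with the marker `'"private_key"'` and both paths from AC-1 and AC-2. `git filter-repo` expires reflogs and repacks the repository after rewriting, so the `.git` backup described in section 6 has to be taken before Step 2.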

PART 4: TICKET_033 — Runtime Smoke Test

FILE CREATE: STRUXIO_OS/03_tickets/sprints/S001_base_and_mvp1/TICKET_033_Runtime_Smoke_Test.md

---
# IDENTITY
title: "Runtime Smoke Test — Verify DEVXIO Portal After Sledgehammer Cleanup"
type: ticket
subtype: verification
purpose: "Empirically prove the DEVXIO portal renders correctly and WebSocket connects after TICKET_031 changes."

# GOVERNANCE
status: PLANNED
priority_index: 2
budget_cap: "$0.10"
assigned_agent: "Coder Swarm (Claude Sonnet 4.6)"
approved_by: "Principal Architect (Claude Opus 4.6)"
sprint: "S001_base_and_mvp1"
depends_on: ["TICKET_031"]
last_updated: "2026-03-14 20:00"
---

# TICKET_033: Runtime Smoke Test

## 1. OBJECTIVE

Verify that the DEVXIO portal at `http://89.167.96.154:3002` actually loads and the WebSocket actually connects after the TICKET_031 changes. Build success ≠ runtime success.

## 2. ACCEPTANCE CRITERIA

- [ ] AC-1: `curl -s -o /dev/null -w "%{http_code}" http://89.167.96.154:3002` returns `200`.
- [ ] AC-2: `curl -s http://89.167.96.154:3002 | grep -c "<div"` returns a number > 0 (HTML rendered, not blank page).
- [ ] AC-3: The FastAPI bridge responds: `curl -s http://89.167.96.154:8002/health` returns a valid JSON response (or document the actual health endpoint).
- [ ] AC-4: Docker containers are all running: `docker ps --format "table {{.Names}}\t{{.Status}}"` shows all expected services as "Up".
- [ ] AC-5: No JavaScript console errors related to WebSocket. If Sonnet cannot access a browser, use `wscat` or a Python websocket client to verify the WS handshake:
  ```bash
  python3 -c "
  import asyncio, websockets
  async def test():
      try:
          async with websockets.connect('ws://89.167.96.154:8002/ws/execute') as ws:
              print('WS CONNECTED OK')
      except Exception as e:
          print(f'WS FAILED: {e}')
  asyncio.run(test())
  "
  ```

## 3. EXECUTION PLAN

[QUICK-CHECK]: No file changes. Read-only verification. Proceed.

### Step 1: Rebuild and restart Docker
```bash
cd ~/STRUXIO_Workspace/STRUXIO_OS
docker compose -f 02_infra/docker-compose.yml down
docker compose -f 02_infra/docker-compose.yml up -d --build
```

### Step 2: Wait for startup (30 seconds)
```bash
sleep 30
```

### Step 3: Run all smoke tests
Execute each AC check above. Paste raw terminal output.

### Step 4: If any AC fails
Do NOT attempt to fix. Report the exact failure output in the LOG file. The Architect will diagnose and generate a fix ticket.

## 4. DELIVERABLE

Paste all raw terminal output into the LOG. No interpretation — just the evidence.

---
> **STRUXIO.ai** // Confidential & Proprietary // Generated by Claude Opus 4.6 // © 2026

PART 5: SAVE THE LOGS

FILE CREATE: STRUXIO_OS/03_tickets/sprints/S001_base_and_mvp1/LOG_031A_Sprint_Setup.md

(Founder: paste the Task 1 result you shared earlier into this file)

FILE CREATE: STRUXIO_OS/03_tickets/sprints/S001_base_and_mvp1/LOG_031B_Sledgehammer_Cleanup.md

(Founder: paste the Task 2 result you shared above into this file)


PART 6: EXECUTION ORDER

  1. Founder NOW: Merge the TICKET_031 PR on GitHub. Save LOG files.
  2. Founder NOW: Rotate the Google Vertex service account key in Google Cloud Console (don't wait for TICKET_032).
  3. Sonnet NEXT: Execute TICKET_033 (smoke test) to verify runtime.
  4. Sonnet AFTER: Execute TICKET_032 (secrets scrub) — this is destructive (force-push), so do it after smoke test confirms everything works.
  5. Founder AFTER 032: Re-clone STRUXIO_OS on Hetzner. Place new rotated key.

— STRUXIO.ai // Sprint S001 Post-031 Deliverables // Generated by Claude Opus 4.6 // © 2026