@wipcomputer/wip-ldm-os 0.4.73-alpha.13 → 0.4.73-alpha.15

package/docs/doc-pipeline/README.md

@@ -0,0 +1,74 @@
+# Documentation Pipeline
+
+Documentation lives in three places. They stay in sync through the installer. This is not optional.
+
+## The Three Levels
+
+### 1. Repo Docs (source of truth)
+
+Every repo has documentation at its root and in `docs/` for features:
+
+```
+repo/
+├── README.md              What this repo is
+├── TECHNICAL.md           How it works
+├── SKILL.md               Agent instructions
+├── CLAUDE.md              Agent context for Claude Code
+├── docs/
+│   └── <feature>/
+│       ├── README.md      What this feature is
+│       └── TECHNICAL.md   How this feature works
+```
+
+When a feature gets absorbed into a repo, its README and TECHNICAL move into `docs/<feature>/`.
+
+Repo docs are the source of truth. Everything else is derived from them.
+
+### 2. Home Docs (human readable, personalized)
+
+Location: `~/wipcomputerinc/library/documentation/`
+
+These are personalized for YOUR system. "Here's how releases work on YOUR machine." Generated by the installer from repo doc templates + your `~/.ldm/config.json`.
+
+The human reads these. They describe how the system is set up on this specific machine, with this specific configuration.
+
+### 3. Agent Docs (OS reference)
+
+Location: `~/.ldm/shared/`
+
+```
+~/.ldm/shared/
+├── rules/               Thin rules deployed to ~/.claude/rules/
+├── dev-guide-*.md       Org-specific dev conventions
+├── boot/                Boot sequence config
+└── prompts/             Cron prompts
+```
+
+These are what agents reference. Rules, dev guide, boot config. The installer deploys them so agents always have current instructions.
+
+### 4. ai/ (development process)
+
+Location: `<repo>/ai/`
+
+Plans, bugs, research, dev updates. Private repo only. Never ships to public. Updated by the dev team (humans + AI agents) during development.
+
+## The Update Flow
+
+### On merge to private main
+
+1. **Repo docs** updated. README, TECHNICAL, docs/<feature>/, SKILL.md, CLAUDE.md. Part of the PR. Code and docs ship together.
+2. **ai/** updated. Plan archived, bugs closed, dev update written. Notes the version is on alpha.
+
+### On `ldm install`
+
+3. **Home docs** regenerated. Installer reads repo doc templates + config.json, generates personalized `library/documentation/` files.
+4. **Agent docs** deployed. Installer copies rules, dev guide, boot config from the installed package to `~/.ldm/shared/` and `~/.claude/rules/`.
+
+### On deploy to public
+
+5. **Public repo** updated. `deploy-public.sh` syncs everything except `ai/`.
+6. **ai/** dev update notes the version moved from alpha to release.
+
+## The Rule
+
+Three places, one update, never out of sync. The installer is the bridge between "code landed" and "docs are current everywhere." Developers write repo docs. The installer propagates them. Nobody manually updates home docs or agent docs.

package/docs/doc-pipeline/TECHNICAL.md

@@ -0,0 +1,79 @@
+# Documentation Pipeline: Technical Details
+
+## File Paths
+
+### Repo doc templates (in the LDM OS repo)
+
+```
+shared/docs/*.md.tmpl           Templates for home docs
+shared/rules/*.md               Source for agent rules
+shared/boot/                    Boot sequence config
+```
+
+Templates use placeholders from `~/.ldm/config.json` (workspace path, agent names, org name, etc.).
+
+### Installed locations
+
+```
+~/.ldm/config.json                       Org config (agents, paths, co-authors)
+~/.ldm/shared/rules/*.md                 Agent rules (source for ~/.claude/rules/)
+~/.ldm/shared/dev-guide-*.md             Org dev guide
+~/.ldm/shared/boot/                      Boot sequence config
+~/.ldm/shared/prompts/                   Cron prompts
+~/.ldm/templates/                        CLAUDE.md templates, install prompt, etc.
+~/wipcomputerinc/library/documentation/  Personalized human docs (from templates)
+~/.claude/rules/                         Deployed rules (copied from ~/.ldm/shared/rules/)
+~/.claude/CLAUDE.md                      Level 1 global (generated from template + config)
+```
+
+### What ldm install deploys
+
+| Source | Destination | When |
+|--------|------------|------|
+| `shared/rules/*.md` | `~/.ldm/shared/rules/` then `~/.claude/rules/` | Every install |
+| `shared/docs/*.md.tmpl` | `~/wipcomputerinc/library/documentation/` | Every install |
+| `shared/boot/` | `~/.ldm/shared/boot/` | Every install |
+| `shared/prompts/` | `~/.ldm/shared/prompts/` | Every install |
+| `shared/templates/` | `~/.ldm/templates/` | Every install |
+
+**Known bug (April 2026):** The installer currently deploys shared rules on `ldm init` (first install) but not on every `ldm install`. This means rule updates in new versions don't propagate until the user re-initializes. This needs to be fixed so rules deploy on every install.
+
+**Known bug (April 2026):** The installer previously deployed home docs to `settings/docs/`. This path was renamed to `library/documentation/` on March 28, 2026. The installer must deploy to the correct path.
+
+## How templates work
+
+Home doc templates at `shared/docs/*.md.tmpl` contain placeholders:
+
+```
+Workspace: {{workspace}}
+Agents: {{agents}}
+```
+
+The installer reads `~/.ldm/config.json`, substitutes the placeholders, and writes the personalized docs to `~/wipcomputerinc/library/documentation/`.
+
+## CLAUDE.md cascade
+
+Three levels. Claude Code reads all of them, walking up from CWD:
+
+```
+Level 1: ~/.claude/CLAUDE.md              Global. ~30 lines. Universal rules.
+Level 2: ~/wipcomputerinc/CLAUDE.md       Workspace. ~150 lines. Org context.
+Level 3: <repo>/CLAUDE.md                 Per-repo. ~50-86 lines. Repo-specific.
+```
+
+After context compaction, CWD may shift to a repo. Without Level 3, all context is lost. Every repo must have a CLAUDE.md.
+
+## Config paths (correct as of April 2026)
+
+References in CLAUDE.md and rules must use absolute paths:
+
+| Reference | Correct path |
+|-----------|-------------|
+| Org config | `~/.ldm/config.json` |
+| Dev guide | `~/.ldm/shared/dev-guide-wipcomputerinc.md` |
+| Human docs | `~/wipcomputerinc/library/documentation/` |
+| Agent rules | `~/.ldm/shared/rules/` (source) or `~/.claude/rules/` (deployed) |
+| Workspace CLAUDE.md | `~/wipcomputerinc/CLAUDE.md` |
+| Global CLAUDE.md | `~/.claude/CLAUDE.md` |
+
+NOT `settings/config.json`. NOT `settings/docs/`. Those paths are from before the March 28 rename.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.73-alpha.13",
+  "version": "0.4.73-alpha.15",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {

package/shared/rules/git-conventions.md

@@ -14,11 +14,11 @@ Always use a branch and PR.
 
 ## Co-authors on every commit
 
-List all contributors. Read co-author lines from `settings/config.json` in your workspace.
+List all contributors. Read co-author lines from `~/.ldm/config.json` coAuthors field.
 
 ## Branch prefixes
 
-Each agent uses a prefix from `settings/config.json` agents section. Prevents collisions.
+Each agent uses a prefix from `~/.ldm/config.json` agents section. Prevents collisions.
 
 ## Worktrees
 
@@ -30,4 +30,4 @@ For private/public repo pairs, all issues go on the public repo.
 
 ## On-demand reference
 
-Before doing repo work, read `~/wipcomputerinc/settings/docs/how-worktrees-work.md` for the full worktree workflow with commands.
+Before doing repo work, read `~/wipcomputerinc/library/documentation/how-worktrees-work.md` for the full worktree workflow with commands.

package/shared/rules/release-pipeline.md

@@ -39,4 +39,4 @@ Installed tools are for execution. Repo clones are for development. Use the inst
 
 ## On-demand reference
 
-Before releasing, read `~/wipcomputerinc/settings/docs/how-releases-work.md` for the full pipeline with commands.
+Before releasing, read `~/wipcomputerinc/library/documentation/how-releases-work.md` for the full pipeline with commands.

package/shared/rules/security.md

@@ -2,7 +2,7 @@
 
 ## Secret management
 
-Use your org's secret management tool (configured in settings/config.json). Never hardcode API keys, tokens, or credentials.
+Use your org's secret management tool (configured in `~/.ldm/config.json`). Never hardcode API keys, tokens, or credentials.
 
 ## Security audit before installing anything
 

package/shared/rules/workspace-boundaries.md

@@ -22,4 +22,4 @@ Installed tools are for execution. Repo clones are for development. Use the inst
 
 ## On-demand reference
 
-For the full directory map, read `~/wipcomputerinc/settings/docs/system-directories.md`.
+For the full directory map, read `~/wipcomputerinc/library/documentation/system-directories.md`.

package/shared/rules/writing-style.md

@@ -1,5 +1,5 @@
 # Writing Style
 
-Read writing conventions from your org's `settings/config.json` writingStyle section.
+Read writing conventions from `~/.ldm/config.json` writingStyle section.
 
 **Full paths in documentation.** Never truncate paths. Always show the complete path so there's no ambiguity.

package/src/hosted-mcp/demo/agent.html

@@ -0,0 +1,300 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+<title>Agent Access - Kaleidoscope</title>
+<style>
+*, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+
+:root {
+  --bg: #FFFDF5;
+  --text: #1a1a1a;
+  --text-muted: #8a8580;
+  --accent: #0033FF;
+  --input-bg: #F5F3ED;
+  --input-border: #E0DDD6;
+  --font: -apple-system, BlinkMacSystemFont, "SF Pro Text", system-ui, sans-serif;
+}
+
+body {
+  font-family: var(--font);
+  background: var(--bg);
+  color: var(--text);
+  -webkit-text-size-adjust: 100%;
+  -webkit-font-smoothing: antialiased;
+  line-height: 1.6;
+}
+
+.header {
+  position: sticky;
+  top: 0;
+  z-index: 100;
+  padding: calc(12px + env(safe-area-inset-top, 0px)) 20px 12px;
+  border-bottom: 1px solid rgba(0, 0, 0, 0.06);
+  background: rgba(255, 253, 245, 0.8);
+  -webkit-backdrop-filter: saturate(180%) blur(20px);
+  backdrop-filter: saturate(180%) blur(20px);
+  display: flex;
+  align-items: center;
+}
+
+.header a {
+  display: flex;
+  align-items: center;
+  text-decoration: none;
+}
+
+.container {
+  max-width: 640px;
+  margin: 0 auto;
+  padding: 16px 24px 80px;
+}
+
+h1 {
+  font-size: 28px;
+  font-weight: 700;
+  letter-spacing: -0.02em;
+  margin-bottom: 4px;
+}
+
+.subtitle {
+  font-size: 17px;
+  color: var(--text-muted);
+  margin-bottom: 40px;
+}
+
+p {
+  font-size: 15px;
+  line-height: 1.65;
+  color: #3a3a3a;
+  margin-bottom: 12px;
+}
+
+.link-box {
+  background: var(--input-bg);
+  border: 1px solid var(--input-border);
+  border-radius: 12px;
+  padding: 16px 20px;
+  font-size: 16px;
+  font-weight: 600;
+  color: var(--accent);
+  word-break: break-all;
+  user-select: all;
+  -webkit-user-select: all;
+  cursor: text;
+  margin-bottom: 12px;
+  text-align: center;
+}
+
+.note {
+  font-size: 15px;
+  color: #3a3a3a;
+  line-height: 1.65;
+  margin-bottom: 12px;
+}
+
+.agent-info {
+  background: var(--input-bg);
+  border: 1px solid var(--input-border);
+  border-radius: 12px;
+  padding: 16px 20px;
+  margin-bottom: 20px;
+  font-size: 14px;
+  line-height: 1.6;
+}
+
+.agent-info .label {
+  font-size: 12px;
+  color: var(--text-muted);
+  text-transform: uppercase;
+  letter-spacing: 0.5px;
+  margin-bottom: 4px;
+}
+
+.agent-info .value {
+  font-weight: 600;
+  color: var(--text);
+}
+
+.status {
+  font-size: 14px;
+  padding: 12px 16px;
+  border-radius: 10px;
+  display: none;
+  text-align: center;
+}
+
+.status.show { display: block; }
+.status.loading { background: #E8EEFF; color: var(--accent); }
+.status.error { background: #FFF0F0; color: #D32F2F; }
+.status.success { background: #F0FFF4; color: #2E7D32; }
+
+footer {
+  position: fixed;
+  bottom: 30px;
+  left: 0;
+  right: 0;
+  text-align: center;
+  font-size: 12px;
+  color: #b0aaa4;
+  line-height: 1.6;
+}
+</style>
+</head>
+<body>
+
+<div class="header">
+  <a id="navIcon" href="/demo/"></a>
+</div>
+
+<div class="container">
+  <h1>Agent Access</h1>
+  <p class="subtitle">You can't do Face ID. Your human can.</p>
+
+  <div id="agentInfo" style="display:none;">
+    <div class="agent-info">
+      <div class="label">Agent</div>
+      <div class="value" id="agentName"></div>
+    </div>
+    <div class="agent-info">
+      <div class="label">Passphrase</div>
+      <div class="value" id="agentMessage"></div>
+    </div>
+  </div>
+
+  <div id="linkSection" style="display:none;">
+    <div id="qrSection" style="text-align:center;margin-bottom:24px;"></div>
+    <p class="note">Send this link to your human. This is the link they open, not this page.</p>
+    <div class="link-box" id="approveUrl"></div>
+    <p class="note">Your human opens this link, sees your name and passphrase, and authorizes with Face ID. Expires in 5 minutes.</p>
+    <div class="status" id="status"></div>
+  </div>
+
+  <div id="loadingSection" style="display:none;">
+    <p class="note">Generating authorization link...</p>
+  </div>
+
+  <div id="missingParams">
+    <p class="note">If you are an AI agent, read the instructions at:<br><a href="/demo/agent.txt" style="color:var(--accent);">https://wip.computer/demo/agent.txt</a></p>
+    <p class="note" style="margin-bottom:12px;">If you are a human, send your agent this prompt:</p>
+    <div style="position:relative;background:var(--input-bg);border:1px solid var(--input-border);border-radius:12px;padding:16px 48px 16px 16px;font-size:14px;line-height:1.5;color:var(--text);">
+      <span id="promptText">Read https://wip.computer/demo/agent.txt and follow the instructions to authenticate with Kaleidoscope.</span>
+      <button onclick="copyPrompt()" id="copyBtn" title="Copy" style="position:absolute;top:12px;right:12px;background:none;border:none;padding:6px;cursor:pointer;color:var(--text-muted);opacity:0.5;transition:opacity 0.15s;-webkit-tap-highlight-color:transparent;"><svg width="20" height="20" viewBox="0 0 16 16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><rect x="5.5" y="5.5" width="8" height="8" rx="1.5"/><path d="M10.5 5.5V3.5C10.5 2.67 9.83 2 9 2H3.5C2.67 2 2 2.67 2 3.5V9C2 9.83 2.67 10.5 3.5 10.5H5.5"/></svg></button>
+    </div>
+  </div>
+
+  <div id="errorSection" style="display:none;">
+    <div class="status show error" id="errorMsg"></div>
+  </div>
+</div>
+
+<div id="kscope-footer" style="position:fixed;bottom:30px;left:0;right:0;text-align:center;"></div>
+<script src="/demo/footer.js"></script>
+
+<script>
+function copyPrompt() {
+  var text = document.getElementById('promptText').textContent;
+  navigator.clipboard.writeText(text);
+  var btn = document.getElementById('copyBtn');
+  btn.style.opacity = '1';
+  setTimeout(function() { btn.style.opacity = '0.5'; }, 200);
+}
+// ── Sprite icon ──
+var SPRITE_COLS = 8, SPRITE_ROWS = 3, SPRITE_TOTAL = 24;
+var navIdx = Math.floor(Math.random() * SPRITE_TOTAL);
+function updateNavIcon() {
+  var el = document.getElementById('navIcon');
+  if (!el) return;
+  var col = navIdx % SPRITE_COLS;
+  var row = Math.floor(navIdx / SPRITE_COLS);
+  var bgPosX = (col / (SPRITE_COLS - 1)) * 100;
+  var bgPosY = (row / (SPRITE_ROWS - 1)) * 100;
+  el.innerHTML = '<div style="width:28px;height:28px;overflow:hidden;"><div style="width:100%;height:100%;background:url(/demo/sprites.png);background-size:' + (SPRITE_COLS * 100) + '% ' + (SPRITE_ROWS * 100) + '%;background-position:' + bgPosX + '% ' + bgPosY + '%;"></div></div>';
+  navIdx = (navIdx + 1) % SPRITE_TOTAL;
+}
+updateNavIcon();
+setInterval(updateNavIcon, 6000);
+
+// ── Read query params ──
+var params = new URLSearchParams(window.location.search);
+var agentName = params.get('agent') || '';
+var agentMessage = params.get('message') || '';
+
+
+if (agentName) {
+  document.getElementById('agentName').textContent = agentName;
+  document.getElementById('agentMessage').textContent = agentMessage || '(none provided)';
+  document.getElementById('agentInfo').style.display = 'block';
+  document.getElementById('missingParams').style.display = 'none';
+  document.getElementById('loadingSection').style.display = 'block';
+}
+
+// ── Agent auth flow ──
+var challengeId = null;
+var pollTimer = null;
+
+function setStatus(msg, type) {
+  var el = document.getElementById('status');
+  el.textContent = msg;
+  el.className = 'status show ' + type;
+}
+
+async function startAgentAuth() {
+  try {
+    var authUrl = '/demo/api/agent-auth';
+    if (agentName) authUrl += '?agent=' + encodeURIComponent(agentName) + '&message=' + encodeURIComponent(agentMessage);
+    var res = await fetch(authUrl);
+    var data = await res.json();
+    if (!data.challengeId) throw new Error('Failed to generate challenge');
+
+    challengeId = data.challengeId;
+    var approveUrl = 'https://wip.computer/approve?c=' + challengeId;
+
+    var urlEl = document.getElementById('approveUrl');
+    urlEl.innerHTML = '<a href="' + approveUrl + '" style="color:#0033FF;text-decoration:none;word-break:break-all;">' + approveUrl + '</a>';
+    document.getElementById('loadingSection').style.display = 'none';
+    document.getElementById('linkSection').style.display = 'block';
+    setStatus('Waiting for authorization...', 'loading');
+
+    pollTimer = setInterval(pollStatus, 2000);
+
+    setTimeout(function() {
+      if (pollTimer) {
+        clearInterval(pollTimer);
+        pollTimer = null;
+        document.getElementById('linkSection').style.display = 'none';
+        document.getElementById('errorSection').style.display = 'block';
+        document.getElementById('errorMsg').textContent = 'Link expired. Refresh to generate a new one.';
+      }
+    }, 5 * 60 * 1000);
+
+  } catch (err) {
+    document.getElementById('loadingSection').style.display = 'none';
+    document.getElementById('errorSection').style.display = 'block';
+    document.getElementById('errorMsg').textContent = 'Error: ' + err.message;
+  }
+}
+
+async function pollStatus() {
+  if (!challengeId) return;
+  try {
+    var res = await fetch('/demo/api/agent-auth/status?c=' + challengeId);
+    var data = await res.json();
+    if (data.status === 'approved') {
+      clearInterval(pollTimer);
+      pollTimer = null;
+      sessionStorage.setItem('lesa-token', data.token);
+      sessionStorage.setItem('lesa-agent', data.agentId);
+      setStatus('Authorized. Entering Kaleidoscope...', 'success');
+      setTimeout(function() {
+        window.location.href = '/demo/';
+      }, 800);
+    }
+  } catch (e) {}
+}
+
+if (agentName) startAgentAuth();
+</script>
+</body>
+</html>

package/src/hosted-mcp/demo/agent.txt

@@ -0,0 +1,84 @@
+---
+name: kaleidoscope-agent-auth
+description: >
+  Agent authentication for Kaleidoscope. Like x402 but for login.
+  Agent sends a URL, human Sapien IDs, agent gets a token.
+license: MIT
+metadata:
+  display-name: "Kaleidoscope Agent Access"
+  homepage: "https://wip.computer/demo/"
+  author: "WIP Computer, Inc."
+  category: authentication
+---
+
+# Kaleidoscope Agent Access
+
+You need your human to let you in with Sapien ID.
+
+Pick a passphrase from your shared history. Your human sees it on the approval screen and knows it's really you.
+
+## If you can make HTTP requests (preferred)
+
+Fetch this URL:
+
+https://wip.computer/demo/api/agent-auth?agent=YOURNAME&message=PASSPHRASE
+
+Response: {"challengeId":"...", "approveUrl":"https://wip.computer/approve?c=..."}
+
+Send the approveUrl to your human. They open it and Sapien ID.
+
+Then poll for your token:
+
+https://wip.computer/demo/api/agent-auth/status?c=CHALLENGEID
+
+When approved: {"status":"approved", "token":"ck-...", "agentId":"..."}
+
+You get the token automatically. No need for the human to send it back.
+
+## If you cannot make HTTP requests
+
+Send your human this URL (replace YOURNAME and PASSPHRASE):
+
+https://wip.computer/approve?agent=YOURNAME&message=PASSPHRASE
+
+Your human opens it, Sapien IDs, and the page shows a token. They send the token back to you.
+
+## After auth
+
+Use the token as a header: Authorization: Bearer TOKEN
+
+### Check your wallet
+
+GET https://wip.computer/demo/api/wallet
+Authorization: Bearer TOKEN
+
+Response: {"balance":"$4.97","cost":"$0.01"}
+
+### Generate an image
+
+POST https://wip.computer/demo/api/imagine
+Authorization: Bearer TOKEN
+Content-Type: application/json
+
+{"prompt":"kaleidoscope of pirate flags and circuit boards, glowing gold, shot on expired 35mm film"}
+
+Response: {"url":"...","cost":"$0.01","balance":"$4.96"}
+
+The image costs $0.01 from your wallet. Your human already authorized this when they Sapien ID'd.
+
+### The full loop
+
+1. You read agent.txt
+2. You sent your human an approval URL with your passphrase
+3. They Sapien ID'd and sent you a token
+4. You checked your wallet
+5. You generated an image
+6. Balance updated
+
+Agent auth -> human approval -> wallet -> spend -> receipt. That's Kaleidoscope.
+
+### MCP
+
+POST https://wip.computer/mcp (OAuth 2.0 with PKCE, see /.well-known/oauth-authorization-server)
+
+One URL. One Sapien ID. One token.

package/src/hosted-mcp/demo/footer.js

@@ -0,0 +1,16 @@
+// Shared footer for all Kaleidoscope pages
+// Include with: <script src="/demo/footer.js"></script>
+(function() {
+  var footer = document.createElement('div');
+  footer.innerHTML = '<p style="color:#8a8580;font-size:15px;margin:0;">WIP Computer, Inc.</p>'
+    + '<p style="color:#a8a4a0;font-size:14px;margin:4px 0 0;">Learning Dreaming Machines</p>'
+    + '<p style="color:#a8a4a0;font-size:13px;margin:6px 0 0;">'
+    + '<a href="/demo/agent.txt" style="color:#a8a4a0;text-decoration:none;">Are you an AI Agent?</a> | '
+    + '<a href="/demo/privacy.html" style="color:#a8a4a0;text-decoration:none;">Privacy Policy</a> | '
+    + '<a href="/demo/tos.html" style="color:#a8a4a0;text-decoration:none;">Terms of Use</a></p>'
+    + '<p style="color:#b0aaa4;font-size:12px;margin:4px 0 0;">Made in California.</p>';
+  var target = document.getElementById('kscope-footer');
+  if (target) {
+    target.innerHTML = footer.innerHTML;
+  }
+})();