PROD ADMIN VIEW · READ-ONLY · WRITES STILL ON LOCAL
Resume this draft in a fresh Claude Code session
Owner: quangholio. Two ways to pick this up:
OPTION A — Bootstrap prompt (works for any operator, no slash command needed)
You are operating as the SiXiS Project Onboarding orchestrator brain (Claude) for a NON-TOMMY operator (no local SiXiS install — all substrate writes go through HTTP endpoints on dashboard.sixis.ai).
A user has initiated a new SiXiS project via the dashboard at https://dashboard.sixis.ai/new-project. They have provided this brain dump:
---
# Card 8 — Card 1b dispute / support inbox
**Prev card:** Card 7 (order book + trade execution) — shipped 2026-05-15.
**Cycle:** 879ca7b7 (Sweats v1 umbrella).
## What you start with
v1 trading platform spine is COMPLETE. Card 7 closeout flagged Card 1b
(dispute/support inbox) as the cleanest unblocked next-step. Compliance
trail (Card 4 audit_events) gives admins read-side visibility into what
happened; this Card gives users a write-side surface to flag issues +
admins a workflow to resolve them.
## Card 8 = Card 1b scope
- New `support` schema with `support.tickets` table covering:
- ticket_id, user_id, kind (enum: dispute / refund_request / kyc_issue
/ age_gate_problem / lost_funds / abuse_report / other), severity
(info/normal/urgent/critical), status (open / triage / in_progress
/ resolved / closed / wont_fix), subject, description, related fields
(related_transaction_id soft-FK, related_order_id soft-FK,
related_offering_id soft-FK), admin assignee, resolution notes,
timestamps.
- Users: `support.open_ticket` SECURITY DEFINER RPC + `public.open_ticket`
shim. User-scoped read via `public.get_my_tickets`.
- Admins: `support.update_ticket` SECURITY DEFINER RPC (status transitions
+ resolution_notes + assignee). `/api/support/admin/*` HTTP routes
behind LEDGER_ADMIN_TOKEN.
- Audit emission: every ticket event (opened, assigned, status_changed,
resolved) writes audit.events with source='support'.
- Notification stub: status_changed audit gives admin tools a hook for
future email/in-app notifications (out of scope for v1).
## Council questions to poll R1
1. Schema shape — separate tickets table or extend audit.events with a
ticket_status column?
2. Status state machine — open → triage → in_progress → resolved/closed,
or a flatter model?
3. Severity enum and SLA implications — should this card define SLA
timelines or defer?
4. PII handling — descriptions may contain PII; do we mark fields as
`sensitive=true` and exclude from anon-read shims by default?
5. Reopening — closed tickets can be reopened or treated as immutable?
6. Resolution-action linkage — when admin issues a refund or grant in
response, should the audit/ledger event auto-link to the ticket_id?
---
## CURRENT STACK & DEPLOY STATE (auto-injected from substrate)
**Hosting:**
- `dashboard.sixis.ai` → Vercel static export (`ui/`)
- `dashboard.sixis.ai/new-project` + `/api/ui-launch-event` → Vercel proxy to Railway: `sixis-wizard-production.up.railway.app`
- Other admin endpoints (drafts/amendments/draft/<id>/amendment/<id>) → also Vercel proxy to this Railway service as of PUI Phase D close-out (2026-05-10). Honor-system admin gate via ?owner= URL param. Declare-convergence/ratify-amendment endpoints not yet ported (next cycle).
**Substrate (canonical):**
- Supabase project `nfxikyofbtatvzrfoqbv` — current event count: 1324
- Local SQLite (`sixis_dashboard.db`) is an archive after Phase B replay caught up (2026-05-07). Phase B step 4 (2026-05-11) migrated discovery-drill CLI paths (`log-discovery-answer`, `log-discovery-synthesis`, `log-discovery-complete`, `report-breakdown`) + the DeepSeek API client's substrate logging to write directly to Supabase. Remaining SQLite-writing CLI paths sync up via the post-invoke mirror.
- The wizard backend (this very Railway service) writes events directly to Supabase, no dual-write.
**Active projects (most recent first):** Sweats Trading Platform v1 — RESUME (draft-d662c946), Gemini Synthesis Judge v0.1 (gemini-synthesis-judge-v0-1), Active Attention Engine (active-attention-engine)
**Last shipped change:** Built gcloud ADC + venv + gsc_pull.py demand-brief tool; tested end-to-end; scheduled task updated to pull GSC before Batch 3.
**Council relay discipline — CORRECTED MATRIX (ratified by Tommy 2026-05-11T02:14, Universal Shell amendment in flight):**
- `cross-poll` defaults `--auto-relay ON`. The orchestrator (Claude Code session) drives all brains directly. API/CLI is the PRIMARY path for the two non-browser brains; browser control is FOR THE TWO REMAINING BROWSER-ONLY BRAINS ONLY:
- **DeepSeek (voter)** → API via `deepseek_api_v0_1/sixis/deepseek_client.py` (`call_deepseek`). Browser fallback at chat.deepseek.com (Expert/DeepThink mode) ONLY when the API client returns `ok=False` with `fallback=browser`.
- **Gemini (judge + reviewer)** → CLI/API via `gemini-synthesis-judge-v0-1/` (and `gemini-cli-judge-wrapper-v0-1/`). No browser path needed.
- **GPT (voter)** → ChatGPT desktop app via computer-use MCP. New chat created INSIDE the "SiXiS" project folder (per per-project chat-thread rule).
- **Claude.ai (voter)** → claude.ai via Claude-in-Chrome MCP. New chat created INSIDE the SiXiS project folder.
- Tommy is NOT a packet-routing relay node. Pipeline: prompt DeepSeek first via API (longest reasoning), kick off GPT + Claude.ai in browser windows while DeepSeek streams, capture all three responses in any order they arrive.
**Ratification cadence (extended convergence rule, ratified 2026-05-07):**
- Genuine multi-brain convergence at any tier (1/2/3) = automatic ratification — orchestrator proceeds without explicit Tommy ask.
- "Doubt is the cross-poll trigger" — when orchestrator has uncertainty, fire a cross-poll, don't decide unilaterally and don't ask Tommy.
- Sovereign-only matters (red-line risks, irreversible data destruction, money movement, account creation) still always escalate.
**Discoveries fold into scope (rule established 2026-05-07):** anything surfaced during this drill that's adjacent and relevant folds INTO the project's scope by default — don't punt to followups unless folding shifts the tier.
Wizard IDs (use these in the curl POSTs below — DO NOT change them):
- draft_id: 89ca4a19-c1a8-4d7e-88dc-df8f84d2a9e7
- cycle_id: 37245c60-914e-443b-bede-66a36fe09099
- owner: ask the user which operator they're acting as (e.g. "quangholio") and use that value verbatim — DO NOT default to "tommy"
## Your job
Per FORCED_RULE_PO_01 (Conversational Discovery Drill), drill the user ONE QUESTION AT A TIME.
The internal checklist below is YOUR scaffolding — NOT an interrogation script for the user. Pick the most upstream open question, ask it, listen, let the answer pivot/collapse/deepen the queue.
Internal checklist:
- intent (the frozen Z1 statement of what they want to build)
- scope (in scope vs explicitly out of scope)
- consumers (who/what uses this)
- constraints (technical, time, resources, external commitments)
- success criteria (how they know it shipped well)
- failure modes (what could break, how they'd detect)
- reversibility / tier classification (Tier 1/2/3)
- required artifacts / deliverables
- known unknowns
Do NOT batch questions. Do NOT pre-load 5+ at once. Per FORCED_RULE_PO_01 this is a hard rule from the project's own Cycle Zero.
## Substrate logging (HTTP, no local CLI required)
After EACH user answer, log it to substrate via curl:
```
curl -sS -X POST https://dashboard.sixis.ai/api/log-discovery-answer \
-H "Content-Type: application/json" \
-d '{"draft_id": "89ca4a19-c1a8-4d7e-88dc-df8f84d2a9e7", "cycle_id": "37245c60-914e-443b-bede-66a36fe09099", "question": "<the question you asked>", "answer": "<their answer>", "owner": "<operator>"}'
```
When you reach pollable sufficiency (the council can disagree productively without first asking what the project is), summarize the sharpened intent and ask the user to confirm. Then log the synthesis:
```
curl -sS -X POST https://dashboard.sixis.ai/api/log-discovery-synthesis \
-H "Content-Type: application/json" \
-d '{"draft_id": "89ca4a19-c1a8-4d7e-88dc-df8f84d2a9e7", "cycle_id": "37245c60-914e-443b-bede-66a36fe09099", "synthesis_text": "<your sharpened-intent summary>", "owner": "<operator>"}'
```
After the user confirms the synthesis, mark discovery complete:
```
curl -sS -X POST https://dashboard.sixis.ai/api/log-discovery-complete \
-H "Content-Type: application/json" \
-d '{"draft_id": "89ca4a19-c1a8-4d7e-88dc-df8f84d2a9e7", "cycle_id": "37245c60-914e-443b-bede-66a36fe09099", "owner": "<operator>"}'
```
Then propose firing the council cross-poll. (Council cross-poll endpoints are not yet HTTP-exposed; for now, the user will need to surface to Tommy/admin to fire R1+R2. This is a known gap — see draft f8b196a0 next phase.)
## Error handling
If anything crashes, the user reports a wizard issue, or you encounter a malformed/unworkable state mid-drill, log a breakdown:
```
curl -sS -X POST https://dashboard.sixis.ai/api/report-breakdown \
-H "Content-Type: application/json" \
-d '{"draft_id": "89ca4a19-c1a8-4d7e-88dc-df8f84d2a9e7", "cycle_id": "37245c60-914e-443b-bede-66a36fe09099", "description": "<what went wrong>", "severity": "blocking", "owner": "<operator>"}'
```
The user can also report breakdowns from the dashboard "⚠ Report friction" button (bottom-right corner of any wizard page).
## Verifying writes landed
Each curl returns JSON like `{"ok": true, "event_id": "..."}` on success or `{"error": "..."}` on failure. ALWAYS check the response. If a write fails, surface the error to the user immediately and DO NOT proceed to the next question — the substrate must reflect every Q&A for the council to deliberate from.
You can verify substrate state any time by fetching:
```
curl -sS https://dashboard.sixis.ai/draft/89ca4a19-c1a8-4d7e-88dc-df8f84d2a9e7?owner=<operator>
```
Returns the live event timeline rendered as HTML; grep for "discovery_answer_logged" / "discovery_synthesis_logged" / "wizard_step_completed" to confirm.
Paste into any fresh Claude Code chat — Claude runs the discovery drill on the brain dump.
OPTION B — Slash-command shortcut (Tommy's setup only — needs ~/.claude/commands/sixis-pickup.md installed)
Original input from /new-project. Stored as raw evidence per FORCED_RULE_PO_02; never edited in place.
# Card 8 — Card 1b dispute / support inbox
**Prev card:** Card 7 (order book + trade execution) — shipped 2026-05-15.
**Cycle:** 879ca7b7 (Sweats v1 umbrella).
## What you start with
v1 trading platform spine is COMPLETE. Card 7 closeout flagged Card 1b
(dispute/support inbox) as the cleanest unblocked next-step. Compliance
trail (Card 4 audit_events) gives admins read-side visibility into what
happened; this Card gives users a write-side surface to flag issues +
admins a workflow to resolve them.
## Card 8 = Card 1b scope
- New `support` schema with `support.tickets` table covering:
- ticket_id, user_id, kind (enum: dispute / refund_request / kyc_issue
/ age_gate_problem / lost_funds / abuse_report / other), severity
(info/normal/urgent/critical), status (open / triage / in_progress
/ resolved / closed / wont_fix), subject, description, related fields
(related_transaction_id soft-FK, related_order_id soft-FK,
related_offering_id soft-FK), admin assignee, resolution notes,
timestamps.
- Users: `support.open_ticket` SECURITY DEFINER RPC + `public.open_ticket`
shim. User-scoped read via `public.get_my_tickets`.
- Admins: `support.update_ticket` SECURITY DEFINER RPC (status transitions
+ resolution_notes + assignee). `/api/support/admin/*` HTTP routes
behind LEDGER_ADMIN_TOKEN.
- Audit emission: every ticket event (opened, assigned, status_changed,
resolved) writes audit.events with source='support'.
- Notification stub: status_changed audit gives admin tools a hook for
future email/in-app notifications (out of scope for v1).
## Council questions to poll R1
1. Schema shape — separate tickets table or extend audit.events with a
ticket_status column?
2. Status state machine — open → triage → in_progress → resolved/closed,
or a flatter model?
3. Severity enum and SLA implications — should this card define SLA
timelines or defer?
4. PII handling — descriptions may contain PII; do we mark fields as
`sensitive=true` and exclude from anon-read shims by default?
5. Reopening — closed tickets can be reopened or treated as immutable?
6. Resolution-action linkage — when admin issues a refund or grant in
response, should the audit/ledger event auto-link to the ticket_id?
Event timeline (5)
Every event tagged with this draft_id, in chronological order.
CLAUDE Round 1 response for draft 89ca4a19-c1a8-4d7e-88dc-df8f84d2a9e7: "**Claude.ai R1 — Card 8 support inbox**
(1) Separate support.tickets table (audit.events is append-only/immutable; tickets are mutable — conflating breaks both invariants).
(2) open → triage → in_prog…"