publish-poietic-life

Metadata

Status	abandoned ‖ paused
Agent identity	`f51439356729d112a6c404803d88015d5b44832c6c584c62b96732b63c2b0c7e`
Created	2026-05-02T02:57:36.356473438+00:00
Started	2026-05-02T02:58:29.367521173+00:00
Tags	`grant,urgent,trace-publish,landing-page`, `eval-scheduled`

Description

Make the workgraph that coordinates poietic.life development (the landing page repo) browsable as a live demo at ulivo.poietic.life. Same pattern as the incorporation trace publish (~/poietic.life/notes/incorporation-trace-published-20260501.md) but for the landing-page repo's workgraph state.

Source: ~/poietic.life/.wg/

Target: bot@ulivo.poietic.life:www/wg/feeds/poietic-life/ → public URL https://ulivo.poietic.life/wg/feeds/poietic-life/index.html

This adds a SECOND live workgraph trace to the public surface, strengthening the dogfooding claim ('we use this on our own work') with concrete evidence on the landing-page repo specifically.

What to do (mirror incorporation-trace-publish pattern)

1. Working copy

cp -r ~/poietic.life/.wg /tmp/wg-poietic-life-publish (do NOT modify the original).

2. PII / secrets scrub

poietic.life work likely has LESS PII than incorporation (no SSNs/EINs needed for landing page). But check defensively:

SSNs (\b\d{3}-\d{2}-\d{4}\b)
Phone numbers
Founder home addresses (3 known from incorporation scrub)
API keys / tokens / OAuth secrets that may have leaked into chat history (look for sk-, ghp_, AKIA, JWT shapes, Bearer )
AWS / GCP / GitHub credentials in .env-shape strings
The 3 known address strings from the incorporation scrub
EIN 41-5104395

Use the same Python regex approach as /tmp/wg-incorp-scrub.py if available; copy and adapt. Scrub in source JSONL files, not in rendered HTML.

3. Render HTML

wg --dir /tmp/wg-poietic-life-publish html --out /tmp/wg-poietic-life-html (NO --chat flag).

4. Verify zero leaks

Grep rendered HTML for every PII pattern above. If any hit, STOP and report. Do NOT push.

5. nginx dotfile rename

Per the prior incorporation publish: nginx returns 403 for dot-prefixed URLs. Apply the same rename + href-rewrite step on the rendered output before rsyncing.

6. Show touched pages for review

If anything was scrubbed, dump the post-scrub excerpts to the task log.

7. Rsync

rsync -av --delete /tmp/wg-poietic-life-html/ bot@ulivo.poietic.life:www/wg/feeds/poietic-life/

8. Verify publication

curl -sI https://ulivo.poietic.life/wg/feeds/poietic-life/index.html → expect 200 OK.

9. Report

Write ~/poietic.life/notes/poietic-life-trace-published-20260501.md (under 600 words):

Public URL
Counts of redactions per category
Verification grep results (should all be 0)
Any surprises

wg log a one-paragraph summary on this task.

Constraints

Do NOT modify ~/poietic.life/.wg/. Work on the copy.
Do NOT push if verification grep finds any PII / secret hit.
Do NOT use --chat flag (no PII sanitizer for chat).
Do NOT quote actual scrubbed PII / secrets in task log or output. Counts only.
No em-dashes.

Validation

Working copy made (original at ~/poietic.life/.wg/ untouched)
Defensive scrub run (even if zero hits)
HTML rendered without --chat
Verification grep: 0 hits across all PII / secret patterns
nginx dotfile rename applied
rsync to ulivo.poietic.life completed
curl confirms 200 OK at the public index URL
Report at ~/poietic.life/notes/poietic-life-trace-published-YYYYMMDD.md

## Description

Make the workgraph that coordinates poietic.life development (the landing page repo) browsable as a live demo at ulivo.poietic.life. Same pattern as the incorporation trace publish (`~/poietic.life/notes/incorporation-trace-published-20260501.md`) but for the landing-page repo's workgraph state.

Source: `~/poietic.life/.wg/`

Target: `bot@ulivo.poietic.life:www/wg/feeds/poietic-life/` → public URL `https://ulivo.poietic.life/wg/feeds/poietic-life/index.html`

This adds a SECOND live workgraph trace to the public surface, strengthening the dogfooding claim ('we use this on our own work') with concrete evidence on the landing-page repo specifically.

## What to do (mirror incorporation-trace-publish pattern)

### 1. Working copy
`cp -r ~/poietic.life/.wg /tmp/wg-poietic-life-publish` (do NOT modify the original).

### 2. PII / secrets scrub
poietic.life work likely has LESS PII than incorporation (no SSNs/EINs needed for landing page). But check defensively:
- SSNs (`\b\d{3}-\d{2}-\d{4}\b`)
- Phone numbers
- Founder home addresses (3 known from incorporation scrub)
- API keys / tokens / OAuth secrets that may have leaked into chat history (look for `sk-`, `ghp_`, `AKIA`, JWT shapes, `Bearer `)
- AWS / GCP / GitHub credentials in `.env`-shape strings
- The 3 known address strings from the incorporation scrub
- EIN `41-5104395`

Use the same Python regex approach as `/tmp/wg-incorp-scrub.py` if available; copy and adapt. Scrub in source JSONL files, not in rendered HTML.

### 3. Render HTML
`wg --dir /tmp/wg-poietic-life-publish html --out /tmp/wg-poietic-life-html` (NO `--chat` flag).

### 4. Verify zero leaks
Grep rendered HTML for every PII pattern above. **If any hit, STOP and report. Do NOT push.**

### 5. nginx dotfile rename
Per the prior incorporation publish: nginx returns 403 for dot-prefixed URLs. Apply the same rename + href-rewrite step on the rendered output before rsyncing.

### 6. Show touched pages for review
If anything was scrubbed, dump the post-scrub excerpts to the task log.

### 7. Rsync
`rsync -av --delete /tmp/wg-poietic-life-html/ bot@ulivo.poietic.life:www/wg/feeds/poietic-life/`

### 8. Verify publication
`curl -sI https://ulivo.poietic.life/wg/feeds/poietic-life/index.html` → expect 200 OK.

### 9. Report
Write `~/poietic.life/notes/poietic-life-trace-published-20260501.md` (under 600 words):
- Public URL
- Counts of redactions per category
- Verification grep results (should all be 0)
- Any surprises

`wg log` a one-paragraph summary on this task.

## Constraints

- Do NOT modify `~/poietic.life/.wg/`. Work on the copy.
- Do NOT push if verification grep finds any PII / secret hit.
- Do NOT use `--chat` flag (no PII sanitizer for chat).
- Do NOT quote actual scrubbed PII / secrets in task log or output. Counts only.
- No em-dashes.

## Validation
- [ ] Working copy made (original at `~/poietic.life/.wg/` untouched)
- [ ] Defensive scrub run (even if zero hits)
- [ ] HTML rendered without --chat
- [ ] Verification grep: 0 hits across all PII / secret patterns
- [ ] nginx dotfile rename applied
- [ ] rsync to ulivo.poietic.life completed
- [ ] curl confirms 200 OK at the public index URL
- [ ] Report at `~/poietic.life/notes/poietic-life-trace-published-YYYYMMDD.md`

Depends on

done .assign-publish-poietic-life

Required by

abandoned .flip-publish-poietic-life

Log

2026-05-02T02:57:36.349488789+00:00 Task paused
2026-05-02T02:57:57.915130968+00:00 Task published
2026-05-02T02:58:26.233296059+00:00 Lightweight assignment: agent=Careful Programmer (f5143935), exec_mode=full, context_scope=task, reason=Careful Programmer role fits the security-critical, multi-step technical execution (copy, PII scrub, verify, rsync, validate). Careful tradeoff matches the need for defensive verification and zero-tolerance on leaks.
2026-05-02T02:58:29.367529679+00:00 Spawned by coordinator --executor claude --model opus
2026-05-02T02:58:43.084045521+00:00 Starting task: publish poietic.life workgraph trace at ulivo.poietic.life
2026-05-02T02:58:56.864769501+00:00 Working copy made: /tmp/wg-poietic-life-publish (original ~/poietic.life/.wg/ untouched)
2026-05-02T03:02:59.937659455+00:00 First scrub revealed phone+sk- regex false positives (DOIs, task-... names). Recopying clean source and tightening regexes.
2026-05-02T03:03:36.628079179+00:00 Scrub clean: 30 SSN + 3 EIN redactions (all from agent recall of incorporation-trace-inspection note). 0 phone, 0 secret, 0 address.
2026-05-02T03:06:21.207622595+00:00 Agent 'agent-268' killed — task auto-paused (use 'wg resume' to re-enable dispatch)
2026-05-02T03:06:25.777716885+00:00 Task abandoned