Harden Workspace Hub audit and stale-info cleanup

README.md

@@ -255,6 +255,8 @@ explicitly needs them. See [docs/21-agent-token-budget.md](docs/21-agent-token-b
 
 Tracked repo knowledge belongs in public docs, manifests, and portable skills. Local operator memory belongs in ignored local files until it becomes stable enough to promote into tracked project guidance.
 
+To keep stale information out of the workspace, dated local verification results should replace vague "latest" claims. Generated context under `cache/` is useful evidence, but tracked docs and manifests stay canonical. External service status, including TomeVault profile or scan counts, should be checked live before it is recorded as current.
+
 Workspace memory is temporarily disabled. `tools/bin/workspace-memory` now exits
 without running MemPalace closeout, ingest, search, wake-up, export, or graph
 commands while the write-lock and corpus-size behavior is reviewed.
@@ -265,6 +267,10 @@ Current closeout guidance:
 - record workspace closeout in `docs/HANDOVER.md` and `docs/CHANGELOG.md`
 - use generated context-cache summaries under `cache/context/` only as optional local side-load material, not as canonical memory
 
+For local cleanup, use `tools/scripts/cleanup-sync-noise.sh` first in its
+default dry-run mode. Pass `--run` only for targeted macOS/sync-noise removal;
+do not use broad `git clean` flows for workspace cleanup.
+
 When a capability becomes part of how the whole workspace operates, prefer a core-service shape:
 
 - tracked runtime code in `tools/`

docs/02-local-runtime-handover.md

@@ -51,7 +51,7 @@ The Workspace Hub application should:
 - open preview URLs
 - open repos in Finder, terminal, editor, or Codex where useful
 - store known ports and preferred launch methods
-- optionally provide **mapped-host-aware** preview links when `servbayPath` / `servbaySubdomain` (stable manifest keys) are set
+- optionally provide **mapped-host-aware** preview links when `mappedHostPath` / `mappedHostSubdomain` (stable manifest keys) are set
 
 ## Recommended Hub app approach
 
@@ -169,7 +169,7 @@ Suggested fields:
 
 - `name`
 - `type`
-- `preferredMode` → `direct` | `servbay` | `external` (the value `servbay` means mapped-host/proxy preview; see Hub manifest docs for stable JSON keys)
+- `preferredMode` → `direct` | `mapped-host` | `external` (the value `mapped-host` means mapped-host/proxy preview; see Hub manifest docs for stable JSON keys)
 - `packageManager`
 - `devCommand`
 - `buildCommand`
@@ -180,8 +180,8 @@ Suggested fields:
 - `notes`
 - `tags`
 - `isWordPress`
-- `servbayPath`
-- `servbaySubdomain`
+- `mappedHostPath`
+- `mappedHostSubdomain`
 - `healthcheckUrl`
 
 Not every field is required.
@@ -218,8 +218,8 @@ Use this when:
 - proxying adds unnecessary complexity
 - the project expects to run at root
 
-### `servbay` (mapped host / proxy)
-The manifest uses the stable enum value `servbay` for previews served through a configured path or subdomain on your local domain (see `servbayPath` and `servbaySubdomain`).
+### `mapped-host` (mapped host / proxy)
+The manifest uses the stable enum value `mapped-host` for previews served through a configured path or subdomain on your local domain (see `mappedHostPath` and `mappedHostSubdomain`).
 
 Use this when:
 - clean URLs are useful
@@ -242,7 +242,7 @@ Use this when:
 Default to:
 - `external` for WordPress projects already managed in Local
 - `direct` for Vite, Three.js, WebGL, and most static repos
-- `servbay` only where a mapped path or subdomain is clearly useful and stable
+- `mapped-host` only where a mapped path or subdomain is clearly useful and stable
 
 This avoids fragile path/proxy assumptions.
 

docs/03-workspace-hub-build-spec.md

@@ -314,7 +314,7 @@ Suggested example:
   "buildCommand": "pnpm build",
   "previewCommand": "pnpm preview",
   "previewUrl": "http://localhost:5173",
-  "servbayPath": "/repo/three-lab",
+  "mappedHostPath": "/repo/three-lab",
   "tags": ["threejs", "art", "experiment"],
   "notes": "Uses heavy assets and WebGL"
 }
@@ -332,8 +332,8 @@ Suggested example:
 - `previewCommand`
 - `previewUrl`
 - `externalUrl`
-- `servbayPath`
-- `servbaySubdomain`
+- `mappedHostPath`
+- `mappedHostSubdomain`
 - `tags`
 - `notes`
 - `healthcheckUrl`
@@ -398,13 +398,13 @@ Preferred for:
 - WordPress sites already managed in Local
 - any repo controlled by another app
 
-### Mapped host preview (`servbay` mode in manifests)
+### Mapped host preview (`mapped-host` mode in manifests)
 Use when:
 - proxying is useful
 - a stable mapped path is known
 - the dashboard is being used as the front door
 
-The manifest enum value remains `servbay` for compatibility; do not force every repo into this mode.
+Use the manifest enum value `mapped-host` only for repos with a tested mapped path or subdomain; do not force every repo into this mode.
 
 ## Optional mapped-host integration requirements
 
@@ -464,7 +464,7 @@ Build:
 Build:
 - settings for optional proxy base domain
 - mapped-host preview-link generation
-- optional path and subdomain awareness (manifest keys `servbayPath`, `servbaySubdomain`)
+- optional path and subdomain awareness (manifest keys `mappedHostPath`, `mappedHostSubdomain`)
 - dashboard mode through a configured local hostname when used
 
 ## Definition of done
@@ -476,7 +476,7 @@ This build spec is complete when Codex can implement a Workspace Hub that:
 - classifies repo types conservatively
 - reads optional repo manifests
 - starts and stops supported repos
-- opens previews in direct, external, or mapped-host (`servbay`) mode
+- opens previews in direct, external, or mapped-host (`mapped-host`) mode
 - stores useful non-sensitive metadata
 - remains useful even if no proxy front door is configured
 - feels lightweight, practical, and scalable

docs/05-examples-and-templates.md

@@ -77,7 +77,7 @@ The manifest template demonstrates:
 - a normal slug
 - package manager and commands
 - direct preview URL
-- optional mapped-host path (`servbayPath` in manifests)
+- optional mapped-host path (`mappedHostPath` in manifests)
 - optional healthcheck URL
 - lightweight notes and tags
 
@@ -140,7 +140,7 @@ Use for:
 - Local-managed WordPress sites
 - repos opened through another tool or service
 
-### `servbay` (mapped host / proxy)
+### `mapped-host` (mapped host / proxy)
 Use when:
 - a clean mapped path or local-domain route is stable
 - proxying adds real convenience

docs/10-release-readiness.md

@@ -13,11 +13,12 @@ The target is a practical release gate:
 - a clear support matrix
 - a migration note for the `.codex/` contract
 
-Current status:
+Current status, checked on 2026-05-10:
 
-- stable baseline verified on 2026-04-03
-- automated checks passed via `bootstrap-workspace.sh`, both doctor scripts, and `release-readiness.sh`
-- live Workspace Hub smoke checks passed for a direct-preview repo, an external WordPress repo, and a mixed-stack SwiftPM repo
+- workspace release tag remains `v1.2.2`
+- latest local `tools/scripts/release-readiness.sh` run passed with both doctor scripts, Workspace Hub tests, lint, build, skill-sync dry run, and placeholder checks
+- Workspace Hub tests covered 51 passing cases in the latest local gate
+- live Workspace Hub smoke checks are still required before publishing a new release or changing runtime behavior
 
 ## Stable contract
 
@@ -50,6 +51,10 @@ Run these before calling a release stable or after changes that could affect the
 
 Do not skip the manual repo check just because automated verification passed.
 
+When documenting release state, prefer dated local verification results over
+open-ended claims such as "latest" or "current". External service status must
+be checked live before recording it as fact.
+
 ## Support matrix
 
 ### Supported baseline

docs/12-maintainer-runbook.md

@@ -103,15 +103,17 @@ Do not mix the two flows.
 write-lock and corpus-size behavior is reviewed. Do not run memory closeout,
 ingest, search, wake-up, export, or graph commands during this pause.
 
-Historical checks, currently paused:
+Historical direct-service checks, currently paused and not part of the active
+closeout path:
 
 ```bash
 tools/bin/workspace-memory status
 tools/bin/mempalace-start
 tools/bin/mempalace-sync
 ```
 
-Workspace Hub should surface MemPalace as a core service, but these commands remain the direct shell fallback.
+Workspace Hub should surface MemPalace as a core service, but these commands
+must stay disabled until the workspace-memory pause is lifted in tracked docs.
 
 ## Codex MCP profile management
 

docs/CHANGELOG.md

@@ -5,6 +5,22 @@
 - Added a claim-only TomeVault distribution path with root `AGENTS.md` as the canonical public source, standalone Copilot guidance, and no Relay install or generated multi-format files by default.
 - Added `tools/manifests/tomevault-skills.json` plus `tools/scripts/sync-tomevault-skills.sh` to maintain a deterministic root `.agents/skills/` mirror for all tracked publishable skills.
 - Removed machine-specific absolute links from public skill sources so mirrored TomeVault skill content stays portable.
+- Hardened Workspace Hub mutating API routes with a local intent header and
+  pre-body origin guard, and updated the Hub client POST helpers so UI actions
+  send that intent consistently.
+- Normalized Workspace Hub repo activity, metadata, and event writes to the
+  canonical discovered `repo.relativePath` value instead of raw request payloads.
+- Added core-service `maintenancePaused` metadata so Workspace Hub UI controls
+  and service API routes use the same pause contract.
+- Updated Workspace Hub memory surfaces and smoke docs so MemPalace maintenance,
+  search, and graph command actions stay visibly paused and API-rejected while
+  `tools/bin/workspace-memory` is disabled.
+- Updated release-readiness and handover docs so stale external status is not
+  recorded as current without live verification, and tracked docs/manifests stay
+  canonical over generated cache.
+- Changed `tools/scripts/cleanup-sync-noise.sh` to dry-run by default with an
+  explicit `--run` mode, and updated Git trimming to opt into that cleanup
+  intentionally.
 
 ## 2026-04-27
 
@@ -46,9 +62,9 @@
 ## 2026-04-11
 
 - Bumped the workspace baseline release to `v1.2.2` and updated `repos/workspace-hub` to `1.2.2` to capture the side-load `entry.md` packet flow, manifest `entryDocs` support, and thin-versus-deep indexed search as the new published baseline.
-- Refreshed the root [README](../README.md) with tool-agnostic positioning (Codex, Cursor, Claude), a **Workspace Hub** subsection with the cover image, and a **What's included (and why)** table; shifted public docs to neutral language for optional reverse-proxy and mapped-host previews while keeping compatibility manifest keys documented where needed.
+- Refreshed the root [README](../README.md) with tool-agnostic positioning (Codex, Cursor, Claude), a **Workspace Hub** subsection with the cover image, and a **What's included (and why)** table; shifted public docs to neutral language for optional reverse-proxy and mapped-host previews.
 - Updated [HANDOVER](HANDOVER.md) completion review, the project review addendum pointer to [CHANGELOG](CHANGELOG.md) for resolved Hub items, and aligned [docs/README](README.md), wiki stubs, contributor templates, and [AGENTS.md](../AGENTS.md) with the same stance.
-- Rewrote [00-overview](00-overview.md) and [02-local-runtime-handover](02-local-runtime-handover.md) so runtime guidance uses generic mapped-host terminology while keeping stable manifest enum and field names (`servbay`, `servbayPath`, `servbaySubdomain`) documented in [repos/workspace-hub/docs/manifest.md](../repos/workspace-hub/docs/manifest.md).
+- Rewrote [00-overview](00-overview.md) and [02-local-runtime-handover](02-local-runtime-handover.md) so runtime guidance uses generic mapped-host terminology while keeping stable manifest enum and field names (`mapped-host`, `mappedHostPath`, `mappedHostSubdomain`) documented in [repos/workspace-hub/docs/manifest.md](../repos/workspace-hub/docs/manifest.md).
 - Added a tracked [docs/plans/readme-docs-closeout.md](plans/readme-docs-closeout.md) plan for future reference, and aligned small Workspace Hub/operator copy surfaces with the same mapped-host wording in `repos/workspace-hub`, `tools/scripts/doctor-workspace.sh`, and `tools/scripts/setup-workspace-profile.sh`.
 - Extended `repos/workspace-hub` backlog follow-through with better repo-list prioritization for pinned and recent work, clearer Python-aware dependency readiness, intake-result surfacing in repo details, capability search and inspection, explicit mapped-host routing status, and richer runtime troubleshooting guidance.
 - Advanced Workspace memory graph support from file-open-only toward Phase 2 by surfacing derived-edge counts, node-type breakdown, and an in-app graph report preview for the selected target, while clarifying intentional MCP profile usage in the Workspace Hub settings panel.
@@ -107,7 +123,7 @@
 - Promoted repo-group updates to a tracked default manifest at `tools/manifests/repo-groups.json`, while keeping `repo-groups.example.json` as a sample shape.
 - Reclassified `VoltAgent/awesome-design-md` as an optional ability under `repos/abilities/voltagent-awesome-design-md` and updated the local `DESIGN.md` tooling/docs accordingly.
 - Updated Workspace Hub to read capability registry data, expose capability lifecycle actions in the UI, and persist a repo layout preference with `split` and `discovery-first` modes.
-- Synced the public-facing docs set so the root README, docs index, and older handover notes now all describe Workspace memory, the reviewed-source taxonomy, optional abilities, and the optional `gh auth login` and ServBay stance consistently.
+- Synced the public-facing docs set so the root README, docs index, and older handover notes now all describe Workspace memory, the reviewed-source taxonomy, optional abilities, and the optional `gh auth login` stance consistently.
 - Added a reusable live Hub acceptance block to `docs/HANDOVER.md` and `repos/workspace-hub/README.md` covering base summary, capability-aware search, repo-details hydration, Workspace memory, Workspace Capabilities, Repo Discovery, and `discovery-first` rendering checks.
 - Corrected the legacy compatibility manifest note for `VoltAgent/awesome-design-md` so it no longer points at the old `repos/core/` placement.
 - Added `GET /api/capabilities` to `workspace-hub` as a read-only capability snapshot endpoint and surfaced its installed or enabled or reference-only counts directly in the Workspace Capabilities panel.

docs/HANDOVER.md

@@ -24,7 +24,7 @@ or use Hub memory command actions until the pause is explicitly lifted.
 
 - workspace release tag: `v1.2.2`
 - `repos/workspace-hub` version: `1.2.2`
-- stable release gate passed on `2026-04-10`
+- latest local release-readiness gate passed on `2026-05-10`
 - current release URL: `https://github.com/RichardGeorgeDavis/Codex-Workspace/releases/tag/v1.2.2`
 
 The workspace foundation is in place:
@@ -38,6 +38,33 @@ The workspace foundation is in place:
 - `tools/ref/` is reference-only and can remain empty unless a reviewed snapshot is explicitly refreshed
 - launcher commands coordinate ports through `cache/runtime/ports/`
 
+## Latest Local Work
+
+On `2026-05-10`, Workspace Hub was hardened after a comprehensive audit:
+
+- unsafe API methods now require the local Hub intent header and reject foreign
+  browser origins before body parsing or any write, install, open, or runtime
+  action runs; mapped-host Hub origins must be explicitly allowlisted
+- Hub client POST helpers now send the intent header consistently
+- repo activity, metadata, and event writes use canonical discovered
+  `repo.relativePath` values instead of raw request payload paths
+- core service payloads now include `maintenancePaused` and
+  `maintenancePausedReason` so UI disablement and server rejection share the
+  same service-level contract
+- MemPalace install/start/restart/sync controls are disabled or relabeled while
+  workspace memory remains paused, and the API rejects paused MemPalace
+  maintenance and command calls directly
+- Workspace Hub README smoke commands now use the intent header and avoid paused
+  MemPalace command POSTs
+- stale-information handling now keeps tracked docs and manifests canonical,
+  treats generated cache as optional evidence, and requires live verification
+  before recording external service status as current
+- `tools/scripts/cleanup-sync-noise.sh` now defaults to dry-run and requires
+  `--run` before removing macOS or sync-client noise files
+- verification covered `pnpm typecheck`, `pnpm test`, `pnpm lint`,
+  `pnpm build`, live API smoke, in-app browser smoke, and
+  `tools/scripts/release-readiness.sh`
+
 ## Token Budget Rules
 
 Keep agent context small by default:
@@ -66,6 +93,10 @@ Implemented:
 - capability and core-service surfacing from the tracked manifest
 - base-summary refresh with selected-repo detail hydration
 - side-load freshness visibility for generated context packets
+- guarded local-only mutating API actions for writes, opens, installs, and
+  runtime controls
+- canonical repo-relative path persistence for repo activity, metadata, and
+  workspace events
 
 Workspace memory UI exists, but command actions are paused because
 `tools/bin/workspace-memory` is disabled.
@@ -75,10 +106,10 @@ Workspace memory UI exists, but command actions are paused because
 Practical next work:
 
 - TomeVault distribution mirror is implemented and pushed in commit `5186120`.
-  Public TomeVault still reports `1 config, 0 skill, 6 formats`; claim the
-  profile and ask Oli to rescan root `AGENTS.md` plus
-  `.agents/skills/*/SKILL.md`. Do not install Relay unless explicitly
-  requested.
+  Verify the public TomeVault profile state live before documenting scan counts
+  or skill totals as current. Claim the profile and ask Oli to rescan root
+  `AGENTS.md` plus `.agents/skills/*/SKILL.md`. Do not install Relay unless
+  explicitly requested.
 - keep future changes end-to-end and update this file plus `docs/CHANGELOG.md`
 - keep public surfaces aligned when workspace-wide behavior changes:
   `README.md`, `docs/README.md`, `docs/CHANGELOG.md`, and relevant repo-local docs