Auset Brain

2026-04-16

4 min read

Daily Note — 2026-04-16

Early AM — Session 82 Continuation

/open-tabs Second Review (Mary + Granville)

Ran second /review-code pass on .claude/scripts/open-tabs.sh to verify corrective prompt 129’s shell-injection fixes.

Verdict: B grade. Four of five fixes correct (H1, M1, M2, M3). H2 closed the injection surface but introduced a HIGH functional regression on --cursor-qcs1.

The regression: Cursor agent wrapped the remote SSH command in bash -lc AND %q-escaped the leading ~/ in the path. Two independent defects stacked:

  1. bash -lc cd <path> — OpenSSH joins argv with spaces; remote login shell parses && before bash -lc runs. Only cd is treated as the -c script; the path becomes $0. cd with no args goes to $HOME.
  2. \~/projects/... — a backslash-escaped tilde is never subject to tilde expansion. bash -lc 'cd \~/'cd: ~/: No such file or directory.

Net: every --cursor-qcs1 tab drops the Cursor agent into $HOME on QCS1 instead of ~/projects/<heru>. Safe but non-functional.

Deliverables

  • docs/review/20260415-234633-code-review.md — full review with bash adversarial trace.
  • prompts/2026/April/15/1-not-started/129-fix-open-tabs-qcs1-cd-regression.md — corrective prompt (drop bash -lc, interpolate $RHOST unquoted — safe because validate_remote_path allowlist already gates it).
  • Live feed updated.

Decisions Made

  • Hold /sync-herus --commands --push until H2b fix verified. /open-tabs --cursor-qcs1 must cd to target on QCS1 before it ships to 55 Herus.
  • /open-tabs --claude and --cursor are safe to use now.

Next

  1. QCS1 Cursor agent picks up 129-fix-open-tabs-qcs1-cd-regression.md.
  2. Re-run /review-code when fix lands → expect grade A-.
  3. Once green, /sync-herus --commands --push to fleet.

00:09 — /session-continue (pre-clear save)

Mo ran /clear → /rename Headquarters → /session-continue. No intermediate work between last checkpoint (00:04) and this save. State persisted:

  • Open threads: prompt 129 (QCS1 cd regression) still queued for Cursor.
  • /sync-herus --commands --push still on HOLD pending H2b verification.
  • 129 is the only uncommitted path blocker for the /open-tabs fleet rollout.

Safe to /clear. Next: Mo runs /session-update on re-entry.

04:29 — /session-continue (pre-clear save, context 55%)

Heavy build window. Four things shipped since last save:

  1. Bedrock (A- grade). 23-00 prompt + 01-fix corrective landed clean. RaIntelligence now routes through AWS Bedrock when BEDROCK_PRIMARY_MODEL is set, DeepSeek-R1 default, throttle-retry + cost logging. 19 tests pass on 3 suites.

  2. Hook bug fixed. .claude/settings.json hook commands now use git -C rev-parse --show-toplevel so they fire correctly even when Claude Code’s cwd has drifted to a subdir.

  3. /git-sweep v1.1.1 shipped. Three modes: default (delete already-merged), --merge-prs (merge open MERGEABLE PRs via gh), --force-merge-all (raw git merge every branch into develop, abort on conflict). Fleet-run landed 6 PRs, deleted 103 branches across 41 Herus. 43 CONFLICTING PRs still need human rebase.

  4. /sync-herus v1.1. Now syncs .claude/scripts/*.sh alongside command docs. Fixes the long-standing bug where command docs shipped to Herus without their shell implementations.

Mo’s correction this window: stop centralizing execution, sync commands and let each Heru run them in its own tab. Pattern applied going forward.

Boilerplate working tree is 189+ uncommitted paths. Needs a clean commit pass before next sync wave.

10:58 — /session-end

Session 82 closed. Heavy build window.

Shipped

  • /branch-cleanup (one command, no flags) replacing /git-sweep. Syncs to all Herus.
  • /sync-herus v1.1 now ships .claude/scripts/*.sh alongside command docs.
  • AWS Config disabled on Quik Nation account → docs/aws/CONFIG-RECORDER-DISABLED.md.
  • Fleet ran: 6 PRs merged, 103 branches deleted across 41 Herus.
  • Commit 2baf5187 local; push deferred.

Corrections filed

  • feedback-one-command-no-flags.md — stop over-parameterizing; separate verbs = separate commands.
  • Distributed > centralized execution is the standing pattern now.

Pending for next session

  • Push 2baf5187 to origin
  • Distribute central prompt queue to each Heru’s repo
  • 43 CONFLICTING PRs need human rebase
  • dreamihaircare push (needs git pull --rebase)

Watch inbox: AWS Cost Anomaly auto-close expected by 2026-04-18.

claraagents Session — /review-code PR #58 + /session-end

What was done

  • Reviewed PR #58 (22-fix-eas-script-ssm-path) — Grade A
    • 2-line fix: SSM paths /clara-agents//claraagents/ in mobile/scripts/eas-testflight-qcs1.sh
    • Low-priority cosmetic finding: warn echo strings on lines 68/86 still say old path (no corrective prompt needed)
    • Merged → develop, branch deleted
    • Review doc: docs/review/20260415-193300-prompt-22-review.md

Final state

  • April 14 sprint: 22/22 prompts complete, 0 open issues, 0 open PRs
  • Clara Agents quality arc closed at A
  • All 8 mobile screens shipped (Clerk auth, voice, subscription, invoices, team)
  • EAS build pipeline ready (eas-testflight-qcs1.sh correct SSM paths)

Key decisions

  • SSM naming confirmed: /claraagents/<env>/<KEY> (no hyphen) — NOT /clara-agents/
  • Cosmetic warn strings on lines 68/86 of EAS script noted; fix opportunistically, not a blocker

Next

  • No queued prompts. Next sprint would be: TestFlight production build or new feature work.

Graph View