garrytan
diff --git a/‎CHANGELOG.md‎
Lines changed: 55 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 55 additions & 2 deletions
diff --git a/‎USING_GBRAIN_WITH_GSTACK.md‎
Lines changed: 1 addition & 0 deletions b/‎USING_GBRAIN_WITH_GSTACK.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bin/gstack-brain-consumer‎
Lines changed: 5 additions & 0 deletions b/‎bin/gstack-brain-consumer‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎bin/gstack-brain-init‎
Lines changed: 6 additions & 69 deletions b/‎bin/gstack-brain-init‎
Lines changed: 6 additions & 69 deletions
diff --git a/‎bin/gstack-brain-restore‎
Lines changed: 8 additions & 20 deletions b/‎bin/gstack-brain-restore‎
Lines changed: 8 additions & 20 deletions
diff --git a/‎bin/gstack-brain-uninstall‎
Lines changed: 10 additions & 0 deletions b/‎bin/gstack-brain-uninstall‎
Lines changed: 10 additions & 0 deletions
@@ -1,5 +1,60 @@
 # Changelog
 
+## [1.17.0.0] - 2026-04-26
+
+## **Your gstack memory now actually lives in gbrain.**
+
+For everyone who ran `/setup-gbrain` in the last month and noticed `gbrain search` couldn't find their CEO plans, learnings, or retros: that's because Step 7 wrote a placeholder `consumers.json` with `status: "pending"` and called it done. The HTTP endpoint that placeholder pointed at was never built on the gbrain side. This release scraps that approach and uses the gbrain v0.18.0 federation surface (`gbrain sources` + `gbrain sync`) instead.
+
+After upgrading, `/setup-gbrain` adds a `git worktree` of your brain repo, registers it as a federated source on your gbrain (Supabase or PGLite), and runs an initial sync. Subsequent gstack skill end-of-run cycles also run `gbrain sync` so new artifacts land in the index automatically. Local-Mac only. No cloud agent required. `/gstack-upgrade` runs a one-shot migration for existing users.
+
+### Verify after upgrade
+
+```bash
+gbrain sources list --json | jq '.sources[] | {id, page_count, federated}'
+# Expect: two entries, your default brain plus a "gstack-brain-{user}"
+# entry, both federated=true.
+
+gbrain search "ethos" --source gstack-brain-{user} | head -5
+# Expect: hits from your gstack repo content (readme, ethos, designs, etc).
+```
+
+### What shipped
+
+`bin/gstack-gbrain-source-wireup` is the new helper. It derives a per-user source id from `~/.gstack/.git`'s origin URL (with multi-fallback to `~/.gstack-brain-remote.txt` and a `--source-id` flag), creates a detached `git worktree` at `~/.gstack-brain-worktree/`, registers it as a federated source on gbrain, runs initial backfill, and supports `--strict` (Step 7 strictness), `--uninstall` (full teardown including future-launchd plist), and `--probe` (read-only state inspection). All idempotent. The helper depends on `jq` (transitive via `gstack-gbrain-detect`).
+
+The helper locks the database URL at startup (precedence: `--database-url` flag > `GBRAIN_DATABASE_URL`/`DATABASE_URL` env > read once from `~/.gbrain/config.json`) and exports it as `GBRAIN_DATABASE_URL` for every child `gbrain` invocation. This means external rewrites of `~/.gbrain/config.json` mid-sync (e.g., a concurrent `gbrain init --non-interactive` running in another workspace) cannot redirect the wireup at a different brain. Per gbrain's `loadConfig()`, env-var URLs override the file. Step 7 of `/setup-gbrain` reads the URL out of `config.json` once and passes it explicitly via `--database-url`, so the wireup is robust against config flips during the seconds-to-minutes sync window.
+
+`/setup-gbrain` Step 7 now invokes the helper with `--strict` after `gstack-brain-init`. `/gstack-upgrade` invokes the helper without `--strict` via `gstack-upgrade/migrations/v1.12.3.0.sh` so missing/old gbrain is a benign skip during batch upgrade. `bin/gstack-brain-restore` invokes the helper after the initial clone so a 2nd Mac gets the wireup automatically. `bin/gstack-brain-uninstall` invokes `--uninstall` plus removes legacy `consumers.json`.
+
+`bin/gstack-brain-init` drops 60 lines of dead consumer-registration code (the HTTP POST block, the `consumers.json` writer, the chore commit). `bin/gstack-brain-restore` drops the 18-line `consumers.json` token-rehydration block (the only consumer that used it never had real tokens). `bin/gstack-brain-consumer` is marked deprecated in its header docstring; removal in v1.18.0.0 after one cycle of grace.
+
+`test/gstack-gbrain-source-wireup.test.ts` is new: 13 unit tests with a fake `gbrain` binary on `$PATH` covering fresh-state registration, idempotent re-runs, drift recovery (gbrain has no `sources update`, only `remove + add`), `--strict` failure modes, source-id fallback chain (`.git` → remote-file → flag), `--probe` non-mutation, sync errors, and `--uninstall`.
+
+### The numbers that matter
+
+These are reproducible on any machine after upgrade. Run the verify commands above to see your own delta.
+
+| Metric | Before (v1.16.0.0) | After (v1.17.0.0) |
+|---|---|---|
+| `gbrain sources list` size | 1 (default `/data/brain`) | 2 (default + `gstack-brain-{user}`) |
+| `consumers.json` status | `"pending"`, ingest_url `""` | file deleted from new installs |
+| Manual steps to wire up | 4 (clone + sources add + sync + cron) | 0, automatic in Step 7 |
+| Helper test coverage | 0 unit tests | 13 unit tests (`bun test test/gstack-gbrain-source-wireup.test.ts`) |
+| `bin/gstack-brain-init` size | 363 lines | 300 lines (60 lines of dead code removed) |
+
+Local Mac is the producer of artifacts and the worktree advances automatically with `~/.gstack/`'s commits. Cross-machine sync runs through GitHub via the existing `gstack-brain-sync --once` push hook. No new cron infrastructure needed today; when gbrain v0.21 code-graph features ship, the helper's `--enable-cron` flag is a clean extension.
+
+### What this means for builders
+
+Your gstack memory is searchable now. Run a CEO plan review or office-hours session, sync runs at skill-end automatically, and `gbrain search` finds the plan content from any gbrain client (this Claude Code session, future Macs, optional cloud agents like OpenClaw). One source of truth across machines. The placeholder is dead.
+
+### For contributors
+
+- `bin/gstack-brain-consumer` is deprecated in this release; removal in v1.18.0.0.
+- The `gbrain_url` and `gbrain_token` config keys are now no-ops. They remain readable for one cycle for back-compat, removed in v1.18.0.0.
+- Three pre-existing test failures on this branch (`gstack-config gbrain keys > GSTACK_HOME overrides real config dir`, `no compiled binaries in git > git tracks no files larger than 2MB`, `Opus 4.7 overlay — pacing directive`) were verified to fail on the base branch too. Out of scope for this PR; flagged for a follow-up.
+
 ## [1.16.0.0] - 2026-04-28
 
 ## **Paired-agent tunnel allowlist now matches what the docs already promised. Catch-22 resolved, gate is unit-testable.**
@@ -47,8 +102,6 @@ Three things change immediately. **First**, paired agents can actually open and
 - The plan was reviewed under `/plan-eng-review` plus 2 sequential codex outside-voice passes during plan mode. Round-1 codex caught a doc-target mistake (we were going to update `SIDEBAR_MESSAGE_FLOW.md` instead of `REMOTE_BROWSER_ACCESS.md`) and a wrong-layer test design. Round-2 codex caught that the round-1 correction was still wrong (the chosen test harness only binds the local listener) AND that the docs promised 6 more commands than the allowlist had. All 6 of 7 substantive findings landed in the implementation; the 7th (a pre-existing `/pair-agent` `/health` probe mismatch at `cli.ts:656-668`) is logged as out of scope.
 - One known accepted risk: `tabs` over the tunnel returns metadata for ALL tabs in the browser, not just tabs the agent owns. The user authored the trust relationship when they paired the agent, the agent already can't read CONTENT of unowned tabs (write commands blocked, the active tab can't be switched without a `tab <id>` command that's NOT in the allowlist), and tab IDs already leak via the 403 `hint` field on disallowed `goto`. Codex noted that tightening this requires touching the ownership gate itself (the gate falls back to `getActiveTabId()` BEFORE dispatch in `server.ts:603-614`), which is materially out of scope for a catch-22 fix. Logged in the plan failure-mode table as accepted.
 
-
-
 ## [1.15.0.0] - 2026-04-26
 
 ## **Real-PTY test harness ships. 11 plan-mode E2E tests, 23 unit tests, and 50K fewer tokens per invocation.**
 
@@ -159,6 +159,7 @@ The skill re-collects a PAT (one-time, discarded after), lists every project in
 | `gstack-gbrain-supabase-verify` | Structural URL check. Rejects direct-connection URLs (`db.*.supabase.co:5432`) with exit 3 |
 | `gstack-gbrain-supabase-provision` | Management API wrapper. Subcommands: `list-orgs`, `create`, `wait`, `pooler-url`, `list-orphans`, `delete-project`. All require `SUPABASE_ACCESS_TOKEN` in env. `create` and `pooler-url` also require `DB_PASS`. `--json` mode available on every subcommand. |
 | `gstack-gbrain-repo-policy` | Per-remote trust triad. Subcommands: `get`, `set`, `list`, `normalize` |
+| `gstack-gbrain-source-wireup` | Registers your `~/.gstack/` brain repo with gbrain as a federated source via `gbrain sources add` + `git worktree`, then runs an initial `gbrain sync`. Idempotent. Replaces the dead `consumers.json + /ingest-repo` HTTP wireup from v1.12.x. Flags: `--strict`, `--source-id <id>`, `--no-pull`, `--uninstall`, `--probe`. |
 
 ### gbrain CLI (upstream tool)
 
 
@@ -1 +1 @@
-1.16.0.0
+1.17.0.0
@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 # gstack-brain-consumer — manage the consumer (reader) registry.
 #
+# DEPRECATED in v1.17.0.0. This binary targets a gbrain HTTP /ingest-repo
+# endpoint that never shipped on the gbrain side. Live federation now uses
+# `gbrain sources` directly via bin/gstack-gbrain-source-wireup. This file
+# stays for one cycle to avoid breaking external scripts; removal in v1.18.0.0.
+#
 # Consumer = a reader that ingests the gstack-brain git repo as a source of
 # session memory. v1 primary consumer is GBrain; later versions can register
 # Codex, OpenClaw, or third-party readers.
 
@@ -22,19 +22,16 @@
 #   8. Prompt for remote (default: gh repo create --private gstack-brain-$USER)
 #   9. Initial commit + push
 #   10. Write ~/.gstack-brain-remote.txt  (URL-only, safe to share)
-#   11. Register GBrain consumer (HTTP POST if GBRAIN_URL set; else defer)
 #
 # Env:
 #   GSTACK_HOME — override ~/.gstack
-#   GBRAIN_URL  — GBrain ingest endpoint base URL (for consumer registration)
 
 set -euo pipefail
 
 GSTACK_HOME="${GSTACK_HOME:-$HOME/.gstack}"
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 CONFIG_BIN="$SCRIPT_DIR/gstack-config"
 REMOTE_FILE="$HOME/.gstack-brain-remote.txt"
-CONSUMERS_FILE="$GSTACK_HOME/consumers.json"
 
 REMOTE_URL=""
 while [ $# -gt 0 ]; do
@@ -280,68 +277,6 @@ fi
 echo "$REMOTE_URL" > "$REMOTE_FILE"
 chmod 600 "$REMOTE_FILE"
 
-# ---- register GBrain consumer ----
-mkdir -p "$GSTACK_HOME"
-CONSUMER_STATUS="pending"
-GBRAIN_URL_VAL="${GBRAIN_URL:-$("$CONFIG_BIN" get gbrain_url 2>/dev/null || echo "")}"
-GBRAIN_TOKEN_VAL="${GBRAIN_TOKEN:-$("$CONFIG_BIN" get gbrain_token 2>/dev/null || echo "")}"
-
-if [ -n "$GBRAIN_URL_VAL" ] && [ -n "$GBRAIN_TOKEN_VAL" ]; then
-  # Try the HTTP handoff.
-  HTTP_RESP=$(curl -sS -X POST "${GBRAIN_URL_VAL%/}/ingest-repo" \
-    -H "Authorization: Bearer $GBRAIN_TOKEN_VAL" \
-    -H "Content-Type: application/json" \
-    --data "{\"repo_url\":\"$REMOTE_URL\"}" \
-    -w "\n%{http_code}" 2>&1 || echo -e "\ncurl-error")
-  HTTP_CODE=$(echo "$HTTP_RESP" | tail -1)
-  if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "204" ]; then
-    CONSUMER_STATUS="ok"
-    echo "GBrain consumer registered: $GBRAIN_URL_VAL"
-  else
-    echo "GBrain ingest endpoint returned HTTP $HTTP_CODE; will retry on next skill run."
-  fi
-elif [ -z "$GBRAIN_URL_VAL" ]; then
-  echo "(GBRAIN_URL not configured; skipping consumer registration. Set it with:"
-  echo "   gstack-config set gbrain_url <url>"
-  echo "   gstack-config set gbrain_token <token>"
-  echo " then run: gstack-brain-consumer add gbrain --ingest-url <url> --token <token>)"
-fi
-
-# Write consumers.json — the canonical registry. Tokens are NOT stored here;
-# they stay in gstack-config (machine-local). This file IS synced so a new
-# machine knows which consumers exist and can prompt for tokens.
-python3 - "$CONSUMERS_FILE" "$GBRAIN_URL_VAL" "$CONSUMER_STATUS" <<'PYEOF'
-import sys, json, os
-path, url, status = sys.argv[1:4]
-try:
-    with open(path) as f:
-        data = json.load(f)
-except (FileNotFoundError, json.JSONDecodeError):
-    data = {"consumers": []}
-# Upsert GBrain entry.
-entry = {"name": "gbrain", "ingest_url": url, "status": status, "token_ref": "gbrain_token"}
-updated = False
-for i, c in enumerate(data.get("consumers", [])):
-    if c.get("name") == "gbrain":
-        data["consumers"][i] = entry
-        updated = True
-        break
-if not updated:
-    data.setdefault("consumers", []).append(entry)
-with open(path, "w") as f:
-    json.dump(data, f, indent=2)
-    f.write("\n")
-PYEOF
-
-# Stage and commit consumers.json in the same session.
-cd "$GSTACK_HOME"
-git add -f consumers.json 2>/dev/null || true
-if ! git diff --cached --quiet 2>/dev/null; then
-  git -c user.email="gstack@localhost" -c user.name="gstack-brain-init" \
-      commit -q -m "chore: register GBrain consumer"
-  git push -q origin HEAD 2>/dev/null || true
-fi
-
 # ---- done ----
 cat <<EOF
 
@@ -350,12 +285,14 @@ Repo:    $GSTACK_HOME (git)
 Remote:  $REMOTE_URL
 Remote URL also saved at: $REMOTE_FILE
 
-Sync happens automatically at the start and end of each skill (no daemon).
-Check status anytime with:
+Sync to GitHub happens automatically at the start and end of each skill
+(no daemon). Check status anytime with:
   gstack-brain-sync --status
 
-To activate sync, the next skill you run will ask you one question about
-privacy mode (sync everything / artifacts only / off).
+The next skill run will ask you one question about privacy mode (full /
+artifacts-only / off). After that, /setup-gbrain Step 7 (or the
+gstack-gbrain-source-wireup helper) registers this repo as a federated
+source on gbrain so its content is searchable via 'gbrain search'.
 
 New machine? On the other laptop, put a copy of:
   $REMOTE_FILE
 
@@ -19,7 +19,8 @@
 #   3. rsync-copy tracked files into ~/.gstack/ with skip-if-same-hash
 #   4. Move staging's .git into ~/.gstack/.git
 #   5. Register local git config merge drivers (they don't clone from remote)
-#   6. Rehydrate consumers.json endpoints; prompt for tokens
+#   6. Wire the cloned brain into gbrain via gstack-gbrain-source-wireup
+#      (best-effort; restore continues even if gbrain wireup fails)
 #
 # Env:
 #   GSTACK_HOME — override ~/.gstack
@@ -195,25 +196,6 @@ sys.exit(0)
 HOOK_EOF
 chmod +x "$HOOK"
 
-# ---- rehydrate consumers, prompt for tokens ----
-if [ -f "$GSTACK_HOME/consumers.json" ]; then
-  echo ""
-  echo "Consumer registry restored. Tokens are machine-local and NOT synced."
-  echo "Run these for each consumer to re-enter tokens:"
-  python3 - "$GSTACK_HOME/consumers.json" <<'PYEOF'
-import sys, json
-try:
-    with open(sys.argv[1]) as f:
-        data = json.load(f)
-except Exception:
-    sys.exit(0)
-for c in data.get("consumers", []):
-    name = c.get("name", "")
-    token_ref = c.get("token_ref", f"{name}_token")
-    print(f"  gstack-config set {token_ref} <your-token>")
-PYEOF
-fi
-
 # ---- write remote helper file if missing ----
 if [ ! -f "$REMOTE_FILE" ]; then
   echo "$REMOTE_URL" > "$REMOTE_FILE"
@@ -222,6 +204,12 @@ if [ ! -f "$REMOTE_FILE" ]; then
   echo "Wrote $REMOTE_FILE for future skill-run auto-detection."
 fi
 
+# ---- wire the cloned brain into gbrain (best-effort) ----
+WIREUP_BIN="$SCRIPT_DIR/gstack-gbrain-source-wireup"
+if [ -x "$WIREUP_BIN" ]; then
+  "$WIREUP_BIN" || >&2 echo "WARNING: gbrain wireup failed; run $WIREUP_BIN manually after fixing prereqs"
+fi
+
 cat <<EOF
 
 gstack-brain-restore complete.
 
@@ -120,6 +120,16 @@ rm -f "$GSTACK_HOME/.brain-last-pull" 2>/dev/null || true
 rm -f "$GSTACK_HOME/.brain-skip.txt" 2>/dev/null || true
 rm -f "$GSTACK_HOME/.brain-sync-status.json" 2>/dev/null || true
 rm -rf "$GSTACK_HOME/.brain-sync.lock.d" 2>/dev/null || true
+
+# ---- unregister gbrain federated source + remove worktree (best-effort) ----
+# The wireup helper handles: gbrain sources remove, git worktree remove,
+# launchd plist (future). All best-effort; uninstall continues on failure.
+WIREUP_BIN="$SCRIPT_DIR/gstack-gbrain-source-wireup"
+if [ -x "$WIREUP_BIN" ]; then
+  "$WIREUP_BIN" --uninstall 2>/dev/null || true
+fi
+
+# ---- legacy consumers.json (no longer written by gstack-brain-init since v1.17.0.0) ----
 rm -f "$GSTACK_HOME/consumers.json" 2>/dev/null || true
 
 # ---- clear config keys ----