
docs(specs): prioritized implementation plan for highest-value designs #332

Status: Open
glassBead-tc wants to merge 1 commit into main from cursor/specs-prioritized-implementation-plan-f653

Conversation

@glassBead-tc


Summary

Adds .specs/PRIORITIZED-IMPLEMENTATION-PLAN.md — a review of the full .specs/ corpus (~171 files, ~30 suites) that selects the highest-value designs and proposes a sequenced plan, with explicit reasoning for every choice (and every deliberate deferral).

This is a review/proposal artifact only — no product behavior changes. It is intended as input to the HDD lifecycle: each accepted initiative should graduate into its own staging ADR + spec pair.

Method

  • Cross-referenced every major spec suite against /workspace/src and /workspace/apps/web to separate "shipped" from "prose."
  • Anchored selection to settled product intent (product-shape/PRODUCT-INTENT-AND-DIVERGENCE.md) and verified production reality (production-overview/PRODUCTION-SYSTEM-MAP.md).
  • Scored candidates on a 4-axis rubric: intent fit × leverage on existing code × friction/risk × trust-correctness floor.

Key finding

Backends in this corpus are repeatedly ahead of their surfaces (audit engine, knowledge graph, hub profiles, peer-notebook control plane, eval harness all have working server code that is unexposed/unwired). The cheapest high-value work is finishing the last mile of built capabilities, not greenfield builds.

The plan (4 waves)

  • Wave 0 — Trust & safety floor: lock down unauthenticated /hub/api + /events (verified: workspace_id defaults to "*", no auth); session recovery via MCP root (prevents orphaned thought chains on client timeout).
  • Wave 1 — Cheap correctness on the shipped surface: Code Mode discoverability cleanup; finish project-scoping contract; cognitive-harness quick wins (CHX-01/03/07/08 + T2 defaults); citation fields on thoughts.
  • Wave 2 — Make built capabilities legible: surface the audit engine in web UI; knowledge-graph web UI; wire hub profile priming; coherent "one run" view.
  • Wave 3 — Strategic bets: close the sleep-time evolution-check learning loop; peer-notebook manifest lifecycle + web inspection.

Plus an explicit Deliberately deferred section (Canonical IR/TBX-C1, standalone RLM, srcbook preview lifecycle, OBS sidecar, MAP-Elites/Unified Autonomy Loop, Theseus v0.2, etc.) with reasoning.

Verification

Documentation-only change. All load-bearing factual claims were verified directly against source, including:

  • Public MCP surface = 3 tools (src/server-factory.ts:581-583)
  • /events wildcard + /hub/api no-auth (src/http/event-stream.ts:39-44, src/http/hub-http.ts:12-37)
  • No mcpRootUri in session model (src/persistence/types.ts)
  • decision_frame exactly-one-selected constraint (src/thought-handler.ts:482-485)
  • Hardcoded audit gap window (src/audit/manifest-generator.ts:178-195)

Pre-commit gates (cyclic-dependency check, oxlint) passed.


Co-authored-by: glassBead <glassBead-tc@proton.me>

vercel Bot commented Jun 3, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: thoughtbox-web-two | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 3, 2026 5:21am


supabase Bot commented Jun 3, 2026


This pull request has been ignored for the connected project akjccuoncxlvrrtkvtno because there are no changes detected in the supabase directory. You can change this behaviour in Project Integrations Settings.


@glassBead-tc glassBead-tc marked this pull request as ready for review June 3, 2026 05:25

chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 59c72ca492


Comment on lines +220 to +223:
- **CHX-01 + T2 defaults**: stop documenting/requiring fields the server
already auto-assigns (`thoughtNumber`) or defaults (`thoughtType`,
`nextThoughtNeeded`). The handler already auto-numbers and defaults
`thoughtType` to `reasoning`; only the Zod schema/SDK/docs disagree.


P2: Correct the nextThoughtNeeded defaulting claim

If Wave 1.3 is staged from this plan, the nextThoughtNeeded part is scoped as a schema/SDK/docs cleanup even though the current runtime still rejects omitted values: src/thought-handler.ts:349-350 throws unless data.nextThoughtNeeded is a boolean, while only thoughtType is defaulted at src/thought-handler.ts:386-387. In the scenario where an implementer relaxes the SDK/schema based on this text, tb.thought({ thought: ... }) would still fail at runtime, so the plan should call out the handler change explicitly or remove nextThoughtNeeded from the claimed existing defaults.


- **Friction**: Low–Medium. Localized to `src/http/*` and mount conditions in
`src/index.ts`.
- **Companion fixes (same wave, from the identity audit)**: OAuth callback open
redirect via unvalidated `next` (`apps/web/src/app/api/auth/callback/route.ts`);


P2: Reword the OAuth callback open-redirect claim

This companion fix labels the callback as an open redirect, but the cited route prefixes next with the current origin before redirecting (apps/web/src/app/api/auth/callback/route.ts:19-20), so next=//attacker.example stays on the same origin rather than becoming an external redirect. Unless there is another vulnerable callback path, keeping this as a Wave 0 security obligation sends follow-up work toward fixing a non-issue instead of the actual isolation gaps documented above.

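The origin-prefix behaviour the review describes, shown as an added example rather than the project's own callback code: a naive `new URL(next, origin)` resolution lets a protocol-relative `next` escape to another host, prefixing the current origin keeps it on the same origin, and a stricter variant that only honours a single-leading-slash path is included for comparison. `ORIGIN` and the `next` values are constructed sample inputs.

```typescript
// Added example (not the project's code). Compares three ways of turning an
// untrusted `next` query value into a redirect target. ORIGIN is a
// constructed sample value, not the deployment's real origin.
const ORIGIN = "https://app.example";

/** Naive resolution: `//attacker.example` resolves to a different host. */
function naiveTarget(next: string, origin: string = ORIGIN): string {
  return new URL(next, origin).toString();
}

/** Origin-prefix pattern, as the review says the callback route does:
 *  `//attacker.example` becomes a path on the current origin. */
function prefixedTarget(next: string, origin: string = ORIGIN): string {
  return `${origin}${next}`;
}

/** Stricter variant: honour only a path that starts with a single "/";
 *  absolute URLs, `//host`, `/\host` and empty values fall back to "/". */
function safeTarget(next: string | null, origin: string = ORIGIN): string {
  const fallback = `${origin}/`;
  if (!next || !next.startsWith("/") || /^\/[\/\\]/.test(next)) return fallback;
  const parsed = new URL(next, origin);
  return parsed.origin === origin ? parsed.toString() : fallback;
}

/** Origin of the final redirect target, as a browser would interpret it. */
function targetOrigin(target: string): string {
  return new URL(target).origin;
}
```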
