v4 → n8n Migration

Plan went through two QC rounds. v2 of PLAN.md was reviewed Codex+Gemini and refined. Then your six points of feedback (Telegram, DeepSeek, morning brief, Hermes meta-orchestration, file SoT, Railway/Cloudflare) produced CHANGES-v3.md, which also went through Codex+Gemini — both said REFINE. The reviewers caught real architecture mismatches I missed; the refined v4 sits below in Section 3.

Decision state (compact)

QC verdict trail

• v2 PLAN.md — Codex REFINE / Gemini REFINE — 6 HIGHs (runner substrate, PAUSED HITL, sheet-write wrap, shadow-run mechanism, credentials SSOT, verification CLI). All folded into v2.
• CHANGES-v3.md — Codex REFINE (4 HIGH) / Gemini REFINE (3 HIGH). Converged on: Windows/Linux mismatch on Option E; compliance-gate substitution = legal risk; Hermes adoption contradicts my own VIDEO-RESEARCH.md; Telegram webhook + Bearer auth incompatible; data.json is cache not SoT; Hermes git-write contradicts safety boundary.
• v4 refined — narrows Phase 0 to ~1.5 weeks, quarantines Hermes + DeepSeek as parallel R&D pilots, reverts runner to Option A.

You mentioned 49E is rolling out M2 of the GSD Task Spine. Confirmed by reading projects/briefs/gsd-task-spine/.planning/2026-05-16-m2-freshness.md and 2026-05-19-m5-surface-migration.md. This is a SQLite task store at F:/Agentic-OS/.command-centre/tasks.db, with CLI at tools/tasks.py. M1 shipped 2026-05-16; M2 adds the trust layer; M5 ingests 4 existing surfaces into it.

What M2 adds (in scope right now)

• Freshness signals on every read (verify-before-trust)
• Daily cron sweep — reap dead tasks, flag drift
• Atomic SQLite snapshots
• done becomes a stable state, only left via deliberate reopen
• New definition_of_done column + goal-brief command (folds in the native /goal feature)

Impact on the v4 migration plan

Net: M2 is helpful infrastructure for this migration. It gives us a trusted SQL task substrate that didn't exist when I wrote v3. If you approve, I'll bake Spine integration into PLAN.md v3 alongside the v4 refinements.

M2 tasks (per .planning/2026-05-16-m2-freshness.md):
  Task 1 · verify_task — record a verification outcome
  Task 2 · reopen_task — controlled state transition
  Task 3 · reap_task — daily sweep removes expired ephemerals
  Task 4 · freshness.py — pure-function freshness signals
  Task 5 · reconcile.py — daily sweep entry point
  Task 6 · snapshot.py — atomic SQLite backups
  Task 7 · CLI gains verify/reopen/reconcile/snapshot/dod/goal-brief subcommands
  Task 8 · freshness-annotated get/list output
  Task 9 · definition_of_done column (schema migration)
  Task 10 · write path to set/refine DoD
  Task 11 · goal-brief command (emits /goal-ready brief from a task)

M5 surface migration (next):
  Surface 1 · Markdown pending-tasks registry → ingest
  Surface 2 · Session-file open loops → ingest
  Surface 3 · Claude Code TaskCreate/Update → hook writes
  Surface 4 · Creative Production Tracker Sheet → ingest

Post-QC refinement of your six feedback points. Two were downgraded to parallel R&D pilots rather than Phase 0 substrate (Codex+Gemini both flagged the risks of bundling them in).

Distilled from the 5 video transcripts (mined verbatim via tool-youtube) and the 2-round QC. Full doc: projects/briefs/v4-n8n-migration-2026-05-18/VIDEO-RESEARCH.md.

What's real vs hyperbolic

The Triad pattern

Conductor (Opus, plans) → Worker (DeepSeek, bulk execution) → Critic (Gemini/GPT, shipping verdict). Same shape as our Cascade Gate B (Codex + Gemini + Opus + Sonnets) but cheaper. Worth considering for Gate B in Phase 5+ after migration stable. Don't bundle now.

Pilot pass/fail criteria (refined v4)

All planning artefacts in F:/Agentic-OS/projects/briefs/v4-n8n-migration-2026-05-18/:

• PLAN.md — v2 plan, post-QC (12-week strangler-fig)
• OPEN-DECISIONS.md — runner contract Options A/B/C (and D/E added in v3)
• VIDEO-RESEARCH.md — synthesis of 5 transcripts (real vs hyperbolic claims)
• CHANGES-v3.md — 6-change recompile w/ implementation specifics (pre-this-QC-round)
• QC-CACHE/codex-2026-05-18.md + gemini-2026-05-18.md — v2 QC verbatim
• video-research/*.en.md — 5 raw transcripts (audit cache)

Related project context:

• projects/briefs/gsd-task-spine/.planning/2026-05-16-m2-freshness.md — GSD M2 plan (session 49E)
• projects/briefs/gsd-task-spine/.planning/2026-05-19-m5-surface-migration.md — surface ingest plan
• context/sessions/session-49d-n8n-smoke-and-sample.md — n8n integration entry session
• reference/services/n8n.md — n8n service contract (dual host, webhookId gotcha)
• projects/briefs/calum842-vps-migration-2026-05-17/MIGRATION-PLAN.md — VPS migration parent context

Tap a button to indicate direction, type any reasoning in the box, then hit Submit at the bottom. Submission lands in F:/Agentic-OS/inbox/v4-n8n-migration/ and I'll process it next session.

Genuine uncertainties I haven't resolved. Add your thoughts via the cards in §6 or just note here for next session.

Open questions

• Telegram bot state: the TELEGRAM_BOT_TOKEN in .env is missing despite the contract at reference/services/telegram.md. Is the bot itself gone (need to mint fresh via @BotFather), or just the key value lost from .env (rotate)? Affects Change #1 start.
• 49d pending-tasks-registry section: I added a "Session 49d" block during /bank-full. If we approve Spine integration (§6 card 2), should I migrate those 6 entries into Spine rows now, or wait for M5's first ingestor to do it automatically?
• Hermes pilot resource hosting: if the pilot advances, Hermes-as-daemon needs Linux hosting (Docker). Three options: (a) Joe SEO Coolify project (recommended — reuses infra), (b) Railway managed PaaS ($5-15/mo), (c) Calum's local Docker. (a) and (c) are zero incremental cost.
• DeepSeek benchmark scope: Codex flagged the 1-hour benchmark too thin. What's the right effort? Per task class: 50 fixtures, schema validation, regression diff vs Claude baseline. ~1 day per class. 3-4 days total for keyword/GAQL/compliance triplet.
• Cascade Gate B Triad refactor (Phase 5+ stretch): Tempting to refactor the current 4-reviewer pattern to Opus-plan + DeepSeek-check + Gemini-verdict. Cost saving real; risk of regressing the most important compliance gate is also real. Worth a separate plan in Phase 5.

Theories worth checking

• The Spine becomes the single migration-work substrate. All Phase 0-5 tasks live there; Hermes (if it pilots successfully) reads from it and writes proposals back; n8n workflows reference Spine task IDs for traceability; cron jobs reconcile state nightly. If this holds, the migration's audit trail is end-to-end queryable.
• The runner-contract decision is more bounded than I thought. Option A (Windows-native, Calum local) is the only viable path while tools have hardcoded Windows paths. Option D (Railway) and E (Joe SEO Coolify) both require multi-week tool refactor. Until that refactor is done, Phase 0-4 is stuck on Option A. Worth deciding: do we ever want to do that refactor? If yes, that's a separate workstream worth scoping.
• Hermes' real value might NOT be cost reduction. If Hermes generates structurally-fragile n8n JSON that QC rejects 40% of the time, the "85x cheaper" claim collapses (4 retries × DeepSeek cost > 1 attempt × Claude cost). Pilot quantifies this. If rejection rate > 25%, Hermes-as-worker is net-loss.

Ran 9 prompts × 5 candidate models = 45 calls (30 successful — 15 Featherless 429s due to 1-slot concurrency limit). Real money: $0.00150 total. Cost concern essentially solved.

Empirical winner — `qwen/qwen3-235b-a22b-2507`

*Featherless rate-limited (1 slot at a time); sample biased low. When they ran, Qwen3-Coder-480B was best on n8n JSON (2/3 pass). R1-0528 is very slow (51-159s/call) — only worth it for genuine reasoning.

3-reviewer QC peer added

tools/qwen_qc.py built + smoke-tested. From now on, every plan / decision / agent-prompt QC fires three reviewers in parallel — Codex 5.5 + Gemini 3.1 Pro + Qwen3-235B. A HIGH from any of the three = HIGH. Independent angles, single reconciliation by Claude.

Dual-provider routing live (tools/llm_router.py)

• Featherless primary during paid window (until 2026-05-25) — $0 marginal, 1-slot concurrency, 32K ctx cap
• OpenRouter fallback (or primary post-expiry) — per-token billing, up to 1M ctx, parallel-safe
• Router auto-flips on FEATHERLESS_EXPIRY env date OR rate-limit OR context overflow
• Per-call cost logged to cron/logs/llm-costs.jsonl
• Compliance / ad-copy / creative-brief / strategic-decision task classes — router REFUSES, caller must use Claude direct

Refined routing table (per benchmark)

migration_worker   → featherless:Qwen3-Coder-480B  / openrouter:deepseek-v4-flash
gaql_generation    → openrouter:qwen3-235b         / openrouter:deepseek-v4-flash
keyword_clustering → openrouter:qwen3-235b         / featherless:Qwen3-235B
structured_extract → openrouter:qwen3-235b         / openrouter:deepseek-v4-flash
reasoning_chain    → featherless:DeepSeek-R1-0528  / openrouter:deepseek-r1
critic_verdict     → featherless:GLM-5.1           / openrouter:deepseek-v4-pro
ad_copy / creative_brief / strategic_decision / compliance_scan → CLAUDE_DIRECT

Full results: projects/briefs/v4-n8n-migration-2026-05-18/llm-router-benchmark-2026-05-19.md

Hermes powered by Qwen3-Coder-480B drafts n8n workflows; three-reviewer QC gates; Claude in-session applies. From the video synthesis: Hermes ↔ Claude share state through the git-tracked codebase, not by calling each other's APIs.

Architecture

                    F:/Agentic-OS/ ── GitHub remote ──┐
                          │                            │
                  ┌───────┴───────┐                    │
                  │               │                    │
         Hermes pulls READ    WRITES via PR ───────────┘
         everything       (proposals only — no main commits)
                  │
                  ▼
         ┌──────────────────────────────────────┐
         │ Hermes daemon (Joe SEO Coolify)      │
         │  hermes.nutritionalproducts.org      │
         │ ┌──────────────────────────────────┐ │
         │ │ Worker:    Qwen3-Coder-480B (FL) │ │
         │ │ Fallback:  DeepSeek V4 Flash (OR)│ │
         │ │ Reasoning: DeepSeek R1-0528 (FL) │ │
         │ │ Critic:    GLM-5.1 (FL)          │ │
         │ │ Memory:    GSD Spine + git       │ │
         │ │ Trigger:   Telegram + cron       │ │
         │ └──────────────────────────────────┘ │
         └────────────┬─────────────────────────┘
                      │ proposes via PR
                      ▼
              ┌───────────────────────────────────┐
              │ Three-reviewer QC (parallel)      │
              │   Codex 5.5 + Gemini + Qwen       │
              └────────────┬──────────────────────┘
                           │ verdicts
                           ▼
              ┌───────────────────────────────────┐
              │ Claude (in-session)               │
              │  - reconciles HIGHs               │
              │  - applies the PR or rejects      │
              │  - moves Spine task forward       │
              └───────────────────────────────────┘

Hermes's sandboxed write zones

• n8n/workflows/proposed/*.workflow.json — never n8n/workflows/ directly
• projects/briefs/v4-n8n-migration-2026-05-18/hermes-output/<task-id>/ — drafts + briefs
• GSD Spine task rows (only its own; status proposed → never done)

Pilot pass/fail

Cost per migration workflow

• Worker draft (~5K tokens): $0 Featherless / $0.0005 OpenRouter
• 3-reviewer QC (~30K tokens total): ~$0.001 + Codex/Gemini subscriptions
• Total per workflow: ~$0.0015 · 20 workflows = ~$0.03 total drafting cost

Both rounds of Codex 5.5 + Gemini 3.1 Pro QC, full text. v2 round addressed runner substrate / PAUSED HITL / sheet-write wrap / shadow-run mechanism / credentials SSOT / verification CLI. v3 round addressed Telegram-Cloudflare auth / Windows-Linux mismatch / compliance substitution / Hermes contradiction / data.json SoT violation.

HIGH:
1. data.json is READ CACHE, not SoT. Morning brief reads it directly — violates AGENTS.md 2026-05-15 rule.
2. Routing compliance through DeepSeek mid-migration = publish-critical legal-risk change at the wrong time.
3. Hermes adoption contradicts my own VIDEO-RESEARCH.md which explicitly rejected the framework for this use case.
4. Hermes "writes JSON + commits to git" violates the same doc's "Hermes only proposes" safety boundary.

MEDIUM:
- Telegram env var name mismatch (plan: TELEGRAM_ALLOWED_CHAT_IDS, contract: TELEGRAM_ALLOWED_USERS).
- Approval callback mechanics underspecified.
- OpenRouter already in registry — work is model ID validation, not registry add.
- 1-hour DeepSeek benchmark too thin.
- Joe SEO Coolify single-point-of-failure underplayed.
- Existing 49d open follow-ups skipped in v3 sequencing.
- "3 days + 2 weeks" estimate not credible without install/security/integration/validation breakdown.

HIGH:
1. Windows-vs-Linux mismatch on Option E. Tools have hardcoded F:/Agentic-OS/ and /c/Python314/python.exe. Linux Coolify breaks them.
2. Telegram webhook can't pass Cloudflare Bearer auth. Telegram API doesn't carry custom Bearer headers. Exempt the webhook path; use Telegram's X-Telegram-Bot-Api-Secret-Token header.
3. Compliance gate substitution is legal risk. Even if fixtures pass technically, Calum must explicitly sign off.

MEDIUM:
- Morning brief stale-state (re-check pre-conditions before mutation).
- SQL location affects network access mapping.

LOW:
- Telegram webhook cleanup when rotating tokens (deleteWebhook on old token).

HIGH:
1. Execution substrate undefined. Joe SEO n8n won't have F:/Agentic-OS/, Python 3.14, .env, etc.

MEDIUM (highlights):
- Joe SEO open loops (49d) must close before workflow migration starts.
- Shadow-run "7 days" weak for low-frequency events — define cutover by time AND sample count.
- Gate workflow contracts underspecified (need JSON I/O schema + PASS/WARN/BLOCK fixtures per gate).
- HITL approval URLs need signed one-time tokens + expiry + replay protection.
- RESEARCH-NOTES.md "to be created" — should exist before approval.

HIGH:
1. Phase 1 shadow-run protocol — no technical mechanism defined to route same trigger to both Claude and n8n simultaneously.
2. Phase 0 credentials — "all secrets in n8n's credential store" splits the auth SSOT.
3. All phases — missing concrete verification commands.

MEDIUM:
- Concrete file path for CI script.
- Phase 1 compliance gate must WRAP existing Python script, not re-implement.
- Self-answer the 49-checks open question.