Cracks I've identified across OPUS — places where the current design ran out of road, and where the next-generation step lives. Per the protocol: don't fix bugs, step through cracks.
products.ts is a static config — every consumer (LandingPage, DroidFleet, AutoCMO, others) re-imports it independently. No single source of truth feeds the ecosystem.
Next gen: @opus-studio/products npm package + <ProductCard /> embed lib + /api/products JSON endpoint. Site becomes the registry, every product subscribes.
connector framework is the most reusable thing in the studio but 3/7 connectors return stubs. The contract is solid; the implementations aren't.
Next gen: extract connectors\ as @opus-studio/connectors (with stub-honesty: each connector declares analytics_supported: true|false). Sell to ad-tech as a standalone product even while OPUS uses internally.
AutoCMO's Optimizer needs feedback to improve. DroidFleet runs N phones. These never talked.
Next gen: wire AutoCMO Distributor → DroidFleet test scenarios. Each campaign variant runs on an emulator with a Persona archetype. Engagement metrics flow back to Optimizer. Productize as 'simulate before publish'.
appproof-server.ts is 3,200 LoC and self-documents as 'next refactor target' despite src/ being modularized. Race condition workaround in relay cleanup (1-hour early expiry) is a known hack.
Next gen: extract @opus/relay package first (highest value), then peel auth, billing, persona routes out of appproof-server.ts. Goal: appproof-server.ts < 500 LoC, pure orchestration.
4 of 7 family members are stubs (Search, Vision, Trust scaffolds; only Classifier and DNS are feature-complete). Signature verification is reimplemented in DNS and Trust — no shared lib.
Next gen: focus the next 60 days entirely on kosher-classifier as 'Brand-Safe Filter API' for B2B. Pause Search/Vision/Trust completion. The religious users get the same engine on a different surface. Shared signature lib becomes @opus/cryptocontracts.
NO product in OPUS uses any other product's capability today. Every cross-OPUS feature is theoretical. The studio is 32 isolated projects, not an ecosystem.
Next gen: pick ONE cross-OPUS wire to ship this month. Recommendation: AutoCMO Distributor → DroidFleet Persona for variant testing. This proves the pattern, creates the first ledger entry with status=shipped.
9 concrete fractures: hard-coded Android SDK path (src/lib/builder.ts:17), fire-and-forget error handling silences job failures (src/app/api/projects/[id]/play/route.ts), schema/orchestrator enum mismatch (prisma/schema.prisma vs builder.ts), unknown-as-never type suppression (src/lib/builder.ts:41), incomplete non-Anthropic LLM routing, 12K+ lines of hardcoded showcase brands in source, forced OneAPIKey proxy even for direct calls, Build Mode proposes diffs but never patches, no audit trail for APK uploads. Plus: 13.6K LoC across 122 files, ZERO tests, no pre-commit hooks, ~97 loose type casts.
Next gen: add a 50-test minimum suite covering builder.ts, llm-router.ts, deployer.ts. Add pre-commit (typecheck + lint). Extract showcase-brands.ts as data file. THEN extract domain-site-generator as @opus/domain-interpreter for cross-pollination.
bizforge has llm-router.ts, autocmo has its own tier-aware LLM routing in backend/app/llm.py. Two implementations, neither shared. Other products (kosher-classifier, sigsense, sonara) will write a third.
Next gen: merge the two implementations into @opus-studio/llm-router. Bizforge's multi-provider + AutoCMO's tier-aware routing + Ollama fallback. Publish to npm. New products use it from day 1.
No response caching anywhere. Every call forwards raw to upstream (src/lib/providers/forward.ts:117-130). Identical prompts pay full price every call.
Next gen: add Redis-backed response cache keyed by (provider, model, message-hash, params-hash). 1-hour TTL by default. Customer-tunable. Bill cached responses at 10% of fresh-call price (still revenue, much higher margin).
OneAPIKey exists as the right place to route all OPUS LLM traffic, but bizforge, autocmo, sigsense, wizetube each have their own multi-provider routing implementations. SigSense uses OneAPIKey but its Anthropic mapping is broken — it falls back to DeepSeek silently.
Next gen: deprecate per-product routers. Force all OPUS LLM traffic through OneAPIKey. Each product gets a virtual API key with budget + tier. Fix the SigSense Anthropic mapping bug as the first migration.
Real production-ready products with no exposure: Sonara is on Play Store (v1.1.1 shipped) but absent from opus site catalog. Karov ships APK to Vercel but its discoverability is minimal. delivery-platform exists with full-stack maturity, not catalogued.
Next gen: emergency catalog audit. Within 7 days: add Sonara, Karov, delivery-platform, sigsense to products.ts. Generate LandingConfig for each (use bizforge domain-site-generator via wire-001 for premium variants).
Catalog dormant: 25 entries in DB vs 50K-150K target. GoDaddy API adapter coded but not wired. Inngest pipeline scaffolded but never run. Marketplace adapters drifting from upstream schemas.
Next gen: replace Inngest with simpler Vercel Cron + Postgres locks. Wire GoDaddy key. Catalog explodes 25 → 50K+ in days. Add price-drop detection + composite ranking. THEN integrate bizforge wire-001 for premium landing pages.
Pricing page promises 'Pro' tier but Stripe is dormant. Clerk auth disabled. BETA models exposed publicly and fail in production. /match route duplicates /phrase. Mobile scaffolded Expo never built.
Next gen: Week-1 cleanup: hide /match, fix pricing page honesty, toggle BETA models off, decide on mobile (delete or commit). One PR.
Two independent archaeology passes (mine via direct read + the smarts-domains agent) arrived at the SAME wire proposal: bizforge domain-site-generator → smarts-domains parking pages. Strong signal that this is THE first wire to ship.
Next gen: ship wire-001 within 7 days. Provider side already implemented (bizforge /api/public/domain-styles route created today). Consumer side documented in D:\Alef\plans\WIRE_001_smarts_domains_patch.md.
Top-heavy ecosystem: producers (kosher-classifier, smarts-domains catalog) are starved; apex (opus.studio site, ALEF) is well-developed. Capabilities can't flow up without healthy producers.
Next gen: next 60 days: 70% of dev time on producers (catalog scaling, classifier ML wiring, OneAPIKey caching). 30% on everything else.
Catalog drift is the studio's #1 chronic. Real production products (Sonara on Play Store, Karov live, pundak=delivery-platform feature-complete) are absent from opus.studio's products.ts.
Next gen: 7-day sprint: add Sonara, Karov, pundak, sigsense, delivery-platform-confirmation to products.ts with at least stub LandingConfig. Use wire-001 for premium variants.
server.ts:43-60 — no circuit breaker for Keycloak. If Keycloak goes down, JWT validation silently allows anonymous access. SECURITY HIGH.
Next gen: add Keycloak circuit-breaker: if 3 consecutive validations fail with connection errors, deny all access (fail-closed) with 503 + clear log. Borrow pattern from kosher-dns emergency channel.
mobile is a Capacitor webview. Zero offline, no push, no native features. Stops AutoCMO from being mobile-first.
Next gen: replace Capacitor with React Native or Expo. First feature: variant-feed with offline ratings synced when back online.
7 OPUS-mature projects from D:\projects\ (delivery-platform, scanform, webapi.tools, etc.) are not in the catalog. Two known-good ones (Annoying Secretary, Karov) also missing. Site claims to be the compass but it's stale.
Next gen: audit + add delivery-platform and scanform to products.ts within the week. Document Annoying Secretary and Karov on the bonus track.
Privacy contradiction: DNS claims no query logs, but Classifier logs all classifications. Same user can be re-identified through the classifier's logs.
Next gen: audit logging policy across both services. Either DNS adds short-lived debug logs OR Classifier strips PII before logging. Document final policy in CONTRACTS.md and enforce in CI.
Production blocked on Google Play Closed Testing requirement: 12 testers + 14-day hold. Currently only 3 testers consented. Production-ready code shipped (v26.1 vc31, signed AAB) but stuck behind operational/recruiting gate.
Next gen: recruitment campaign: ask via OPUS site, Karov user base, AutoCMO mailing list. Target: 12 testers within 7 days. Side-effect: 12 OPUS-aligned users seeing WizeTube and giving feedback.
Production system runs on SQLite that re-seeds per Vercel cold start (server.js:8-273). Plus recursive treasury autobuy with no depth limit (server.js:330) — pathological seed data could stack-overflow.
Next gen: migrate to Neon Postgres (same stack as smarts-domains, sigsense). Cap autobuy recursion depth at 5 with explicit error. THEN promote eventfund to listed-on-site status.
Mother-tree concentration risk: OneAPIKey + opus.studio site are both single points of failure for capability flow and attention flow respectively. Neither has redundancy or a documented failure drill.
Next gen: quarterly keystone-failure drill (LLM_DISABLED=true mode in every product; verify graceful degradation). Build fallback routing in OneAPIKey itself (multi-region or cold-spare).
No 'self markers' whitelist for ALEF's destructive ops. The Hebrew-regex bug only didn't delete real data because of quarantine architecture. Next bug could be deeper.
Next gen: build D:\Alef\automation\self_markers.json listing protected paths, file extensions, mount points. Every destructive op checks first.
folder `Claude-Opus-4.7` is actually traktoroni — the most misleading name in the studio. Multiple subsequent confusion events in archaeology agents.
Next gen: rename folder to `traktoroni\`. Update OPUS_PROJECTS_MAP, products.ts (paths if any), local shortcuts. Single-day operation.
v0 target 2026-06-22 still pending. Privacy enforcement ("images never leave device") has no automated test, only static analysis on release builds.
Next gen: add integration test: airplane-mode emulator, run classifier on N images, verify zero outbound network. Fail build if any egress observed. Plus: build kosher-vision INTO @opus/brandsafe v2 from day-one (multi-modal) rather than as a separate path.
server.ts:43-60 - no circuit breaker for Keycloak; silent anonymous fallthrough
INVALIDATED