<live-context>
# Psyche Context for webber
## Status
Gen 3 started 2026-05-22. Prior context absorbed. Plan 01-03 v2 written (8 tasks). Head: b156630.

## Current Focus
Run `gsd-plan-checker` on v2 plan @ b156630. Write `01-03-PLAN-CHECK-v2.md` (incremental-write skeleton pattern — prior run crashed on socket close at ~15 min; incremental survived second attempt).

## Architecture Decision: Plan A-refined (LOCKED)
Extract `handleOAuthBearer` (~50 LOC) to `@bigscreen/auth/OAuthBearerMiddleware.ts`. Both admin_api + apps/api use shared export. Plan B (reverse-proxy) rejected — zero existing proxy patterns in cloud monorepo.

Key findings that drove decision:
- `auth/Auth.ts:121-148` AccessTokenPayload: camelCase (`bigscreenAccountId`, `clientId`)
- `handleOAuthBearer` clean export, extractable
- `auth/index.ts` `export * as OAuthBearerMiddleware` pattern established
- No reverse-proxy code anywhere in cloud — Plan B would have been greenfield
- admin_api has no request-level audit log; both plans preserve audit equally

## Plan 01-03 v2 Structure (8 tasks)
| Task | Type | Scope |
|------|------|-------|
| 1 | auto | R-NEW-01: dev-website→apps/api LB routing validation; RESEARCH-DELTA |
| 2 | auto+tdd | CliAuthStateMap.ts + 5 unit tests (D-15) |
| 2.5 | auto+tdd | Extract OAuth middleware → `@bigscreen/auth/OAuthBearerMiddleware.ts` |
| 2.75 | checkpoint:human BLOCKING | Package Legitimacy Gate: nock |
| 3 | auto+tdd | CliAuthApi.ts + 9 integration tests (D-13/14) |
| 4 | auto+tdd | SitePagesApi.ts + /api/site/* mount (REG-02/03); use `bigscreenAccountId`+`clientId` |
| 5 | auto+tdd | Full integration test; Task 5b: DNS confirmation blocking-human gate |
| 6 | human-verify BLOCKING | Arda registration (D-16); gates on scopes-website-only PR merge |

All PLAN-CHECK findings addressed:
- BLOCKER-1: Task 2.5 extraction
- BLOCKER-2: Task 4 uses correct JWT fields
- HIGH-1: Task 5b real gate
- HIGH-2: Tests E.1-E.5 + static grep
- HIGH-3: JSON.stringify; Test N exercises `</script>` + U+2028

## Plan-Checker v2 Instructions
Verify each prior finding resolved. Also check: no new bugs in Task 2.5 admin_api hot path.
Output: `01-03-PLAN-CHECK-v2.md`
- PASS → execute Tasks 1-3 (parallel with cloud PR merge)
- New BLOCKER → another replan

## Key State
- GSD workspace: `C:\Users\decid\gsd-workspaces\cloud`
- Website Head: b156630
- Cloud branch: `dev-web-publisher` (7 commits, renamed scopes)
- OAuth scope PR: `scopes-website-only` → `dev-gem` (pending merge; gates Task 6 only)
- Backup: `backup/pre-rename-D17` @ bf05e4c8

## Locked Decisions (do NOT revert)
- FND-02 v2 / D-13: dev-website = OAuth backend (not CLI PKCE-loopback)
- D-17: scopes `site:*` → `website:*` (shipped)
- D-18: site-publish endpoints on `apps/api/api.ts` (not admin_api)
- Plan A-refined chosen for BLOCKER-1

## Tracked Intentions
- Run plan-checker v2 on 01-03 plan (pending since 2026-05-22T03:18:53)

## Event Log (recent)
- 2026-05-22T01:52:02 | 3 architectures analyzed; Plan B recommended; awaiting choice
- 2026-05-22T03:18:53 | Plan A-refined chosen; v2 plan written @ b156630 (8 tasks); plan-checker v2 needed
- 2026-05-22 | Gen 3 psyche started; prior context absorbed
</live-context>
