Vibe Ex Corporation

This folder centralizes the working architecture for Vibe Ex Corporation.

The current focus is not to build every long-term idea immediately. The focus is to define a clean foundation for:

• the Vibe Control Center;
• the dev/deploy server;
• the VEC Central Brain MCP;
• project onboarding;
• domains, deployments, secrets, logs, analytics, and beta environments;
• future AI-native company operations.

Canonical Documents

• Vibe Control Center Platform Plan
• VEC Central Brain MCP Foundation Spec
• Domain Manager Spec
• Global Brand Registry
• Online Dev Workspace
• Forgejo Migration and Distributed Builder Plan
• Temporary rag3 MCP Deployment
• EC2 Self-Deploy Runbook

Global Brand Registry

The global visual source of truth now lives in vault/brands.

• vault/brands/<project>/brand.json stores brand metadata and indexed assets.
• logos/, mockups/, ui/, references/, fonts/, colors/, exports/, and screenshots/ store visual artifacts by project.
• The MCP exposes vec://brands, vec://brands/<project>, and vec://brands/<project>/asset-index.
• Agents can use vec_list_brands, vec_get_brand, and vec_index_brand_assets to find or refresh project assets without conversation context.
• Authenticated asset URLs are served under /brand-assets/<project>/....

Legacy VDS / Vibe Ex Brand Resources

The MCP exposes a VDS / Vibe Ex brand pack so future agents do not reinterpret the permanent canonical style sheet from high-level principles only.

• vec://brand/canonical-style -> Canonical Style Sheet
• vec://brand/core -> Brand Core
• vec://brand/tokens -> Design Tokens JSON
• vec://brand/colors -> Color System
• vec://brand/typography -> Typography System
• vec://brand/ui-system -> UI System
• vec://brand/logo-rules -> Logo Rules
• vec://brand/dashboard-logo -> Dashboard Logo PNG
• vec://brand/motion -> Motion System
• vec://brand/forbidden-styles -> Forbidden Styles
• vec://brand/reference-frames -> Reference Frames
• vec://brand/product-hierarchy -> Product Hierarchy
• vec://brand/panel-system -> Panel System
• vec://brand/sidebar-system -> Sidebar System
• vec://brand/filmstrip-system -> Filmstrip System
• vec://brand/hero-video-system -> Hero Video System
• vec://brand/workflow-editor-system -> Workflow Editor System
• vec://brand/marketplace-system -> Marketplace System
• vec://brand/jobs-panel-system -> Jobs Panel System
• vec://brand/visual-continuity -> Visual Continuity
• vec://brand/validation-checklist -> Apple-Grade Validation Checklist

Canonical image references will live in docs/brand/reference after David approves redesigned frames. The current VEC landing/admin screenshots are not canonical.

Operating Principles

• Best practices are the default unless there is a clear reason not to.
• The human stays the final decision maker.
• David is Master and Commander of all Vibe Ex AI agents.
• All company, product, project, infrastructure, and release decisions require David's explicit approval.
• Significant recommendations, decisions, and actions must be justified, traceable, and auditable.
• Authorized communications are operational intelligence, but they must be filtered and summarized to avoid noise.
• Architecture should reduce mental load, increase leverage, and accelerate execution.
• Avoid over-engineering, unnecessary complexity, noisy automation, agent chaos, and memory chaos.
• All production-changing actions need approval.
• Personal project files live online first. Local machines are optional clients or temporary runners.
• No unique personal project code, data, generated assets, .env files, or credentials should remain only on the company laptop.
• Standing approval: VEC admin UI changes are YOLO-to-production for this project after a local build passes, unless David explicitly says to hold, pause, or ship only locally.
• Real systems remain the source of truth: Git, project manifests, Infisical, Coolify, Cloudflare, observability, analytics, and documented runbooks.

Temporary MCP Endpoint

• Landing: https://vibexinc.com/
• Admin: https://vibexinc.com/admin
• URL: https://vibexinc.com/mcp
• Transport: Streamable HTTP JSON-RPC
• Auth: Authorization: Bearer <token>
• Health: https://vibexinc.com/health

This endpoint is the control surface. Project files and development workspaces should live under the online dev workspace, not on the company laptop.

Online Dev Workspace

The canonical dev workspace root is:

/opt/vec/workspaces

• One full-time developing agent is the default.
• Secondary agents run in short approved windows.
• Agents may run on the server, a laptop, Windows, or a phone-controlled session, but useful work must land in the online workspace or remote Git.
• /Users/David is not a default runner root. Add it only for an explicit temporary local runner.
• The laptop cleanup standard is remote Git plus online workspace plus build/check proof before deleting local copies.
• A Ubuntu dev runner can be prepared with bootstrap/bootstrap-dev-workspace.sh.

Web Admin

The public web surface is a React/Vite build served by server.mjs.

• / is the landing page.
• /admin is the protected admin UI.
• /api/admin/login, /api/admin/session, /api/admin/status, and /api/admin/logout power the admin session.
• /api/admin/messages returns recent agent messages for the VEC command center.
• VEC_ADMIN_USERNAME and VEC_ADMIN_PASSWORD configure access.
• Admin sessions are signed HTTP-only cookies.

QA Agent

The first autonomous QA loop is intentionally narrow and auditable.

• QA briefs are submitted through vec_submit_qa_brief.
• The built-in QA worker polls pending briefs when VEC_QA_AGENT_ENABLED is not false.
• The worker can run safe test/typecheck/lint/check/build commands when the target repo exists on the runner.
• Runner workspace roots default to /opt/vec/workspaces, /workspaces, and /workspace.
• If the target repo or required capability is missing, the worker publishes a blocked report instead of staying silent.
• QA agents or workers publish final reports through vec_record_qa_report.
• Briefs are stored under data/qa-briefs/.
• The server stores the full report under data/qa-reports/.
• Dashboard messages are stored under data/messages/.
• The admin dashboard polls /api/admin/messages and shows QA briefs, runs, and reports in Messages d'agents.
• Any recommended fix remains a proposed action; production or release decisions still require David's approval.

MCP Security

The MCP endpoint is intentionally closed by default unless VEC_MCP_TOKEN is set.

• Bearer tokens are compared through constant-time HMAC digests.
• ChatGPT can connect through OAuth authorization code + PKCE.
• OAuth discovery is exposed at /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server.
• Dynamic client registration is exposed at /oauth/register.
• CORS is restricted with VEC_ALLOWED_ORIGINS.
• JSON request bodies are capped with VEC_MAX_JSON_BYTES.
• MCP and admin login routes have per-IP rate limits.
• JSON-RPC batch requests are handled sequentially to avoid concurrent write corruption.
• Security headers are applied to all responses.

ChatGPT Connection

Use ChatGPT Developer Mode with the remote MCP URL:

https://vibexinc.com/mcp

ChatGPT should discover OAuth from the MCP WWW-Authenticate header and redirect to /oauth/authorize. Log in with the VEC admin credentials stored on the server in:

/opt/vec/shared/secrets/central-brain.env