docs: optimize canonical .md pack (CHITTY/CHARTER/SECURITY/AGENTS)

[chitcommit]

Summary

Sync the canonical documentation pack to reflect current Phase 3.5/4/6 shipped state and add AGENTS.md for agent registry discoverability.

• CHITTY.md: type: summary → architecture (resolves open compliance follow-up); fill did:chitty:REG-XE6835; endpoint table modernized to 22 categories matching 33 route modules; deps grew 7 → 13 with Live/Partial/Pending status
• CHARTER.md: Scope reflects allocations, classification trust-path, valuation, imports, Schedule E, forensics, inbound email; API Contract grew 12 → ~50 endpoints; Compliance checklist 8 → 17 items; Last Updated 2026-03-22 → 2026-05-02
• SECURITY.md: Mercury per-tenant HMAC details, ChittyID PKCE primary path, ChittyOS integrations table, npm/pnpm audit, PR chore(governance): add governance gates #95 hardening notes, ChittyChronicle read-side limitation flagged
• AGENTS.md (new): Internal AI agents, MCP capabilities, ChittyOS agent interactions, dev subagent guide, trust boundaries, contribution guide

Test plan

• CHITTY.md frontmatter type: architecture (was summary)
• Endpoint tables match server/app.ts route mounts (verified against 33 modules in server/routes/)
• Dependency status tags align with PR history (feat: ChittyID SSO via OAuth 2.0 PKCE #72 ChittyID SSO, feat: ChittyDiscovery self-registration and heartbeat #79 ChittyDiscovery, feat: Phase 5 ecosystem integration (5 features) #92 Chronicle, feat: Cloudflare Email Service (replaces SendGrid) #102 Email, feat(wrangler): add SERVICE_SCOPE_DB hyperdrive binding #110 Hyperdrive)
• No code changes, no schema changes, no behavior changes — docs only
• Document Triad cross-references unchanged
• Reviewer: spot-check that AGENTS.md trust boundaries match SECURITY.md trust-path table
• Reviewer: confirm all "Live" deps are actually deployed

Notes

• Docs-only, no runtime impact
• Workers Builds will likely show its known 0s stopped failure (issue Workers Builds: chittyfinance — instant 0s failure on every PR + main #111) — auto-merge configured to ignore
• Local MEMORY.md was also trimmed in the same session (224 → 69 lines, content moved to topic files); that work stays in ~/.claude/, not pushed

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Significantly expanded security policy documentation including OAuth verification, webhook signature handling, and enhanced CI/CD security controls
  • Comprehensive service charter update with detailed capability scope, dependency tracking, and structured API contracts
  • Enhanced architecture documentation reflecting runtime variations, complete technology stack details, and certification records
  • New AI agent registry documentation defining agent capabilities, integration patterns, and delegation boundaries

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	chittyfinance	f1b2d61	May 02 2026, 12:41 PM

[github-actions]

@coderabbitai review

Please evaluate:

• Security implications
• Credential exposure risk
• Dependency supply chain concerns
• Breaking API changes

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR expands ChittyFinance's documentation across four key files to comprehensively define the system's architecture, capabilities, agent integration framework, API contracts, and security policies, moving from summary-level descriptions to detailed operational specifications.

Changes

Comprehensive System Documentation Update

Layer / File(s)	Summary
Architecture & Stack CHITTY.md	System metadata updated from "summary" to "architecture" type. Runtime stack expanded to cover dual modes (Cloudflare Workers + Neon Postgres vs. Node.js + SQLite with Express fallback). Technology details clarified including Drizzle ORM, GPT-4o-mini classification, Mercury webhooks, ChittyConnect proxy, and Cloudflare Email Service. Dependencies and endpoints tables restructured with status/phase information and expanded route coverage (forensics, AI, integrations, MCP, tasks).
Responsibilities & API Contract CHARTER.md	"IS Responsible For" scope significantly expanded to detail consolidated reporting, multi-tenant isolation, Mercury/Wave/Stripe integration specifics, AI advice/classification, COA trust-path segregation, recurring charge optimization, property/lease/allocation management, transaction import/export, tax reporting, forensic accounting, and GitHub cost attribution. Dependencies section replaced with structured matrix (Upstream/Peer/External/Storage services with status and PR references). API Contract transformed from minimal endpoint list into categorized specification covering unauthenticated endpoints, sessions/auth, financial data, tenants, phased property endpoints, allocations, COA/classification, tax reporting, multi-source imports, AI services, integrations, webhooks (per-tenant verification), and forensics.
Agent Integration Framework AGENTS.md	New file establishing the ChittyFinance agent registry with frontmatter metadata (URI, namespace, type, version, compatibility, registration target, visibility). Documents internal AI agents (transaction classification, financial advice, recurring charge optimization) with sources, endpoints, and trust/fallback behavior. Specifies MCP capabilities under /api/mcp/* with Bearer service token authentication. Includes table of relevant ChittyOS agents, recommended development subagents, explicit delegation boundaries (what ChittyFinance never delegates vs. external delegations), step-by-step checklist for adding new agent integrations, and links to related documentation (CHITTY.md, CHARTER.md, SECURITY.md, CLAUDE.md).
Security & Compliance SECURITY.md	New "OAuth & Webhook Security" section added specifying HMAC-SHA256 OAuth state tokens (10-minute expiry, timing-safe verification), provider-specific webhook signature verification (Stripe, Mercury, Wave), and KV-based 7-day webhook event deduplication. Provider integrations table expanded with updated auth/data-flow details for Mercury, Wave, Stripe, OpenAI, and Cloudflare Email. New "ChittyOS Integrations" table added listing internal service-to-service auth and directional flows. CI/CD Security expanded with CodeQL alert counts, secret scanning specifics, dependency audit variants, workflow secret enforcement, bot detection, and Workers build pipeline details. Known Limitations section broadened with webhook/storage/accounting constraints and Chronicle read-side limitations. Compliance checklist enhanced with OAuth CSRF protection, webhook verification, reconciliation locking, ledger audit, and schema registration items. Last Updated date changed to 2026-05-02.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• docs: update CLAUDE.md phase tracker (PRs #86-104) #105 — Companion docs-only PR updating API/architecture documentation for overlapping features (allocations, email routes, COA trust-path, MCP, webhooks, security, and auth details).

Poem

🐰 A system documented, strong and true,
From agent frameworks to security through and through,
With CHARTER clear and AGENTS strong,
ChittyFinance now knows where it belongs. 🌿✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: optimizing/updating four canonical markdown documentation files (CHITTY, CHARTER, SECURITY, AGENTS) to reflect the current system state.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/md-pack-optimization-2026-05-02

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review — PR #114: docs: optimize canonical .md pack

Docs-only PR. No runtime impact. The changes accurately reflect Phase 3.5/4/6 shipped state and the new AGENTS.md is a useful addition to the canonical pack. A few items worth flagging before merge:

---

✅ What's well done

• CHITTY.md type: architecture — correct compliance fix; summary was a misnomer for a document that describes stack, endpoints, and ChittyDNA.
• Dependencies tables with Status column — Live / Partial / Pending is much more useful than a plain list. The honest Partial for ChittyChronicle (write succeeds; read 404s) avoids misleading future contributors.
• AGENTS.md trust boundary section — the explicit enumeration of what ChittyFinance never delegates (L2 coa_code writes, reconciled-row mutations, L4 COA edits, webhook signature verification) is exactly the kind of operational invariant that belongs in a docs artifact.
• SECURITY.md Known Limitations growth — SHA-256 session auth, no app-level rate limiting, integer-ID forensic tables, and the new ChittySchema fall-open note are all real limitations and flagging them proactively is good practice.

---

⚠️ Items to address or confirm

1. Canonical URI change in CHITTY.md is a breaking rename

-uri: chittycanon://docs/ops/summary/chittyfinance
+uri: chittycanon://docs/ops/architecture/chittyfinance

Any service that has indexed or cached this URI (ChittyDiscovery, chittyagent-canon, ChittyRegistry) will get a 404 on the old path. Confirm that:

• chittycanon has been updated to redirect or re-point the old URI, or
• no live service currently polls/caches this specific URI and a cold update is safe.

This is called out as "resolves open compliance follow-up" — if there's a tracking issue or Chronicle entry confirming downstream services are updated, a link here would close the loop.

---

2. dev:legacy script referenced in CHITTY.md doesn't exist in package.json

CHITTY.md now reads:

Express (legacy dev:legacy fallback)

But CLAUDE.md lists npm run dev:standalone and npm run dev:system — no dev:legacy. If this script hasn't been added yet, the reference is premature. Suggest either:

• Change to npm run dev:standalone (legacy Express fallback) if that's the accurate mapping, or
• Add the dev:legacy script before merging this reference.

---

3. /api/import/rei-hub — confirm this endpoint is deployed

CHARTER.md's new Imports table lists:

| `/api/import/rei-hub` | POST | REI Hub general ledger |

CLAUDE.md Phase 4 completions mention TurboTenant, Mercury, HD Pro, Amazon Business, and Wave sync — but REI Hub is not listed as completed. If server/routes/import.ts doesn't yet handle REI Hub, this endpoint should be marked Planned or removed from the live API contract table until it ships.

---

4. AGENTS.md confidence floor — verify against code

AGENTS.md states:

Confidence floor: 0.80 for bulk-accept eligibility (≤$500, exclude 9010 suspense)

This should match server/lib/ai-classifier.ts (or wherever bulk-accept thresholds are enforced). If the threshold or amount cap has drifted, the docs will mislead future contributors about the actual behaviour. Worth a quick grep to confirm.

---

5. npm audit vs pnpm audit inconsistency in SECURITY.md

-**Dependency audit**: `pnpm audit --prod --audit-level high`
+**Dependency audit**: `npm audit --omit=dev --audit-level high` (or `pnpm audit` if using pnpm-lock)

The parenthetical "or pnpm audit if using pnpm-lock" suggests uncertainty about the active package manager. CLAUDE.md uses npm install throughout. Pick one canonical command and remove the hedge — the ambiguity undermines the CI/CD security section.

---

Minor nits

• CHARTER.md compliance checklist: CHITTY.md present (\type: architecture`)` — the backticks inside the checkbox render fine in GitHub Markdown but look odd in raw editors. Not a blocker.
• AGENTS.md "ChittyOS Subagents Useful for Development" table references ~/.claude/agents/ — this path is developer-local and won't exist in CI. Fine for a guide document, but worth a note that these are optional local subagents, not repo-shipped artifacts (unless they are shipped elsewhere).

---

Reviewer checklist (from PR description)

• CHITTY.md frontmatter type: architecture — confirmed
• AGENTS.md trust boundaries match SECURITY.md trust-path table — confirmed (L1 for AI classifier, L2/L4 delegations listed in both places consistently)
• Canonical URI rename is safe — needs confirmation (see item 1 above)
• /api/import/rei-hub is deployed — needs confirmation (see item 3 above)
• All "Live" deps are actually deployed — ChittyID (PR feat: ChittyID SSO via OAuth 2.0 PKCE #72), ChittyDiscovery (PR feat: ChittyDiscovery self-registration and heartbeat #79), Cloudflare Email (PR feat: Cloudflare Email Service (replaces SendGrid) #102) are referenced; confirm these are live in production at finance.chitty.cc

---

Summary: Strong documentation update that reflects real shipped state. The URI rename (item 1) and the unconfirmed rei-hub endpoint (item 3) are the two items I'd want resolved before merging. Items 2, 4, and 5 are low-risk but worth a quick fix in this same pass.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f1b2d61ce1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Document the actual MCP route path

Update this endpoint to /mcp (not /api/mcp/*) so clients can connect successfully. The server only registers POST /mcp in server/routes/mcp.ts and protects /mcp in server/app.ts; publishing /api/mcp/* in the architecture doc will cause integrators to call a non-existent path and receive 404s.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Fix classification and COA API paths in contract table

These paths do not match the implemented API: there is no /api/classification/queue, /api/classification/bulk-accept, or /api/chart-of-accounts route in the server. The current implementation exposes /api/classification/unclassified plus /api/classification/{batch-suggest,ai-suggest} and COA routes under /api/coa (see server/routes/classification.ts), so the published contract currently directs clients to endpoints that fail.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Updates the repo’s canonical documentation pack to reflect the current shipped state (Phase 3.5/4/6) and adds a new AGENTS.md registry document for agent discoverability across the ChittyOS ecosystem.

Changes:

• Updated CHITTY.md frontmatter/type and refreshed architecture/dependencies + endpoint categorization.
• Expanded CHARTER.md scope/dependencies and significantly updated the API contract + compliance checklist.
• Refreshed SECURITY.md OAuth/webhook security details and added a ChittyOS integrations section; added new AGENTS.md.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 18 comments.

File	Description
SECURITY.md	Updates OAuth/webhook security notes, integrations tables, CI/CD security notes, and known limitations.
CHITTY.md	Updates doc type to architecture; refreshes stack/dependencies and replaces endpoint list with categorized route summary.
CHARTER.md	Expands scope/dependencies and rewrites the API contract + compliance checklist to match current phases.
AGENTS.md	Adds a public agent registry covering internal AI agents, MCP surface area, and trust boundaries.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.