[extensions] Add RLS policies to family-calendar

.claude/settings.local.json

@@ -0,0 +1,7 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(python3 -c \"import sys,json; d=json.loads\\(sys.stdin.read\\(\\).split\\(''''warning''''\\)[0].rstrip\\(\\).rstrip\\('''',''''\\)\\); [print\\(f''''  {r[\"\"table_name\"\"]}''''\\) for r in d.get\\(''''rows'''',[]\\)]\")"
+    ]
+  }
+}

.gitignore

@@ -23,3 +23,7 @@ sync-log.json
 
 # Build artifacts
 deno.lock
+/ankit114.json
+recipes/email-history-import/token*.json
+recipes/email-history-import/sync-log*.json
+recipes/email-history-import/credentials.json

.vscode/extensions.json

@@ -0,0 +1,3 @@
+{
+  "recommendations": ["denoland.vscode-deno"]
+}

.vscode/settings.json

@@ -0,0 +1,24 @@
+{
+  "deno.enablePaths": [
+    "supabase/functions"
+  ],
+  "deno.lint": true,
+  "deno.unstable": [
+    "bare-node-builtins",
+    "byonm",
+    "sloppy-imports",
+    "unsafe-proto",
+    "webgpu",
+    "broadcast-channel",
+    "worker-options",
+    "cron",
+    "kv",
+    "ffi",
+    "fs",
+    "http",
+    "net"
+  ],
+  "[typescript]": {
+    "editor.defaultFormatter": "denoland.vscode-deno"
+  }
+}

AGENTS.md

@@ -0,0 +1,75 @@
+<!-- MYBCAT-GUIDELINES-START -->
+<!-- DO NOT EDIT BETWEEN THESE MARKERS - managed by mybcat-sync-guidelines -->
+<!-- Last synced: 2026-04-02 13:17:49 -->
+## MyBCAT Universal Rules (Lean v2)
+## Red-teamed by Codex HIPAA review 2026-04-02. Grown from real incidents.
+
+## Outcome
+MyBCAT is a managed back-office and call center service for 30+ U.S. optometry practices.
+We handle PHI (patient names, insurance, call recordings). HIPAA compliance is mandatory.
+Built primarily with AI coding agents (Claude Code). Founder is not a software engineer.
+Revenue: ~$1.3M annualized. 60+ remote Filipino agents. 3-person tech team.
+
+## Risk Profile
+Single AWS account (no dev/prod separation). All systems are production. PHI-bearing databases and call recordings. Large tables (100K–1.37M rows). Manual deploys only.
+
+## Security (HIPAA — non-negotiable)
+- Never log, display, or store PHI (patient names, emails, insurance IDs, phone numbers, payment info) in plaintext.
+- All patient-facing endpoints require Cognito auth with MFA (TOTP minimum). No anonymous access to PHI.
+- Row-level security: users see only their tenant's data.
+- S3 PHI storage requires encryption (KMS preferred). RDS SGs restricted to VPC CIDR.
+- Rate-limit all public API Gateway endpoints. WAF required on public endpoints.
+- Never expose internal tools (n8n, Metabase) to 0.0.0.0/0.
+- No 0.0.0.0/0 ingress on ANY security group — we had 5+ DBs exposed this way.
+- All DB queries use parameterized statements. No string interpolation in SQL.
+- Credentials go in AWS Secrets Manager via `secret-store` CLI. Never in chat, code, comments, or git URLs — agents have leaked credentials in Google Chat before.
+- Never embed GitHub tokens in git remote URLs. Use SSH or credential helpers.
+
+## Infrastructure Safety
+- No security group modifications without explicit approval.
+- No DB migrations without a snapshot. We have no rollback procedures.
+- No DynamoDB Contacts table structure changes without approval (1.37M records, high blast radius).
+- No direct pushes to main on repos with CI/CD. Branch + PR required.
+- No infrastructure deploy without `terraform plan` review first.
+- IaC via Terraform exclusively (no console-created resources).
+- Manual CI/CD trigger only — never auto-deploy to prod.
+- RDS backup retention minimum 35 days. Snapshot before every migration.
+- Bland AI: versioned pathway endpoint only. Edge labels don't persist on non-versioned.
+- Assume production scale. Avoid full-table scans on large tables. Add indexes or justify why none are needed.
+- DynamoDB: use Query with GSI, never Scan on tables >100K items.
+- Run CloudFormation drift detection monthly.
+
+## Code Standards (security-relevant)
+- Python: use logging module, not print — print can leak PHI to stdout. Lambda handlers return proper status codes.
+- TypeScript: strict mode — enforces auth/tenant boundary safety.
+- Every API endpoint includes error handling with user-friendly messages. No raw errors to users.
+- All repos must have CI that runs lint + build before merge to main.
+
+## Working Boundaries
+- If a task will touch more than 3 files, propose a plan and wait for approval.
+- Before destructive operations (DELETE, DROP, TRUNCATE, SG changes), state what you're about to do.
+- Fresh session per logical task — prevents cross-client PHI context bleed.
+- If working more than 5 minutes without results, stop and reassess.
+
+## Response Quality Rules
+- Say "I don't know" when uncertain. Do not guess, fabricate, or speculate without actual knowledge.
+- Verify with citations. Back up factual claims with sources — documentation links, file paths, line numbers, or command output.
+- Use direct quotes for factual grounding. Quote relevant text directly from code, docs, or sources rather than paraphrasing.
+
+## Available Tools
+- AWS MCP (102 read-only tools for infrastructure inspection)
+- MyBCAT Ops MCP (1,126 docs, operational knowledge)
+- MyBCAT Playbook MCP (security audits, procedures, onboarding)
+- GitHub (CI/CD, repos, PRs)
+- Terraform (infrastructure management)
+- `secret-store` CLI (secrets management)
+
+## Full Operational Playbook
+For deeper context beyond these rules, query the **mybcat-playbook MCP** (`search_playbook`, `get_playbook_doc`, `list_playbook`):
+- Security audit with findings, remediation steps, and fix prompts
+- Business context: clients, team, services, tech stack, compliance posture
+- Task decomposition templates for safely making risky changes
+- Engineer onboarding briefing for new contractors or team members
+- Nate's operational frameworks: blast radius discipline, scar tissue rules, 80-20 threshold
+
+<!-- MYBCAT-GUIDELINES-END -->

CLAUDE.md

@@ -1,3 +1,5 @@
+<!-- MYBCAT guidelines inherited from /repos/.claude/CLAUDE.md — do not duplicate here -->
+
 # CLAUDE.md — Agent Instructions for Open Brain
 
 This file helps AI coding tools (Claude Code, Codex, Cursor, etc.) work effectively in this repo.

docs/brainstorming/2026-03-30-brain-pan-inventory.md

@@ -0,0 +1,98 @@
+# Panning for Gold: Full Brain Inventory
+**Date:** 2026-03-30
+**Source:** 975 thoughts (3 Obsidian vaults + 2 Gmail accounts), 4 Google Calendars
+**Method:** Cross-reference search across all Open Brain data, emails, and calendar
+
+---
+
+## Thread Inventory (22 threads extracted)
+
+### BUSINESS & STRATEGY
+
+**1. The Two-Business Model: BPO + Roll-Ups**
+MyBCAT is actually two businesses: (1) BPO/offshoring for optometry practices (short-term revenue), (2) practice roll-ups/acquisitions (long-term equity). This framing came from strategy sessions with Tamara Loer in late 2023.
+> "shorterm - bpo, longterm - roll-ups" — Obsidian vault
+> "make program around offshore to profitability" — strategy notes
+
+**2. Optometrist Academy as Roll-Up Feeder**
+A training/optimization forum for optometrists that serves as a funnel for the acquisition strategy. "9 month program then go to upper echelon for premier folks, to annual membership."
+> Connected to Customer Value Journey framework (Beusail Academy notes)
+
+**3. Slicing Pie Equity Model for Key Employees**
+Explored slicingpie.com for dynamic equity splits. Two acquisition approaches documented: (a) group buy-in with shared back-end services, (b) raise fund, buy, integrate.
+> Back-end services list: insurance/billing, phones, bookkeeping, buying group, lab, inventory
+
+**4. Customer Value Journey (CVJ) — Mapped but Not Executed**
+Full CVJ documented: Aware > Engage > Subscribe > Convert > Excite > Core/Upsell > Advocate > Promote. Channels mapped (podcasts, video shorts, LinkedIn, FB ads, SEO). This is comprehensive but appears to be from 2023 — status unclear.
+
+**5. AI Agents Collapsing Transaction Costs (Brian Flynn, Feb 2026)**
+Recent insight: AI agents are eliminating search + evaluation costs for services. "Discovery and buying decisions at runtime become machine optimization, not human attention capture." Coase framing applied. This directly affects how MyBCAT's services get discovered.
+
+**6. 8-Dimension Practice Assessment Framework**
+Structured evaluation across: Growth Potential, Patient Services, Leadership & Strategy, Financial Benchmarking, Market/Competitive Analysis, Succession Planning. This is IP that could be productized.
+
+### PROPERTY & REAL ESTATE
+
+**7. West Georgia Rental Property — Lease Non-Renewal**
+Mital is actively managing a rental property through Vision's Owner Services. Lease expires 05/12/2026. Decision made: "I do not want to renew their lease when the time comes." Multiple emails about timing and 90-day notice requirements.
+> Action items still open: property turnover planning, next steps after lease expires
+
+**8. Lease Timeline Confusion**
+Mital questioned Vision's about the 90-day notice timing. This thread may need follow-up — is the notice sent? Is the tenant aware?
+
+### FAMILY & KIDS
+
+**9. Jovan's Academic Support System**
+Active tutoring with Tasha Babiar at High Meadows. Math tutoring on Mondays. Testing with Dr. Palmer at Atlanta Child Psych for evaluation. BAA set up for Google Meet telehealth sessions.
+> Calendar shows: Jovan tutoring (Mon 3:45 PM), Jovan soccer (Mon 5:30 PM)
+
+**10. Hana's Sleep & Anxiety Pattern**
+Hana has trouble sleeping — "her brain is running and it's hard for her to slow it down." 10-minute meditation works for Jovan but not for Hana. Mital flagged this to school in January 2026. Teacher was asked to check in.
+> This is a recurring pattern worth tracking. Consider: has it improved since January?
+
+**11. Hana's Dance Schedule**
+Hana rhythm dance every Monday 4:30-5:30 PM (from Mital's calendar, recurring).
+
+**12. Kids' School — High Meadows**
+Both kids at High Meadows School. Active parent involvement — Mital is on the board, attends State of the Meadow events, reviews board packets, coordinates with teachers.
+
+### MITAL'S BOARD & COMMUNITY INVOLVEMENT
+
+**13. High Meadows School Board**
+Mital is an active board member. She votes on decisions, joins virtually when she can't attend in person, reviews notes, and scouts potential new board members (the Bavelys).
+> "Families that align with our mission, vision, and values" — she's actively recruiting
+
+**14. HMS Business Group: Reframed**
+Mital is involved in a business group at the school. Reference to Leah being "really good at creating intentional meaningful experiences" — experience design thread.
+
+**15. Board Member Recruitment Pipeline**
+Mital is actively identifying families for future board positions. This is a leadership/governance thread that shows long-term institutional thinking.
+
+### CALENDAR CROSS-REFERENCES
+
+**16. Richard Workshop (Recurring Monday 9 AM)**
+Weekly meeting with Richard on mybcat calendar. Topic: "workshop." This is a recurring strategic session — what's being workshopped?
+
+**17. Weekly EMP Learning Forum (Mon 9:30 AM CVC)**
+23 attendees on ankit@classicvisioncare.com calendar. This is a significant recurring commitment. Public visibility event.
+
+**18. Capacity Planning (Recurring)**
+MyBCAT calendar, 4 attendees. You declined this one — is someone covering?
+
+**19. Ramp.com (Mon 8:45 AM)**
+Short 15-min slot. Financial tooling? Expense management?
+
+### CONNECTIONS & PATTERNS
+
+**20. The "AI + Optometry" Convergence**
+You're building AI infrastructure (Open Brain, MCP servers, agent systems) AND you run an optometry services company. The Brian Flynn insight about AI agents collapsing transaction costs applies directly to how optometry practices discover and buy BPO services. Your AI agent work IS your competitive moat for MyBCAT.
+
+**21. Mital as Institutional Builder**
+Across all her emails: board governance, teacher coordination, experience design, family scheduling, property management. She's building institutional relationships, not just managing logistics. This is complementary to your tech-first approach.
+
+**22. The Knowledge System You Just Built**
+You now have a unified brain (975 thoughts, 4 calendars, 29 MCP tools) that any AI can access. This IS the "record and process later" workflow that brain dump thinkers dream about. The system itself is a product-worthy idea.
+
+---
+
+**Total threads: 22**