{
  "name": "yes-ceo-macmini-agent-contract",
  "version": "0.2.0",
  "updatedAt": "2026-05-02T15:36:37+08:00",
  "purpose": "Define the safe boundary between the yes.ceo cloud control plane and a user's local Mac mini agent.",
  "principles": [
    "Original private data stays on the user's Mac mini by default.",
    "The agent initiates outbound connections to yes.ceo; home networks do not need inbound public ports.",
    "Every user has an isolated tenant space.",
    "Write actions require review before execution.",
    "Device tokens must be revocable.",
    "Cloud results should be minimal, scoped, and redacted unless the user explicitly approves more."
  ],
  "observedLocalPrototype": {
    "status": "healthy-via-private-bridge",
    "serviceRole": "local-personal-information-hub",
    "frontendShape": "single-page-control-room-with-secondary-viewers",
    "recommendedExposure": "do-not-publicly-proxy-local-service"
  },
  "cloudStores": [
    "user_identity",
    "wechat_or_oauth_login_identity",
    "tenant_membership",
    "device_registration",
    "agent_capability_manifest",
    "agent_heartbeat",
    "task_queue",
    "task_status",
    "review_records",
    "operation_receipts",
    "minimal_result_summaries"
  ],
  "localStores": [
    "private_files",
    "message_archives",
    "local_indexes",
    "local_databases",
    "browser_or_app_credentials",
    "macos_keychain_items",
    "full_personal_databases",
    "source_media_and_attachments"
  ],
  "agentApiDraft": {
    "register": "POST /api/agent/register",
    "heartbeat": "POST /api/agent/heartbeat",
    "capabilities": "POST /api/agent/capabilities",
    "pullTasks": "GET /api/agent/tasks?device_id=...",
    "submitResult": "POST /api/agent/tasks/{task_id}/result",
    "submitReceipt": "POST /api/agent/operation-receipts",
    "revoke": "POST /api/devices/{device_id}/revoke"
  },
  "minimumTaskEnvelope": {
    "task_id": "server generated id",
    "tenant_id": "server scoped tenant id",
    "device_id": "bound device id",
    "kind": "health_check | list_capabilities | read_redacted_summary | propose_writeback",
    "scope": "declared allowed local capability",
    "requires_review": true,
    "created_at": "ISO-8601 timestamp"
  },
  "firstReadOnlyTasks": [
    "agent_health_check",
    "local_service_health",
    "capability_manifest",
    "redacted_tool_directory",
    "workflow_template_inventory"
  ],
  "firstMilestone": [
    "device pairing code",
    "read-only heartbeat",
    "capability manifest",
    "read-only sample result",
    "manual review queue",
    "revocation path"
  ]
}
