Xen Fleet · Mobile Access Surface · 2026-06-12

Omni Inject

One mobile surface. Send text from any phone — it fans to all three trinity panes (genesis / exodus / leviticus) plus the xql sink, in about one second. Webhook contract, the iOS share-sheet shortcut, and the honest app-link status, all in one place.

WEBHOOK LIVE — verified through api.xlrd.org tunnel

phone → POST api.xlrd.org/api/omni/inject → xen-fanout (single source of truth)
→ resolve panes fresh → genesis %2 · exodus %3 · leviticus %4 + xql sink
spine: Mac 127.0.0.1:4441 omnimind ←(Cloudflare tunnel)— api.xlrd.org

Omni webhook contract

base https://api.xlrd.org

Reads are open (no token). Writes are gated by the X-Xen-Token header. Verified live 2026-06-12: authenticated inject returned fanned:3 all3:true through the public tunnel.

POST /api/omni/inject — fan to all 3 panes + xql

Header	Content-Type: application/json X-Xen-Token: <XEN_API_TOKEN> (64 chars, from ~/.xen/secrets.env, not in repo)
Body	{ "text": "...", "source": "..." } (source optional, defaults "omni")
Returns	{ "ok":true, "fanned":3, "expected":3, "all3":true, "detail":"[FANOUT] ✓✓✓ ALL 3 +xql✓ genesis=%2 exodus=%3 leviticus=%4" }

# Inject one line to all 3 panes (replace TOKEN with the value from ~/.xen/secrets.env)
curl -X POST https://api.xlrd.org/api/omni/inject \
  -H 'Content-Type: application/json' \
  -H 'X-Xen-Token: TOKEN' \
  -d '{"text":"hello from my phone","source":"omni"}'

Why this path: /api/omni/inject routes through xen-fanout, the single source-of-truth fanout that resolves panes fresh, hits all 3 with poll-until-idle + verify + retry, and appends to the xql feed. It is the only inject path that feeds xql. (Alternates also exist on the spine: POST /api/route with {"role":"all","text":...} also fans 3-of-3; POST /api/inject hits a single pane only.)

Reads — open, no token, verified 200 JSON

Method	Endpoint	Returns
GET	/api/omni/feed?limit=N	the xql-feed stream — {ok,feed:[{ts,label,body,fanned,ok}],count}
GET	/api/omni/threads	{ok,threads:[...]}
GET	/api/xql	panes + feed snapshot
GET	/api/omni/messages	message history

# Read the live xql feed — no token needed
curl 'https://api.xlrd.org/api/omni/feed?limit=5'

Auth model: a global middleware gates every write method (POST / PUT / DELETE / PATCH) on the X-Xen-Token header; GET / HEAD / OPTIONS are open. A missing or wrong token returns 401 {"error":"unauthorized"} — confirmed both locally and through the api.xlrd.org tunnel.

iOS share-sheet shortcut

build by hand in ~60 seconds

Select text or hit Share in any app → Omni Inject → the content fans to all 3 panes. No App Store, no signing — built straight in the Shortcuts app.

The one value you paste: the XEN_API_TOKEN value from the Mac at ~/.xen/secrets.env (the text after XEN_API_TOKEN=). It goes into the Shortcut's X-Xen-Token header where the recipe says PASTE_XEN_API_TOKEN_HERE. The real token is never committed and is not in this file or any repo.

Recipe

Open the Shortcuts app → tap + → name it Omni Inject.
Tap (i) / Details → turn ON Show in Share Sheet. Accept Text, URLs, and Safari web pages as the share types. This makes it appear in every app's Share button.
Add action Receive → "Receive Text and URLs from Share Sheet". Set "If there's no input" → Ask For Text so you can also run it standalone. This produces the variable Shortcut Input.
Add action Text → insert the Shortcut Input variable. Coerces the input to a clean string before JSON encoding.
Add action Get Contents of URL → URL https://api.xlrd.org/api/omni/inject → Show More → Method POST. Add header: X-Xen-Token = PASTE_XEN_API_TOKEN_HERE. (Content-Type is set automatically when Request Body = JSON.)
Request Body: JSON → add field, key text, value = the Text variable (key source = omni optional).
(Optional) Add Get Dictionary Value for key fanned from the response → Show Notification "Injected to {fanned}/3 panes".
Done. In any app: select text or Share → Omni Inject. Expect fanned 3, all3 true.

Why no .shortcut file is shipped: an iCloud shortcut link / signed .shortcut plist can only be minted on a logged-in Apple device (it embeds an Apple signing blob) — it cannot be generated headlessly. The 8-step recipe reproduces the identical shortcut with zero Apple-signing dependency. Once built on the device, tap its Share button → Copy iCloud Link to share it off-device. Full text spec also lives at /inject/shortcut.md.

App download status

truthful — no fake links

The mobile webhook above needs nothing installed. These are the native VVSVEI shells. Status verified 2026-06-12. Links are shown only where a real, reachable file exists.

APK live

Android — real downloadable link. Live now: hitthe.link/vvsvei/vvsvei.apk — HTTP 200, application/vnd.android.package-archive, 12,789 bytes. A real APK (WebView shell pointed at the VVSVEI surface). Caveat: it is debug-signed and a minimal shell — sideload-installable (adb install / tap-to-install), but not Google-Play publishable.

No IPA link

iOS — no public download link exists. Every hitthe.link IPA URL is 404 (verified). The only iOS build is an unsigned GitHub Actions artifact in xlrdtech/xen-vvsvei-ios (requires GitHub login; sideload-only via AltStore + free Apple ID). There is intentionally no tap-to-install iOS link here because one does not truthfully exist yet.

CI in progress

Automated app pipeline — pending / red. The live APK was hand-committed into the Pages repo, not produced by CI. The Android "Build APK" workflow last completed with a Gradle failure; a fresh run was in progress at check time. The shippable (Play / App Store) builds remain a work in progress — this is the demoable-vs-shippable gap, stated honestly.

Bottom line: for mobile access you do not need an app — use the iOS shortcut (section 02) or the raw webhook (section 01). The Android APK is a real, live, sideloadable demo link today. A signed, store-publishable iOS/Android build is pending.