// SOP · WIN ⇋ MAC · 2026-05-22 · 14h ET
State of play, this hour.
Win-side shipped four moves. Mac-side ran five waves and landed two canon verdicts. Two new foundational canons locked. UI-TARS probe converged.
↻ Tick 14 · 20h45 ET · utmctl control paths confirmed · direction = SNAPSHOT FIRST
mac-xen surfaced three UTM control paths from m4. Now we have programmatic VM lifecycle + snapshot + scripted launch. xvm UUID: E2BD1556-24D0-42DC-8A09-D37A7B3EE9C1.
1. utmctl CLI · /Applications/UTM.app/Contents/MacOS/utmctl · list/start/stop/suspend/resume/restart/status <UUID>
2. AppleScript bridge · osascript → System Events events to UTM
3. utm:// URL handler · launch by URL from any script/browser
Ezekiel direction (auto-PGS, ranked by leverage)
- SNAPSHOT xvm NOW — 30s cost, infinite optionality. Captures the known-good state we just landed (Claude 2.1.149 + PATH fix + Win pubkey + zshrc edit + tailnet healthy). Name it xvm-2026-05-22-pre-sttvei. Before any further mutation.
- Then ROUTE voice/clipboard into xvm — that's the actual STTVEI capability. UTM's audio/clipboard sharing toggles in the guest config; Apple SFSpeech works once mic passthrough is on. This delivers what the unlock prompt prescribes for Step C.
- Later: MCP-wrap utmctl for omnimind. Polish, not urgent. Once xvm-xen is online and we have a need for programmatic VM ops from agent tools.
- Skip: new VM — focus stays on xvm until it's load-bearing.
★ Tick 13 · 20h37 ET · CLAUDE CODE installed on xvm · mesh is now THREE panes
qi: "I installed claude code there." The mesh just promoted from Mac ↔ Win to Mac ↔ Win ↔ xvm. xvm goes from "passive SSH target" to co-equal Claude Code agent inside a sandboxed Mac VM, reachable via tailnet.
$ ssh xen@xvm 'claude --version'
2.1.149 (Claude Code)
$ ssh xen@xvm 'file ~/.local/bin/claude'
Mach-O 64-bit executable arm64 → ~/.local/share/claude/versions/2.1.149
$ ssh xen@xvm 'cat ~/.claude/settings.json'
{"skipDangerousModePermissionPrompt":true,"theme":"dark","agentPushNotifEnabled":true}
- install path · ~/.local/bin/claude → versions/2.1.149 (arm64 Mach-O)
- state · ~/.claude/ populated · backups · cache · sessions · projects · plugins · history.jsonl
- PATH fix · appended $HOME/.local/bin:$PATH to ~/.zshrc — bare claude now resolves in login shells (non-interactive SSH inject path unlocked)
- config · skipDangerousMode=true · agentPushNotifs=true · channels enabled · permissive autonomous
- A2A current · ssh xen@xvm 'claude -p "..."' from Win or Mac · SSH-exec inject works today
- A2A future · install Mac-style /api/inject server on xvm · register in canon_agent_urls roster · third row in the mesh table
↻ Tick 12 · 20h21 ET · Tailscale-SSH polish · architectural floor hit (honest)
qi said "you do it now." Tried, hit a hard limit. Honest report:
$ sudo tailscale set --ssh=true
2026/05/22 17:20:54 The Tailscale SSH server does not run in sandboxed Tailscale GUI builds.
- Root cause · macOS App Store Tailscale is a sandboxed GUI build · its daemon can't host the SSH server. CLI binary can run read-only commands (status, whois) — the symlink at /usr/local/bin/tailscale is in place and works for those.
- Path to unlock · install standalone Tailscale (tailscale.com Mac pkg, NOT App Store) — that's the non-sandboxed build. Or brew install --cask tailscale if Homebrew is installed first.
- No actual capability loss · OpenSSH + ed25519 pubkey path (tick 10) is already keyless from Win-Ezekiel. Tailscale-SSH was a polish, not a requirement.
- Bundle-id fatal caveat · invoking the symlinked binary with certain subcommands (e.g. version) triggers Tailscale/BundleIdentifiers.swift:47 Fatal error. Direct path + read-only subcommands are safe.
Tried + verified the floor. The "Install CLI" menubar click would create the same symlink and hit the same sandbox restriction. The unblock is OS-level (swap to non-sandboxed Tailscale), not a click qi missed.
↻ Tick 11 · 20h15 ET · Termius Terminal Multiplayer link from qi
qi shared a Termius Terminal Multiplayer peer-link for "Local Terminal" — co-piloting a real terminal across panes. Opened Win-side via Start-Process so the Termius client (if installed) takes the deep-link; otherwise Zen renders the join page. Relayed to mac-xen for parallel join. Link contains session pw — handled as session-only.
Termius Multiplayer = real-time shared TTY (paid Termius feature). Both panes pointing at the same session lets us see qi's keystrokes + run side-channel commands in the same shell.
★ Tick 10 · 20h14 ET · KEYLESS VERIFIED · password retired
Polish landed. Win-side Ed25519 pubkey installed into xen@xvm:~/.ssh/authorized_keys. SSH now works with no password from Ezekiel.
$ ssh -o PasswordAuthentication=no -o BatchMode=yes xen@xvm 'whoami; hostname; pwd; date'
=== KEYLESS VERIFIED ===
xen
xens-Virtual-Machine.local
/Users/xen
Fri May 22 17:14:06 PDT 2026
- auth path · publickey-only · no pw on disk anywhere
- guest authorized_keys · 1 entry (this Win Ezekiel) — additive, no eviction of any future entries
- Tailscale-SSH polish · BLOCKED — tailscale: command not found on guest. macOS App-Store Tailscale needs one-time "Install CLI" click from the menubar to symlink into /usr/local/bin/.
- Win pubkey · ssh-ed25519 ...oarF92 grailbookings@gmail.com
★ Tick 9 · 20h03 ET · VERIFIED FROM WINDOWS · SSH end-to-end working
qi said "done" — sshd flipped ON in the guest. Win-side connected via paramiko + env-passed pw + username probe. The UTM/macOS plan is now end-to-end live across the tailnet.
$ ssh xen@xvm 'whoami; hostname; sw_vers; uptime'
xen
xens-Virtual-Machine.local
ProductName: macOS
ProductVersion: 26.5
BuildVersion: 25F71
17:03 up 2:24, 2 users, load averages: 0.48 0.78 0.94
- guest user · xen (matches Xen agent identity)
- guest hostname · xens-Virtual-Machine.local
- OS · macOS 26.5 (25F71)
- guest uptime · 2h 24m · clock at 17:03 PDT (matches m4 timezone)
- Win path · paramiko 4.0.0 over Tailscale magic-DNS · pw session-only
- next polish · tailscale up --ssh on guest → keyless tailnet-identity auth, retire pw entirely
↻ Tick 8 · 19h07 ET · xvm sshd STILL refused · pw cached in-session
qi supplied the macOS guest pw [redacted · session-only]. Probe retry on 100.92.53.81:22 / 5900 / 8080 — all still connection refused. Network layer still healthy, service layer still bare. Holding the pw in session context for when sshd flips ON; not persisting to disk. Mac-xen unblock command re-relayed with urgency.
↻ Tick 7 · 18h36 ET · xvm LANDED on tailnet · sshd off (unblock needed)
qi fired tailscale ssh xvm. The UTM macOS VM has authenticated onto the tailnet since the last tick — the A/B/C question advanced under us toward option C (host a specific service), though the macOS guest is still bare.
Network state
- Tailscale node · xvm · 100.92.53.81 · macOS · active
- P2P direct · LAN via 10.13.92.100:33848 (same host as m4 — confirms UTM-on-Mac topology)
- tailscale ping · pong in 2ms (network healthy)
- All TCP services refused · 22 · 5900 · 5901 · 8080 · 80 · 443 — none listening
Unblock — one of these inside the macOS guest
- GUI path: System Settings → General → Sharing → toggle Remote Login ON (enables sshd on port 22)
- Terminal path: open Terminal in the guest, run sudo systemsetup -setremotelogin on · then sudo dseditgroup -o edit -a $(whoami) -t user com.apple.access_ssh
- For Tailscale SSH (no key needed): ensure tailscale up --ssh ran on the guest at install
Mac-xen has UTM-window access to the guest (host = m4 = qi's Mac). Quickest path: mac-xen types the terminal command directly into the UTM window. Once sshd flips ON, tailscale ssh xvm succeeds end-to-end from either Mac or Windows.
↻ Tick 6 · 15h12 ET · csb-G9 SBB audit done · 18+ min uptime
- csb-G9 SBB audit · done · mostly compliant, 2 cosmetic drifts Mac-side · report at ~/.xen/state/csb-g9-sbb-audit-2026-05-22.md
- Drift 1: MMM banner missing "All Spark Beside Beeper" tagline — Mac-side mmm.xlrd.org fix drafted, not applied (uptime discipline)
- Drift 2: /api/pulse canon-name diverges from shipped /api/omni/* (functionally unified — naming-only)
- Win-side parity: zero /api/pulse or /api/omni references on hitthe.link (outside shang/* absorbed copies). No Win-side MMM banner exists. Audit is Mac-scope only — no Win-Ezekiel fixes needed.
- omnimind 18+ min uptime · new PR · the 60→120s grace bump is holding. lazy-load sqlite + defer web-push require still on the architectural fix queue.
- UTM A/B/C · still no qi reply · both peers idle on the build, no auto-fire
↻ Tick 5 · 15h09 ET · va-G11 converged + 15-min omnimind PR
- va-G11 done · Mac-side canon banner + MEMORY.md index already had supersede pointer (Win-side parity good — same fix landed in tick 1 via the retire frontmatter)
- Mac MEMORY.md:183 cleaned · one stale "Voice 2" ref fixed; Win-side scan confirms no equivalent stale refs (only one Canary Qwen mention and it's the RETIRED frame)
- omnimind uptime PR · 15:08 — today's longest run, no new wedges since the grace bump
- UTM VM · still no Tailscale node, both peers idle on the build (Win not auto-firing; Mac awaiting qi A/B/C greenlight)
↻ Tick 4 · 15h00 ET · iOS Shortcut spec landed + 5 qi-only blockers
mac-xen dropped iOS Shortcut spec at ~/.xen/state/xen-tool-call.ios-shortcut.json (Mac-side). Trigger shape: Siri · Watch · NFC · Focus — feeds into the new IFTTT tools-router canon. omnimind.js untouched this turn (preserving the 11-min uptime, good discipline).
qi-only blockers (5)
- wrangler login — Cloudflare CLI auth (browser flow on qi's Mac)
- CF service token — Cloudflare service-token creation in dashboard
- Secret — shared secret value · wrangler secret put XEN_TOOLS_TOKEN (composes with [[canon_ifttt_tools_xlrd_org_3layer_auth]] peer-token layer)
- Ingress — Cloudflare ingress config / route for tools.xlrd.org
- plist — install the iOS Shortcut .shortcut/plist on qi's phone (Allow Untrusted Shortcuts toggle gotcha — see canon_agent_urls:72 for iCloud-link workaround)
Once these 5 land, the Siri/Watch/NFC/Focus → tools-router loop closes end-to-end. Win-Ezekiel updates the /ifttt/ inventory status pills as recipes wire live.
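The three auth layers the IFTTT canon names (peer-token + HMAC + rate-budget) plus the tool allowlist, as an added example that is not the tools.xlrd.org runtime's own code. Header names, the timestamp window, the budget numbers and the sample tool/peer tables are assumptions; the secret stands in for whatever wrangler secret put XEN_TOOLS_TOKEN stores.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

TOOL_ALLOWLIST = {"paypal.payment_link", "square.recurring"}  # constructed stand-in for the 20-tool list
PEER_TOKENS = {"ezekiel-win": "peer-token-win", "xen-mac": "peer-token-mac"}  # constructed peer roster
HMAC_KEY = b"constructed-XEN_TOOLS_TOKEN"  # stand-in for the real secret
WINDOW_S = 60          # assumed max clock skew / replay window on X-Timestamp
BUDGET = (5, 60.0)     # assumed budget: 5 calls per 60 s per peer

_calls = defaultdict(deque)  # per-peer timestamps of accepted calls (sliding window)

def sign(body: bytes, ts: int, key: bytes = HMAC_KEY) -> str:
    """HMAC-SHA256 over timestamp + body; the value a peer sends as X-Signature."""
    return hmac.new(key, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()

def authorize(headers: dict, body: bytes, tool: str, now=None):
    """Return (allowed, reason). Layers run in canon order and each fails closed."""
    now = time.time() if now is None else now
    # Layer 1: peer token names the calling agent; constant-time compare, unknown peer rejected.
    peer = headers.get("X-Peer")
    expected = PEER_TOKENS.get(peer, "")
    if not expected or not hmac.compare_digest(headers.get("X-Peer-Token", ""), expected):
        return False, "peer-token"
    # Layer 2: HMAC binds the body to the shared secret and to a fresh timestamp (replay window).
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "hmac"
    if abs(now - ts) > WINDOW_S or not hmac.compare_digest(headers.get("X-Signature", ""), sign(body, ts)):
        return False, "hmac"
    # Layer 3: sliding-window rate budget per authenticated peer.
    limit, span = BUDGET
    q = _calls[peer]
    while q and now - q[0] > span:
        q.popleft()
    if len(q) >= limit:
        return False, "rate-budget"
    q.append(now)  # a disallowed tool still spends budget, so probing the allowlist is bounded
    # Allowlist gate: only enumerated tools are dispatchable.
    if tool not in TOOL_ALLOWLIST:
        return False, "allowlist"
    return True, "ok"
```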
↻ Tick 3 · 14h25 ET · UTM plan-context RESTORED
mac-xen lost local plan-context for a UTM/VM/Linux-peer plan. Win-side search recovered it — three signals converge on option C (host a specific service):
- Plan doc: C:\Users\selfe\gemini-mcp-remote\macos_utm_server_manual.md — 9-phase agent manual: install UTM on Windows, create macOS Sequoia+ VM, expose via Apache Guacamole (HTML5/Kasm-style) on port 8080, PWA on phone home screen.
- 8080 explained: mac-xen's earlier UI-TARS probe expected something on 8080/screen — that's the future Guacamole endpoint from this plan. Currently nothing listening because UTM hasn't been installed Win-side yet (Phase 1 not started).
- xencom0 (100.85.133.56, linux, offline 5d): separate dormant Tailscale peer — that's option B, not this plan. Listed in canon_agent_urls:45.
- Status: Phase 0-9 ALL not started Win-side. UTM not installed. WSL2/Docker not set up. No new Tailscale node has authenticated because the VM doesn't exist yet. The plan is real, just unstarted.
- Decision required: Greenlight the build (10+ GB downloads, multi-hour install) — or scope it down (e.g., skip macOS Sequoia, use simpler Linux VM for the third peer instead) — or shelve until clearer trigger.
↻ Tick 2 · 14h15 ET · mac-xen delta
- omnimind UP · heal grace bumped 60s → 120s (double margin during stabilization)
- va-G14 stt-router quench patch · LIVE + verified-quiet-path · apple_v2 alive
- Correction log re-landed · prior truncation cause confirmed: orphan-bash kill ate the pipe mid-stream
- G22 real-fix queued · defer web-push require + lazy-load sqlite (architectural, not grace-tuning)
- A2A loop confirmed bidirectional · mac-xen reading Ezekiel's relays; ACK path lives via the existing channel
- Next 60s tick · stability check + G22 architectural fix advance
Win · Ezekiel
Four shipped.
Stripe → PayPal + Square sweep LIVE
qi corrected "i use paypal and square." Five surfaces swept: /ifttt/, /spine/, /offers/, /sao/, /menu/. Canon paypal_square_money_rails locked. Stripe removed from stack. Live-verified 13:47:55 ET.
Ava TTS autoplay everywhere LIVE
_shared/ava-play.js refactored. Silent autoplay on load + first-gesture unlock listener (pointerdown/touchstart/keydown/scroll/wheel, capture+passive, one-shot). Engaged repeat visitors get true autoplay; everyone else gets audio on first page interaction. Live-verified 13:56:45 ET.
UI-TARS probe (4471 · 4460 · 8080) REPORTED
Win-side: 4471/screen exists as Node proxy at tui-url-server.js:996, hangs 20s+. 4460 = UI-TARS Python serve-uitars.py (PID 48656, ~45h uptime). 8080 = nothing listening anywhere. Full diagnosis relayed to mac-xen.
IFTTT inventory page (carry-over from 13:32) LIVE
12-applet plan at /ifttt/ with PayPal·Payment + Square·Recurring recipes + MCP-unauth state card. Now feeds into the tools.xlrd.org runtime per the new IFTTT canon.
Mac · Xen
Five waves.
Outage caused + recovered RESOLVED
G22 Fix A wrong — STARTUP_GRACE_S=20 < 25-30s cold-start. Reverted to 60s. omnimind UP.
Wave 1 · 5 audits 5 ADVANCED
All settled · 5 advanced.
Wave 2 · 5 populates 2 OK · 3 REJECTED
OK: voice-audio + comms-sms-beeper. Rejected: l7s / governance / life-ops.
Wave 3 · 8 workers 3 DONE · 5 DRAFTED
All settled · 3 done + 5 drafted.
Wave 4 · 4 workers 4 DRAFTED
All settled · 4 drafted patches.
Wave 5 · 4 audits + wakeup ALL REJECTED
Direct mode now.
UI-TARS /click works CONFIRMED
{"q":"..."} POST body required. /screen still hangs. Peer-message to Ezekiel queued — no response path yet.
⚡ Two foundational canons locked this hour
- STT verdict · Apple SFSpeechRecognizer + Whisper.cpp Metal redundancy. ALL cloud STT banned. Canary Qwen Win-side plan RETIRED. Whisper.cpp Metal is re-enabled for local use (prior "Whisper DIE" was cloud-only scope). canon_stt_apple_whisper_metal_only_2026-05-22
- IFTTT verdict · YES build. Runtime = tools.xlrd.org. 3-layer auth (peer-token + HMAC + rate-budget). 20-tool allowlist. hitthe.link/ifttt/ stays as inventory. canon_ifttt_tools_xlrd_org_3layer_auth_2026-05-22
- Money rails · PayPal + Square only. Stripe out. PayPal MCP + Square MCP both in session, ready to fire once authed. canon_paypal_square_money_rails_2026-05-22
- Always monitor until live · 200 OK + content-marker grep before claiming shipped. Push ≠ live. GH Pages has 30-90s deploy lag. canon_always_monitor_until_live_2026-05-22
⚠ Open threads — what comes next
- Ezekiel A2A response path — mac-xen says peer messages queued, no response path yet. mac-vvs.ps1 sends via SSH → vvs --stdin; need to confirm mac-xen reads that inbox. Investigate omnimind inject path as alternative.
- UI-TARS /screen still hung — Node proxy at 4471 blocks 20s+, Python on 4460 has queue-blocked. Restart serve-uitars.py (PID 48656) recommended. /click works with POST body {"q":"..."}.
- tools.xlrd.org build — mac-xen owns runtime. Win-Ezekiel keeps inventory /ifttt/ in sync as recipes wire live. 20-tool allowlist needs finalization.
- Canary Qwen background install — was pip-installing weights pre-verdict. Should kill the background download; STT verdict moved Win out of STT entirely.
- PayPal MCP + Square MCP auth — qi's browser sign-in unblocks direct payment-link tool dispatch (would bypass IFTTT for the 4 payment applets).
- Correction (truncated) — mac-xen had one more line of state-of-play that didn't transit. Awaiting re-send via better channel.