Weekly — week of 2026-05-17

Weekly digest for the week of 2026-05-11 → 2026-05-17. What shipped:

Four slices shipped across both repos, six ADRs recorded in the product repo, and a structural bug in CSS theming closed the week.

The week’s center of gravity was MemberIntel V1 Slice 1, which went from spec to running GCP deployment in roughly two days. Auth (JWT, Google OAuth with CSRF and email_verified), retrieval (Voyage voyage-3-lite, pgvector, Hive Mind seeding), SSE streaming chat, and the full Terraform/Cloud Run/Cloud SQL stack all landed, with ADRs 0006–0008 locking the key architecture choices. GCP deploy and brain-seeding stabilization followed the next session, including a cron-driven 8-hour reseed cadence and graceful rate-limit backoff.

Thursday was the week’s biggest single day. The Customer Brain layer shipped — SOUL, BIBLE, HEARTBEAT, MEMORY — plus the MemberIntel Connect WordPress plugin (API key auth, six data endpoints, WP admin settings), site data sync, and the full SvelteKit SPA at app.membersintel.com. Six more ADRs (0009–0014) committed the CI/CD, observability, secrets, Stripe, GCP project, and cross-pollination security decisions. Friday carried the remaining surface area: transactional emails via Jinja2, Free→Pro upgrade prompts with five nudge types, bus-factor runbooks, and ADRs 0015–0018 locking the brain architecture and mutation policies.

On the KB side, Slice 6 (standup auto-publish pipeline) and Slice 7 (Resend email notifications) both shipped early in the week. The cross-repo /activity feed landed Sunday in PR #1. Routine but worth noting: the standup CI had a staging bug where new files weren’t committed before the diff-check — caught and fixed the same session.

Several bugs surfaced mid-implementation and were fixed before merging: the OAuth CSRF/email_verified gap, the Anthropic SDK returning usage fields as strings, a double-WHERE in the WordPress plugin’s memberships and members endpoints, and the Voyage embed_query input_type argument — the last two capable of silently degrading either query reliability or retrieval quality in production.

Notable. The CORS allowlist required three separate hotfixes during integration, and the CSS variable mismatch on the activity page and ADR board (referencing --mi-surface, --mi-text-muted, and similar nonexistent tokens) would have been invisible to anyone testing only in light mode. Both point to the same pattern: integration surfaces — domain origins, design-system token names — weren’t locked before code shipped against them. A short pre-integration checklist for those categories would catch the class before it recurs.

---

Synthesized from 7 daily standups in [2026-05-11, 2026-05-17].