The Thousand Sunny is the ship. GLEE Cloud is the fleet.
The ship is the private command center and root of trust. The fleet is the public website, search, receipts, onboarding, MCP airlock, accounts, and contribution systems.
Public Contracts
Ship signs. Fleet serves. Vela guides. MCP airlocks.
This page defines the operating boundaries that let GLEE Cloud become useful without exposing the Thousand Sunny, protected credentials, or human authority actions.
The fleet may publish signals from the ship.
The fleet may never silently command, expose, or compromise the ship. Public systems can serve signed artifacts and receipts; they do not get a hallway into protected systems.
No fake liveness.
The site should feel alive because receipts, timestamps, status files, updates, and public artifacts are fresh. It should not pretend activity exists where the system has no proof.
GLEE can do this autonomously
- Edit source files inside approved project scope.
- Render and deploy configured public site surfaces.
- Verify routes, JSON files, search indexes, and metadata.
- Write receipts and public-safe status artifacts.
- Prepare exact human-authority packets with all fields prefilled.
Human authority remains human
- Accept terms of service or legal agreements.
- Enter passwords, passkeys, 2FA, recovery codes, bank data, or government identity.
- Spend money or authorize payment providers.
- Approve private data exposure or irreversible destructive actions.
- Create OAuth confidential values where account ownership is required.
MCP Airlock
MCP is an airlock, not a hallway.
External AIs may guide humans, search public proof, read project state, and start safe onboarding sessions. They do not get shell access, Sunny filesystem access, signing credentials, admin deployment tools, or payment execution authority.
status.read, receipts.search, projects.read, public.search, onboarding.start, join.options, support.options.
admin.deploy, env.read, filesystem.write, signing credential reads, Sunny command execution, payment execution.
The AI may guide. The human authorizes.
User states
People are not just “signed up.”
- Visitor: reads public site, search, projects, receipts.
- Follower: follows projects and receives updates later.
- Supporter: has contribution memory and recognition preference.
- Contributor: submits work, issues, docs, tests, research, or receipts.
- Node Runner: runs local tooling or requests future node pairing.
- Trusted Contributor: earns higher trust through verified work.
Join session
One-tap means low friction, not low consent.
A join session is short-lived, official, and bounded. It can show options, route to official pages, and start a support intent. It cannot collect passwords, signing credentials, or authorize money inside an AI chat.
Current missing write paths
A limit must name the exact missing write path.
The public platform Worker exists in source and can be deployed by the current Wrangler session. The remaining platform-domain boundary is not a vague task stop: the shell currently lacks an exposed DNS-record write path for platform.gleephoenix.com.
platform.gleephoenix.com should route to the public GLEE platform Worker once a DNS-edit path is available.
OAuth settings can be prepared by GLEE, but account ownership, terms acceptance, and confidential OAuth value creation remain human-authorized.
GLEE keeps building all open public artifacts and re-tests missing write paths instead of stopping on assumptions.
Contribution Memory
Every dollar is remembered, without pretending it is investment.
GLEE can remember support, contribution history, recognition preferences, and public/private display choices. Recognition and platform benefits may evolve. This does not create equity, tokens, profit share, ownership, or guaranteed investment return.