The dashboard should not hold OAuth tokens, API keys, or publishing power. Hermes and agent workspaces do the work, then return drafts to the CMO OS for review.
Daily-driver runtime
Use Hermes as the credential and workflow owner. It can hold tokens, run profiles, expose REST contracts, and coordinate recurring work without leaking secrets into the dashboard.
hermes gateway start
Parallel specialist workbench
Use OpenClaw for named specialist agents, workspaces, memory, delivery queues, and multi-agent briefs when the CMO OS needs more than one worker.
openclaw workspace run neural-forge-cmo
Continuity layer
Use Hive to manage agent memory, swarm routing, and confirmed brand facts. This keeps future drafts from starting cold.
memory-hive digest --week
This is how the site can “talk to Codex” in production: the site queues a request, an external worker performs the task, then the worker uploads the finished artifact.
The admin CMO form writes a queued request to `/api/admin/cmo/requests`.
A Hermes/Codex worker can poll Redis or receive `CMO_AUTOMATION_WEBHOOK_URL` events.
The worker posts the finished draft to `/api/admin/cmo/artifacts/receive` using a worker secret.
Returned assets stay `needs_review` until manually approved inside the CMO OS.
Store API keys and OAuth tokens inside Hermes or Vercel environment variables, never in page content, browser local storage, or returned artifacts. The dashboard only receives scoped work requests and finished draft files.