# OpenCMO

URL: https://opencmo.ai
Contact: gavin@opencmo.ai
Last updated: 2026-06-09

OpenCMO is an AI marketing operating system for anyone who needs a repeatable growth engine. It helps organize market radar, product positioning, campaign drafts, content artifacts, manual approvals, analytics snapshots, and daily CMO briefs into one supervised growth loop.

Primary audience:
- Founders, teams, and businesses that need market research, positioning, campaign drafts, approvals, analytics, and CMO briefs in one loop.
- Companies that need CMO-like operating discipline before fully staffing a marketing department.
- Early design partners who want draft-first marketing workflows with human approval gates.

Public routes:
- https://opencmo.ai/ - public marketing landing page.
- https://opencmo.ai/opencmo/demo - public-safe seeded CurbAlarm campaign demo.
- https://opencmo.ai/opencmo/start - deterministic demo onboarding entry.
- https://opencmo.ai/opencmo/pricing - mock pricing selector with checkout disabled.
- https://opencmo.ai/opencmo/mobile - public-safe mobile companion preview for daily brief, approvals, reports, and agent actions.
- https://opencmo.ai/opencmo/agent - agent access guide and MCP-ready capability contract.
- https://opencmo.ai/api/opencmo/mcp/manifest - machine-readable MCP readiness manifest.
- https://opencmo.ai/api/opencmo/mcp/connector-kit - public-safe local MCP connector kit with stdio config snippets and disabled remote `/mcp` status.
- https://opencmo.ai/api/opencmo/mcp/client-profile - compact AI-client handoff profile with local stdio recommendation, allowed public-demo tools, blocked tools, evidence links, and QA commands.
- https://opencmo.ai/api/opencmo/mcp/install-card - compact setup card for customer-owned AI clients with local stdio steps, config snippets, discovery links, verification commands, and disabled remote execution.
- https://opencmo.ai/api/opencmo/mcp/operations - public-safe continuous-verification contract with the recurring improvement runner, focused quality commands, runtime smoke commands, and never-enable guardrails.
- https://opencmo.ai/api/opencmo/mcp/evaluations - read-only XML evaluation suite for agent QA.
- Local trusted MCP clients can run `npm run mcp:stdio` from the repository for a public-safe stdio demo server.
- https://opencmo.ai/.well-known/opencmo-agent.json - well-known public agent discovery document.
- https://opencmo.ai/.well-known/oauth-protected-resource - OAuth protected-resource metadata for the public agent API host.
- https://opencmo.ai/.well-known/oauth-protected-resource/mcp - OAuth protected-resource metadata for the future remote MCP resource.
- https://opencmo.ai/.well-known/oauth-authorization-server - metadata-only OAuth authorization-server discovery for future MCP clients; auth and token issuance are disabled in V1.
- https://opencmo.ai/openapi.json - OpenAPI 3.1 contract for non-MCP agents.
- https://opencmo.ai/.well-known/openapi.json - well-known OpenAPI mirror for agent crawlers.
- https://opencmo.ai/api/opencmo/mobile/manifest - public-safe mobile, PWA, iOS, Android, and MCP buildout manifest.
- https://opencmo.ai/api/opencmo/mobile/companion - machine-readable mobile companion state for PWA and future native clients.
- https://opencmo.ai/api/opencmo/mobile/hosted-api-requests - redacted hosted request-envelope catalog for customer agents and native clients; live networking and remote execution are disabled.
- https://opencmo.ai/mcp - status endpoint for the future authenticated remote MCP server; execution is disabled in V1.
- https://opencmo.ai/opencmo/future - clearly labeled roadmap and vision modules.

Current public demo behavior:
- Uses seeded CurbAlarm data only.
- Shows radar, pain clusters, campaign drafts, approval queue, reports, and guarded AI CMO chat.
- Does not call live model APIs from the public product runtime.
- Does not scrape social platforms.
- Does not auto-post content.
- Does not spend ad budget.
- Does not write to production Supabase.

Safety and guardrails:
- OpenCMO V1 is manual-publish only.
- No auto-posting, auto-DM, ad buying, checkout activation, login scraping, or anti-bot bypass in V1.
- Generated artifacts remain drafts until reviewed.
- External actions require human approval.
- Hermes, OpenClaw, and private Mac Mini workers are planned internal execution layers behind OpenCMO job packets, not public customer-facing backends.

Agent and MCP readiness:
- Current status: MCP-ready contract, not a live remote MCP server yet.
- Current local server: `npm run mcp:stdio`, stdio transport, seeded demo only.
- Connector kit: `/api/opencmo/mcp/connector-kit`, with placeholder-based client config for trusted local agents. It uses `npm` plus args `["run", "mcp:stdio"]` and never includes machine-local paths or credential values.
- Agent client profile: `/api/opencmo/mcp/client-profile`, with the shortest safe handoff for AI clients. Local trusted agents can call `opencmo_get_agent_client_profile` or read `opencmo://agent/client-profile`.
- Agent install card: `/api/opencmo/mcp/install-card`, with setup steps, config snippets, public-demo tools/resources, blocked hosted-auth items, and verification commands. Local trusted agents can call `opencmo_get_agent_install_card` or read `opencmo://agent/install-card`.
- Agent operations contract: `/api/opencmo/mcp/operations`, with the recurring improvement loop, one-pass runner, audit-only packet command, runtime smoke commands, and never-enable guardrails. Local trusted agents can call `opencmo_get_operations_contract` or read `opencmo://agent/operations`.
- Customer-agent access is contract-first: public demo mode is read-only/seeded; design partner and future customer modes require hosted auth, workspace isolation, rate limits, audit logs, and confirmation gates.
- Local trusted agents can call `opencmo_get_customer_agent_access` to inspect scope vocabulary, launch gates, and write-confirmation policy.
- Local trusted agents can call `opencmo_get_hosted_api_request_catalog` to inspect redacted request envelopes for public-demo reads, manual approval writes, planned invite-auth routes, disabled `/mcp` status, and private worker routes. The catalog uses placeholders only and keeps `liveNetworkingEnabled=false`.
- Recurring local improvement uses `npm run improve:once`; audit-only packet inspection uses `npm run quality:continuous`. Both keep checkout, publishing, live model calls, production Supabase writes, and remote MCP execution disabled.
- Future endpoint: /mcp after auth, workspace isolation, and design partner access controls.
- /mcp GET returns a public-safe status document; /mcp POST returns disabled until the real server is implemented.
- OAuth protected-resource metadata is available at `/.well-known/oauth-protected-resource/mcp`; it advertises `https://opencmo.ai/mcp`, authorization-server discovery, header-only bearer transport, supported scopes, and remote MCP disabled status.
- OAuth authorization-server metadata is available at `/.well-known/oauth-authorization-server`; it advertises the planned invite-only auth boundary, `opencmo_auth_enabled=false`, and `/api/opencmo/auth/token`, which returns a disabled-safe 501 guard until hosted Supabase auth is verified.
- /mcp POST uses `WWW-Authenticate` with `resource_metadata` plus least-privilege public-demo scope guidance: `demo:read report:read operations:read`.
- Future Streamable HTTP MCP readiness is documented but disabled: clients should expect JSON-RPC 2.0, spec version 2025-11-25, `Accept`, `MCP-Protocol-Version`, `Mcp-Session-Id`, and Origin validation before execution is enabled.
- Tool naming uses the opencmo_ prefix for discoverability.
- Resources and prompts are listed in the machine-readable manifest for future MCP clients.
- A read-only XML evaluation suite gives agents stable QA questions before remote MCP execution is enabled.
- Mobile readiness is contract-first: PWA now, local native iOS/Android companion shells partial, production auth/store release planned, Live Activity/App Intent payloads prepared.
- Customer-facing agents should use sanitized routes and must not expose worker internals, private execution details, provider credentials, or private logs.
- See https://opencmo.ai/opencmo/agent, https://opencmo.ai/api/opencmo/mcp/manifest, https://opencmo.ai/api/opencmo/mcp/client-profile, https://opencmo.ai/api/opencmo/mcp/install-card, https://opencmo.ai/api/opencmo/mcp/operations, https://opencmo.ai/api/opencmo/mcp/evaluations, https://opencmo.ai/api/opencmo/mobile/manifest, https://opencmo.ai/api/opencmo/mobile/companion, and https://opencmo.ai/api/opencmo/mobile/hosted-api-requests.
- Agent discovery starts at https://opencmo.ai/.well-known/opencmo-agent.json and then fans out to `/llms.txt`, `/opencmo/agent`, `/openapi.json`, `/.well-known/oauth-protected-resource/mcp`, `/.well-known/oauth-authorization-server`, `/api/opencmo/mcp/manifest`, `/api/opencmo/mcp/connector-kit`, `/api/opencmo/mcp/client-profile`, `/api/opencmo/mcp/install-card`, `/api/opencmo/mcp/operations`, `/api/opencmo/mcp/evaluations`, `/api/opencmo/mobile/hosted-api-requests`, and `/mcp`.

Recommended summary:
OpenCMO is a draft-first AI marketing OS for repeatable growth: market radar, positioning, campaigns, approvals, analytics, and CMO reports in one supervised product layer.