◆
SOVEREIGN CONSOLE
GOD MODE
OPERATOR MANUAL
LEGACY_49 EYES ONLY
As of 2026-05-26 · main @ 545c42a
Re-verify after any wave commit closes
probeedge.com
OVERVIEW
How the console is organized, what every zone owns, and the rules every dial must follow.
God Mode is the architect-only operator console. It is laid out as 5 zones: OVERVIEW (live vitals + state), USERS (people and identities), REVENUE (money flows), OPERATIONS (cron, bots, rate limits, sentinel) and SYSTEMS (foundation: flags, containment, escalation gate, treasury, dangerous tools).
High-governance actions route through the Signed Escalation Gate — every click that mutates a critical surface opens a 5-minute escalation challenge and waits for the architect's TOTP approval from the PENDING ESCALATION vital card.
The console is a single page: /MasterGodMode.html. Switching zones is a UI-level toggle; nothing reloads. All write actions hit the architect-gated /api/god/* namespace.
Dial doctrine. The Sovereign Console exposes 71 platform-flag dials at the time of this manual version. The live, authoritative list is rendered by Zone 5 → DIAL BROWSER (GET /api/god/dial-schema); the Platform Flags entry in Zone 5 names categories and representative keys. This manual is not exhaustive about every dial — it points you at the live browser.
Hardcoded parameters. Several economic/policy parameters live in code by deliberate architect decision and are NOT exposed as dials (product prices, the seat-transfer closure-invariant). These are documented inline at the relevant zone with their file:line and current value so the architect knows their real state. They are not gaps — they are intentional code-managed surfaces.
ZONE 1 · OVERVIEW
Live state of every system. No actions here mutate data directly — overview is the eyes, not the hands.
VITAL SIGN CARDS
Location
Zone 1 → top row, sticky under header
What it does
Live counters across the platform: FLIP STATE, CONTAINMENT, PENDING ESC, TOTAL REVENUE, ACTIVE USERS, GLOW SIGNALS, LIVE BATTLES, KINGDOMS. Each refreshes on its own cadence (3–30s).
When to use
At a glance — every load. The 24h users + glow-signal numbers tell you if the platform is alive. Pending escalations > 0 means you have a TOTP approval waiting on the PENDING ESCALATION card.
How to use
Read only. Three cards are clickable: FLIP STATE (no action — display only), CONTAINMENT (click to reset CONTAINED → CLEAR, opens escalation challenge), PENDING ESC (click to open pending-escalation modal).
Expect
Values update without page reload. CONTAINMENT colored green=CLEAR, amber=WATCHLIST, red=CONTAINED.
Errors
Cards stuck at "—" mean the underlying GET failed silently (likely session expired). Refresh the page.
TOTP ESCALATION BANNER
Location
Zone 1 → directly above the vital cards (full-width, permanent)
What it does
Surfaces 2FA enrollment status and lets you enable, disable, or re-enroll TOTP. Red OFF / amber PENDING / green ACTIVE. Used by the Signed Escalation Gate as the fallback approval path when Telegram is unreachable.
When to use
First-run setup, after rotating your authenticator app, or to disable 2FA if you've lost the device (requires your current TOTP code).
How to use
- Click ENABLE.
- Scan the QR with Google Authenticator / Authy / 1Password / Bitwarden.
- Type the 6-digit code → VERIFY & ACTIVATE.
- Banner turns green;
LAST VERIFIEDstamps with the current time.
Expect
Once ACTIVE, every pending escalation in the modal grows a 6-digit input + APPROVE button — Telegram becomes optional.
Errors
TOTP_INVALID: code mismatch / clock skew > 30s. Re-enter. NOT_ENROLLED on disable: there's nothing to disable.Enrollment writes
users.totp_secret. Disable requires a current code (you can't disable from a stolen JWT alone). Re-enroll invalidates the old secret only after a NEW code is verified.PENTAGON STATUS · APP ROWS
Location
Zone 1 → left column under vitals
What it does
Click any of the 6 launchable app rows to open that surface: Impulse Engine, AXON Play, ProbeEdge Vault, Slot Wars, Rap Battle, Hangout.
When to use
QA, walkthroughs, dogfooding a specific app surface as the architect.
How to use
Click row → navigates in the same tab. Use browser back to return.
AI COUNSEL · COMPOSE PANEL
Location
Zone 1 → floating bottom-right (or center when expanded)
What it does
Live Cody/RiRi chat in-console. Routes to
/api/ai/operator/chat or /api/ai/operator/stream. Persona toggled via /flip Telegram or the SOVEREIGN FLIP SWITCH platform flag.When to use
Asking the AI operator a question, running a tool call, debugging via natural language.
Doctrine
Under Containment Mode = CONTAINED, non-architect users receive only flat "console is quiet" replies. Architect bypasses.
ZONE 2 · USERS
People, identities, tier control, founder slot management, defense actions per user.
USER LIST · FILTER + SEARCH
Location
Zone 2 → main table
What it does
Renders every non-architect user. Filters: tier / instinct / badge / status. Search field filters live as you type (name, email, slot).
Route
GET /api/god/usersHow to use
Click any user row → opens the User Profile Panel with deep actions.
Errors
API returns 0 users → likely DB connectivity issue. Refresh the page to retry the GET.
USER PROFILE PANEL
Location
Zone 2 → opens on user row click (right rail)
What it does
Profile + every per-user action: force tier, adjust signal score, verify email, override device, grant/revoke founder slot, clear warning, purge.
Routes
POST /api/god/user/:userId/force-tier · /signal-score/adjust · /verify · /device-override · /grant-founder · /revoke-founder · /clear-warningHow to use
Open panel → choose action → fill modal → confirm. Most actions emit a trust event after success.
REVOKE-FOUNDER routes through the Signed Escalation Gate — opens an escalation challenge before executing. The slot returns to the pool only after architect TOTP approval. Audit row carries
approved_via and approver identity.PURGE USER · ADMIN DELETE
Location
Zone 2 → User Profile Panel → Admin Tools
What it does
Soft-delete a user (
is_deleted=true). Cron sweeps actual data after the grace window.Route
POST /api/god/purge-userHow to use
Click PURGE → confirm modal → type the email exactly → CONFIRM. Soft-delete is reversible until cron sweep.
Soft-delete preserves the user_id so foreign keys don't break. The user disappears from all listings via the
is_deleted=FALSE filter applied across ~10 auth surfaces. Read more in project_user_soft_delete_v1_shipped.PULSE OVERRIDE
Location
Zone 2 → Pulse Override panel
What it does
Manually overrides the pulse window for a user — used when the default 30-day signal-decay window (
signal_decay_days dial) needs adjustment for a specific actor (e.g., a partner with sparse-but-correct picks who keeps tipping below the decay floor).Route
POST /api/god/pulse-overrideHow to use
Enter user_id, override window (days), reason → SET. Override is non-stick — next pulse-engine cron tick (every 24h) re-applies the base window unless the override is renewed.
PULSE VISIBILITY AGGREGATE
Location
Zone 2 → Pulse Visibility panel (Phase 1 visibility surface)
What it does
Hangout activity visibility aggregate — who's visible to whom under current pulse + relationship-tier rules. Read-only display.
Route
GET /api/god/hangout/visibility-aggregateIDENTITY CARD STATS
Location
Zone 2 → Phase 1 Identity Card Stats panel
What it does
Tier-transition counters + intent-profile distribution. Read-only observability for F4 Identity Cards (shipped 2026-05-17).
Routes
GET /api/god/users/tier-transitions · GET /api/god/intent-profilesZONE 3 · REVENUE
Where money lives. War tax, override royalty, founder seats, B2B licenses, treasury.
REVENUE OVERVIEW STRIP
Location
Zone 3 → top of zone
What it does
Live revenue totals by source: WAR TAX 1%, OVERRIDE 5%, founder subscriptions, B2B licenses, persona-plus.
Routes
GET /api/god/analytics/revenue/breakdown · /charts · /api/god/house/balanceErrors
Numbers stuck at "—" usually mean
platform_revenue or ledger empty in this window. Not an error.FOUNDER SEAT BOARD
Location
Zone 3 → Founder Seats section
What it does
Renders the 100 founder slots, who holds each, and which are open. LEGACY_49 (slots 1-50) and SOVEREIGN_100 (slots 51-100) priced separately. Pivot is
FOUNDER_PIVOT = 50 at lib/seat_tier_resolver.js:14 — slot 50 resolves to LEGACY_49; slot 51 is the first SOVEREIGN_100.Routes
POST /api/god/user/:userId/grant-founder (auto-resolves tier via slotToTier) · /revoke-founder (escalation-gated) · GET /api/god/founder/occupancyslotToTier resolver shipped in F-PRICE-1 (commit
1fd18af) — never hardcode LEGACY_49. Slot 51+ MUST resolve to SOVEREIGN_100 pricing. FOUNDER_CAP = 100: slot > 100 throws. See SOVEREIGN_200 warning at the end of this zone.B2B LICENSES · LOCK / RESTORE
Location
Zone 3 → B2B Licenses table
What it does
Show every partner license, status, tier, trust_score, expires_at, lock_reason. Lock action gated by Signed Escalation.
Routes
GET /api/god/licenses · POST /api/license/lock (escalation) · /unlock · POST /api/god/license/:license_key/restoreHow to use restore
- Find the partner in LOCKED rows.
- If
trust_score ≤ 0.05, jump to Zone 1 → Trust Controls and override first. - Click RESTORE FROM AUTO-REVOKE, paste the
license_key, CONFIRM. - Verify
license_audit_logshows aLICENSE_UNLOCKEDrow.
Errors
404: license_key typo. Re-copy from the LOCKED row. If score still ≤0.05, the auto-revoke cron will re-lock within an hour.
Restoration is reversible — if the partner re-offends, cron auto-revokes again.
license_audit_log is append-only (hash-chained). Lock route is Signed-Escalation gated.TRUST CONTROLS · MANUAL OVERRIDE
Location
Zone 1 → Trust Controls + Zone 3 → near B2B Licenses
What it does
Manually set an actor's trust_score (0.0–1.0) and emit a
manual_override trust event for the audit trail.Route
POST /api/god/trust-override (Signed Escalation gated)How to use
Pick actor_type (user / b2b_partner / api_key / etc.), enter actor_id (uses typeahead), enter override_score 0.0–1.0, optional reason → click SET → approve via Telegram or TOTP.
Override is overwritten by the next
compute_trust_scores cron tick (every 6h). Re-override if you need stickiness. A is_overridden flag is banked as a follow-up.WAR TAX + OVERRIDE STREAMS
Location
Zone 1 → Revenue Streams · Zone 3 → top strip
What it does
War Tax = 1% on every transaction (pooled in
war_tax_pool). Override = 5% architect royalty (recorded in ledger via trg_battle_architect_royalty, schema-enforced in transactions via Ghost Layer trigger).Doctrine
Royalty rate is at
platform_flags.ghost_royalty_rate. Editing the flag routes through Signed Escalation (PLATFORM_FLAG_WRITE).TREASURY · BALANCE + SWEEP
Location
Zone 3 → Treasury section (separate panel via god/treasury/ routes)
Routes
GET /api/god/treasury/global · /ledger · /changes · /agents · PATCH /api/god/treasury/agents/:agent · GET /api/god/house/balance · GET /api/god/war-tax/balance/v2 · POST /api/god/sovereign/sweep · GET /api/god/sovereign/sweep_historyWhat it does
Surface global treasury balance, recent ledger movement, agent-by-agent breakdown. Sweep moves war_tax_pool funds to architect destination.
TRANSFER_PLATFORM_FEE = 0.19 (19%) — HARDCODED BY DESIGN. Lives at
routes/founder_system.js:575. Closure-invariant math: 19% platform + 5% royalty + 1% war tax + 75% seller = 100% exactly. A dial for seat_transfer_fee_pct was explicitly rejected in code review (see file comment lines 569-575). Doctrine-locked NOT a dial — changing the value without re-deriving the math invariant would silently desync the breakdown. If this needs to change, edit the const AND re-derive the math in the same commit.ECONOMIC POLICY · DIAL SURFACE
Location
Zone 3 → Economic Policy panel
What it does
Direct edit surface for the rate dials:
ghost_royalty_rate (5% default), war_tax_rate (1% default), sovereign_royalty_floor (5% default, 🔒 signed-escalation), b2b_royalty_pct.Routes
GET /api/god/flags · POST /api/god/flags (escalation: PLATFORM_FLAG_WRITE)Reads use
getPlatformFlagRate(key, default, min, max) — never getPlatformFlagInt (parseInt('0.05')=0 silent trap). Bounds enforced by lib/dial_schema.js entries.REVENUE BY STREAM
Location
Zone 3 → Revenue By Stream panel (Phase 1 visibility)
What it does
Per-stream revenue breakdown: Stars · Persona+ · B2B · founder subscriptions · token packs · voice top-ups · backstage passes. Read-only.
Route
GET /api/god/analytics/revenue/by-stream · /by_tierSTAR PRICING DISPLAY
Location
Zone 3 → Star Pricing panel (Phase 1 visibility)
What it does
Display-only surface for the live Stars purchase prices (F1 Stars Purchasable, shipped 2026-05-17). Underlying prices are managed at the code+Stripe layer — see HARDCODED PRICES block below.
GOLDEN KEYS
Location
Zone 3 → Golden Keys section
What it does
Manage architect-issued one-time keys that bypass payment for founder onboarding / partner gifts. List issued + redeemed + revoked keys.
Route
GET /api/god/golden-keysPENDING SETTLEMENT
Location
Zone 3 → Pending Settlement panel (B2B SRRS sub-surface)
What it does
Surface B2B settlements currently in pending state. Action endpoints transition each row through the settlement state machine (dispute / invoice / mark-paid / write-off).
SUBSCRIPTION MATRIX
Location
Zone 3 → Subscription Matrix panel
What it does
Tier × revenue matrix showing active subscribers per tier and the implied monthly run-rate.
Route
GET /api/god/subscription-matrixSRRS · B2B ACCOUNTS / REVENUE FEED / SETTLEMENTS
Location
Zone 3 → 3 stacked panels under B2B Licenses
What it does
SRRS = Sovereign Royalty Reconciliation Surface. Accounts: B2B partner CRUD + per-account royalty override. Revenue Feed: live stream of B2B revenue events. Settlements: settlement state machine (pending → invoiced → paid / disputed / written-off).
Routes
GET/POST /api/god/b2b/accounts · PATCH /api/god/b2b/accounts/:license_key/override · GET /api/god/b2b/revenue-feed · GET /api/god/b2b/settlements · POST /api/god/b2b/settle · POST /api/god/b2b/settlement/:id/{dispute,invoice,mark-paid,write-off}AUTO-REVOKE LOG
Location
Zone 3 → Auto-Revoke Log panel
What it does
Audit trail of Sentinel/Sovereign-Defense automatic license revocations triggered by
trust_score ≤ 0.05. Read-only — pair with B2B LICENSES → RESTORE to undo.Route
GET /api/god/trust-autorevoke-logHARDCODED PRICES · MANAGED OUTSIDE GOD MODE
Where
Product prices live in code + the Stripe dashboard, NOT in
platform_flags. By architect decision, product pricing is intentionally not exposed as a God Mode dial. Documenting current values for reference — changes require a code edit + redeploy and/or Stripe dashboard action.Persona+ Basic monthly
$4.99 / 499¢ —
routes/architect_god_mode_panels.js:25 (PERSONA_PLUS_BASIC_CENTS)Persona+ Premium monthly
$14.99 / 1499¢ —
routes/architect_god_mode_panels.js:26 (PERSONA_PLUS_PREMIUM_CENTS)Voice top-up tier 1
$2.99 / 299¢ —
routes/voice_topup.js:23Voice top-up tier 2
$7.99 / 799¢ —
routes/voice_topup.js:30Voice top-up tier 3
$14.99 / 1499¢ —
routes/voice_topup.js:37Backstage pass
$4.99 / 499¢ —
routes/audience_features.js:1044 (BACKSTAGE_PRICE)Animated companion monthly
$4.99 / 499¢ default — env-overridable via
PRICE_CENTS_ANIMATED_MONTHLY in Railway. Read at routes/animated_companion.js:198.Founder tier upgrade fallback
10000¢ ($100) —
routes/tier_upgrade.js:131 (fallback when amount_cents not supplied)Founder Stripe prices
Stripe-managed price IDs from env:
STRIPE_PRICE_FOUNDER_49_MONTHLY (LEGACY_49) · STRIPE_PRICE_FOUNDER_100_MONTHLY (SOVEREIGN_100). The numeric monthly amount lives in Stripe — edit there, not in code.SOVEREIGN_200 · UI LABEL ONLY, NOT IMPLEMENTED
Warning
Two console/copy surfaces refer to a SOVEREIGN_200 tier at $200/mo for seats > 100. This tier is NOT wired into the resolver or billing.
References (UI-only)
routes/ai_operator.js:1152 (chat-tool tier description copy) · routes/architect_god_mode.js:4285 (SQL CASE WHEN founder_slot > 100 THEN 'Sovereign_200' label)Why it doesn't work
lib/seat_tier_resolver.js:14setsFOUNDER_CAP = 100slotToTier(101)throws'slot 101 out of saleable range (1..100)'- No
STRIPE_PRICE_FOUNDER_200_MONTHLYenv var exists - No
'SOVEREIGN_200'entry inTIER_ORDERatlib/vault_intelligence.js(only LEGACY_49 + SOVEREIGN_100)
Do NOT grant a founder slot > 100. The resolver will throw, the Stripe checkout will 400
STRIPE_PRICE_NOT_CONFIGURED. SOVEREIGN_200 is a planned tier whose UI copy preceded its implementation — treat the label as aspirational until the tier is wired across resolver + Stripe price env + dial_schema + TIER_ORDER.ZONE 4 · OPERATIONS
Sentinel rules, bot spend ceilings, rate-limit overrides, defense events.
SENTINEL · RULES + EVENTS
Location
Zone 4 → Sentinel section
What it does
13 health-check rules run on cron (5-min through 24h). Each rule writes to
sentinel_health_events. CRITICAL escalations fire to architect Telegram. Rule 3 (redis_connection) is currently dormant — Redis is disabled via REDIS_ENABLED=false (Fix A circuit-breaker, see Zone 5); the reconnect probe re-activates when Redis returns. The other 12 fire on schedule.Routes
POST /api/god/sentinel/events/:id/resolve · /rules/:id/toggle · /run (force full sweep) · /test-escalationHow to use
Click any unresolved event → mark resolved. Click rule row → toggle enable/disable. RUN button triggers full sweep on demand.
Doctrine
Every new Sentinel rule MUST seed a row in
sentinel_rules in the same migration — isOnCooldown treats missing rows as disabled.BOT CONTROLS · ENABLE / SPEND CEILING
Location
Zone 4 → Bot Controls section
What it does
Per-bot kill switch and Anthropic-cost ceiling. Bots: cody, riri, pookie, ray_ray.
Routes
GET /api/god/bot-status · POST /api/god/bot-toggle (escalation) · /bot-spend-ceiling (escalation)How to use
Toggle ENABLED → opens an escalation challenge. Edit spend ceiling cents → opens challenge. Approve via TOTP from the PENDING ESCALATION card.
Spend ceiling enforcement is READ-side: when
current_spend_cents ≥ spend_ceiling_cents, the bot's Anthropic dispatch falls through to a templated reply. Banked as Phase 4.5 in project_anthropic_retry_followups.RATE LIMIT OVERRIDE
Location
Zone 4 → Rate Limits section
What it does
Per-user override for a specific rate-limit bucket (e.g.
ai_tokens, sim_parlay). Active until the bucket's window resets.Route
POST /api/god/rate-limit-override (Signed Escalation gated)How to use
Enter user_id (typeahead populated), bucket_name (e.g. ai_tokens), new_limit (integer), reason → SET → approve.
DEFENSE · BLOCK IP, FREEZE ACCOUNT, LOCKDOWN
Location
Zone 4 → Defense section
Routes
POST /api/god/defense/block-ip · /unblock-ip · /freeze/:userId · /unfreeze/:userId · /lockdown (escalation) · /lockdown/release (escalation) · /resolve/:idWhen to use
Block IP: known bad actor. Freeze user: under investigation. Lockdown: nuclear — denies all non-architect traffic.
Lockdown engage AND release both require Signed Escalation approval. The watchdog (Sentinel Rule 9) escalates if lockdown stays active for >
lockdown_alert_threshold_minutes (default 30 — B3 dial). Recovery via /api/sovereign/god-terminal with override_key is the documented break-glass.STORIES STATS
Location
Zone 4 → Stories Stats panel (Phase 1 observability)
What it does
Hangout Stories telemetry — story creation rate, view rate, expiry cadence (F2 Sovereign Stories, shipped 2026-05-17).
Route
GET /api/god/hangout/stories-statsSTORY TRIGGERS
Location
Zone 4 → Story Triggers panel (Phase 1 observability)
What it does
Display of the events that auto-spawn Hangout Stories (parlay commit, signal-score milestone, founder grant, etc.).
STORY TTL
Location
Zone 4 → Story TTL panel
What it does
Time-to-live config display for Hangout Stories. Vacuum cron at
0 4 * * * sweeps expired rows.ZONE 5 · SYSTEMS
The foundation — platform flags, containment ladder, signed escalation gate, treasury internals, danger zone.
PLATFORM FLAGS · GOD MODE DIALS
Location
Zone 5 → Platform Flags (legacy CRUD) AND Zone 5 → DIAL BROWSER (typed, schema-validated, audit-aware)
Count
71 dials currently live in
platform_flags. The DIAL BROWSER below is the authoritative list — fetches via GET /api/god/dial-schema and renders type-aware editors with min/max bounds.Categories (representative)
- Economic rates —
ghost_royalty_rate,war_tax_rate,sovereign_royalty_floor🔒,b2b_royalty_pct - Policy versions —
tos_current_version🔒,privacy_current_version🔒 - Grace windows —
consumer_grace_days,b2b_grace_{reminder,warning,restricted}_max_days,b2b_expires_at_grace_days,b2b_subscription_deleted_grace_days - Tier parlay caps —
tier_{free,legacy49,sovereign}_parlay_legs - Sentinel thresholds (20 dials, B1+B2+B3 waves) — count thresholds (
*_min_sample,*_threshold,*_batch_limit), duration windows (*_hours/*_days/*_seconds— 11 dials), rate (ai_fallback_rate_max), lockdown (lockdown_alert_threshold_minutes), plus retry-wait/drift-max - Cody Sleep config (15+ dials) — see CODY SLEEP entry below
- Platform toggles —
registration_open,sovereign_seats_cap,maintenance_mode,ai_responses_enabled,sovereign_flip,containment_level,lockdown_active,chain_audit_suppress_baseline_in_summary,market_drift_threshold,calibration_threshold,signal_decay_days - Bot heartbeat —
bot_heartbeat_{stale_seconds,fail_threshold}
Routes
GET /api/god/flags · GET /api/god/dial-schema · POST /api/god/flags (Signed Escalation gated)How to use
Edit any flag's value → SAVE → opens an escalation challenge → approve via TOTP from the PENDING ESCALATION modal. Every flag write is a one-shot escalation. 🔒 dials require signed escalation; plain dials use the same endpoint but the executor short-circuits without challenge.
All flag writes are append-logged via auditor_ledger with
event_type=escalation_executed:PLATFORM_FLAG_WRITE. The audit row carries the key, before/after values, approver identity (last_changed_by, last_changed_via on the row itself). containment_level writes here ARE accepted but the architect-side POST /api/god/containment/reset is the doctrinal path (it routes a typed reason). 🔒 = escalation: true in lib/dial_schema.js.CONTAINMENT MODE · LAYER 3 SOVEREIGN LOCK
Location
Zone 1 vital card (display) · Zone 5 reset action
What it does
Three-state ladder:
CLEAR (normal) · WATCHLIST (anomalies observed; silent logging) · CONTAINED (premium narrows, governance restricts, the platform stays operational — sovereign functions withdraw silently).Routes
GET /api/god/containment/status · POST /api/god/containment/reset (Signed Escalation)How to use
Sentinel Rule 11 auto-escalates CLEAR → WATCHLIST on 1 qualifying CRITICAL event in 60min, WATCHLIST → CONTAINED on 3 events. Only manual reset moves CONTAINED → CLEAR. Click the red CONTAINED vital card → confirm → escalation challenge.
Never auto-de-escalates. The intruder sees a ghost town; the architect retains full access. Every state change writes to
containment_state_log which is append-only (UPDATE/DELETE blocked errcode 42501).SIGNED PRIVILEGE ESCALATION GATE
Location
Zone 1 PENDING ESC vital card · Zone 5 → mechanism (no direct UI)
What it does
High-governance actions return 202 + open a 5-minute challenge. Approve via TOTP from the PENDING ESCALATION modal (enter the 6-digit code from your authenticator app).
Routes
GET /api/god/escalation/pending · POST /api/god/escalation/:id/cancel · POST /api/escalation/approve-totpGated actions (11)
SLOT_REVOKE · FOUNDER_REVOKE · LOCKDOWN_ACTIVATE · LOCKDOWN_RELEASE · CONTAINMENT_RESET · PLATFORM_FLAG_WRITE · LICENSE_LOCK · TRUST_OVERRIDE · BOT_TOGGLE · BOT_SPEND_CEILING · RATE_LIMIT_OVERRIDE
How to approve
- Trigger the gated action — you see "Pending approval" toast.
- PENDING ESC vital turns amber, shows count.
- Click it → modal lists each pending row with countdown, CANCEL, TOTP input, APPROVE button.
- Enter your 6-digit TOTP code from the authenticator app → APPROVE.
- auditor_ledger row writes with
approved_via='totp_fallback'(literal kept for historical-row consistency; rename to'totp'banked as future cleanup).
Tokens never persist in plaintext — only sha256 hash. Terminal states (executed/failed/expired/cancelled) freeze the challenge row at trigger level (errcode 42501 on UPDATE/DELETE). Sentinel Rule 12 fires HIGH if > 5 pending challenges open in 60s.
2FA / TOTP · ARCHITECT ENROLLMENT
Location
Zone 1 → TOTP Escalation banner (always above the fold)
Routes
GET /api/auth/2fa/status · POST /api/auth/2fa/setup · /confirm · /disableWorkflow
- Click banner → ENABLE.
- Server returns Base32 secret + QR data URL (rendered server-side; secret never transits a third-party QR service).
- Scan with authenticator app. Enter 6-digit code → VERIFY & ACTIVATE.
totp_secret+totp_last_verified_atpersist on the users row.
Without TOTP enrolled, the escalation gate's UI-side approval path is unavailable — Telegram becomes the only approval channel. With
ARCHITECT_TELEGRAM_ID also unset in Railway env, BOTH paths are closed — all gated actions enter the pending queue and cannot be approved. Verify env on each deploy.SOVEREIGN FLIP SWITCH
Location
Zone 1 → FLIP STATE vital card (display only) · Telegram
/flip (architect action)What it does
Toggles the active web persona between Cody and RiRi. Architect-only via Telegram
/flip cody|riri|status. The web AI Operator dispatcher honors the flag.Doctrine
Cody owns the flip.
/flip in Telegram now passes through Cody's AI pipeline — he generates the line, then the state writes. Auto-wakes to cody on architect login.DIAL BROWSER
Location
Zone 5 → Dial Browser panel (live, schema-driven)
What it does
Renders all 71
platform_flags dials with type-aware editors (rate / integer / boolean / enum / string), min/max bounds from lib/dial_schema.js, an 🔒 indicator on signed-escalation-gated dials, and a default-value comparison marker. Single source of truth for which dials exist.Routes
GET /api/god/dial-schema (schema + bounds) · GET /api/god/flags (current values) · POST /api/god/flags (write; escalation as required)Bounds and types are enforced server-side via
validateDialWrite before the escalation challenge opens. Unknown keys return 400. Out-of-bound values return 400 with the schema's min/max in the detail message. Add a new dial by editing lib/dial_schema.js + adding a platform_flags seed migration in the same commit — the four-gate cycle.RECENT CHANGES
Location
Zone 5 → Recent Changes panel
What it does
Audit log of
platform_flags writes — surfaces last_changed_at, last_changed_by (architect UUID), last_changed_reason, last_changed_via (channel: god_mode_ui / migration / policy_version_escalation / sleep_threshold / etc.). CHECK constraint pins the via column to a known allow-list.MODAL ENTRY · SIGNED-ESCALATION CHALLENGE
Location
Zone 5 → Modal Entry panel (entry point for challenge creation)
Routes
POST /api/god/challenge (open) · POST /api/escalation/approve-totp (approve via TOTP)What it does
Direct architect-driven challenge entry point for actions that don't have a per-route signed-escalation flow yet. Approve via TOTP from the PENDING ESCALATION modal.
AUDIT EXPORT
Location
Zone 5 → Audit Export panel
What it does
Export
auditor_ledger rows (hash-chained, append-only) and other audit tables to CSV for external reporting or evidence-prep.Routes
GET /api/god/export/audit · GET /api/god/export/:typeCARD VERIFY RATE LIMIT (Phase 1)
Location
Zone 5 → Card Verify Rate Limit panel
What it does
Display surface for the F4 Identity Cards verify-rate-limit config (per-IP and per-user buckets). Shipped 2026-05-17.
CRON HEALTH (Phase 1 detail)
Location
Zone 5 → Phase 1 Cron Health panel (extended view alongside Zone 4 CRON HEALTH)
What it does
Unified node-cron + pg_cron health view — 31 scheduled jobs surfaced with last_run_at, last_status, overdue marker (amber > 1.5× interval, red > 3×). 11 node-cron heartbeats from server.js + 20 pg_cron jobs.
Routes
GET /api/god/cron-health · GET /api/god/cron/healthMEMORY BRIDGE STATUS (Phase 1)
Location
Zone 5 → Memory Bridge panel
What it does
Status of the Hangout ↔ Vault memory bridge — relays signal events from Hangout into Sovereign memory for Cody/RiRi recall.
Route
GET /api/god/hangout/memory-bridge-statusPAYOUT ENV STATUS (Phase 1)
Location
Zone 5 → Payout Env Status panel
What it does
Read-only presence check of payout-webhook env vars — confirms each Stripe webhook secret (founder / persona / persona-plus / token-pack / voice-topup / payout) is set in the running container.
Route
GET /api/god/env/payout-webhook-statusCODY SLEEP · NIGHTLY AUTONOMOUS DIAL PROPOSALS
Location
Zone 5 → Cody Sleep Morning Reveal + Cody Sleep Proposals panels
What it does
Cody's overnight Telegram-driven proposal subsystem. Reads platform performance + recent ledger movement during quiet hours, drafts dial-tune proposals (e.g., adjust
signal_decay_days from 30 → 25, or bump ai_fallback_rate_max from 0.20 → 0.25), surfaces them for architect approval at morning. Auto-apply is gated behind a confidence floor + a whitelist of target tables and proposal types.Routes
GET /api/god/sleep/morning-reveal · GET /api/god/sleep/proposals · POST /api/god/sleep/proposal/:id/approve · /reject · /revert · POST /api/god/sleep/run-now · PATCH /api/god/sleep/threshold · GET /api/god/sleep/simulation-statusConfig dials (~17)
cody_sleep_master_enabled · cody_sleep_auto_apply_enabled · cody_sleep_auto_apply_require_signed · cody_sleep_auto_apply_min_confidence · cody_sleep_auto_apply_target_tables · cody_sleep_auto_apply_whitelist_types · cody_sleep_dry_run_mode · cody_sleep_model · cody_sleep_llm_max_tokens · cody_sleep_max_dequeue_per_cycle · cody_sleep_ingest_lookback_hours · cody_sleep_proposal_min_score · cody_sleep_render_count_max · cody_sleep_severity_alert_threshold · cody_sleep_severity_watch_threshold · cody_sleep_drift_alert_pct · cody_sleep_adjustment_default_pct
How to use
Open the Morning Reveal panel after sunrise → review each proposal's draft change + confidence + signal summary → APPROVE (writes the dial via signed escalation) or REJECT (proposal discarded) or REVERT (rolls back a previously-applied auto-apply). Use RUN NOW to trigger an out-of-cycle ingest for debugging.
Auto-apply is OFF by default (
cody_sleep_auto_apply_enabled=false). Even when ON, it only applies proposals against the cody_sleep_auto_apply_target_tables + _whitelist_types intersection AND above _min_confidence. require_signed=true forces signed-escalation on every applied dial. Architect-approved proposals write to auditor_ledger with the proposer (Cody) and approver (architect) identity.REDIS CIRCUIT-BREAKER · REDIS_ENABLED
Location
Currently env-var only (Railway Variables). No God Mode UI dial yet.
What it does
Env-flag at
lib/redis.js:80-83 (Fix A, commit 545c42a, shipped + deployed live). When REDIS_ENABLED === 'false' (literal string), the Redis client init short-circuits before createClient — no socket attempt, no Connection timeout log spam, no infinite reconnect loop. getRedis() returns null and all 14 callers take their existing if (r) truthy-fallback path (in-memory state). Unset = treated as enabled (backward-compat preserved).When to use
Redis service removed / Redis URL points at a dead host / cost-reduction temporary disable. The existing
if (!REDIS_URL) gate only fires if the URL is completely unset; this new check catches the "REDIS_URL still set but the service is gone" case.How to set
Railway dashboard → Variables →
REDIS_ENABLED=false → click Deploy (staged-pending does not engage — deploy-click doctrine).God Mode UI dial is banked behind Combo World Phase 5 → founder seat tier bug → Rap Battle RAG close. Caveat for the future dial: flipping it would only take effect on next process restart (in-process client teardown/recreate not viable) — dial value is auditability via
platform_flags.last_changed_by, not runtime hot-toggle. Until shipped, treat REDIS_ENABLED as Railway-env-only.DANGER ZONE · SET USER PASSWORD, PURGE INACTIVE
Location
Zone 5 → bottom, red banner
Routes
POST /api/god/set-user-password · POST /api/god/purge-inactive · /purge-warningsWhen to use
Set Password: account recovery. Purge Inactive: maintenance run (soft-deletes accounts past grace).
Set-Password writes the new bcrypt hash and emits a
password_changed trust event. The user is forced to re-login on next request. Never share the new password via Telegram — deliver out-of-band.PHASE 1 VISIBILITY SUITE
Cross-cutting index of the observability + admin panels shipped 2026-05-17 (F1 Stars · F2 Stories · F3 Activity Pulse · F4 Identity Cards · Rap Battle 6 · memory bridge · pg_cron). Each panel is documented in its proper zone above; this section is a feature-name index for discoverability.
| Phase 1 feature | Console section | Zone in this manual | Route |
|---|---|---|---|
| F1 Stars Purchasable | gp-p1-star-pricing | Zone 3 → Star Pricing Display | (display) |
| Revenue by Stream | gp-p1-revenue-by-stream | Zone 3 → Revenue By Stream | GET /api/god/analytics/revenue/by-stream |
| F2 Sovereign Stories — Stats | gp-p1-stories-stats | Zone 4 → Stories Stats | GET /api/god/hangout/stories-stats |
| F2 Sovereign Stories — Triggers | gp-p1-story-triggers | Zone 4 → Story Triggers | (display) |
| F2 Sovereign Stories — TTL | gp-p1-story-ttl | Zone 4 → Story TTL | (display, pg_cron vacuum at 0 4 * * *) |
| F3 Activity Pulse — Override | gp-pulse-override | Zone 2 → Pulse Override | POST /api/god/pulse-override |
| F3 Activity Pulse — Visibility | gp-p1-pulse-visibility | Zone 2 → Pulse Visibility Aggregate | GET /api/god/hangout/visibility-aggregate |
| F4 Identity Cards — Stats | gp-p1-identity-card-stats | Zone 2 → Identity Card Stats | GET /api/god/users/tier-transitions · /intent-profiles |
| F4 Identity Cards — Verify Rate Limit | gp-p1-card-verify-ratelimit | Zone 5 → Card Verify Rate Limit | (display) |
| Rap Battle 6 (audience streams) | (integrated across hangout panels) | (no dedicated zone — see Hangout endpoints under /api/god/hangout/*) | GET /api/god/hangout/comments · /top-relationships |
| Memory Bridge Status | gp-p1-memory-bridge | Zone 5 → Memory Bridge Status | GET /api/god/hangout/memory-bridge-status |
| pg_cron Health (P1 unified) | gp-p1-cron-health | Zone 5 → Cron Health (Phase 1 detail) | GET /api/god/cron-health · /cron/health |
| Payout Webhook Env | gp-p1-payout-env | Zone 5 → Payout Env Status | GET /api/god/env/payout-webhook-status |
Most Phase 1 panels are read-only observability — they surface counters/timestamps without mutating state. Mutation surfaces (Pulse Override, Audit Export, Sleep Proposal approve/reject) route through the same architect-gated
/api/god/* chain as core controls.QUICK REFERENCE
One-page summary of every operator control. Reversible flag means: can be undone without database surgery.
| Control | Zone | Use when | Irreversible? |
|---|---|---|---|
| Enable TOTP | 1 | First setup / device rotation | No |
| Disable TOTP | 1 | Lost authenticator | No |
| Containment reset | 1 | Threat verified clear | No (Sentinel may re-escalate) |
| Cancel pending escalation | 1 | Suspicious challenge / changed mind | Yes (one-shot) |
| Approve via TOTP | 1 | Architect-side confirmation — the sole approval channel | Yes (executes the action) |
| Force tier | 2 | Manual upgrade/downgrade | No |
| Adjust signal score | 2 | Trust correction / boost | No (decays toward true score) |
| Verify user email | 2 | Email delivery failure | No |
| Device override | 2 | User locked out by device fingerprint | No |
| Grant founder slot | 2 | Whale onboarding / partner award | No (revocable) |
| Revoke founder slot | 2 | ToS violation | Yes (escalation-gated) |
| Clear warning | 2 | False purge flag | No |
| Purge user (soft-delete) | 2 | Account removal request | No until cron sweep (grace period) |
| Send broadcast | 2 | Platform-wide announcement | Yes (notification fires) |
| Warn user | 2 | Behavior nudge | No |
| Set user password | 5 | Account recovery | Yes (old password gone) |
| Lock B2B license | 3 | ToS violation / fraud | Yes (escalation; reversible via unlock) |
| Unlock B2B license | 3 | Issue resolved | No |
| Restore from auto-revoke | 3 | Trust score recovered | No |
| Trust override | 1/3 | Engine misjudged actor | No (cron re-overwrites in 6h) |
| Treasury sweep | 3 | Move war_tax pool to architect | Yes (funds move) |
| Edit platform flag | 5 | Toggle feature / change rate | Yes (escalation; ledger-logged) |
| Engage LOCKDOWN | 4 | Active incident | Yes (escalation; all non-arch traffic blocked) |
| Release LOCKDOWN | 4 | Incident resolved | Yes (escalation) |
| Block IP | 4 | Bad actor / scraper | No (unblock available) |
| Unblock IP | 4 | False positive | No |
| Freeze account | 4 | Suspicious financial activity | No |
| Unfreeze account | 4 | Investigation complete | No |
| Toggle bot enabled | 4 | Bot misbehavior / cost cap hit | Yes (escalation) |
| Bot spend ceiling | 4 | Anthropic cost limit | Yes (escalation) |
| Rate limit override | 4 | User needs temporary lift | Yes (escalation; resets at window) |
| Sentinel rule toggle | 4 | Maintenance / debugging | No |
| Sentinel event resolve | 4 | Issue addressed | No |
| Sentinel force run | 4 | Confirmation sweep | No |
| Test escalation | 4 | Verify Telegram path | No |
| Pookie blacklist | 4 | Repeat abuser | No |
| Pookie ghost mode | 4 | Stealth observation | No |
| DMK generate | 5 | Pre-emptive break-glass | Yes (old DMK invalidated) |
| DMK revoke | 5 | Suspected DMK leak | Yes |
| Slot Wars grant card | 2 | Architect awarded card | No (revocable) |
| Slot Wars revoke card | 2 | Card abuse / chargeback | Yes (escalation) |
| Sovereign reserve view | 3 | Audit reserve balance | No (read) |
| House balance view | 3 | Revenue audit | No (read) |
| Export users CSV | 2 | External reporting | No |
| Export revenue CSV | 3 | External reporting | No |
| Auctions close/extend | 3 | Seat auction lifecycle | No (close finalizes winner) |
| Pulse override | 2 | Sparse-pick user keeps tipping below decay floor | No (cron re-applies base window 24h) |
| Edit dial via Dial Browser | 5 | Tune any of the 71 platform_flags | Yes (escalation; audit-trail logged) — 🔒 dials require signed approval, plain dials short-circuit |
| Approve Cody sleep proposal | 5 | Morning reveal accept | No — has explicit /revert action |
| Reject Cody sleep proposal | 5 | Morning reveal discard | Yes (proposal lost, but underlying dial state unchanged) |
| Revert Cody sleep proposal | 5 | Rollback a previously-applied auto-apply | No |
| Audit export | 5 | External reporting / evidence prep | No (read-only CSV) |
BACKEND-ONLY SURFACES
Routes exposed under /api/god/* with no current UI wire. These are programmatic-only — call via curl, the AI Operator chat (tools), or a sidecar CLI.
Approximate. Total god-namespace handlers: 212 across 10 route files (
routes/architect_god_mode.js + 8 siblings + routes/god_terminal.js). Console UI fetches reference 156 distinct endpoints. The table below lists ~50 known backend-only routes; the three-way reconciliation audit (2026-05-26) noted up to ~16 routes may exist that are neither UI-wired in the console NOR documented here — per-route verification was not done. The authoritative list is the route handlers themselves; this table is for navigation, not coverage.| Route | Method | Purpose |
|---|---|---|
/api/god/sovereign-reserve | GET | Reserve balance + holdings snapshot |
/api/god/user/:id/profile | GET | Single-user deep profile |
/api/god/user-debug | GET | Auth + session debug payload |
/api/god/logs | GET | Recent server-side logs (architect filter) |
/api/god/sessions | GET | Active session table |
/api/god/db-state | GET | Database connection / pool stats |
/api/god/endpoint-health | GET | Per-route health probe |
/api/god/console-errors | GET | Recent console-error reports |
/api/god/blocklist | GET | IP blocklist table |
/api/god/blocklist/clear-pattern | DELETE | Bulk unblock by pattern |
/api/god/blocklist/:ip | DELETE | Single unblock |
/api/god/vault-core | GET | Vault Core sealed-to-Twins config |
/api/god/pookie/status | GET | Pookie agent state |
/api/god/animated/grant/:id | POST | Grant animated companion (Stripe-served alt) |
/api/god/animated/revoke/:id | POST | Revoke animated companion |
/api/god/ghost-trace/flags | GET | Ghost trace flagged events |
/api/god/ghost-trace/flags/:id/review | POST | Mark ghost trace flag reviewed |
/api/god/sw/sovereign-override/:id | POST | Slot Wars Sovereign override |
/api/god/sw/credits/adjust | POST | Slot Wars credit adjustment |
/api/god/sw/cards/:id/ban | POST | Ban a Slot Wars card from rotation |
/api/god/sw/royalty/conflicts | GET | SW royalty conflict view |
/api/god/sw/ghost-trace/alerts | GET | SW ghost trace alerts |
/api/god/sw/ghost-trace/:id/verdict | PATCH | Record verdict on SW ghost trace |
/api/god/slot/missions | GET | SW mission list |
/api/god/slot/seasons | GET, POST | SW season management |
/api/god/slot/seasons/:id | DELETE | Delete SW season |
/api/god/slot/grants | GET | SW grant history |
/api/god/slot/grant | POST | Manual SW grant |
/api/god/slot/revoke | POST | Manual SW revoke (escalation gated) |
/api/god/slot/inactivity | GET | SW inactivity flagged grants |
/api/god/slot/inactivity/:id/dismiss | POST | Dismiss SW inactivity flag |
/api/god/slot/enforcement | GET | SW enforcement rejections log |
/api/god/feed_integrity/config | GET, PUT | Feed integrity multipliers |
/api/god/field_analyst/audit_log | GET | Field analyst override log |
/api/god/family/trigger | POST | Trigger family dialogue cycle |
/api/god/family/config | GET, POST | Family dialogue tuning |
/api/god/purge-inactive | POST | Run inactive-user purge sweep |
/api/god/purge-warnings | POST | Send purge warnings |
/api/god/cookie-jar/balance | GET | Cookie jar balance |
/api/god/cookie-jar/disperse | POST | Disperse cookie jar |
/api/god/war-tax/balance | GET | War tax pool balance |
/api/god/war-tax/disperse | POST | War tax disperse |
/api/god/hangout/comments/:id | DELETE | Delete a hangout comment |
/api/god/treasury/agents | GET | Treasury agent registry |
/api/god/treasury/agents/:agent | PATCH | Edit treasury agent config |
/api/god/treasury/ledger | GET | Treasury ledger |
/api/god/treasury/changes | GET | Treasury change log |
/api/god/treasury/global | GET | Treasury global state |
GLOSSARY
Plain-English definitions for the technical vocabulary used across the console.
- Trust Score
- A 0.0–1.0 number computed every 6 hours that summarizes whether an actor (user, partner, api_key, bot) is behaving like a real, well-aligned operator. Drives auto-throttle and auto-revoke decisions. Lives in
trust_snapshots; derived from append-onlytrust_events. - Signal Weight
- The delta a single event applies to a trust score. Strong-positive = +0.300; mild-positive = +0.100; mild-negative = −0.100; strong-negative = −0.300; terminal = −1.000. 15-day exponential half-life decay.
- Commit Credit
- The currency that lets a user "commit" a parlay draft to lock its result. FREE tier gets 3/week. Architect bypasses.
- Draft Slot
- The visual board lane (1, 2, 3…) a parlay occupies before commit. Draft slots cap by tier. Commit moves the slot from draft → committed state. Locked = built but commit credit exhausted (upsell).
- Auto-Revoke
- Sentinel/Sovereign Defense action that automatically locks a B2B license when its
trust_score ≤ 0.05. Setslicenses.status='LOCKED', writeslicense_audit_log, kills partner API access. - Append-Only
- A database table that rejects UPDATE and DELETE via a trigger (
RAISE EXCEPTION USING ERRCODE='insufficient_privilege'). The trail is permanent evidence. Examples:ledger,auditor_ledger,trust_events,containment_state_log,license_audit_log. - God Mode Dial
- A mutation control in Zone 4/5 that flips a platform behavior (bot enable, spend ceiling, rate-limit override, trust score override, platform flag). All gated by Signed Escalation.
- Ghost Clause / Ghost Layer
- The schema-level enforcement of the architect's 5% royalty. A trigger on
transactionstable auto-fills the royalty when missing, OR silently force-pends the row if under-recorded. "Architect royalty is a law of physics in this system, not a line of application code." - War Tax
- 1% tax applied to qualifying transactions, pooled in
war_tax_pool. Disperses to the architect on sweep. Enforced viaenforce_battle_war_taxtrigger with override metadata. - LEGACY_49
- Founder tier 1 — slots 1 through 50 (pivot is
FOUNDER_PIVOT = 50atlib/seat_tier_resolver.js:14; slot 50 resolves to LEGACY_49). Subscription tier shipped at $49/mo via Stripe priceSTRIPE_PRICE_FOUNDER_49_MONTHLY. Pricing per slot range resolved byslotToTier(). - SOVEREIGN_100
- Founder tier 2 — slots 51 through 100. Subscription at $100/mo via Stripe price
STRIPE_PRICE_FOUNDER_100_MONTHLY.FOUNDER_CAP = 100:slotToTier(101)throws. - SOVEREIGN_200
- UI label only — NOT implemented. Referenced as a $200/mo tier for seats > 100 in
routes/ai_operator.js:1152+routes/architect_god_mode.js:4285. Resolver throws on slot > 100; no Stripe price env exists. Do NOT grant a slot > 100. See Zone 3 → SOVEREIGN_200 entry. - Dead Man's Key (DMK)
- 32-character break-glass key that lets the architect regain JWT auth even when normal login paths are broken (DB partial, ip-blocklisted, password unknown). bcrypt-hashed at rest. 5 failed attempts → key locks; only architect email or Telegram can issue a recovery sequence.
- Sentinel
- The 13-rule self-healing scheduler. Runs on cron, detects platform health issues, attempts auto-fix where safe (DB pool restart, Railway redeploy probe), escalates to architect Telegram for the rest. Rule 3 (
redis_connection) is currently dormant — Redis disabled viaREDIS_ENABLED=false; reconnect probe re-activates when Redis returns. The other 12 fire on schedule. - B2B License Tiers
- STARTER / GROWTH / SCALE / WHALE — pricing + entitlement tiers for partner API access. Each license stamps a
tieron every audit row. - Persona+
- $4.99 / $14.99 monthly subscription that unlocks dual-persona AI (Cody AND RiRi) for non-LEGACY_49 users. LEGACY_49 founder tier already bundles both — Persona+ checkout 409s for LEGACY_49.
- Context Injection
- Per-parlay external-variables field. Architect or user attaches narrative context (injury / weather / fatigue / revenge / etc.); the commit-time engine parses signals and applies a probability delta before grade assignment. Persists across draft/commit/locked. Edit anytime via
PATCH /api/parlay/context/:id. - Sovereign Flip Switch
- The
sovereign_flipplatform flag (cody|riri) that determines the active web AI persona. Architect-only via Telegram/flip. Cody owns it — the command passes through his AI pipeline. - Containment Mode
- Layer 3 of the Sovereign Lock doctrine. Three states: CLEAR → WATCHLIST → CONTAINED. Sentinel auto-escalates on persistent CRITICAL defense events. Only architect can manually reset.
- Signed Privilege Escalation
- The challenge/response gate every high-governance action passes through. Returns 202 + opens a 5-minute challenge row in
escalation_challenges. Approve via TOTP from the PENDING ESCALATION vital card — enter the 6-digit code from your authenticator app. - Approved Via
- Field on every auditor_ledger row written by the escalation gate:
'telegram'(bot path) or'totp_fallback'(UI path). Names which channel authorized the action. - Cody Sleep
- Autonomous nightly proposal subsystem. Cody reads platform performance + ledger activity during quiet hours, drafts dial-tune proposals, surfaces them for architect approval at morning. Auto-apply gated behind a 17-dial config cluster (
cody_sleep_*) — OFF by default, whitelist-driven when ON. See Zone 5 → CODY SLEEP. - Phase 1 Visibility Suite
- The observability + admin panels shipped 2026-05-17: F1 Stars Purchasable, F2 Sovereign Stories, F3 Activity Pulse, F4 Identity Cards, Rap Battle 6 audience streams, memory bridge, pg_cron unified health. See the PHASE 1 VISIBILITY SUITE section for the cross-cutting index.
- Hardcoded Prices (managed outside God Mode)
- Product prices live in code + the Stripe dashboard by architect decision and are NOT exposed as God Mode dials. Documented at Zone 3 → HARDCODED PRICES with file:line and current values: Persona+ Basic $4.99, Persona+ Premium $14.99, Voice top-ups $2.99/$7.99/$14.99, Backstage pass $4.99, Animated companion $4.99, Founder tier upgrade fallback $100. Changes require a code edit + redeploy and/or Stripe dashboard action.
- TRANSFER_PLATFORM_FEE
- The seat-transfer platform cut, hardcoded at
0.19 (19%)inroutes/founder_system.js:575. Closure-invariant: 19% platform + 5% royalty + 1% war tax + 75% seller = 100% exactly. A dial forseat_transfer_fee_pctwas explicitly rejected because changing the value without re-deriving the math invariant would silently desync the breakdown. Doctrine-locked NOT a dial. - REDIS_ENABLED
- Env-var circuit-breaker at
lib/redis.js:80-83shipped in Fix A (commit545c42a). When set to the literal string'false', Redis client init short-circuits — nocreateClient, no infinite reconnect loop. Unset = enabled (backward-compat preserved). God Mode UI dial banked behind Combo World Phase 5. See Zone 5 → REDIS CIRCUIT-BREAKER. - Dial Browser
- The live, schema-driven dial editor at Zone 5 → DIAL BROWSER. Renders all 71 platform_flags with type-aware editors, min/max bounds from
lib/dial_schema.js, 🔒 indicators for signed-escalation-gated dials. Authoritative source for which dials exist + what their bounds are. - B-wave (B1 / B2 / B3)
- Three-tier Sentinel threshold-scatter dial conversion completed 2026-05-26. B1: 5 count-type dials (min-samples + thresholds + batch limits). B2: 11 duration/window dials (SQL
INTERVAL '1 X' * $Nparameterization across 7 rules — unit-suffix doctrine locks _hours/_days/_seconds against multiplier). B3: 4 rate/lockdown dials (including the only rate-type Sentinel dialai_fallback_rate_max). 20 of 22 banked threshold-scatter candidates wired; #19 severity-matrix dropped as architectural-choice-not-config; #22 ride-along auto-resolved via B1.