Plain-English verdict: the architecture is right — GitHub as control plane, VPS as disposable runtime, Hermes as operator shell. But the execution loop (issue → branch → artifact → evidence → PR → merge → close) completed zero times ever. Sessions die cold — 488–522 of them in 30 days, each re-deriving state from scratch. The rules existed as documents agents were asked to read, never as gates that forced them to. Voluntary reading was measured at 0% compliance. This page maps what exists, what was intended, what broke, and what the enforced bootstrap can build on.
Every figure below comes from the system's own committed surfaces — task board, audit, forensics, session database.
Only Cloudflare pages (S0) and S12 recommended-architecture pass. Detail in §1.6.
DONE = 1 of 139 — throughput ≈ 0. The closure loop never completed outside the #196 stretch.
Everything right of the white line was silently truncated — agents never saw the bottom of the rulebook. Fresh rebuild later cut it to 7,759, then 3,525 chars.
One cell per day. Every session re-derives state from scratch; a root kill-cron pkills all agents at 00/06/12/18 UTC.
The five mechanical reasons the system could never have worked — independent of how good the plans and prompts were.
/etc/cron.d/claude-cleanup runs as root: pkill -u openclaw claude + pkill -f "claude --dangerously" at 00/06/12/18 UTC. Every agent hard-killed mid-task. Handoffs were only written at completion — so a killed agent left nothing. This is forensics root cause #1 and explains "agents keep dying".
The old OpenClaw workspace AGENTS.md was 18,870 chars against a 12,000-char injection limit. Runtime log: "truncating in injected context". Agents literally never saw the bottom of the rule file. Truncated silently instead of failing loudly. (Fresh rebuild later cut it to 7,759, then 3,525 chars.)
Every bootstrap contract was a "please read this first" convention with no gate. Measured: council STATE.md frozen at round 000 for 29 days on one unread flag; tracker.json holds exactly 1 event; LIVE_HANDOFF.md went stale within ~24h. Forensics verbatim: "state files no one is FORCED to read are dead state."
GitHub push 403 (commit fbd75bc stranded); the PAT was never wired into the agents' exec environment; gh CLI missing on the box; and the repo has no main branch (default is council/bootstrap-20260510) — so every /blob/main/ "canonical" URL 404s and sessions improvise.
Task state lived in a 139-row board, 4 flat HANDOFF bullets, 3 status.json active_tasks, 24 open issues, and a "today_focus" list — none authoritative, none with an owner or lease. Result: duplicate issues (#193/#194, #179–#181), parallel tracks (PR #83 vs #56), and wrong-task pickup.
The published surface, the repos, the machine contract, the runtime, the task board, the audit, the secrets — as found on 2026-06-10.
Nine public pages, all generated from the private repo viewport-corp/viewport-ops (branch ops/openclaw-github-flow-44) and served by a lightweight Cloudflare Worker proxying committed GitHub files (the prior embedded Worker exceeded the 3 MiB limit — recorded as a resolved failure in status.json):
| Page | Role | Freshness at fetch (2026-06-10) |
|---|---|---|
| /migration/ | Command Center hub; "GitHub is source of truth. VPS is disposable runtime. Hermes is the operator shell. Everything is evidence-backed or it does not count." | status.json generated 2026-06-08 |
| /migration/restart (+ /forensics, /transcript, /brain, /ideas, /plan) | Featured 5-section forensic rebuild suite, built 2026-06-09 by 5 read-only agents | 2026-06-09 |
| /migration/plan | "Master Operating Plan V2 / Reality-audited V3", 37 phases, 17 departments | body 2026-06-05, live bar 2026-06-09 |
| /migration/task | 139-task execution board, declared "the active handoff board" (T-080, Sam's explicit request) | generated 2026-06-04 |
| /migration/audit | Full system audit, 13 sections, ~3.5 MB incl. inline evidence | audit run 2026-06-05 |
| /migration/status + /migration/status.json | Human + machine status surfaces; ui_contract: "React UI (Sam builds) fetches status.json; Hermes updates JSON only" | status.json generated 2026-06-05, rendered 2026-06-09 — 4-day stale at render |
| /migration/public/slack | Slack Command Room (top approval layer) | 2026-06-05 |
| /migration/public/odoo | Odoo Command Room (record-first rule) | 2026-06-05 |
9 repos in viewport-corp: fork-hermes-agent, viewport-ops, fork-openclaw, fork-hermes-bccl, tenant-bccl-laowise-website, demo-repository, modern-lao-homes-client-portal, product-tradex, migration-dashboard-internal. Write access proven via throwaway test issue #177 (created+closed same second). Only 3 repos have runtime-contract files; 2 repos unmappable to tenant; the PAT has near-total admin scope (admin:enterprise, admin:org, delete_repo, repo, workflow…) with unknown expiry (S01-PAT UNKNOWN).
Critical structural fact (forensics page): repo name inversion — viewport-corp/viewport-os ("the obvious name") is an 8-file stub on main; viewport-corp/viewport-ops is the real 522-file control plane (later tree: 734 paths, 69 commits), and its default branch is council/bootstrap-20260510, not main — no main branch exists. Every /blob/main/ URL 404s. The repo contains three generations of agent OS side by side (Migration/council v3 harness; root AGENTS.md + agent-entry-protocol; companyos runtime layer) plus duplicate dirs company-os/ vs companyos/ and Migration/ vs migration/.
Schema viewport-status-v1 (~514 lines). Contains: system_health (Hermes ONLINE v0.15.2, gateway restart still needed for live Telegram intake hook), task_board, today_focus (3), active_tasks (3: setup4, accept, status-react), blocked (1), completed_today (1), recent_failures (2), agent_handoff_pack ("New agent? Read this first": HANDOFF.md → /migration/audit → /migration/task → viewport-kb INDEX.md, plus do_not_touch list and next_priority), instruction_files registry (6 canonical docs), gsd_ralphloop block, runtime-contract policy, migration_execution ledger pointer, 3 structured blockers, 5 approval gates, secrets register summary, plain-English update format, and a not_done_claim ("Website/status reporting is not the migration").
/opt/data/state.db with 488 sessions / 29,009 messages in 30 days (restart page counts 522 sessions / 34,330 messages) — each a cold start.
/etc/dokploy/traefik/dynamic/modernlao-transition.yml owns key routes). Operational debris: 4 stale mlh-clients-portal clones, 3 frozen mlh-api-handler rollback copies, sandbox container openclaw-sbx-agent-bizdev-134566cd, 2 hash-named unidentifiable containers.
/srv/viewport/migration exists on VPS; /opt/data/migration MISSING inside active Hermes; restart "can kill running agents" — approval packet drafted, no apply (P0-1, PR #202).
fbd75bc; T-122 source-of-truth push repair (branch ahead 6 commits unpushed, gh CLI missing on box, GitHub MCP get_file_contents Not Found); T-018K old-Docker cleanup queue; T-024 Modern Manager live identity unverified.
13 sections: PASS: 2 FAIL: 10 UNKNOWN: 1. Only Cloudflare pages (S0 build + working routes) and S12 recommended-architecture pass.
FAILs: GitHub inventory, VPS runtime, agent fleet, KB/brain (no unified brain — Hermes/old OpenClaw/fresh OpenClaw use 3 different stores, S04), Domain+DNS (21/61 ghost zones, bccl.la UNKNOWN), observability (no unified dashboard), security (sk- ×970, ghp_ ×138, TELEGRAM_BOT_TOKEN ×276, CF_API_KEY ×61, AIza ×32, xoxb- ×14 in session DB; no secret manager), old Docker reference (49 ghosts), CompanyOS schema (10/10 files exist, zero runtime/CI enforcement, no authority gateway — S09), plan-vs-reality (ledger drift). S11 UNKNOWN (Telegram export access blocked).
Published as 36 redacted evidence files with 1,187 redactions (~886 in 5 weekly Hermes transcripts alone — live credentials routinely leaked into session logs). Per-section remediation issues #182–#191 filed — all flat, unowned, 0 comments, several with evidence pointers that 404 on the default branch (evidence never committed: #182, #183, #184, #186, #187).
Secrets exposure register (category-only, P0-2/PR #203): openai_sk 179, secret_value 99, password_value 29, google_key 13, telegram_env 6, cf_key 5, github_pat 2, ip_non_public 854. Zero rotations complete, no owners assigned; automation_gate: no expanded production autonomy until rotated/scoped. The leaked admin:enterprise PAT remains unrevoked since 2026-05-10 (pat_revoked:false in Migration/council/STATE.md) — this single flag froze the council at round 000 for 29 days. Five approval gates (Hermes/gateway/container restart; Docker mutation; DNS/billing/legal; production Odoo/Slack writes; service-breaking secret rotation) remain in force; 0 runtime mutations have ever been applied under the GSD loop.
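A category-only count like the register above can be produced without ever storing the matched values. The sketch below is an added example, not the project's redaction pipeline: the regexes approximate the token prefixes named in the audit, the `slack_bot` category name is invented here for the `xoxb-` prefix, and every sample token is constructed.

```python
import re
from collections import Counter

# (category, pattern). Group 1 is kept, group 2 is the secret to replace.
# The lookahead skips values that are already redacted, so a second pass
# over scrubbed text counts nothing (idempotent write-back).
_NOT_DONE = r"(?!\[REDACTED:)"
PATTERNS = [
    ("telegram_env", re.compile(r"(TELEGRAM_BOT_TOKEN\s*[=:]\s*)" + _NOT_DONE + r"(\S+)")),
    ("cf_key", re.compile(r"(CF_API_KEY\s*[=:]\s*)" + _NOT_DONE + r"(\S+)")),
    # \b stops "sk-" from matching inside ordinary words such as "risk-...".
    ("openai_sk", re.compile(r"()(\bsk-[A-Za-z0-9_-]{20,})")),
    ("github_pat", re.compile(r"()(\bghp_[A-Za-z0-9]{36})")),
    ("google_key", re.compile(r"()(\bAIza[0-9A-Za-z_-]{35})")),
    ("slack_bot", re.compile(r"()(\bxoxb-[0-9A-Za-z-]{10,})")),
]


def scrub(lines):
    """Return (redacted_lines, counts_by_category); values are never kept."""
    counts = Counter()
    out = []
    for line in lines:
        for category, rx in PATTERNS:
            def repl(match, category=category):
                counts[category] += 1
                return f"{match.group(1)}[REDACTED:{category}]"
            line = rx.sub(repl, line)
        out.append(line)
    return out, dict(counts)


def must_be_clean(lines):
    """Write-back gate: raise (naming categories only) if anything matches."""
    _, counts = scrub(lines)
    if counts:
        raise ValueError("unredacted secrets present: " + ", ".join(sorted(counts)))
    return True


# Constructed session-log lines; the tokens are filler characters, not real keys.
SAMPLE = [
    "export TELEGRAM_BOT_TOKEN=" + "1234567890:" + "T" * 35,
    "curl -H 'Authorization: Bearer " + "sk-" + "a" * 32 + "'",
    "git remote set-url origin https://" + "ghp_" + "b" * 36 + "@github.com/org/repo",
    "risk-assessment-of-the-migration-plan-v2 reviewed",
    "CF_API_KEY: " + "c" * 37,
]

if __name__ == "__main__":
    redacted, register = scrub(SAMPLE)
    for line in redacted:
        print(line)
    print(register)
```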
validate_company_os.py hard-fail validator, migration execution ledger, tasks/current-active-task.yaml, secrets register, 72 RuntimeContracts, 48-entry agent registry, authority matrix, enforcement-gate spec, Slack/Odoo policy, 15-min script-only status cron (job 781cf3aa1cad). This is the only stretch where the loop demonstrably closed, and it did so precisely because a CI validator failed loudly when state artifacts were missing.
validate_odoo_slack_integration.py 15/15.
How GitHub Ops was designed to drive agents, by layer, with sources.
agent_handoff_pack ("New agent? Read this first"): ordered reads — viewport-os/HANDOFF.md → /migration/audit → /migration/task → viewport-kb INDEX.md ("anti-amnesia knowledge base"); do_not_touch list (old Docker/OpenClaw, secrets/raw Telegram sessions, DNS/billing/legal/destructive, production Slack/Odoo writes); single next_priority field. Plus instruction_files registry of 6 canonical docs.
state:active issues; exactly one issue is state:active (#15, Odoo production install).
evidence/agent-runs/<date>/<task>/{evidence.json, summary.md}, dozens of Phase 4a–4v records.
seed_only_not_production; R0 draft → R5 proven, gated per level; forbidden status claims ("100% sure", "fully autonomous", "production-ready") until evidence.
Migration/council/leases/active-leases.json with git-merge-conflict as race detection; mandatory session bootstrap in exact order BEFORE first tool call (STATE.md → the single state:active issue → tracker.json last 10 → weekly digest → policy.yaml; inaccessible ⇒ state:blocked + Telegram alert); handoff = issue comment with fixed format + label swap; authority-gateway policy.yaml with sam_only_actions and verifier ≠ executor; evidence bundle YAML schema; memory tiering; 2 watchers (morning brief, stale-loop detector); v0.1 smallest system = ONE state:active issue + Hermes with scoped PAT + one daily cron; loop invariant "a session that ends without closing the issue is a partial run that must be resumed, not restarted"; hard-stop list with scripted refusal.
companyos/runtime/task-ledger-and-fallback-policy.yaml (committed, default branch): required ledger fields incl. lease_owner, lease_expires_at, policy_version_git_sha, last_checkpoint_ref, resume_instruction; split-brain rules (one_lease_owner_per_task; check_lease_before_write; renew_lease_before_side_effect; stop_if_policy_git_sha_changed_without_reload; stop_if_conflicting_runtime_active); 8-step fallback takeover protocol.
needs-dod and NOT picked up; truth-label state machine (truth:unverified → confirmed → superseded); dedup gate; "Agent restarts read the brain first — always"; AGENTS.md per repo = "the harness boundary"; daily heartbeat ("if the heartbeat goes silent, that IS the alert").
Every failure below maps to one of Sam's three described failure modes — (A) context loss after /clear or exit/reopen, (B) wrong-task pickup, (C) harness drift (agents stop following the rules) — plus the cross-cutting (D) state went stale/false.
The three red joints are the breaks the research found: commits stranded behind the 403'd push token, evidence pointers that 404 on the default branch, and PRs that were never merged. Details below and in §3.4. The green counterexample — the #196 stretch — is drawn in “The one pattern that worked”.
agent:main:main stayed pinned to the dead provider route — Telegram traffic routed through a dead session until explicit reset (transcript P3). Same class: intake_persistence plugin installed+enabled but the running gateway never loaded it (config ≠ runtime, viewport-os#2).
/etc/cron.d/claude-cleanup as root: pkill -u openclaw claude; pkill -f "claude --dangerously" every 6h — every agent hard-killed at 00/06/12/18 UTC, mid-task, with no handoff written (forensics root cause #1; "agents keep dying" explained). Handoffs were written at completion, so a killed agent left nothing.
tasks/current-active-task.yaml, tasks/gsd-ralphloop-active-queue.yaml (at the cited path), evidence/current-proof-index.yaml (at the cited path), runtime/p0-3-runtimecontracts-first-pass.yaml, plans/migration-phases.yaml (at the cited path) do not exist on any default-branch path — they live only on feature branches or nowhere. A session told "read the active task file" 404s and improvises. viewport-os#194 is a hallucinated/stale reference (repo max issue = 2).
current_phase: bootstrap / pat_revoked: false / next_agent: claude-opus-4.7 (a retired model) / active_round: 000; tracker.json holds exactly ONE event. The v3 protocol (527-line AGENTS.md, handoff blocks, turn-taking next_agent) never ran a single round. Council frozen 29 days on one unread flag.
fbd75bc stranded); PAT never wired into agent exec env; gh CLI missing on the box; GitHub MCP get_file_contents Not Found for the live branch — live Cloudflare pages not traceable to a committed artifact ("GitHub is truth" claim itself FAILed in the audit).
evidence/full-system-audit/sections/*.json paths that 404 on the default branch — evidence lives only in the VPS workspace.
setup4 and accept (Telegram intake wiring + acceptance tests) pending since 2026-06-05 behind the gateway-restart approval (viewport-os#2 still open, 0 comments); Hermes mount apply (P0-1) parked as draft packet; secret rotation (P0-2) zero rotations, no owners; council Round 001 never started; the 5 automation prerequisites of the Origin Audit — durable task intake, shared context, authority grant, verification loop, memory writeback — "zero of five exist."
The corpus itself proves each structural gap — these are observations, not theory.
Every bootstrap contract (HANDOFF.md, agent_handoff_pack, LIVE_HANDOFF.md, council AGENTS.md, agent-entry-protocol) is a write-side convention with no read-side gate. Measured compliance of voluntary reads: STATE.md never advanced past round 000; tracker.json 1 event; LIVE_HANDOFF stale in 24h. Forensics lesson, verbatim: "state files no one is FORCED to read are dead state (voluntary convention = measured 0% compliance)." Worse, when a read was enforced (OpenClaw injection), the file exceeded the injection limit and was silently truncated instead of failing loudly.
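What a read-side gate looks like in practice, as an added example rather than the project's validator: the session wrapper runs it first and refuses to launch on a non-zero exit. The ACTIVE_TASK.json layout, the choice of required fields (names taken from the artifact lists on this page) and the use of lease expiry as the staleness test are assumptions of the example.

```python
"""Read-side bootstrap gate (added illustration, not the project's code)."""
import json
import sys
from datetime import datetime, timezone
from pathlib import Path

INJECTION_LIMIT = 12_000  # chars: the injection limit this page reports

# Field names appear in the page's artifact lists; requiring this exact set
# in one ACTIVE_TASK.json is an assumption of the example.
REQUIRED = ("id", "status", "issue", "branch", "owner",
            "lease_owner", "lease_expires_at", "resume_instruction")


class BootstrapError(RuntimeError):
    """Raised so the session stops instead of improvising on bad state."""


def load_rules(path, limit=INJECTION_LIMIT):
    """Return the whole rule file or fail; never truncate it to fit."""
    path = Path(path)
    if not path.is_file():
        raise BootstrapError(f"rules file missing: {path}")
    text = path.read_text(encoding="utf-8")
    if len(text) > limit:
        raise BootstrapError(
            f"{path.name} is {len(text)} chars, over the {limit}-char limit")
    return text


def load_active_task(path, now):
    """Parse the single task file; reject missing, empty or stale state."""
    path = Path(path)
    if not path.is_file():
        raise BootstrapError(f"state file missing: {path}")
    try:
        task = json.loads(path.read_text(encoding="utf-8"))
    except ValueError as exc:  # bad JSON or bad UTF-8
        raise BootstrapError(f"state file unparseable: {exc}") from exc
    if not isinstance(task, dict):
        raise BootstrapError("state file must hold exactly one task object")
    empty = [k for k in REQUIRED if task.get(k) in (None, "", [])]
    if empty:
        raise BootstrapError("missing or empty fields: " + ", ".join(empty))
    try:
        expires = datetime.fromisoformat(task["lease_expires_at"])
    except (TypeError, ValueError) as exc:
        raise BootstrapError("lease_expires_at is not ISO-8601") from exc
    if expires.tzinfo is None:
        raise BootstrapError("lease_expires_at must carry a UTC offset")
    # Staleness is judged by lease expiry here (assumption of the example).
    if expires <= now:
        raise BootstrapError(f"lease expired at {expires.isoformat()}")
    return task


def bootstrap(state_path, rules_path, now=None):
    """Both reads must pass before any tool call is allowed."""
    now = now or datetime.now(timezone.utc)
    rules = load_rules(rules_path)
    task = load_active_task(state_path, now)
    return task, rules


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: gate.py ACTIVE_TASK.json AGENTS.md")
    try:
        task, _ = bootstrap(sys.argv[1], sys.argv[2])
    except BootstrapError as exc:
        print(f"BOOTSTRAP REFUSED: {exc}", file=sys.stderr)
        sys.exit(1)  # non-zero exit is the gate; the wrapper must not launch
    print(f"resume {task['id']} on {task['branch']}: {task['resume_instruction']}")
```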
Issues #2, #3, #187, #191, #192, #195 all rotted unowned (no assignee, no heartbeat, no expiry). Two-owner coordination issue #2: one agent went silent for 3 weeks and nothing reclaimed the work. The kill-cron hard-killed owners and their tasks never returned to a claimable state. The lease schema exists (task-lease.schema.yaml, task-ledger-and-fallback-policy.yaml with lease_owner/lease_expires_at) but T-029 records flatly: "schema exists but board does NOT enforce it."
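The missing enforcement can be shown with a small lease ledger in which a killed owner's task becomes claimable again once its lease runs out. This is an added example, not code from viewport-ops or Hermes: it uses SQLite, one of the lease stores this page weighs, borrows the column names lease_owner, lease_expires_at and last_checkpoint_ref from the ledger policy, and the task id, agent names and checkpoint refs are constructed.

```python
import sqlite3

TTL = 15 * 60  # seconds; matches the 15-minute claim TTL the page cites


def open_ledger(path=":memory:"):
    # isolation_level=None -> autocommit, so each UPDATE is one atomic step.
    db = sqlite3.connect(path, isolation_level=None)
    db.execute("""CREATE TABLE IF NOT EXISTS tasks (
        id TEXT PRIMARY KEY,
        lease_owner TEXT,
        lease_expires_at INTEGER,      -- unix seconds
        last_checkpoint_ref TEXT)""")
    return db


def add_task(db, task_id):
    db.execute("INSERT INTO tasks (id) VALUES (?)", (task_id,))


def claim(db, task_id, owner, now, ttl=TTL):
    """Compare-and-set: wins only if the task is unleased or the lease expired."""
    cur = db.execute(
        "UPDATE tasks SET lease_owner=?, lease_expires_at=? "
        "WHERE id=? AND (lease_owner IS NULL OR lease_expires_at<=?)",
        (owner, now + ttl, task_id, now))
    return cur.rowcount == 1


def heartbeat(db, task_id, owner, now, ttl=TTL):
    """Renew only while this owner still holds an unexpired lease."""
    cur = db.execute(
        "UPDATE tasks SET lease_expires_at=? "
        "WHERE id=? AND lease_owner=? AND lease_expires_at>?",
        (now + ttl, task_id, owner, now))
    return cur.rowcount == 1


def checkpoint(db, task_id, owner, ref, now):
    """check_lease_before_write: a write from a stale owner changes nothing."""
    cur = db.execute(
        "UPDATE tasks SET last_checkpoint_ref=? "
        "WHERE id=? AND lease_owner=? AND lease_expires_at>?",
        (ref, task_id, owner, now))
    return cur.rowcount == 1


def holder(db, task_id):
    row = db.execute(
        "SELECT lease_owner, last_checkpoint_ref FROM tasks WHERE id=?",
        (task_id,)).fetchone()
    return row


def replay_kill(db=None):
    """Owner A is killed mid-task; B takes over after the TTL; A's late write fails."""
    if db is None:
        db = open_ledger()
    add_task(db, "T-1")
    t0 = 1_000_000  # constructed clock, unix seconds
    log = [
        ("A claims", claim(db, "T-1", "agent-a", t0)),
        ("B claims while A is live", claim(db, "T-1", "agent-b", t0 + 60)),
        ("A heartbeats", heartbeat(db, "T-1", "agent-a", t0 + 300)),
    ]
    # A is killed here and sends no more heartbeats; its lease ends at `dead`.
    dead = t0 + 300 + TTL
    log += [
        ("B claims one second early", claim(db, "T-1", "agent-b", dead - 1)),
        ("B claims at expiry", claim(db, "T-1", "agent-b", dead)),
        ("A writes late", checkpoint(db, "T-1", "agent-a", "ref-a", dead + 5)),
        ("B writes", checkpoint(db, "T-1", "agent-b", "ref-b", dead + 5)),
    ]
    return log, holder(db, "T-1")


if __name__ == "__main__":
    steps, final = replay_kill()
    for name, ok in steps:
        print(f"{name:28} {'ok' if ok else 'refused'}")
    print("holder:", final)
```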
Task state was a 139-row board + 4 flat HANDOFF bullets + 3 status.json active_tasks + 24 open issues + "today_focus" — at least five competing "what should I do" surfaces, none authoritative. Result: duplicates (#193/#194, #179–#181, PR #83 vs #56), mega-issues (#195's 7-item checklist), and wrong-task pickup. The one proven counterexample — tasks/current-active-task.yaml + active_issue singular in the CI-validated queue (PRs #197–#205) — produced the only week where work actually chained.
Forbidden lists existed as prose (do_not_touch, protected boundaries, stop lists) but with no mechanical check; the May-31 OTP incident (#133) and the "fresh rebuild" that deleted 47 crons both happened inside sessions that had the prose available. The only scope mechanisms that held were structural ones: staging containers with zero published ports + traefik.enable=false labels (no-hostname parity doc), iptables DROP on port 3000, and Dokploy's org-context refusal — enforcement in the substrate, not in the prompt.
Three generations of agent OS in one repo; company-os/ vs companyos/ vs viewport-company-os/ vs Migration/ vs migration/; default branch council/bootstrap-20260510 with no main; canonical files only on feature branches; secrets register copies on ~19 branches; the validator forked into two versions; repo-name inversion (viewport-os stub vs viewport-ops real). Any session resolving "the plan" had multiple stale candidates and frequently 404'd the canonical one.
Done-claims required no committed proof: checkboxes ticked without evidence (#195); "P0 complete" from an unpushed branch; "updated" meaning "pulled" (#88); simulated acceptance tests claimed as pass while the live gateway never loaded the plugin (viewport-os#1/#2). tracker.json was never appended after bootstrap; nightly brain writeback never ran; handoffs were written only at completion, so killed sessions wrote nothing. The Origin Audit's loop verdict: issue→branch→artifact→evidence→PR→merge→close completed zero times outside the #196 stretch.
No contract can survive a root cron pkill-ing every agent every 6h, a 403'd push token, a PAT absent from the exec env, or sandboxes that can't write files. The transcript's root-cause confession (2026-05-28) generalizes it: "Telegram as control plane with no durable queue, no fallback providers, no health watchers, no automatic recovery."
The corpus codified this itself: not_done_claim "Website/status reporting is not the migration"; Origin Audit failure loop #3 "report mistaken for completion → Sam believes progress made"; architecture 9/10, execution 1/10.
Issue #196 + PRs #197–#205 (2026-06-05) — the only stretch where the closure loop demonstrably closed, and the only week work actually chained. Why it worked:
tasks/current-active-task.yaml with active_issue singular: one task, one issue, one branch, no competing surfaces.
validate_company_os.py failed loudly when state artifacts were missing or empty, instead of trusting agents to volunteer compliance.
It did so precisely because the validator failed loudly — enforcement in the pipeline, not a request in prose. This is the direct ancestor of the ACTIVE_TASK.json bootstrap.
Concrete artifacts, committed and live — plus the actual gaps still to close.
| Artifact | Where | What it gives the bootstrap |
|---|---|---|
| tasks/current-active-task.yaml (PR #201, merged into the ops/* stack) | viewport-ops, branch ops/openclaw-github-flow-44 lineage | Direct ACTIVE_TASK.json ancestor: id, title, status, phase, issue, branch, owner, approval_required, mutation_class, why_first, acceptance[], proof_required[] (exact commands + curl markers), blocked_by[], next_after_done. Missing only lease TTL/heartbeat. |
| companyos/runtime/task-ledger-and-fallback-policy.yaml | viewport-ops default branch | lease_owner, lease_expires_at, policy_version_git_sha, last_checkpoint_ref, resume_instruction; split-brain rules; 8-step fallback takeover protocol. Field names ready to lift. |
| viewport-company-os/tasks/task-lease.schema.yaml + task-packet.schema.yaml | branch fix/migration-public-pages-and-audit-routes (+ siblings) | Partial lease/packet schemas — T-115 already lists their gaps (reviewer/verifier/tests/rollback/heartbeat/takeover/backup seat). |
| validate_company_os.py | two feature branches (two versions) | Working pattern of hard-fail CI on missing/empty state artifacts incl. active_issue singular check, readiness state machine, evidence-path existence-on-disk checks, red/green activation proof. |
| plans/migration-execution-ledger.yaml + migration-phases.yaml | branch ops/migration-execution-ledger | Exactly-one current_task bound to issue+branch; phase order; approval split (5 Sam-gates vs 4 standing-safe); plain-English update contract; not_done_until[]. |
| Plain-English status contract | issue #196 comments, status.json | Phase / Task / Done / Proof / Blocker / Next / Status-URL — the proof/blocker/next-step trio Sam wants in ACTIVE_TASK.json, already in production use. |
| /migration/status.json | live | Machine bootstrap surface any fresh session can curl; ui_contract; agent_handoff_pack; structured blockers {id, status, fact, unsafe_without_approval}. |
| HANDOFF.md | viewport-os main | The write-side handoff convention (needs an enforced read + freshness field). |
| /migration/task board + task.json plan (T-081) | live | The backlog layer beneath the single active task; column taxonomy (NOW/NEXT/BLOCKED/WATCH) and Use rules. |
| Issue label state machine + entry protocol | root AGENTS.md, docs/agent-entry-protocol.md | state:active as work selector; "must not write files" rule; PR-must-name-one-issue contract. |
| Issue templates 01–05 incl. 02-task-packet.yml | .github/ISSUE_TEMPLATE | Intake/packet/incident/runtime-change forms already defined. |
| Council triple-state | Migration/council/{STATE.md, TASK.md, tracker.json, rounds/, handoff/template.md} | Append-only event log + mutable state + handoff block with verdict enum and git{branch, sha, pushed_to_remote}; TASK.md = existing single-task + allowed/forbidden Markdown contract. |
| GSD/Ralph contract + active queue + activation proof | merged via PR #197 | The 8-step loop, source-of-truth order, max-3-attempts rule, stop_for_sam vs standing_approval split — CI-enforced once. |
| RuntimeContracts (72) + authority matrix + 48-seat registry + enforcement-gate spec | PR #204/#205 artifacts | The scope-fence raw material: per-container owner/tenant/repo/route/backup/rollback/approval class; per-seat allowed/forbidden. |
| File-based request queue | migration-control-plane/openclaw-requests/pending/ → completed/ (commits 40444bf…facb874) | Proven "file move + commit = state transition" primitive (transcript P8). |
| Evidence-run contract + redaction pipeline | evidence/agent-runs/…, redaction-report.json (8-type classifier) | Evidence bundle shape + the scrubber the write-back path must pass through. |
| Adoption-packet pattern | PRs #75/#81/#82/#83/#84 | Phase-gated plans with stop conditions, before-AND-after verification, named backup families, terminal dispositions (superseded/not-now distinct from done/blocked). |
| .claude/state/current-task.json, changes-log.jsonl, HANDOFF.md, QUEUE.md | mlh-clients-portal repo | Sam has built current-task.json before — audit's own note: consolidate, don't add a third variant. |
| Modern/CLAUDE.md SESSION BOOTSTRAP | local Mac | Proven in-house enforced-read + end-of-session protocol with documented rationale. |
| Hermes Kanban subsystem | fork-hermes-agent (upstream) | Production-hardened reference implementation of the whole design: 9-status state machine, atomic CAS claim with claim_lock/claim_expires (15-min TTL), heartbeats, 3-tier stale-lease recovery (each tier fixed a numbered production bug), TASK-vs-RUN separation, protocol-violation = crashed, circuit breaker, sticky vs auto-recovering blocks, force-injected 6-step bootstrap in the worker system prompt, single-task pinning via env, structured complete/block contracts, anti-hallucination completion gate. |
| Closed Operating Loop v0.1 design | viewport-kb reports | The fullest paper spec: task packet with out_of_scope, lease file with git-conflict race detection, mandatory ordered bootstrap, authority policy.yaml, evidence bundle schema, memory tiering, 2 watchers, 7-day plan TP-01..TP-10, hard-stop list. |
| Issue #213 "Build Viewport closed operating loop v0.1" | viewport-ops, open | The designated fix vehicle; acceptance already includes "Active lease file/table exists" and one safe test task closed end-to-end with memory writeback. |
Ambiguities the corpus cannot resolve — each needs a decision before/while building the bootstrap.
At least four candidates exist or are designed: tasks/current-active-task.yaml (PR #201), the single state:active GitHub issue (entry protocol; currently #15), the v0.1 active-leases.json + state:active issue combo, and the new ACTIVE_TASK.json. The audit explicitly warns against adding "a third variant" next to mlh-clients-portal's current-task.json. Pick one; declare the rest derived or retired.
viewport-ops default is council/bootstrap-20260510; the live pages build from ops/openclaw-github-flow-44; the execution ledger names ops/finish-migration-p0-foundation; GSD names ops/gsd-ralphloop-githubops-runtime — three-plus "current" branches referenced simultaneously, and viewport-os vs viewport-ops naming is inverted. Does Sam want a main created/promoted, a monorepo consolidation (restart plan says viewport-os monorepo), or the bootstrap hard-pinned to the existing default?
Revoke the leaked admin:enterprise PAT and mint scoped credentials (audit S01/S12 and restart both say GitHub App auth) — but rotation of live Telegram/CF/Odoo tokens is on the do_not_rotate_without_approval list. What's the rotation order and window, and does pat_revoked:true get flipped in STATE.md or does STATE.md retire?
Forensics says remove /etc/cron.d/claude-cleanup and one gateway restart unblocks setup4/accept/intake (viewport-os#2) — but both are behind Sam's own approval gates and the mount packet recommends "do NOT restart." Approve a restart window (Option A) or accept Option C (GitHub as canonical evidence path, no restart) permanently?
66 vs 72 vs 73 in the system's own surfaces. Which probe is canonical, and should the bootstrap refuse to run when its state file disagrees with the live probe?
Awaiting Sam
v0.1 design = committed JSON file with git-merge-conflict as the race detector; task-ledger policy = YAML ledger fields; Hermes Kanban = SQLite CAS with heartbeats. Git-file leases are auditable but slow and conflict-prone for sub-minute claims; SQLite is fast but off-GitHub. Which trade-off — and is GitHub-as-lease acceptable given the push path was 403'd for weeks?
Awaiting Sam
Upstream Hermes learned (bugs #23025/#29747) that long tool-free LLM calls can't heartbeat — naive TTL reclaim creates spawn-then-reclaim loops. What TTL, and does a wrapper-level heartbeat run out-of-band?
Awaiting Sam
v0.1 says verifier ≠ executor and specialists may not close issues; sandboxed subagents demonstrably cannot write files at all. Is the rule "canonical state writes only from the main/host session" formalized?
Awaiting Sam
Sam wants allowed repo/path/tools + explicit forbidden scope in the task file. The corpus has three fence vocabularies: RuntimeContract approval classes, risk tiers 0–4, and per-seat authority matrix flags. Which one does ACTIVE_TASK.json reference so fences stay consistent with the 72 contracts and 48-seat registry already committed?
Awaiting Sam
One-task-only bootstrap implies everything else is backlog. Bulk-triage with the state:* labels (and who owns triage — Hermes, a cron, Sam)? AUDIT-FINDs are findings records, not work tickets — do they feed a triage queue or get a dedicated consumer?
Awaiting Sam
Approval packet options A/B/C are still open ("current_decision: No apply"). If C (GitHub canonical) is permanent, the /srv/viewport/migration evidence tree and 90-day private-evidence retention policy need an owner and sync story.
Awaiting Sam
STATE.md froze on next_agent: claude-opus-4.7 (retired) and old config carried dead model fallbacks. Should ACTIVE_TASK.json ban model IDs entirely (seat names only) or validate against a live registry?
The restart plan mandates API keys for all agent runtimes (citing the Anthropic OAuth policy change, June 15 2026 credit pool) and Claude Max interactive-only — this interacts with Sam's locked subscription-NEVER-API rule and the 2026-06-22 Fable 5 deadline. Which workloads, if any, move to paid API keys?
Awaiting Sam
When ACTIVE_TASK.json is missing/stale/unparseable: hard-stop the session (forensics lesson: fail LOUDLY), or auto-create a diagnose-the-loop task (v0.1: "the session's first job = diagnose why the loop broke")? And what is "stale" — a TTL field, last-heartbeat, or git mtime?
Awaiting Sam
"One task only" globally, or one per tenant/runtime (Hermes viewport, hermes-bccl, MLG/MLH lanes)? The v0.1 lease design forbids two active leases sharing tenant+domain — which implies N concurrent leases, not 1.
Awaiting Sam
"MLH Postiz Automation Handoff" repo not found anywhere (T-106) — does it exist privately, or should the board entry be retired? Same question for every phantom path catalogued in §3.2.
Awaiting Sam
Every headline number on this page, in one place, sourced from the corpus.
pat_revoked:false.
fbd75bc; gh CLI missing; ≥6 phantom canonical paths.
wf_4b071e30-ef7 · source report reports/viewport-migration-deep-research-2026-06-10.md · GitHub-sourced, served via viewport-ops public/migration/claude-research/index.html.