Verdict: the control plane is fully designed and completely unmanned. 13 repos under viewport-corp hold the doctrine; 64 containers on 194.163.153.171 run the business — and between them there is no webhook, no runner, no deploy workflow, no schedule, no lease, no handoff file. Exactly one container was ever built from GitHub. Every other deploy is SSH-and-run. The agent loop has no actor, no trigger, and no heartbeat — which is why every session starts amnesiac, hallucinates state from stale branches, and GSD/RalphLoop sits orphaned on a branch 117 commits behind.
The corporate layer above, the GitHub control plane below. The org holds 13 repos, not the 9 on the known list — tenant-buddha-corporation and associate-vinay-patil were absent from the briefing; demo-repository (GitHub starter junk) still lives in the org.
viewport-corp: Operations, governance, migration council, GitHub-first control plane.
Control-plane handoff + operating-state repo — an 8-file, 15 KB stub holding the only HANDOFF.md, with a self-declared [BLOCKER] (#2) untouched 5 days.
Public-safe Git-backed knowledge base — the healthiest organ: INDEX.md present, closed-loop v0.1 report published 2026-06-08. A publishing channel, not a loop.
Upstream Hermes fork with the full Kanban subsystem (hermes_cli/kanban*.py, v1 spec PDF) — the swarm/lease reference implementation, frozen since 2026-05-31, unused.
MLH client portal source + Dokploy deployment package — the source of the one proven GitHub→VPS container.
Internal migration dashboard inspired by ReleaseBar; not a public fork.
BCCL/Buddha Corp tenant source-of-truth: Hermes identity, runtime policy, evidence, workspace boundaries. Not on the known list.
Associate-scoped Hermes runtime/control repo for Vinay Patil. No secrets. Not on the known list.
BCCL / LaoWise website source. BCCL-only access boundary.
TradeX experimental product repo.
OpenClaw fork (“the lobster way”) — frozen since 2026-05-31.
Second Hermes fork, BCCL-scoped — frozen since 2026-05-11.
GitHub starter junk (“the best GitHub has to offer”) — 2 KB, still in the org.
One connected tree from the holding down to the runtime engines: corporation → 6 entities → GitHub org → 13 role-tagged repos → control-plane branches → 14 departments → seat registries → live engines on the VPS. Every node is real and verified read-only (gh CLI + SSH). On mobile the tree reads as an indented list.
The designated primary operator (server hands / GitHub+VPS executor per the seat index). Two live containers, v0.15.2, gpt-5.5 via openai-codex. The shell is healthy and talking to Sam on Telegram — but its automation surface is almost entirely switched off.
gpt-5.5 via openai-codex (codex_responses against the chatgpt.com backend), reasoning medium, zero fallback providers.
gateway-codex, gateway-default, gateway-bccl, gateway-claude.
modernlao-odoo-api-key, modernlao-slack-bot-token, modernlao-slack-signing-secret, modernlao-slack-user-token, modernlao-slack-webhook-url.
| Rail | State | Evidence |
|---|---|---|
| Telegram | CONNECTED | queue 0 · last successful send 2026-06-10 (gateway_state.json) |
| Slack | DEAD since 2026-05-08 | state retrying · “failed to reconnect” |
| Discord | config only | configured section, not in gateway_state platforms |
| | empty | empty config |
Kanban subsystem: kanban.db with tasks/task_runs/task_events tables, boards modern-lao-war-room + viewport-ops-live, dispatch_in_gateway=true every 60s, auto_decompose on — and tasks table = 0 rows. The plumbing exists; nothing flows. gateway_state reports active_agents: 0; duplicate gateway+dashboard process pairs running since Jun 08/10.
The intake_persistence plugin is on, but the last capture (2026-06-05) is a trivial “Hi” (tags [QUESTION], tenant unknown, dept ops; KB 16 notes, 3 recent issues loaded). Full intake-hook activation is blocked_by_approval — the gateway restart it needs would kill running agents (blocker gateway_restart in gsd-ralphloop-active-queue.yaml). The anti-amnesia pipeline is stalled at one approval.
Three OpenClaw installations share one VPS. The repo designates the fresh docker instance as live (centralized-runtime-seat-index.yaml: agent_count 26, config sha256 6085c958…, evidence issue #123 / PR #126) and marks the old one reference_only_do_not_touch_without_approval — but the old one didn’t get the memo.
Root process openclaw gateway --port 47293 has been running since May 28 (~3,787 CPU-min). Its cron store holds 50 jobs / 49 enabled, and the run logs are CURRENT — /root/.openclaw/cron/runs updated 2026-06-11 00:04 (performer-p1-monitor.jsonl at 00:02). This directly contradicts “crons 50→1 (disabled)”: that is true only of the fresh instance. An uncontrolled actor is firing 49 jobs nightly against openai-codex/gpt-5.5 with no GitHub trail — untracked runtime mutation + token burn. First reconciliation target.
2 containers Up 9 days healthy (viewport-openclaw-fresh, ghcr.io/openclaw/openclaw:latest). 26 agents, all model: null (default model, near-default rebuild state), no bindings — all traffic lands on main. Channels slack+telegram. Cron: 1 job (TradeX MT5 blocker check), disabled; last run file 2026-05-30.
Config /root/.openclaw/openclaw.json: 26 agents all pinned openai-codex/gpt-5.5 (no fallbacks), 27 bindings, telegram+slack+modelByChannel. 49 of 50 crons enabled and firing (runs logged 2026-06-11 00:04). Only 2 workspace dirs. Repo policy: reference_only — reality: executing nightly.
26 agents with rich per-agent model+fallback arrays (codex-pro, deepseek-v3.2, glm5, kimi-k2.5, px-gemini31-pro, px-opus-thinking, gemini-3.1-pro, llama-3.3-70b, claude-haiku-4-5…), 27 bindings, two cron stores (51/50 and 48/48 enabled on paper) but run logs stale since 2026-04-12. ~70 .bak config siblings. 25 workspace dirs + main at /opt/platformx/openclaw/workspace-main holding 24 SOUL.md files + SOUL/IDENTITY/DREAMS/HEARTBEAT.
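The policy-versus-reality gap described above (an installation marked reference_only whose run logs are current) can be checked mechanically from run-log modification times alone. This is an added example, not code from the audited repos; the installation names, the `live` policy label, the finding names and the 24-hour window are assumptions, and the fixture files are constructed.

```python
import os
import tempfile
from pathlib import Path


def newest_run(runs_dir):
    """Newest mtime (epoch seconds) among *.jsonl run logs, or None if there are none."""
    return max((f.stat().st_mtime for f in Path(runs_dir).glob("*.jsonl")), default=None)


def policy_drift(declared, runs_dirs, now, window_h=24):
    """Compare declared policy per installation with run-log recency.

    declared:  {install: policy string from the seat index}
    runs_dirs: {install: path to that install's cron runs directory}
    """
    findings = {}
    for name, path in runs_dirs.items():
        last = newest_run(path)
        active = last is not None and now - last <= window_h * 3600
        policy = declared.get(name)
        if policy is None:
            findings[name] = "UNDECLARED_RUNTIME"        # on disk, absent from the index
        elif policy.startswith("reference_only") and active:
            findings[name] = "EXECUTING_AGAINST_POLICY"  # frozen on paper, firing in fact
        elif policy == "live" and not active:
            findings[name] = "LIVE_BUT_SILENT"           # designated live, scheduler idle
    return findings


def make_runs(root, name, age_h, now):
    """Constructed fixture: one run log whose mtime is age_h hours before now."""
    d = Path(root) / name
    d.mkdir()
    f = d / "job.jsonl"
    f.write_text("{}\n")
    os.utime(f, (now - age_h * 3600, now - age_h * 3600))
    return str(d)


if __name__ == "__main__":
    now = 1_800_000_000  # fixed clock so the result is reproducible
    with tempfile.TemporaryDirectory() as root:
        dirs = {"old_root": make_runs(root, "old_root", 1, now),
                "fresh_docker": make_runs(root, "fresh_docker", 12 * 24, now),
                "archive": make_runs(root, "archive", 60 * 24, now)}
        declared = {"old_root": "reference_only_do_not_touch_without_approval", "fresh_docker": "live"}
        print(policy_drift(declared, dirs, now))
```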
The locked “OpenClaw routing v14: 4-tier, 25 agents” decision appears in zero live configs — 0 occurrences of “tier” in the fresh config (which has 26 agents, not 25, and no bindings at all). The fleet design that was signed off is not the fleet that runs.
24 SOUL.md files in the dormant archive: analytics, atlas, benchmark, bizdev, codex, content, crisis, cs, experiment, eye, finance, hiring, innovation, legal, marketing, media, omnibrand, performer, qa-master, resource, sales, scout, training, verify — plus workspace-main’s SOUL/IDENTITY/DREAMS/HEARTBEAT, the fresh workspace SOUL.md, and Hermes’ own /srv/viewport/runtime/hermes/SOUL.md.
14 departments in companyos/departments/taxonomy.yaml and a 20-industry ontology — but the 48-seat registry maps every seat’s department as “UNKNOWN until mapped” and every readiness as seed_only_not_production. The newer 26-seat live index is the only register with real lifecycle state.
centralized-agent-registry.yaml (553 lines, draft_from_legacy_and_fresh_evidence, phase P0-5, issue #196): 48 entries, all seed_only_not_production, departments all “UNKNOWN until mapped”. Allowed: read-only analysis · draft task packet · draft PR/artifact. Forbidden = the hard-stop list (container restarts, Hermes restart, docker prune, DNS, billing/legal/finance, customer sends, secrets).
Counts recorded in the registry itself: old config 24 agents · old workspaces 25 · fresh config 26 · fresh workspaces 25 · registry 48.
centralized-runtime-seat-index.yaml (live_control_plane, partially_centralized_live): 7-stage readiness lifecycle seeded → activated → smoke_tested → reviewed → validated → operational → proven; default authority class_b_read_write_repo_only. Runtime classes: hermes=primary_operator, openclaw=live_agent_runtime, github_copilot_agent=code/docs/backlog, codex_claude=specialist, github_actions=deterministic_validator, n8n=approved_workflow, odoo=approved_business_record.
Plus: agent-seats/seats.yaml — 6 runtime seats (hermes-operator active, github-actions-validator active, openclaw-reviewer / codex-coding-reviewer / claude-design-reviewer planned, +1 more); 6 trained specialists (issues #33–#38: github-office, openclaw-runtime, hermes-runtime, devops-sre, kb-librarian, actions-platform-engineer); 8 charters (agent-qa-evaluation, agent-runtime-fleet, company-os-orchestrator, github-office-queue, hermes-operator, pmo-operating-review, security-access-review, sre-healthcheck).
The doctrine layer is genuinely strong: a tight AGENTS.md, a label state machine, risk tiers, a 13-field runtime contract with ~75 instances, an authority matrix, and the GSD/RalphLoop contract. The law exists — the enforcement actors don’t.
Now small enough to inject whole (previous oversize problem fixed). 9 sections: non-negotiable control-plane rule, where-to-work (VPS preferred, Mac terminal-only), repo boundary doctrine, 12-step standard sequence, risk gates, secret handling (names only), tenant routing, evidence-before-close, if-unsure.
docs/agent-entry-protocol.md: work ONLY state:active; state:blocked / protected / not-now / stale / superseded are no-work states. Every PR must declare exactly one of Closes #N / Supersedes #N / Part of #N — remains open because… Rule: an agent that cannot prove it read current rules/issues/PRs/boundary must not write files.
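One way to enforce the two entry-protocol rules above as a deterministic check: the referenced issue must carry state:active and no other state:* label, and the PR body must declare exactly one of the three forms. This is an added example, not code from viewport-ops; the function names, the treatment of Supersedes as pointing at a prior PR, and the sample issue numbers are assumptions.

```python
import re

# Labels as named on the page; anything other than a lone state:active is no-work.
WORKABLE = "state:active"

# "Closes #N", "Supersedes #N" or "Part of #N", one per line; group 3 is the line's tail.
DECL = re.compile(r"^[ \t]*(Closes|Supersedes|Part of)[ \t]+#(\d+)\b(.*)$", re.I | re.M)
# "Part of" must carry a reason; accept an em dash, en dash or hyphen before it.
REASON = re.compile(r"^\s*[\u2014\u2013-]*\s*remains open because\s+\S", re.I)


def may_work(labels):
    """Entry gate: the only state:* label present is state:active (fail closed)."""
    states = {l for l in labels if l.startswith("state:")}
    return states == {WORKABLE}


def check_pr(body, open_issue_labels):
    """Return a list of violations; an empty list means the PR may proceed."""
    decls = [(m.group(1).lower(), int(m.group(2)), m.group(3)) for m in DECL.finditer(body)]
    if len(decls) != 1:
        return [f"expected exactly one declaration, found {len(decls)}"]
    kind, number, tail = decls[0]
    errors = []
    if kind == "part of" and not REASON.match(tail):
        errors.append(f"Part of #{number} needs 'remains open because <reason>'")
    if kind != "supersedes":  # assumption: Supersedes points at a prior PR, not a work item
        labels = open_issue_labels.get(number)
        if labels is None:
            errors.append(f"#{number} is not an open issue")
        elif not may_work(labels):
            errors.append(f"#{number} is not workable: {sorted(labels)}")
    return errors


if __name__ == "__main__":
    # Constructed sample data; issue numbers and labels are illustrative.
    issues = {101: ["state:active", "priority:today"], 102: ["state:active", "state:blocked"]}
    for body in ("Closes #101", "Part of #101", "Closes #102", "Closes #101\nCloses #102"):
        print(repr(body), "->", check_pr(body, issues) or "ok")
```

An issue labelled both state:active and state:blocked is rejected, which matters where several overlapping label systems can leave contradictory states on one issue.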
approvals/authority-matrix.yaml: Sam required for paid spend/vendor, DNS/domain/production deploy, legal/public claim/client-facing send, external outreach/social/ads, destructive data/container action, new role needing cost/secrets/external access. Autonomous: research/draft/analysis, GitHub branch/PR/staging (reviewer+verifier), low-risk role drafts via PR. Two sibling matrices exist (agents/ + migration-control-plane/).
| Tier | Scope |
|---|---|
| 0 observe | research / summarize / monitor |
| 1 draft | issues / comments / plans / PR drafts |
| 2 controlled write | repo-only via PR + checks |
| 3 sensitive | runtime / Odoo / n8n / customer / finance / legal / deploy — approval required |
| 4 prohibited | secrets exposure, destructive prod data, legal/HR/financial final decisions — never autonomous |
Source: companyos/runtime/hermes-openclaw-operating-model.md L112–118.
Skill agent-scripts/skills/runtime-contract/SKILL.md + runtime-contract.schema.json. Required fields (13, not the expected 8): service_id, owner, tenant/entity, repo, runtime target, domain/route, env template, secret refs (not values), healthcheck, logs/metrics/traces, backup, rollback, evidence bundle. ~75 contract files committed under viewport-company-os/runtime/contracts/.
Task plumbing schemas also on main: task-lease.schema.yaml, task-packet.schema.yaml, intake-interpreter.yaml.
Goal → Setup → Do → Verify → Diagnose → Fix → Repeat → Evidence. Contract gsd-ralphloop-operating-contract.yaml (status active_repo_only); active queue holds 3 workstreams (github_ops_truth active, vps_runtime_reconciliation active_read_only, migration_live_status active); failure policy max 3 fix attempts before architecture review; proof-loop doc, test spec and activation-proof evidence all committed. Current blocker: gateway_restart = blocked_by_approval.
Hard stops (always Sam): secrets or credential values · DNS/nameserver/billing/legal/tax/finance commitments · Odoo/Slack/customer-facing writes or sends · destructive deletion/prune/volume/database/prod config mutation · old Docker/OpenClaw live service changes.
The designed pipeline: Sam → Telegram → Hermes intake → GitHub issue/task-packet → seat routing → executor (OpenClaw seat) → VPS runtime → evidence → PR → merge → status.json → Slack/Odoo rails. Verdict: the spine works (Telegram→Hermes, PR/evidence discipline, status.json publication) — the middle is dead (seat routing all-to-main, scheduled execution 1/8 + zombie crons, Slack rail down since May 8).
viewport-ops has 93 branches and 1,478 paths on main. The default branch is main — NEW as of today (older docs claimed council/bootstrap-20260510). The live site is served from a diverged feature branch, and the canonical control-plane files don’t exist where agents are told to read them.
| Branch | Role | Ahead / behind main | Last commit | State |
|---|---|---|---|---|
| main | Default branch — NEW default as of today | — | 2026-06-10 · “Merge pull request #219… ops/status-main-218” | default |
| ops/openclaw-github-flow-44 | Serves the live site viewport.llc/migration | 13 ↑ / 87 ↓ | 2026-06-10 · “redesign: unify shell across all 17 migration pages” | diverged |
| council/bootstrap-20260510 | Council bootstrap — the branch STATE.md declares as its own control plane | 0 ↑ / 206 ↓ | 2026-05-10 (bootstrap day) | frozen / abandoned |
| ops/gsd-ralphloop-githubops-runtime | GSD/RalphLoop runtime — built, never merged | 2 ↑ / 117 ↓ | 2026-06-05 · “feat: add vps runtime reconciliation queue” | orphaned |
| ops/finish-migration-p0-foundation | P0 foundation work | 1 ↑ / 110 ↓ | — | diverged |
The 8 canonical files every agent is told to read on entry, checked via the contents API on both the default branch and the branch serving the live site. HANDOFF.md, current-active-task.yaml and active-leases.json exist on NO branch checked. An agent arriving fresh has no current task, no lease, no handoff — the literal mechanism of amnesia.
| Canonical file | main (default) | ops/openclaw-github-flow-44 (serving) |
|---|---|---|
| AGENTS.md | ✓ 3,826 B | ✕ 404 |
| HANDOFF.md | ✕ 404 | ✕ 404 |
| Migration/council/STATE.md | ✓ frozen 2026-05-10 | ✓ same frozen copy |
| Migration/council/tracker.json | ✓ 1 event ever | ✓ 1 event ever |
| tasks/current-active-task.yaml | ✕ 404 | ✕ 404 |
| companyos/runtime/task-ledger-and-fallback-policy.yaml | ✓ 1,391 B | ✕ 404 |
| Migration/council/leases/active-leases.json | ✕ 404 | ✕ 404 |
| docs/agent-entry-protocol.md | ✓ 3,297 B | ✕ 404 |
Score: main 5/8 · serving branch 2/8 (only the frozen council STATE.md + tracker.json copies). Council STATE.md sits at revision: v3, active_round: 000 with its only commit on 2026-05-10 — the council loop ran 0 rounds in 31 days, and its declared branch is 0↑/206↓.
23 open issues in viewport-ops, every single one unassigned. 166 labels across 3 overlapping state systems (state:*, status:*, agent:*) — and nothing consumes them. Open PRs: 0.
100% of the open queue has no owner. The label state machine exists (state:active / blocked / protected / not-now / stale / superseded among 166 labels) but no actor reads it.
0 open pull requests across the entire org. The issue→branch→PR→merge→close loop that AGENTS.md mandates has nothing in flight anywhere. 4 of the last 100 CI runs failed (companyos-foundation + github-office on ops/hygiene-216, 2026-06-10) and were re-run green — the gates work when invoked.
Carries the strongest urgency labels the state machine has — priority:today + state:active + agent-entry-required — created 2026-05-11 and unassigned for ~30 days. The one issue agents are required to work, and nothing ever picked it up.
The designated vehicle meant to fix the loop — lease file, ACTIVE_TASK, bootstrap, write-back. Sitting untriaged (type:intake, needs-triage) with 0 comments since creation on 2026-06-08. The loop-builder itself is a victim of the missing loop.
The one proven pattern: its 7 comments carry the plain-English Phase/Task/Done/Proof/Blocker/Next contract that produced the only week where work actually chained. Still open, still unassigned; its runtime branch sits orphaned 2↑/117↓.
github-inventory.json (gh CLI read-only) + vps-inventory.json (read-only SSH) · Machine snapshot: /migration/github/github-data.json · No secrets embedded — the one leaked PAT appears only as ghp_hq…[REDACTED].
agent-os-inventory.json (read-only SSH + gh CLI; secret key names only, never values) · Machine snapshot: /migration/github/agent-os-data.json · Live KPIs also pulled from /migration/status.json.