Acropolis Ops Command
Overnight …

Overnight Operator

The overnight lane, accountable by morning.

Live host-health from the overnight sentinel, plus a read-only view of the operator framework: runs, risk mode, artifacts, proof, approvals, collector output, and morning packets. This page is read-first — it triggers no host actions, sends no messages, and exposes no local paths or secrets.

read-first Live feed: host-health sentinel Other sections: framework (pending wiring) No auto-run · no auto-send · no auto-spend
Live feed1

sentinel snapshot

Risk defaultGreen

auto-eligible only

ControlsRead-first

gated affordances

Side effectsNone

on tab load

Current status

Live overnight host health.

host-health feed
Host health sentinelnyx-overnight-sentinel · Checking

Checking

Checking overnight host health… no observation has loaded yet. No green status is shown until a real snapshot returns.

Open Operators

Source: nyx-overnight-sentinel via the Mission Control API. The poll reads a cached snapshot every 90s; only the explicit Recheck button forces a real re-run. Green is shown only with an observation timestamp.

Overnight runs

Runs with status, risk mode, budget, packet & proof.

runs feed
Loading runs…
Loading overnight runs…

No run state has loaded yet. No green status is shown until a real run returns.

Open-thread collector (newest)

No open-thread collector output recorded yet. The collector is read-only and does not auto-run from this page.

Source: the Overnight Operator controller's durable run state via the Mission Control API. Every run summary, morning packet, proof file, open-thread list, and approval is sanitized server-side — no local filesystem path or secret is exposed here. "View packet" loads a run on demand; "Mark reviewed" records an acknowledgement in an MC-owned store and never mutates operator state.

Risk mode

Green-only by default. Read-only here.

policy
Green

Reversible, in-scope, no external side effects. Auto-eligible to execute after the review gate returns ACCEPT.

Yellow

External or harder-to-reverse. Never auto-executed — emits an approval packet for the operator instead.

Red

Deploy, push, send, spend, trade, or schema change. Forbidden unattended; requires explicit human approval.

Risk class follows the operator risk-class policy. The lane never elevates its own risk mode; anything beyond Green becomes an approval packet rather than an automatic action.

Artifacts

What a run writes.

  • Mission Mission + definition of done for the run.
  • Morning packet Mission / DoD / proof / blockers / approvals / memory-checked summary.
  • Proof Real verification evidence for each claimed work item.
  • Work log Per-step controller log and durable state.json.
  • Open threads Ranked, read-only collector output (no auto-execution).
  • Approval packets Fixed-shape requests for any Yellow/Red action.

Artifacts are stored on the operator host. They are never linked by local path from the browser — the live runs panel above serves sanitized copies of the morning packet, proof, and open threads via GET /api/overnight/runs/:id.

Proof, approvals & open threads

Now live, per run.

  • ProofEach run's proof.md is loaded on demand under "View packet" — evidence, not assertions.
  • Approval requestsAny Yellow/Red action surfaces as a fixed-shape approval packet inside the run detail. Green-only runs produce none.
  • Open threadsThe ranked, read-only collector list appears per run and in the collector block of the runs panel.
  • Collector sourceshermes status · cron jobs (failed / paused) · git working trees (read-only) · pending / TODO / action scan · vespera_ledger pending items · Context Exchange relay

These were honest empty states before the feed existed; they now read from the live /api/overnight/* endpoints in the runs panel above. Nothing is fabricated — a run with no proof or approvals says so.

Morning packets

Delivered briefs, on demand.

Open a run to read its morning packet.

Each run renders a fixed-shape morning packet (mission, DoD, proof, blockers, approvals, memory-checked). Use "View packet" on any run in the runs panel above to load it from GET /api/overnight/runs/:id — sanitized, with no local paths or secrets.

Controls

Read-first. No broad run-everything button.

2 live · 2 host-only
live View packet

Open the rendered morning packet, proof, and open threads for a run.

GET /api/overnight/runs/:id (live, in the runs list above)
live Mark reviewed

Record that the operator has read a morning packet (MC-owned store).

POST /api/overnight/mark-reviewed (CSRF, live in the runs list)
host process — disabled Cancel run

Set a queued or running lane to cancelled with a reason.

host process — run the controller directly; not web-triggerable
host process — disabled Re-run collector

Re-run the read-only open-thread collector for a date.

host process — run the collector directly; not web-triggerable

Deliberately the only controls: view and mark-reviewed are live (read + CSRF-gated MC-owned acknowledgement). Cancel run and Re-run collector spawn host processes and are intentionally left disabled — not web-triggerable, so no new attack surface. There is no deploy, send, spend, or run-everything action, and nothing fires on load.