Operator Guide
A concise reference for operators running Voxera OS. Covers queue contracts, approval lifecycle, security posture, and hygiene commands. For complete run instructions, read the README.
Reference areas
Architecture
How Substrate OS, AI Control Plane, and Experience Layer relate to each other — and how jobs flow through the queue from inbox to outcome.
Read section →Security model
How Voxera OS prevents unauthorized actions, records what happened, and isolates execution with rootless Podman.
Read section →Ops commands
The hygiene and observability commands operators use to maintain a healthy queue, diagnose failures, and package incidents.
Read section →Roadmap
What's coming in the next release: panel auth hardening, health degradation signals, and ops visibility improvements.
View roadmap →Ops contracts
| Contract | Rule |
|---|---|
| Job drop location | notes/queue/inbox/*.json only. Legacy root drops are auto-relocated with an audit event. |
| Approval-required jobs | Move to pending/ — never to failed. Explicit approve or deny required before processing continues. |
| Failed-job sidecars | Written to failed/<job_stem>.error.json with schema_version, job, error, timestamp_ms. |
| Startup recovery | Ambiguous jobs go to quarantine on daemon startup. Never silently re-run. Operator must clear quarantine manually. |
| Daemon lock | Single-writer lock prevents concurrent daemon instances. Stale locks auto-cleared on safe startup; --force available. |
| Prune safety | Always dry-run unless --yes is passed. Reconcile is always report-only and never modifies state. |
Security model
pending/approvals/*.approval.json.notes/queue/artifacts/<job_id>/ include plan, action timeline, stdout/stderr, and generated file metadata.voxera ops bundle system packages queue state + artifacts for handoff.--read-only.--network=none) unless explicitly requested and policy-approved.~/.voxera/workspace/<job_id> as /work — no cross-job filesystem access.voxera config snapshot writes an audit-ready view of active configuration.voxera config show — secrets never appear in CLI output.Ops commands
# Dry-run preview (safe, no changes)
voxera artifacts prune --max-age-days 30
# Delete entries older than 30 days
voxera artifacts prune --max-age-days 30 --yes
# Keep newest 50, prune the rest
voxera artifacts prune --max-count 50 --yes
# Prune terminal job buckets (done/failed/canceled)
voxera queue prune --max-age-days 30 --yes
# Report-only hygiene diagnostic
voxera queue reconcilevoxera queue health # paused flag, lock, counters
voxera queue status # live bucket counts
voxera doctor # provider endpoint validation
voxera doctor --quick # fast local check (no model calls)
# Panel (browser)
voxera panel
# http://127.0.0.1:8844/jobs?bucket=all&n=80voxera ops bundle system
voxera ops bundle job job-123.json
# Combined handoff folder
voxera ops bundle system \
--dir notes/queue/_archive/INCIDENT-001
voxera ops bundle job job-123.json \
--dir notes/queue/_archive/INCIDENT-001# Run end-to-end demo
voxera demo
# Validate before merge
make merge-readiness-check
# Broader local validation
make full-validation-checkThe demo flow validates queue init, daemon reliability, and approval gating in a single command.
Next
Panel auth hardening, ops health dashboard, and health degradation signals — the next stability milestone before broader expansion.