Voxera OS Join Waitlist

Capabilities

Five pillars of operator-grade AI

Voxera OS isn't feature-complete — it's stability-first. Here's what's solid today, what's planned next, and why each pillar matters for real-world operator workflows.

Pillar 1

Queue railguard system

  • Deterministic lifecycle: inbox → pending → done or failed — no silent state transitions, no ambiguous stuck jobs
  • Cancel, retry, prune, and reconcile — every queue bucket is inspectable and cleanable on demand
  • Quarantine-first recovery: ambiguous jobs on daemon startup go to quarantine, never silently re-run
Operator proof: "Every queue state transition is visible. Reconcile diagnostics report without modifying state — always safe to run."
Engineering details

Queue drop location: notes/queue/inbox/*.json only. Legacy root drops are auto-relocated with a queue_job_autorelocate audit event. The daemon ignores dotfiles, *.tmp, and *.partial artifacts.

  • voxera queue status — live bucket counts
  • voxera queue reconcile — report-only hygiene diagnostic
  • voxera queue prune --max-age-days 30 --yes — remove stale terminal jobs
  • voxera queue cancel <job_id> / retry / pause / resume

Pillar 2

Human-in-the-loop approvals

  • Risky actions gate on explicit operator sign-off — never auto-approved by default
  • Policy decides allow, ask, or deny at runtime; reason and scope are tracked in a structured approval artifact
  • Approve once or approve-always — operator controls persistence, not the AI
Operator proof: "No job requiring approval can reach done state without an explicit CLI or panel confirmation. The approval artifact records who approved, when, and why."
Engineering details

Approval-required jobs move to pending/ — never to failed. Approval artifacts are written to pending/approvals/*.approval.json with policy reason and scope metadata.

  • voxera queue approvals list
  • voxera queue approvals approve <job_id>
  • voxera queue approvals approve <job_id> --always (persist for skill)
  • voxera queue approvals deny <job_id>

Malformed approval artifacts surface as "(unparseable)" rows in the list view — fully audited, never silently dropped.

Pillar 3

Observability that explains itself

  • Every job emits a structured bundle: plan, action timeline, stdout/stderr, generated file metadata — persisted under notes/queue/artifacts/<job_id>/
  • Brain fallback reason classified and surfaced: TIMEOUT, AUTH, RATE_LIMIT, MALFORMED, NETWORK, UNKNOWN — never a silent failure
  • Queue health snapshot: paused flag, lock status, counters, last fallback reason, and last error summary — all in one command
Operator proof: "When something goes wrong, voxera queue health and voxera doctor show exactly why — no log-diving required."
Engineering details

Health counters persist in notes/queue/health.json (shared by daemon and panel). Failed-job sidecars at failed/<job_stem>.error.json carry schema_version, job, error, and timestamp_ms.

  • voxera queue health — snapshot with paused flag, lock status, counters
  • voxera doctor / voxera doctor --quick — provider + local health
  • Panel at http://127.0.0.1:8844/jobs?bucket=all&n=80 — filter, search, per-job artifact view
  • voxera ops bundle system / voxera ops bundle job <job_id> — incident packages

Pillar 4

Provider flexibility with constraints

  • Gemini, OpenAI-compatible, OpenRouter, and local Ollama — tiered fallback chain that degrades gracefully, not silently
  • Non-destructive setup wizard: keep, skip, or replace per provider — existing config is never overwritten without asking
  • Fallback reason surfaced in voxera doctor output — operators always know which provider tier failed and why
Operator proof: "Provider configuration is inspectable with voxera config show and snapshotted for auditing. Config precedence is always deterministic: CLI → env → file → defaults."
Engineering details

Brain roles: primary, fast, reasoning, fallback — each tier is independently configurable. OpenRouter is supported out of the box with base URL and headers.

  • voxera config show — redacted view of active config
  • voxera config validate — non-zero exit on validation errors
  • voxera config snapshot — write an audit snapshot
  • voxera setup — interactive provider catalog wizard

Pillar 5

Operator hygiene and retention

  • Artifact prune by age or count: configurable thresholds, dry-run by default, JSON-summary output for scripting
  • Queue prune removes stale terminal jobs; reconcile diagnoses without modifying state — always safe to run first
  • Incident bundles: package system state and job artifacts into a structured handoff folder in a single command
Operator proof: "Hygiene commands are additive and non-destructive by default. Prune never touches live queue state; reconcile is always report-only."
Engineering details
  • voxera artifacts prune --max-age-days 30 — dry-run preview (no changes)
  • voxera artifacts prune --max-age-days 30 --yes — delete stale entries
  • voxera artifacts prune --max-count 50 --yes — keep newest N, prune the rest
  • voxera queue prune --max-age-days 30 --yes — clean terminal job buckets
  • voxera queue reconcile — report-only hygiene check
  • voxera ops bundle system --dir <path> — incident bundle

Status

What ships today vs what's planned

Ships today

  • Demo flow — voxera demo end-to-end
  • Queue prune + reconcile toolchain
  • Daemon reliability: single-writer lock, graceful SIGTERM shutdown
  • Startup recovery + quarantine-first hygiene
  • Brain fallback classification with visible reasons
  • Artifact prune with dry-run + JSON summary
  • Non-destructive setup wizard with provider catalog

Planned — v0.1.6

  • Panel auth rate limiting + hardened endpoints
  • Ops health dashboard in panel
  • Health degradation signals + backoff
  • Structured mission planning previews with operator confirmation
  • Broader provider behavior hardening

Ready to start?

Get running in 5 minutes

Run voxera demo to see queue + approvals + audit in action. Then explore the operator reference for full command coverage.

Quick Start Operator Guide