Read control-plane status
/api/status
Reads VDS control-plane status without local desktop permissions.
Desktop Shell
Desktop shell reads shared VDS control-plane APIs. Native runtime, local automation, keychain storage, and provider calls are not enabled.
Control plane
needs credentials
typescript seed / needs credentials
Records
18
4 live records from shared API.
Profiles
5
0/106 redacted vault references.
Shared API
needs credentials
Read control records
/api/control-center/records
Reads project, integration, and deployment records through the shared API.
Read continuation rail
/api/handoffs/current
Reads the active build task and checkpoint state.
Read credential profiles
/api/desktop/profiles
Reads redacted vault references for API keys, VPS connections, ElevenLabs agents, and voices without returning values.
Read provider readiness
/api/providers/readiness
Displays provider readiness metadata without calling providers.
Local desktop automation
not-enabled
Blocked until macOS Accessibility and desktop audit policy are explicitly approved.
approvals: macos-accessibility-approval
Credential Profiles
Raw values returned
no
Desktop secret storage
no
api keys
ElevenLabs API Keys
Vault needs approval
Runtime needs approval
Refs 0/26
Wire approved runtime consumers server-side after provider health approval.
server side only / desktop storage: none
agent ids
ElevenLabs Agent IDs
Vault needs approval
Runtime needs approval
Refs 0/26
Wire approved runtime consumers server-side after provider health approval.
server side only / desktop storage: none
voice ids
ElevenLabs Voice IDs
Vault needs approval
Runtime needs approval
Refs 0/26
Wire approved runtime consumers server-side after provider health approval.
server side only / desktop storage: none
service config
Legacy Hub Runtime Config
Vault pending
Runtime pending
Refs 0/24
Wire approved runtime consumers server-side after provider health approval.
server side only / desktop storage: none
vps connection
VDS Connection Profile
Vault needs credentials
Runtime needs credentials
Refs 0/4
Collect approved vault references without exposing values.
not collected / desktop storage: none
Approval Boundary
Runner Output Promotion Approval
needs approvalPromotion can move agent-written changes into the visible build. It must not expose raw output, raw workspace files, secrets, provider calls, wallet actions, desktop automation, or public deploy authority.
macOS Accessibility Approval
needs approvalDesktop automation can paste or operate local apps.
Orchestrator Execution Policy Approval
needs approvalUncontrolled execution could run provider calls, leak operational context, mutate production, or cross the wallet/provider/desktop boundaries.
Provider Generation Staging Approval
needs approvalProvider generation can spend credits, expose prompts or references to third parties, and return unsafe or unusable assets if not scoped to staging.
Desktop Build Approval
needs approvalDesktop packaging can create local binaries and artifacts; it must not silently enable automation permissions or secret storage.
Durable Memory Write Approval
pendingMemory records may contain sensitive operational context.
External Research Approval
pendingExternal requests may disclose intent or depend on unstable third-party state.
Control Records
project
THE LAB
project
Agent Registry
project
THE LAB Desktop
project
THE LAB Skills Library
integration
Codex
Next Task
Make Agent Run activity simple to follow
localAgent Run now surfaces redacted run feed events, receipts, action queue state, review handoff, current action, completed actions, locked gates, and the next safe command without exposing raw output.
npm run typecheck && npm test && npm run build
Blocked Actions
macOS Accessibility automationlocal app controllocal keychain secret storageprovider health callsdesktop background agent