Operational State

This page is the current-state ledger. It is intentionally less romantic than the architecture pages. The architecture pages explain how Sanctum is supposed to work — the blueprint, the mythology, the council sessions in the basement in Québec. This page is the mirror the haus holds up to itself every morning to make sure none of that is a hallucination. Less romance. More receipts. What was actually verified on the actual machine, on an actual Tuesday, by an actual test run that either passed or didn’t.

Current Verified State

Workspace-owned slice

• sanctum/catalog.yaml is the checked-in canonical source for the workspace service manifests
• sanctum/agent_capabilities.yaml is the checked-in canonical source for the Code Forge permission model
• The canonical agent persona markdown now lives in the raw mlx-finetune workspaces and is synced mechanically into runtime workspaces via tools/sync_agent_markdown.py
• sanctum/render_services.py --check reproduces the checked-in manifests deterministically
• tools/sync_runtime_calibration.py --check verifies that ~/.sanctum/.instance.json and the template-managed LaunchAgents still match their canonical runtime inputs
• tools/sync_agent_markdown.py --check --audit-live verifies that reachable ~/.openclaw/workspace* copies still match the canonical IDENTITY.md, SOUL.md, TOOLS.md, and HEARTBEAT.md sources and that the MBP still looks like a healthy fanout target
• ~/.sanctum/state/agent-markdown-sync.json is now the machine-readable calibration ledger for the most recent local sync or audit pass
• tests/test-sanctum-audit.sh covers rendering, sidecar behavior, graph compatibility, and docs wiring
• tests/test-agent-markdown-sync-e2e.sh proves local sync plus best-effort VM/MBP fanout in a disposable harness
• tests/test-sanctum-immune-system.sh exercises the live Rust watchdog end to end, including anomaly logging, root-cause remediation, failed escalation, and the local API
• tests/test-sanctum-code-forge.sh exercises the shared Code Forge scripts end to end, including permission rejection, deploy success, rollback, review, list, and audit logging
• tests/test-sanctum-evolution-loop.sh exercises the real incident-learning, performance-review, and evolution-report scripts together in a disposable Sanctum home
• tests/test-sanctum-genetic-health.sh exercises the local genome-mcp CLI through its checked-in virtualenv and verifies the exported health profile surface
• tests/test-sanctum-tech-lookout.sh exercises the tech-lookout scan, brief, and dispatch scripts against a disposable report directory without requiring council-router
• sanctum/sanctum-spec-surface.yaml, sanctum/kitchenloop-canaries.yaml, sanctum/kitchenloop-tribunal.yaml, and sanctum/kitchenloop.yaml now define the checked-in Kitchen Loop surface
• tools/run_kitchen_loop.py and tests/test-sanctum-kitchen-loop.sh prove the six-phase loop, oracle output, and pause-gate behavior in a disposable state directory
• navigator-sidecar.js exposes aggregate project status and scrubs obvious secret material from its payload

Runtime slice

• ~/.sanctum/instance.yaml validates cleanly
• ~/.sanctum/services/ now contains 38 rendered manifests: the watchdog reports 38/38 healthy as of 2026-04-18. Includes instance-backed services, SSH tunnel services, and the five off-catalogue services registered during the April 2026 audit (obliteratus, force-flow, sanctum-bridge, livekit-server, reranker)
• ~/.sanctum/config/agent-capabilities.yaml is now present and synced from the checked-in workspace source
• Runtime wrappers under ~/.sanctum/bin are present
• com.sanctum.agent-markdown-sync keeps the local runtime markdown aligned at login and every 5 minutes
• The installed helper scripts now live under ~/.sanctum/scripts with absolute paths, which is a less exciting place for launchd to look and therefore a better one
• LaunchAgent drift has been remediated to a clean baseline according to the custom auditor, including retirement of the legacy shell-era Living Force plist in favor of the Rust watchdog plist
• The runtime graph now carries explicit verified edges such as qwen3-tts -> voice-agent instead of treating every instance service as an isolated root (rename history: xtts → xtts-server Q2; → qwen3-tts 2026-04-25 after the Coqui→Qwen3 backend swap)
• The watchdog API snapshot now clears resolved root causes after a successful self-heal instead of reporting stale pre-remediation causes
• The instance.yaml JSON cache and template-managed LaunchAgents are now part of the checked calibration surface instead of being unverified byproducts
• Reachable remote nodes are now part of the markdown calibration path: the VM is synced over the configured SSH alias, and mobile nodes such as the MBP are updated opportunistically when reachable over Tailscale
• The MBP now behaves as a passive fanout target by default. If it is offline, the Mac Mini skips it. If it is online, it receives the canonical markdown and records a healthy fanout-target status instead of trying to reinvent the council from a stale local checkout

Documentation slice

• Stable architecture doctrine lives primarily in The Living Force
• Dated changes and migration events live in Operational History
• Audit-style corrections live in Implementation Audit, Runtime Drift Audit, and Feature Status Matrix

What This Means Practically

Sanctum is in better shape than it was when the audit started:

• one canonical checked-in service catalog for the workspace slice
• deterministic manifest generation
• a cleaner sidecar contract
• end-to-end audit coverage on the parts we touched
• a mechanically proven immune-system loop instead of a mostly-plausible one
• a mechanically proven Code Forge pipeline instead of a narrative one
• a mechanically proven evolution loop instead of a missing weekly synthesis step
• a mechanically proven genetic-health layer instead of a purely doctrinal one
• a mechanically proven tech-lookout pipeline instead of a Jocasta-only architecture promise
• a mechanically proven Kitchen Loop surface instead of a pure architecture blueprint
• a mechanically checked runtime calibration surface instead of stale generated artifacts hiding in plain sight
• a mechanically checked persona-calibration surface instead of hand-edited markdown drifting between machines
• a mechanically checked live-node audit for the MBP instead of assuming the road machine probably did the right thing
• runtime LaunchAgent drift repaired
• documentation boundaries made explicit

Tip

The system is now easier to reason about because fewer things are implicit. That is the whole game in infrastructure. Performance matters. Reliability matters. But clarity is what keeps you from debugging ghosts at 4 AM wearing the same underwear the incident started in. Implicit state is how a working haus becomes a story you tell during therapy.

What Is Still Not True

A few claims remain too generous if stated without qualifiers:

• Sanctum is not yet a single-repo system
• Sanctum is not yet a fully portable install experience
• The runtime layer still depends on local state outside the checked-in workspace

Those are not failures. They are the boundaries of the current design — the part of the map where it still says here be dragons, and on a quiet enough night, if you listen, you can hear them snoring.

Related Pages

• Implementation Audit
• Feature Status Matrix
• Runtime Drift Audit
• Operational History