Product specification · PMs and engineers implementing against a contract
OBS-001 · Light Station Product specification v0.2.0 Reference implementation

Operator Console Specification

Authoritative summary of what Light Station is, what it does, and what it explicitly does not do. Light Station observes Vigil governance and relays Steward commands — it does not evaluate proposals or issue verdicts.

Source binding ✓ reconciled
Bound to
lightstation-docs @ v0.2.0 · API_CONTRACT.md · WATCHSTATION_PRD_v3.md
Scope
Product requirements summary. Full source docs on GitHub.
Author
Stephen Sweeney
Light Station does not govern. A console outage does not weaken enforcement. Vigil continues to evaluate proposals and deny unauthorized actions independently of whether the operator is watching.

Product definition

Light Station (product name; repo: LightStation) is the Principal interface for Vigil-governed autonomous agents. It is a locally-hosted web application that surfaces governance state, approval queues, sprint-scoped work authorization, audit trails, and the knowledge substrate the agent navigates.

Two load-bearing pillars

Governance observability

The Principal sees what the agent is doing, what Vigil has decided, what requires human judgment, and what the budget and enforcement posture look like at any moment.

Knowledge substrate

Structured context the agent navigates — goals, constraints, prior decisions, operational history. With the governed write path, the agent proposes memory; the Principal commits.

Non-goals

Light Station does notRationale
Modify Vigil governance policyYAML config is edited directly in Vigil
Orchestrate agentsObserves and relays Steward commands only
Issue verdictsEvaluation is Vigil's exclusive authority
Host in the cloud (MVP)Local only; Tailscale for remote access
Support multi-user access (MVP)Single Principal operator
Override governance when disconnectedFail-closed; no "proceed anyway"

Personas

P1 · Principal at desk
Full-density operator

MacBook or Mac mini. Full-screen browser. Reviewing sprint progress, reading audit trails, updating the knowledge chart, dispatching missions. Wants density and detail across all 13 views.

P2 · Principal in field
Mobile approver

iPhone via Tailscale. Agent hit an approval gate. Reviews the suspended action, approves or rejects in two taps. Time-scarce — critical information above the fold on a 390pt screen.

P3 · The agent
Briefing API consumer

Not human, but a real consumer of Light Station outputs. Reads structured briefing before sessions. Proposes memory candidates for Principal review. Quality of output proportional to knowledge substrate quality.

Feature inventory

Thirteen lighthouse views, each mapping to a distinct governance or knowledge function. Canonical naming per the lighthouse metaphor.

ViewViewIdAcceptance summary
Lantern RoomlanternEnforcement badge, budget gauge, pending approvals, active sprint, recent events, chart status
LookoutlookoutLive SSE event stream; filterable by agent, law, verdict; virtual scroll for 10k+ entries
ClearanceclearanceHOLD items within 5s via SSE; approve/reject with mandatory reason on reject; STEWARD attribution
LogbooklogbookWrite-once steward record; auto-ingest on significant events; no update/delete endpoint
LedgerledgerHash-chained audit log proxied from Vigil; searchable, replayable
ChartroomchartroomKnowledge graph (Landmark / Chart / Sounding); Memory Proposals with per-edge accept/reject
BeaconbeaconAI-assisted Signal intake; severity triage; suggests route — never auto-acts
Sounding ReportsoundingDeep research briefs; promotable from Logbook or Beacon
VoyagevoyageKanban sprint board; authorization is explicit Principal act
ManifestmanifestTicket CRUD; atomic unit of authorized work
CrewcrewAgent roster and status from Vigil /agents
ProvisionsprovisionsToken budget console; Normal → Degraded → Gated → Halted ladder
RegistryregistryVigil configuration viewer (read-only)
Principle 9 — The agent proposes; the Principal commits. Memory Proposals, Signal Cards, and Clearance decisions all follow this pattern. The agent or system suggests; only the Principal authorizes state changes.

Vigil contract

Light Station consumes Vigil's HTTP governance contract via interface.ts — the language boundary seam between TypeScript and Swift. The mock client (VIGIL_MOCK=true) must never break; it enables offline development and CI.

Environment

VariableDefaultPurpose
VIGIL_BASE_URLhttp://127.0.0.1:18820Vigil daemon endpoint
VIGIL_MOCKfalseUse mock client for dev/CI
VIGIL_API_KEYOptional Bearer auth
PORT7789Light Station API port

Legacy CLAWLAW_* env aliases remain supported. VIGIL_* takes precedence when both are set.

Verdict mapping

Vigil decisionLight Station verdictOperator surface
allowALLOWLookout (observe)
deny, rejectDENYLookout, Ledger
escalateHOLDClearance (resolve)
(informational)INFOLookout, Logbook auto-ingest

Upstream endpoints consumed

EndpointPurpose
GET /healthConnectivity check
GET /governance/stateEnforcement level, budget, queue depth
GET /queuePending HOLD approvals
POST /queue/:id/approve|rejectSteward decision relay
GET /auditHash-chained decision log
POST /budget/increase|resetBudget management
GET /agentsAgent roster
POST /sprint/authorizeSprint authorization (audit in Vigil)
GET /events (SSE)Real-time governance event stream

Light Station API (canonical)

Routes mount at /api/{viewId}. Deprecated aliases (/api/queue, /api/watchlog, etc.) supported for one release.

Fail-closed contract. When Vigil is unreachable, routes return 502 with { "error": "Vigil unreachable" }. The UI shows a Disconnected banner. No stale approval data is served as current.

Knowledge model

The knowledge substrate is a relational graph — not a filing cabinet. Three layers organize information by permanence and authority.

LayerRoleWrite authority
LandmarkImmutable reference points — goals, constraints, constitutional factsPrincipal only
ChartOperational context — current state, active decisions, working knowledgePrincipal; agent via proposals
SoundingDeep research — promoted from Logbook or Beacon when warrantedPrincipal promotion

Governed write path

1Agent proposes kg_proposal with proposed edges via Briefing API context
2Proposal appears in Chartroom Proposals tab
3Principal reviews per-edge accept/reject
4On approve → kg_node and kg_edges created
5Briefing API returns recentlyCommittedProposals to agent on next session

Logbook discipline

Logbook entries are write-once. No update or delete endpoint exists. Significant governance events (DENY, HOLD, enforcement transitions, budget thresholds at 80/90/100%) auto-ingest via the State Bridge. Principal may promote entries to Sounding layer.

Beacon & Sounding

v0.2.0 adds AI-assisted intake modules. Both follow Principle 9: propose routes, never auto-act.

Beacon · Signal intake

Raw inbound text analyzed by LLM. Creates Signal Cards with severity (ADV / WARN / CRIT / EMER). Suggested routes: create ticket, propose knowledge, log to watchlog, or dismiss. Principal selects action.

Sounding · Research briefs

Deep research on a topic. Generated from Beacon escalation or Logbook promotion. Stored in research_briefs. Available in Chartroom as Sounding layer nodes.

Data model

SQLite via better-sqlite3. Schema source of truth: src/server/db/schema.ts. Deliberate choice: single-user, local, zero infrastructure.

Table groupTablesPurpose
Work managementsprints, tickets, ticket_events, ticket_commentsSprint board and ticket lifecycle
Knowledge graphkg_nodes, kg_edges, kg_fts, kg_proposals, kg_proposed_edgesChartroom substrate and governed write path
Steward recordwatchlog_entries, steward_actionsWrite-once logbook; local approve/reject record with Vigil audit linkage
AI intakesignal_cards, research_briefsBeacon and Sounding modules
Agent contextagent_briefing_timestampsPer-agent briefing cursor for session continuity

Multi-table writes must use db.transaction(). Schema must stay synchronized between schema.ts (boot) and migrate.ts (existing databases).

Invariants & QA

P0 invariants are release gates. Violation of any invariant is a blocker.

INV-01 Light Station outage does not weaken Vigil enforcement
INV-02 Vigil unreachable → 502 on queue routes; Disconnected banner; no stale queue data
INV-03 Logbook is write-once — no update or delete endpoint
INV-04 Every Steward action recorded with STEWARD attribution and Vigil audit linkage
INV-05 No governance override controls in the UI — agent cannot bypass Vigil via console
INV-06 Reject in Clearance requires mandatory reason field
INV-07 Signal/Beacon never auto-acts — Principal commits all routes
INV-08 Mock client path must never break CI (VIGIL_MOCK=true)

Test tiers

TierEnvironmentScope
AutomatedCIVitest (12 suites), typecheck, lint, Playwright E2E
Tier 1 · MockVIGIL_MOCK=true~16 manual cases — all views, queue, proposals, fail-closed
Tier 2 · LiveVigil on :188205-experiment demo, live approve/reject, kill-Vigil disconnect test

Pre-release P0 gate target: under 45 minutes. Full manual test catalog (~80 cases) and traceability matrix live in the repository under docs/qa/.

Version & status

AttributeValue
Versionv0.2.0
npm packagesteward-desk
Repositorygithub.com/stephen-sweeney/lightstation-docs
JurisdictionVigil · OBS-001
DeploymentmacOS launchd + Tailscale (Forge lab)
Contract versionAPI Contract v1.0.0 (Vigil v0.6.1+)

Shipped vs deferred

Shipped · v0.2.0Deferred
13 lighthouse viewsPlugin architecture (post-core-ship)
Beacon / Signal intakeNative iOS/macOS app
Sounding research briefsMulti-user / team access
Memory Proposals governed write pathCloud hosting
Live + mock Vigil integrationK3s cross-runtime observability
5-experiment deterministic demoAudit log virtual scroll above ~50k entries