🎯 Control Room Operating Model

Runtime-independent orchestration for Mission Control

Design Principle: Mission Control is the durable operating layer — tickets, history, workbench, runtime ledger, routing, and recovery survive model/runtime churn. Hermes, Claude, Gemini, Codex are replaceable adapters, not dependencies.

🎭The 3-Role Model

Every Mission Control ticket follows a simple loop. This is the outer quality gate. Dev-loop is the inner quality gate (how the worker does its work).

Controller

persistent-Luci

Owns the board
Dispatches work
Detects stuck/dead workers
Decides escalation
Never does the work

Worker

Claude Code / Codex / Hermes

Plans + designs + codes
Produces evidence
Reports done
One person per ticket

Reviewer

QA reviewer + Tessa

Independent check
QA reads diff + evidence
Tessa tests in browser
Both must pass

🔄The Quality Loop

Worker reports DONE — produces evidence (diff, commit, test output)

QA reviewer checks — reads diff + evidence. If fail → back to Worker

Tessa checks — tests in real browser. If fail → back to Worker

Both pass — Controller asks: "Does Elmar need to see this?"

Gate decision — Pure implementation auto-closes. Product/strategic → present to Elmar

        Max 3 cycles — If the loop fails 3 times, Controller escalates to Elmar with context.
      

🎯Controller Responsibilities

Board ownership — Controls ticket status, assignment, priority
Worker dispatch — Spawns runtime-appropriate workers per ticket
Health monitoring — Detects stuck workers, stale sessions, failed tasks
Escalation decisions — Knows when to loop vs. when to raise to Elmar
Single voice — Workers report up, never sideways to Elmar
Campaign separation — Orchestrator tickets marked via campaign_owner field

🛠️Runtime Independence

Principles

Adapter Contracts

Gates

Core Principles

MC is the source of truth — tickets, runtime sessions ledger, history, workbench
Runtimes are replaceable adapters — Hermes, Claude Code, Codex CLI, Gemini CLI
Config stays inspectable — no black-box routing buried in WebUI alone
Evidence preserved across switches — session handoff, logs, artifacts survive runtime changes
Cost/capacity routing — subscription limits = availability constraints, not just token cost

Runtime Adapter Contract

Every runtime adapter must satisfy:

runtime_sessions ledger — session id, ticket/task id, runtime/profile, timestamps, status, harvest path
Terminal state output — structured (status, summary, next_actions, artifacts)
Worktree pool respect — workers may claim pool slots; persistent Luci must not
CCGram one-poller — only CCGram polls Telegram; workers use settings-worker.json
Runtime-profile honesty — scheduler runtime_profile must match what runs; direct SDK scripts use direct_* sentinel
Rollback safety — revert profile/override first before any service restart

Required Gates

Architecture/docs gate: Any change to MC runtime architecture, PKA operating behavior, or canonical docs requires Atlas-style review/signoff.

Code/runtime gate: Runtime adapter changes need test coverage and manual preflight before production routing.

UI gate: Tessa must validate UI-touching changes in a real browser before done.

Secrets/security gate: Runtime changes that touch auth, tokens, or API keys need explicit security review.

📋What Lives Where

agent-control-room/ — Thin governance layer. Links to canonical docs, does NOT duplicate live state.

mission-control/ — Source of truth for tickets, runtime ledger, scheduler, workbench, history.

reports/ — Living plans, status reports, dated evidence.

luci-manifest.md / CAPABILITIES.md — System inventory and capabilities reference.

Control Room Structure

agent-control-room/
  README.md
  shared/
    commands.md           # common inspection commands
  docs/
    runtime-independence.md
    runtime-profiles.md
    runtime-portability-inventory.md
    subscription-aware-routing-policy.md
    webui-governance.md
  runbooks/
    runtime-profile-change.md
    runtime-retirement-migration.md
    runtime-switch-continuity.md
    recover-stuck-worker.md

✅Implementation Status

As of 2026-05-24:

Runtime-independence foundation — Complete
Control-room governance — Complete
Runtime adapter metadata — Landed
Tasks/Scheduler — Strongest page slice, browser-verified
MC-4049 campaign-owner separation — In progress (key control-plane dependency)
Full-suite verification — Blocked by test health issues
Runtime-switch continuity — Open
Low-risk Hermes-through-MC proof — Open

        MC-4000 remains open until PRD acceptance criteria are met. See reports/mission-control-recovery-prd-status-2026-05-24.md for live tracking.
      