Security posture
No public operational records
Counts, task titles, event names, worker runs, approvals, and database errors are not rendered from the public root. Operator views should be built as authenticated consoles over the same generic APIs.
Continuous Core
Operating layer for human, AI, and robot workforces
The public root stays static. Operational data lives behind the control-plane APIs, where tokens, tenant scope, worker role scope, command scope, approvals, and evidence can be enforced before any business record is read or changed.
StatusLockedOperational summary requires control-plane auth
Route/workerWorker role and config stay in the payload
Public/healthSafe liveness only
ExecutionBlockedExternal actions require scoped approval proof
Control plane
Public dashboard locked
POST /worker with command or view, worker selectors, command idempotencyKey, and config.
POST /core with command, core selectors, idempotencyKey, and config.
POST /workflow with command or view, workflow selectors, idempotencyKey for mutations, and config.
API shape
Generic routes, typed payloads
Worker APIGeneric
Core APICanonical
Workflow APILedgered
Approval APIShared
Platform
Core primitives
Business graph
Customers, leads, jobs, invoices, payments, workers, and operating facts share the same persisted substrate.
Task ledger
Work is tracked through clear state, owner, capability, evidence, and outcome fields.
Capability registry
Agentic actions are typed, scoped, risk-aware contracts instead of loose credentials.
Evidence layer
Actions can attach packets, documents, approvals, traces, and external receipts.
Worker runtime
Worker families extend role, command, view, and config metadata without creating family-specific URLs.
Adapter model
External systems are represented as scoped connectors before live execution is allowed.